How to capture all wireless network traffic in Wireshark? - wireshark

I'm using Wireshark 2.2.3, and I want to capture all wireless network traffic using Wireshark.
I've tried from Wireshark with:
Edit -> Preferences -> Protocols -> IEEE 802.11 -> New -> wpa-psk
and in the Key box: "AP:password", but I get an "Invalid key format" error.
I can't find where to set promiscuous mode.
Promiscuous mode setting: I tried both on and off in monitor mode.
Can anybody please help me get the wireless network traffic, so I can capture all the requests from my team members on the same network?
sudo ifconfig eth0 promisc
[sudo] password for tb-desktop2:
tb-desktop2@tbdesktop2:~$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1492   0  117205      0      0      0   96232      0      0      0 BMPRU
lo    65536   0  156470      0      0      0  156470      0      0      0 LRU
How do I enable monitor mode (mon0)?
sudo airmon-ng start wlan0
Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1081 NetworkManager
1090 avahi-daemon
1107 avahi-daemon
1317 wpa_supplicant
1853 dhclient
Process with PID 1853 (dhclient) is running on interface wlp6s0
Interface Chipset Driver
wlp6s0 Atheros AR9565 ath9k - [phy0]
I still don't get the network packets.

in the Key box: "AP:password", But I get an Invalid key format error.
If you're trying to enter a password, you need to select wpa-pwd, not wpa-psk. You may also wish to display the Wireless Toolbar via View -> Wireless Toolbar. You can add decryption keys from the toolbar using Decryption Keys... -> New -> Type:WPA-PWD, Passphrase:TBD,SSID:TBD.
If you have an adaptor that integrates with Wireshark, such as an AirPcap adaptor, you can set the Wireless Settings from the toolbar as well.
You can enable promiscuous mode by double-clicking the applicable interface in the main Wireshark page's interface list or through Capture -> Interfaces -> Options or from Preferences -> Capture -> Interfaces: Edit....
All that aside, I'm not sure you'll necessarily be able to capture what you want without enabling monitor mode. I would recommend visiting the Wireshark WLAN (IEEE 802.11) capture setup wiki page and reading the information available there.
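To make the wpa-pwd versus wpa-psk distinction concrete, here is an added Python example; it is not code from the original answer or from Wireshark. It derives the 256-bit PSK from a passphrase and SSID the way IEEE 802.11 defines it (PBKDF2-HMAC-SHA1, 4096 iterations), which is the 64-hex-digit value the wpa-psk key type wants, and builds the passphrase:SSID string the wpa-pwd key type wants. The function names are mine; the 8-63 character passphrase and 1-32 byte SSID limits are the WPA/802.11 rules, and whether Wireshark applies exactly these checks before reporting "Invalid key format" is an assumption. The pair password/IEEE is the PSK test vector published in the IEEE 802.11 standard; every other value is made up.

```python
import hashlib
import re

# A wpa-psk entry is the raw 256-bit PSK written as 64 hex digits, nothing else.
HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK as defined by IEEE 802.11: PBKDF2-HMAC-SHA1 over the
    passphrase with the SSID as salt, 4096 iterations, 256-bit output.
    The hex string returned is what Wireshark's 'wpa-psk' key type expects."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not (1 <= len(ssid_bytes) <= 32):
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32).hex()


def wpa_pwd_entry(passphrase, ssid):
    """Wireshark 'wpa-pwd' entry: passphrase, a colon, then the SSID (MyPassword:MySSID).
    Colons are refused here to keep the entry unambiguous (assumption: if your passphrase
    really contains ':', check Wireshark's own splitting rule rather than this helper)."""
    if ":" in passphrase or ":" in ssid:
        raise ValueError("avoid ':' in passphrase/SSID for a wpa-pwd entry")
    wpa_psk(passphrase, ssid)  # reuse the length checks; the derived value is not needed here
    return f"{passphrase}:{ssid}"


def key_type_for(entry):
    """Which Wireshark key type this string fits, or None (the 'Invalid key format' case).
    'wpa-psk' needs 64 hex digits; 'wpa-pwd' needs an 8-63 char passphrase before the ':'
    (these length rules are the WPA limits; treating them as Wireshark's is an assumption)."""
    if HEX_PSK.match(entry):
        return "wpa-psk"
    passphrase, sep, ssid = entry.partition(":")
    if sep and 8 <= len(passphrase) <= 63 and 1 <= len(ssid.encode("utf-8")) <= 32:
        return "wpa-pwd"
    return None


if __name__ == "__main__":
    # Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print("wpa-psk entry:", wpa_psk("password", "IEEE"))
    print("wpa-pwd entry:", wpa_pwd_entry("password", "IEEE"))
    for candidate in ("AP:password", "password:AP", wpa_psk("password", "IEEE")):
        print(f"{candidate!r} -> {key_type_for(candidate)}")
```

Run as a script it prints the PSK for the test vector and shows that "AP:password" (SSID first, leaving a two-character passphrase) fits neither key type, while "password:AP" is a well-formed wpa-pwd entry and the 64-hex-digit output of wpa_psk() is a well-formed wpa-psk entry.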

To capture the traffic just set your antenna in monitor mode, Edit -> Preferences -> Protocols -> IEEE 802.11 is to decrypt traffic, which is another subject.
Type sudo airmon-ng check to check which processes might cause trouble when setting your antenna in monitor mode (you got five in the example you showed).
To kill these processes you can do it manually with kill <Process ID>, or you can type sudo airmon-ng check kill.
And once everything seems clear, type sudo airmon-ng start wlan0 again. To verify that it worked you can check with iwconfig: under wlan0 or wlan0mon, MODE should say MONITOR.
There your antenna will capture ALL wireless traffic on the channel it is on, and you can see that through Wireshark.

Related

Why can I not read HTTP requests with Wireshark?

I am trying to see the network traffic of my mobile device in my home WLAN network. I opened Wireshark, listening on the WLAN adapter, and entered http.request.method == "GET" in the Wireshark filter.
All I can see are the requests from my laptop and not those of my mobile device.
If I enter ip.addr == 10.0.0.30 I can see the protocols BJNP, ICMP, IGMPv2 and so on.
What is the reason for this behavior?
In my opinion, if I can see a TCP/IP protocol, it should also be possible to see an HTTP request.
There are two things that need to happen in order for you to be able to sniff TCP traffic from another device.
Your device needs to receive the traffic you want to analyze, and
Your device must be configured in "promiscuous mode".
If promiscuous mode is disabled (which is the default), packets not intended for your laptop will never make it to Wireshark. They will instead be filtered out by your network adapter.
There are cases where this is not enough, for example, if you connect to a network with a layer 2 switch.
The first thing you need to ensure is that your network adapter is set to monitor or promiscuous mode, otherwise you just won't be able to see packets not meant for your NIC. Also, set your computer as an access point, and connect your phone to said access point.
If you're going to sniff HTTPS traffic don't forget to add your own certificate to the phone.

Why is traffic not being properly routed through iOS's Network Extension Tunnel Provider?

I am experimenting with iOS's network extension tunnel provider, which uses NETunnelProviderManager and related classes, and Apple's sample provider SimpleTunnel which works with a test server tunnel_server.
I am able to get things working so that I map my iPhone device to the address 192.168.2.2, and then I am able to hit an apache web server running locally on the tunnel_server (Running on my macbook pro) from that same IP address. I believe this proves the tunnel is working since normally I cannot access 192.168.2.2 from my iPhone (although I can access this same macbook pro from a different email address). Also, when I add logging on the client and server sides I can see the TCP/IP packets flowing for this case.
However, when I tried to access yahoo.com from the same iPhone (keeping my VPN connection on), it is not able to access it. I then tested pinging a yahoo.com address from my phone (for example 98.138.253.109) and I cannot reach that when the VPN is up. So this explains why the DNS resolution is not working on the iPhone. I also cannot seem to reach any other addresses through the iPhone.
The strange thing is that for these cases that don't work, there are no packets flowing through the logging in tunnel_server or the extension provider. So the traffic is being limited now, even though I have not specified any such limitations.
If someone has any idea how to further triage this please let me know.
UPDATE:
I verified that the SimpleTunnel program is properly adding the default route so that all IP traffic from the iPhone is routed into the tunnel (this is done in PacketTunnelProvider.swift: createTunnelSettingsFromConfiguration(...)).
With this route in, I am effectively seeing all traffic on the device blocked, as if it is trying to route it but getting lost somewhere before it gets to the tunnel, because I don't see it hitting the logging in the extension (specifically in ClientTunnelConnection.swift: handlePackets()).
Since it is clearly not reaching the server side, I am pretty sure there is no issue on that end, which leaves some configuration on the client side. However, I'm not sure where to look.
UPDATE 2:
I've tried using Wireshark on the machine where tunnel_server runs, inspecting the utun2 interface, and I can see traffic coming in when I try to access the server machine itself from my iPhone via 192.168.2.2, the assigned address.
However, I don't see much other TCP or ICMP traffic on this interface. For example, if I try to ping one of my DNS servers (using its IP address) from my iPhone, I don't see any ICMP packets on the utun2 interface.
I also tried changing the assigned address from 192.168.2.2 to the address 10.15.68.200 which is on the same subnet as my server (10.15.68.160), but no luck.
This is what the resultant utun2 interface looks like on the server side:
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.15.68.200 --> 10.15.68.200 netmask 0xfffff800
I also found this post which alludes to a similar problem, but it wasn't of too much help.
UPDATE 3:
I found these entries in the iPhone's log right around the time the tunnel gets connected. I feel they may be related to the cause of why things aren't working, but not sure exactly what is going on.
Feb 23 09:28:06 iPhone PacketTunnel[1260] <Warning>: Tunnel connection state changed to Connecting
Feb 23 09:28:06 iPhone networkd[97] <Error>: -[NETClient sendMessage:replyHandler:] attempting to send an XPC message to a suspended client PacketTunnel.1260! This is a bug!
Feb 23 09:28:06 iPhone configd[38] <Notice>: network changed
Feb 23 09:28:06 iPhone PacketTunnel[1260] <Warning>: Tunnel connection state changed to Connected
Feb 23 09:28:06 iPhone configd[38] <Notice>: network changed: v4(utun0+:10.15.68.200, en0, pdp_ip0) DNS! Proxy!
Feb 23 09:28:06 iPhone networkd[97] <Error>: __42-[NETClientConnection evaluateNetworkPath]_block_invoke apsd.103 connection 75: trigger network agents (<NULL>) error Error Domain=NWPathEvaluatorErrorDomain Code=1 "(null)"
Feb 23 09:28:06 iPhone networkd[97] <Error>: __42-[NETClientConnection evaluateNetworkPath]_block_invoke com.apple.Safar.1236 connection 4: trigger network agents (<NULL>) error Error Domain=NWPathEvaluatorErrorDomain Code=1 " (null)"
Feb 23 09:28:06 iPhone networkd[97] <Error>: __42-[NETClientConnection evaluateNetworkPath]_block_invoke com.apple.Safar.1236 connection 5: trigger network agents (<NULL>) error Error Domain=NWPathEvaluatorErrorDomain Code=1 "(null)"
Feb 23 09:28:06 iPhone nesessionmanager[355] <Notice>: NESMVPNSession[Demo VPN:296CC30E-E2BD-4C73-8C29-E5264E9C4285]: status changed to connected
UPDATE 4:
Viewing the routing table using the "IT Tools" app on the iPhone shows the following: (Will only show the top part of the IPv4 routing)
default link#16 utun0 UCS
default 10.15.64.1 en0 UGSci
10.15.64.0/21 link#8 en0 UCS
10.15.64.1/32 link#8 en0 UCS
...
10.15.68.200 10.15.68.200 utun0 U
...
The first strange thing is that there are two default gateways, which seems like it should never happen. Having said that, the first gateway is utun0, which is what I would expect, although I am not seeing all the traffic go to the network tunnel provider extension. The last of these routes seems to be the only one that is working, since I actually can see packets going to that IP address go through the tunnel.
UPDATE 5:
I discovered that the traffic is actually going from utun2 to en0 on my server, but for some reason was not coming back to the server from outside. A look at the source IP address showed the packets were not being properly NATed, since they still had source addresses of 192.168.2.2.
By adding the rule below to pf.conf (for pfctl) I was able to get NAT working there, such that it changed the source address to my server's address:
nat on en0 inet from !(en0) to any -> (en0)
Now I actually see return packets from my final destination coming into en0. However, I do not see these routed back to utun2. It seems like there may be another NAT rule I need to add, but after trying many different things, nothing works.
I'm not absolutely sure from your post, but if you're running on a macbook and you have the VPN icon on the top of your phone, meaning the tunnel has been established, but can't access the net from the phone - it probably means you have a routing problem on your mac.
This is how I fixed it...
tunnel_server/config.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IPv4</key>
    <dict>
        <key>Routes</key>
        <array>
            <dict>
                <key>Netmask</key>
                <string>255.255.255.0</string>
                <key>Address</key>
                <string>10.10.5.0</string>
            </dict>
        </array>
        <key>Pool</key>
        <dict>
            <key>EndAddress</key>
            <string>10.10.5.10</string>
            <key>StartAddress</key>
            <string>10.10.5.3</string>
        </dict>
    </dict>
</dict>
</plist>
Configure the NAT
sudo vi /etc/pf.conf
add the following:
nat-anchor "simpleTunnel"
load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"
Keep in mind that pf.conf has an order in which the settings need to appear.
So after adding, mine looks like this: (added the rules after the scrub anchor)
scrub-anchor "com.apple/*"
nat-anchor "simpleTunnel"
load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
Edit:
sudo vi /etc/pf.anchors/simpleTunnel
nat on en0 from 10.10.0.0/16 to any -> en0
Run the following:
sudo sysctl net.inet.ip.forwarding=1
sudo sysctl net.inet.ip.fw.enable=1
sudo pfctl -evf /etc/pf.conf
Now the responses can arrive at en0
Let me know if it helps.

Wireshark check for Torrentz

I want to use Wireshark to check which network user is using port 59666 for downloads. Is it possible to do this with Wireshark, and how would I begin?
It may be possible to do this with wireshark, but it may require you to adjust your network topology to achieve this.
Firstly you need to decide where to run wireshark.
Wireshark can only tell you about network packets that it can see. To assist, wireshark can put the network card into promiscuous mode, but if the network card is connected to a switch, the switch will not send other network packets to you - so wireshark cannot report on them.
If your users are connected using wifi, then you can run Wireshark on a wifi adapter and inspect all wifi network packets from all users on that wifi network. You may also install Wireshark on a computer operating as the router / firewall, and inspect all the packets there.
The final option depends on your switch hardware. On managed switches it is usually possible to duplicate all network traffic to an additional port. That would allow you to connect your computer to this port, and then run wireshark on this network connection.
When you are receiving the wireshark trace, set up a filter for the ports you are interested in, and wait for your users to send packets. Inspect the packets, and you will see the source IP address. You now need to translate this IP address to a physical computer (DNS / DHCP servers may help with this).
Depending on your computer environment, tracking it down to a single computer may not identify an individual responsible. Someone could have left a torrent running in the background and someone else could have logged onto and used the machine.

capturing IEEE 802.11 packets without connecting to the network

I want to analyze network traffic, but not by connecting to the network: just switch on wifi and sniff the packets (IEEE 802.11 frames) in promiscuous mode.
I have tried libpcap, but it may be internally changing the datalink type, as I am giving the wifi interface in
descr=pcap_open_live("en1", MAXBYTES2CAPTURE, 1, 512, errbuf);
(as we know, Mac OS X has en1 as the wifi interface).
Now when I do this
printf("%s", pcap_datalink_val_to_name( pcap_datalink(descr)));
It gives me result "ethernet"
I have tried to capture packets using wireshark without connecting to my wifi network and it worked!!
I was able to capture Beacon , Acknowledgement and Authentication frames without connecting to my wifi network.
now:
Do I have to write a network card driver for that, or can libpcap do it? If yes, how?
Is Wireshark making some kind of driver for that? If yes, please help me locate that in its source code.
I have tried Apple's CFNetwork, but it too can't capture without connecting to the network.
It will be very helpful if I get some suggestions on user space code, as kernel level coding is a little tough :(
I am coding on Mac OS 10.7 in Xcode 4.5.1.
Update:
I am already doing this:
descr = pcap_create("e1", errbuf);
pcap_set_rfmon(descr, 0);    /* 0 = monitor mode off, 1 would request it */
pcap_set_promisc(descr, 0);  /* 0 = promiscuous mode off */
pcap_activate(descr);
descr = pcap_open_live("en1", 2048, 1, 512, errbuf);  /* reopens en1 the old way and replaces the handle above */
And yes, there is a little monitor icon at the wifi and I can sniff the packets, but only when I connect to the network. I want to do the same when I am not connected to wifi, like capturing Beacon and Acknowledgment frames, meaning the packets through which our network card detects available wifi networks.
If you're running on Snow Leopard or later (which you are, as you're running Lion), you should use the new pcap_create()/pcap_activate() APIs, and turn on monitor mode by calling pcap_set_rfmon() between the pcap_create() and pcap_activate() calls.
That's what Wireshark 1.6.0 and later do if you check the monitor mode checkbox, and what tcpdump 1.0.0 and later, and TShark and dumpcap in Wireshark 1.6.0 and later, do if you specify the -I command-line flag.
By default, Wi-Fi interfaces on many OSes, including but not limited to OS X, supply Ethernet headers, not 802.11 headers, which is why pcap_datalink_val_to_name(pcap_datalink(descr)) is reporting Ethernet headers. On Linux and OS X, you have to go into monitor mode to get 802.11 headers; on *BSD, you can get 802.11 headers without going into monitor mode.
You do not need your own driver to go into monitor mode on OS X; Wireshark does not supply its own drivers.
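The link-type point in the answer above (Ethernet headers from an associated Wi-Fi interface versus radiotap + 802.11 headers in monitor mode, where Beacon, Authentication and ACK frames become visible) and the earlier advice in the port 59666 question (filter on the port, read off the source addresses) can both be seen with one small pcap reader. This is an added example, not code from any of the posts or from libpcap/Wireshark: it builds two tiny captures in memory (constructed frames, not real traffic, with addresses from the documentation ranges) and parses them according to libpcap's DLT_EN10MB (1) and DLT_IEEE802_11_RADIO (127) link types. The function names, MAC addresses and the SSID are made up.

```python
import struct

DLT_EN10MB = 1              # Ethernet headers: what a Wi-Fi NIC hands up when associated
DLT_IEEE802_11_RADIO = 127  # radiotap + 802.11 headers: what monitor mode (rfmon, -I) hands up
FRAME_NAMES = {(0, 8): "Beacon", (0, 11): "Authentication", (1, 13): "ACK", (2, 0): "Data"}

def build_pcap(linktype, frames):
    """Classic pcap file: 24-byte global header, then a 16-byte record header per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_pcap(data):
    """Yield (linktype, frame_bytes) per record; the magic number fixes the byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if e is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(e + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from(e + "I", data, off + 8)
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify_80211(pkt):
    """Skip the radiotap header (version 0, pad, u16 LE length) and name the 802.11 frame.
    For Beacons, read the SSID element (tag 0) that follows the fixed 12-byte beacon body."""
    version, _pad, rt_len = struct.unpack_from("<BBH", pkt, 0)
    if version != 0:
        raise ValueError("unknown radiotap version")
    dot11 = pkt[rt_len:]
    fc = dot11[0]                                     # Frame Control: ver(2) type(2) subtype(4)
    kind = FRAME_NAMES.get(((fc >> 2) & 0x3, (fc >> 4) & 0xF), "other")
    body = dot11[24:]                                 # after the 24-byte management MAC header
    if kind == "Beacon" and body[12] == 0:            # timestamp(8)+interval(2)+capability(2)
        kind += " ssid=" + body[14:14 + body[13]].decode("ascii", "replace")
    return kind

def classify_ethernet(pkt):
    """Ethernet -> IPv4 -> TCP/UDP: (src_ip, dst_ip, proto, sport, dport), or None if not IPv4."""
    if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        return None
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
    src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
    if proto in (6, 17):                              # TCP and UDP both begin with sport, dport
        return (src, dst, proto) + struct.unpack_from("!HH", pkt, 14 + ihl)
    return (src, dst, proto, None, None)

def summarize(pcap_bytes):
    """One line per frame, roughly what Wireshark's packet list would show for this link type."""
    out = []
    for linktype, pkt in iter_pcap(pcap_bytes):
        if linktype == DLT_IEEE802_11_RADIO:
            out.append(classify_80211(pkt))
        elif linktype == DLT_EN10MB:
            src, dst, proto, sport, dport = classify_ethernet(pkt) or ("?", "?", 0, None, None)
            out.append(f"IPv4 proto={proto} {src}:{sport} -> {dst}:{dport}")
        else:
            out.append(f"unsupported DLT {linktype}")
    return out

def hosts_using_port(pcap_bytes, port):
    """Source IPs seen on either end of `port` (the 'who is using port 59666' question).
    Only frames that reached the capture point count: see the switch / mirror-port caveat."""
    hits = set()
    for linktype, pkt in iter_pcap(pcap_bytes):
        info = classify_ethernet(pkt) if linktype == DLT_EN10MB else None
        if info and port in info[3:]:
            hits.add(info[0])
    return sorted(hits)

# ---- constructed sample captures (made up for this example, not real traffic) ----
RADIOTAP = struct.pack("<BBHI", 0, 0, 8, 0)           # minimal radiotap: length 8, no fields
BCAST, AP, STA = b"\xff" * 6, b"\x02\x11\x22\x33\x44\x55", b"\x02\xaa\xbb\xcc\xdd\xee"

def mgmt(subtype, a1, a2, a3, body=b""):
    """802.11 management frame (type 0) with zero duration and sequence control."""
    return RADIOTAP + bytes([subtype << 4, 0]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

BEACON_BODY = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + b"\x00\x06MyWiFi"
MONITOR_PCAP = build_pcap(DLT_IEEE802_11_RADIO, [
    mgmt(8, BCAST, AP, AP, BEACON_BODY),                  # Beacon broadcast by the AP
    mgmt(11, AP, STA, AP, b"\x00\x00\x01\x00\x00\x00"),   # Authentication request from STA
    RADIOTAP + bytes([0xD4, 0]) + b"\x00\x00" + STA,      # ACK (type 1, subtype 13), RA only
])

def ipv4_tcp(src, dst, sport, dport):
    """Ethernet/IPv4/TCP SYN with zero checksums; enough for the parser above."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return STA + AP + b"\x08\x00" + ip + tcp

MANAGED_PCAP = build_pcap(DLT_EN10MB, [
    ipv4_tcp((10, 0, 0, 30), (192, 0, 2, 10), 49152, 80),          # ordinary web request
    ipv4_tcp((10, 0, 0, 42), (198, 51, 100, 7), 51000, 59666),     # local host talking to a peer
    ipv4_tcp((203, 0, 113, 9), (10, 0, 0, 42), 59666, 51000),      # a peer answering from 59666
])

if __name__ == "__main__":
    print("\n".join(summarize(MONITOR_PCAP) + summarize(MANAGED_PCAP)))
    print("hosts seen on port 59666:", hosts_using_port(MANAGED_PCAP, 59666))
```

summarize(MONITOR_PCAP) yields "Beacon ssid=MyWiFi", "Authentication" and "ACK", the frame kinds the question says only show up without associating; those frames never appear in a DLT_EN10MB capture because the driver has already stripped the 802.11 header before libpcap sees the packet. hosts_using_port(MANAGED_PCAP, 59666) lists 10.0.0.42 and 203.0.113.9, but only because those frames reached the capture point; on a switched segment without a mirror port they would not be there to parse.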

Wireshark and wifi monitor mode failing

I want to sniff wifi packets with Wireshark, but monitor mode seems to fail. I'm using BackTrack 5 and an Alfa AWUS036H wifi USB card, and I try to sniff my own box without encryption.
Here is what i'm doing to activate monitor mode :
root@root:~# airmon-ng start wlan0
which seems to be working:
root@root:~# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Tx-Power=20 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
However, when I start capturing on mon0 in Wireshark I'm only getting broadcast packets.
In capture options the "capture packets in monitor mode" option is grayed out.
I do not understand what's going on. Any ideas?
What channel number is your mon0 interface set to?
