How to extract network traffic information using tshark? - wireshark

I need to analyze the wireless traffic occurring in Ch 1 of 802.11g. I have captured all the traffic logs using NETMON as test.cap file.
Q: How can I extract the information using tshark into a suitable format so that it can be used for further post-processing?

I have captured all the activity in Ch11, but in Wireshark it only shows 802.11 as the protocol.
That usually means "the traffic is encrypted and Wireshark doesn't have enough information to decrypt it"; it does represent activity.
So if you're capturing on channel 11, an I/O graph in Wireshark, rather than anything extracted using TShark and further processed, should suffice to show the level of activity on that channel. You'd only have to dissect it if you want to see what type of traffic, at a higher level, that activity is, but it sounds as if you just care about activity, no matter what the packets are.
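If the capture does need to be post-processed rather than graphed, tshark's field export is the usual route. The script below is an added example (not from the question or answer above): it aggregates tshark `-T fields` output into per-second frame and byte totals split by 802.11 frame type; the tshark command and field names in the docstring are real, the sample rows are constructed.

```python
"""Turn tshark field output into per-second 802.11 activity totals.

Assumed input layout, produced by (test.cap is the file from the question):
  tshark -r test.cap -T fields -E separator=, \
      -e frame.time_epoch -e frame.len -e wlan.fc.type > activity.csv
wlan.fc.type is 0 = management, 1 = control, 2 = data.
"""
import csv
import io
from collections import defaultdict

TYPE_NAMES = {"0": "mgmt", "1": "ctrl", "2": "data"}

# Constructed sample rows in that layout (not from a real capture); the last
# row has an empty frame.len to show how a missing field is handled.
SAMPLE = """\
1700000000.101,90,0
1700000000.355,1514,2
1700000000.812,14,1
1700000001.020,1514,2
1700000001.500,1514,2
1700000002.001,90,0
1700000002.400,,2
"""

def aggregate_activity(text):
    """Return {second: {"frames", "bytes", "mgmt", "ctrl", "data", "other"}}."""
    buckets = defaultdict(lambda: {"frames": 0, "bytes": 0, "mgmt": 0,
                                   "ctrl": 0, "data": 0, "other": 0})
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3 or not row[0]:
            continue                      # malformed or truncated line: skip it
        bucket = buckets[int(float(row[0]))]
        bucket["frames"] += 1
        bucket["bytes"] += int(row[1]) if row[1] else 0   # empty field -> 0
        bucket[TYPE_NAMES.get(row[2], "other")] += 1      # non-802.11 -> other
    return dict(buckets)

def busiest_second(activity, key="bytes"):
    """Return (second, value) with the largest total for the chosen key."""
    return max(((sec, b[key]) for sec, b in activity.items()), key=lambda x: x[1])

if __name__ == "__main__":
    act = aggregate_activity(SAMPLE)
    for sec in sorted(act):
        print(sec, act[sec])
    print("busiest second by bytes:", busiest_second(act))
```

Encrypted data frames still count here, since frame.len and wlan.fc.type are read from the unencrypted header.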

Related

Video transmission over wifi using UDP/packet injection

Hey Stackoverflow community :)
I'm looking into making a camera stream video from an RC device to a computer using wifi.
After considering all of the options I had, I'm left with two:
use UDP to transfer video in packets
use packet injection and packet sniffing on the receiving device.
I was wondering what are the pros and cons of each method (for that specific purpose of video transmission)?
After looking around I found many implementations for both ways, but nowhere have they specified why one is better than the other.
A few things that I have not mentioned:
I know UDP does not have error correction, which can make the video weird; I don't care about the quality of the video as long as it will be recognizable.
I don't want to use a connection-based protocol (TCP, etc.); I don't want to wait for a handshake when I get disconnected.
thanks :)
I'm trying to do a similar thing. My take on this is basically when you use the wifi cards in monitor mode (i.e. using packet sniffing/injection) you don't actually need to be connected to that network. Typically, you still need to be connected to an Access point as a client then you can communicate using UDP through that connection. But, in this case, the UDP messages are routed to the Wifi cards and the packets are injected out without being associated with any client. Then, any 'client' just has to sniff or listen on that same channel to get the transmission. So the benefit is not only does UDP not check for lost frames/etc, but also in this case you don't need to be connected to the network to get the packets.
In my case, this is preferable, since basically you will need to connect to the AP in the former case and that would require more capable hardware on the receiver side typically (more range is needed for the association part since you need to send messages back over TCP essentially to get it connected).
FYI, here are the links/repos I am using; they are also a reference for what I am talking about:
https://docs.px4.io/master/en/tutorials/video_streaming_wifi_broadcast.html
https://github.com/svpcom/wifibroadcast
I am using an off-the-shelf 'solution' in the short term, the Accsoon Cineye Air, which basically transmits HDMI 300ft line of sight over WiFi. You need an Android phone to receive it, and basically I'm using the Vysor application (paid version is $40) to mirror the screen to my desktop. It works, but the latency is still more than I want: 60ms at least from the Cineye, so you can drive it around but it's not as quick as DJI (which is around 30-40ms), which is my goal.

How to read ports and IP addresses out of a PCAP file using the WinPcap API?

I am currently trying to read some PCAP files using WinPCAP-API.
With this example I managed to read the data, timestamp and length. But I do not get how to read the source and destination IP addresses and ports?
But I do not get how to read the source and destination IP-adresses and ports?
By dissecting the raw packet data that WinPcap gives you; libpcap/WinPcap provide no APIs for dissecting raw packet data (because different libpcap/WinPcap applications have different needs - an intrusion detection application such as Snort and a packet analyzer such as tcpdump or Wireshark do different things with the data).
See, for example, libtins as a C++ library for doing packet dissection, or the libpcap tutorial for an example of how to do the dissecting yourself.
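As an added illustration of "doing the dissecting yourself" (this is not WinPcap, libtins or tutorial code): a minimal reader for the classic pcap format followed by an Ethernet/IPv4/TCP/UDP dissector that returns the addresses and ports the question asks for. It assumes an Ethernet link type (DLT 1) and builds its own one-packet sample file, so it runs without a real capture.

```python
"""Read a classic pcap file and pull src/dst IPv4 address and port out of each
TCP/UDP packet. libpcap/WinPcap return raw bytes only; the dissection here is
hand-written and assumes Ethernet link type 1.
"""
import socket
import struct

def parse_pcap(data):
    """Yield (timestamp_seconds, packet_bytes) from classic pcap bytes."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) handled here")
    off = 24
    while off + 16 <= len(data):                      # per-record header
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def dissect(pkt):
    """Return (src, sport, dst, dport, proto) for IPv4 TCP/UDP, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":    # EtherType must be IPv4
        return None
    ihl = (pkt[14] & 0x0F) * 4                        # IPv4 header length
    frag = struct.unpack("!H", pkt[20:22])[0] & 0x1FFF  # fragment offset
    proto = pkt[23]
    if ihl < 20 or frag or proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
        return None                     # non-first fragments carry no ports
    src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
    sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
    return src, sport, dst, dport, "tcp" if proto == 6 else "udp"

def extract_flows(data):
    """(timestamp, src, sport, dst, dport, proto) for every IPv4 TCP/UDP packet."""
    return [(ts,) + f for ts, pkt in parse_pcap(data) if (f := dissect(pkt))]

def build_sample_pcap():
    """Constructed one-packet pcap (not a real capture): 10.0.0.1:51234 -> 10.0.0.2:443 TCP."""
    eth = b"\x00" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 0x50, 0x18, 8192, 0, 0)
    pkt = eth + ip + tcp
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 1700000000, 250000, len(pkt), len(pkt))
    return hdr + rec + pkt
```

Read a real file with `extract_flows(open("file.pcap", "rb").read())`; pcapng files have a different magic and are rejected by the check.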

Debug Packet Loss In TCP Communication in iOS/iPad Application

I have an iOS application that remotely connects to 3 sockets (of some hardware). Each socket has its own priority. One channel is only used for transferring messages between the iPad app & hardware, one for Tx/Rx images, another one for Tx/Rx videos. I had implemented all three sockets using the GCDAsyncSocket API & things worked fine while using MSGSocket/ImageSocket or MSGSocket/VideoSocket, but when I start using the VideoSocket/ImageSocket/MSGSocket simultaneously, this is where things go a little haywire. I lose packets of data (actually a chunk of the file goes missing :-( ). I went through the API & found some bug in the API: Unable to complete Read Stream, which I assumed could be a cause of the problem. Hence, I switched to threads & implemented the same using the NSThreads/CFSocket API.
I changed only the implementation for ImageSocket/VideoSocket code using NSThreads/CFSocket API & here is the implementation of the same dropbox-ed. I'm just unable to understand as to where the things are going wrong whether it is at iOS App end or at the Server side. In my understanding there shall be no loss of packets in TCP Communication.
Is there a way to debug this issue? Also I request you to go through the code & let me know if anything is wrong (I know this can be too much that I'm asking for, but I need some assurance that the code implementation is correct). Any help to resolve this issue will be highly appreciated.
EDIT 1: After JoeMcMahon's comment, I referred to this Technical Q&A & got a TCP dump - trace.pcap file. I opened this tcp dump with Wireshark & it does show me the bytes transferred between the ports of the hardware & iPad.
Also in the terminal when I stopped the tcp dump capture I saw these messages:
12463 packets captured
36469 packets received by filter
0 packets dropped by kernel
Can someone point out the difference between packets captured & packets received by filter?
Note - The TCP dump attached is not for a failed scenario.
EDIT 1.1: Found the answer to difference between packets captured & packets received by filter here
TCP communication is not guaranteed to be reliable. The basic ack-syn paradigm can break; that is why you have re-transmission mechanisms etc. Wireshark reports such problems in your packet capture session.
For using wireshark/tcpdump, you generally want to provide a filter, since the amount of traffic going through the wire is overwhelming (ping, NTP, etc.); you want to filter the capture using some basic filter to see the packets that are relevant to you. The packets that are filtered out are not captured, hence the numerical difference.
If a chunk of a file went missing, I doubt the issue is at the TCP level. Most likely something at a higher level went wrong. I would run a fixed-size file repeatedly through the channel till I can reliably reproduce the loss.

Parsing packets captured using wireshark for management frames identification using libpcap or similar library

I want to parse packets captured by Wireshark offline using libpcap. I am capturing packets from a wireless network in monitor mode. I have read that "libpcap" can be used to capture and parse packets captured on Ethernet. Can it be used for wireless networks too? If yes, can anyone suggest a tutorial? And if not, which library is suitable for it and how do I use it?
libpcap, and its Windows port, WinPcap can be used to capture network traffic (in fact, they're what Wireshark uses to capture network traffic), as well as to read a capture file in pcap format (the default format for Wireshark's existing releases) and, in libpcap 1.1 and later, to read some capture files in pcap-ng format (the default format for the current development version of Wireshark; it should write out files that libpcap 1.1 and later can read).
They can handle a number of network types, including Ethernet and Wi-Fi.
They do not, however, support parsing any packet types; that's the job of the code that uses them, whether it's tcpdump/WinDump, Wireshark, or some other application. There's a library called WiFiPcap that is:
A C++ wrapper around libpcap that parses 802.11 frames, and the most common layer 3 (IPv4, IPv6, ARP) and layer 4 protocols (TCP, UDP, ICMP) contained within them. Also works without link-layer headers. Works in Linux and Windows.
(copied from its web page, but edited to fix the protocol layer numbers to match the OSI model).
I have not looked at it, but it might do what you want.
There might also be other libraries that could be used to parse the packets.
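To show the parsing step that libpcap leaves to the application, here is an added example (not WiFiPcap or libpcap code) that takes raw monitor-mode frames as libpcap would return them for the radiotap link type, skips the radiotap header, reads the 802.11 frame control field and picks out management frames with their subtype and BSSID. The sample frames are constructed, and the 8-byte radiotap header used in them is the minimal one with no fields present.

```python
"""Classify raw 802.11 frames (radiotap link type, DLT 127, as from a
monitor-mode capture) and pick out management frames."""
import struct

MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
                 4: "probe-req", 5: "probe-resp", 8: "beacon", 10: "disassoc",
                 11: "auth", 12: "deauth", 13: "action"}
TYPES = {0: "mgmt", 1: "ctrl", 2: "data"}

def mac(b):
    return ":".join("%02x" % x for x in b)

def classify(frame):
    """Describe the 802.11 frame behind a radiotap header; None if unusable."""
    if len(frame) < 8 or frame[0] != 0:          # radiotap version must be 0
        return None
    rt_len = struct.unpack("<H", frame[2:4])[0]  # radiotap length, little-endian
    dot11 = frame[rt_len:]
    if len(dot11) < 2:                           # need at least frame control
        return None
    fc0 = dot11[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {"type": TYPES.get(ftype, "reserved"), "subtype": subtype}
    if ftype == 1 or len(dot11) < 24:            # control frames: short header
        return info
    info.update(addr1=mac(dot11[4:10]), addr2=mac(dot11[10:16]), addr3=mac(dot11[16:22]))
    if ftype == 0:                               # management: addr3 is the BSSID
        info["name"] = MGMT_SUBTYPES.get(subtype, "mgmt-%d" % subtype)
        info["bssid"] = info["addr3"]
    return info                                  # data frames: BSSID depends on To/FromDS

def management_frames(frames):
    """Reduce raw frames to (subtype name, BSSID) of the management frames only."""
    out = []
    for f in frames:
        info = classify(f)
        if info and info["type"] == "mgmt":
            out.append((info["name"], info["bssid"]))
    return out

# Constructed sample frames (not a real capture): minimal 8-byte radiotap header,
# then frame control, duration, addresses and sequence control.
RT = struct.pack("<BBHI", 0, 0, 8, 0)
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
def frame(fc0, a1, a2, a3):
    return RT + bytes([fc0, 0]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"
SAMPLE = [frame(0x80, BCAST, AP, AP),   # beacon from AP
          frame(0x08, AP, STA, AP),     # data frame STA -> AP
          frame(0xC0, STA, AP, AP),     # deauth from AP to STA
          RT + b"\xd4\x00\x00\x00" + AP]  # ACK, 10-byte control header
```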

Detect unreachable ports for UDP in Erlang

I am looking for a way to detect "port unreachable" errors for outgoing UDP packets in Erlang, so I can eagerly report transport layer errors to the application. I.e., I want to capture ICMP type 3 packets to report to the higher layers that packets have not reached the destination.
Currently I know about two approaches:
Use the undocumented gen_udp:connect/3. However, it seems like this requires opening a new socket for every new destination address:port pair. The advantage is that this does not require any privileges.
Use gen_icmp which requires either setuid helper or capabilities to open raw sockets.
Are there any other variants I am missing?
procket might be what you're looking for, but I've never used it myself. It's a binding to the low-level socket API, therefore it allows you to use all the protocols the underlying API supports. I'm just quoting its README, so please take it with a pinch of salt.
