wireshark


Decrypting Firefox Traffic Using Wireshark in Ubuntu GNU/Linux

Wireshark is a powerful network protocol analyzer that lets you capture and analyze real-time network traffic. By default, Wireshark does not decrypt encrypted traffic, such as HTTPS, as it is designed to maintain security and privacy. However, there are cases where decrypting network traffic can be helpful in debugging or analyzing security issues. This blog post will guide you through the steps to decrypt Firefox traffic using Wireshark in Ubuntu GNU/Linux.

Step 1: Download and Extract Firefox:

Since Ubuntu uses the snap package manager to install Firefox, which does not provide access to the file system by default, we need to download Firefox from the official website as a tar.gz archive. Open your browser and navigate to the Mozilla Firefox website (https://www.mozilla.org/en-US/firefox/new/) to download the tar.gz package suitable for your Ubuntu version.

Once the download is complete, navigate to the downloaded location and extract the tar.gz file using the following command:

tar -xvf firefox-<version>.tar.gz;

Step 2: Set up the SSLKEYLOGFILE Environment Variable:

To enable Wireshark to decrypt the SSL/TLS traffic from Firefox, we need to set up the SSLKEYLOGFILE environment variable. This variable will point to a log file where Firefox will write the session keys used for encryption. Execute the following command in the terminal:

export SSLKEYLOGFILE="/home/$USER/.ssl-key.log";

This command sets the SSLKEYLOGFILE environment variable to the specified file path, which is /home/$USER/.ssl-key.log. Feel free to change the file path and name to your preference.

Step 3: Launch Wireshark and Configure Preferences:

Open the terminal and start Wireshark by entering the following command:

wireshark;

Once Wireshark runs, go to “Edit” in the menu bar and select “Preferences” from the dropdown menu. This will open the Wireshark Preferences window.

Step 4: Configure TLS Protocol Preferences:

In the Preferences window, locate and select “Protocols” on the left-hand side. Scroll down the protocols list and find “TLS”. Click on it to expand the options.

Within the TLS section, you will find a field labeled “(Pre)-Master-Secret log filename”. Click on the folder icon next to the field and browse to select the file path for the SSLKEYLOGFILE we set earlier.

After selecting the file path, click the “OK” button to save the changes and close the Preferences window.

Step 5: Capture and Decrypt Firefox Traffic:

With the configuration set up, you can now start capturing and decrypting Firefox traffic. Keep the Wireshark application running and launch the Firefox browser you downloaded and extracted earlier.

Wireshark will capture the network traffic as you browse the web using Firefox. You should be able to see the decrypted traffic in the Wireshark capture window.

Conclusion:

Decrypting network traffic using Wireshark can be valuable for analyzing and troubleshooting network-related issues. This blog post covered the steps to decrypt Firefox traffic using Wireshark in Ubuntu GNU/Linux. By downloading Firefox directly from the website, setting up the SSLKEYLOGFILE environment variable, and configuring Wireshark preferences, you can capture and analyze unencrypted network traffic within Wireshark. Remember to use this technique responsibly and respect the privacy of others while conducting network analysis.


Building wireshark-2.4.2 on CentOS 7 (64bit)

Recently we were trying to compile WireShark from source on a CentOS 7 (64bit) with GTK3 disabled (./configure --disable-gtk3;).

As seen in the truncated logs below we got some errors.
To resolve them we had to install a few packages using yum.
Specifically, our solution involved the installation of the following:


sudo yum install libgcrypt-devel qt5-qttools-devel libpcap-devel -y;

Truncated logs:

...
checking for libgcrypt-config... no
checking for LIBGCRYPT - version >= 1.4.2... no
configure: error: libgcrypt not found; install libgcrypt-devel package for your system
libgcrypt-devel.i686 libgcrypt-devel.x86_64 
[george@CentOS wireshark-2.4.2]$ sudo yum install libgcrypt-devel -y

checking for lrelease-qt5... no
checking for lrelease... no
configure: error: I couldn't find lrelease-qt5 or lrelease; make sure it's installed and in your path
[george@CentOS wireshark-2.4.2]$ sudo yum install qt5-qttools-devel

checking whether to use libpcap for packet capture... yes
checking for pcap-config... no
checking for extraneous pcap header directories... not found
checking pcap.h usability... no
checking pcap.h presence... no
checking for pcap.h... no
configure: error: Header file pcap.h not found; if you installed libpcap
from source, did you also do "make install-incl", and if you installed a
binary package of libpcap, is there also a developer's package of libpcap,
and did you also install that package?
[george@CentOS wireshark-2.4.2]$ sudo yum install libpcap-devel

[george@CentOS wireshark-2.4.2]$ ./configure --disable-gtk3

 


How to process tcpdump live data stream from a remote machine on a local WireShark 1

Recently we needed to process the results of a tcpdump command using the GUI version of WireShark on machine that did not have a window manager installed. That device was an embedded device, for which it did not make sense to even consider installing a window manager on it. So, in order to process the results of the tcpdump command we decided to use another machine that had a full working window manager installed and was able to operate the GUI version of WireShark.

For our solution to work some requirements were expected to be met by the embedded device (a.k.a. remote machine).

  1. tcpdump was installed on the remote machine
  2. ssh server was installed on the remote machine and allowed us to connect to it remotely
  3. there was a user that had remote ssh rights on the remote machine that also had the rights to execute tcpdump on the needed interfaces

Synopsis of our solution:

Just execute the following on the machine with the GUI (a.k.a. local machine)


mkfifo /tmp/board;
wireshark -k -i /tmp/board &
ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;

Explanation of our solution:

Following are the steps that we performed on the local machine to pipe the results of tcpdump on the remote machine on the wireshark on the local machine.

  1. First we created a named pipe as follows:
    mkfifo /tmp/board;
    You can name your pipe anyway you like and place it in any folder you wish. We used /tmp as our pipe is a temporary construct that we do not care to preserve across time/restarts.
  2. Then we started wireshark from a terminal so that we could pass as capture interface the named pipe we just created using the -i /tmp/board parameter. The -k parameter instructs wireshark to start the capture session immediately.
    wireshark -k -i /tmp/board &
    Since this operation was going to execute for a long time, we sent it to the background to release the terminal for further use by placing the & symbol at the end of the command.
  3. Finally, we started tcpdump over ssh on a board and redirected its output to our named pipe.
    ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;
    The parameters we used on tcpdump have the following effects:
    -s 0 instructs tcpdump to set the snapshot length of data from each packet to the default value of 262144 bytes.
    -U Since the -w option is not specified, make the printed packet output packet-buffered. Which means that it will print the description of the contents of each packet without waiting for the output buffer to get full.
    -n Does not convert host addresses to names. This can be used to avoid DNS lookups.
    -w - Write the raw packets to Standard Output rather than parsing them.
    -i lo Defines which interface to listen on. We wanted the loopback interface to listen to everything.
    not port 22 Since we used ssh to start this command, we do not want to listen to the data that we produce as well and flood the inputs.

 


Ubuntu: Headless wireshark (or wireshark from terminal)

Recently, we wanted to use wireshark on an Ubuntu through ssh and no X-Server forwarding enabled.
After a quick search we found tshark.

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark‘s native capture file format is pcap format, which is also the format used by tcpdump and various other tools.
Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet.
TShark is able to detect, read and write the same capture files that are supported by Wireshark.

From: man tshark

Install tshark on Ubuntu


sudo apt-get install tshark -y;

Using tshark to capture all traffic on eth0 to a pcap file


sudo tshark -i eth0 -w something.pcap;

Note: If you just want to capture network traffic on a network interface and not use the additional features wireshark has to offer, you can also use tcpdumpas follows


#The following command will create a files that has in its name the current date and time using the date function.
sudo tcpdump -i eth0 -w "data.`date +%Y-%m-%d\ %H.%M`.pcap";