Monday, February 13, 2017

tcpdump in userspace

Many times we'll have inexplicable collisions -- e.g. 2000ms pings -- on our home LAN. Is someone squatting on our LAN? Is it a configuration problem?

1. squatting

If I'm not at the LAN's router terminal to view the DHCP table...

# nmap -sn --max-rate 100 192.168.1.0/24

Slow down the rate to 100 packets per second to catch cell phones, which otherwise may not have time to respond. The generic 192.168.1.0/24 net will obviously vary depending on setup.

2. weird collisions

If possible, switch the Wi-Fi away from channel 1, of course. And if our client is at the outer range of the router, we'd expect more interference and might have to move things around.

If these are not the causes, we'd want to capture some traffic and review it for suspicious activity. This is not typically trivial. To access traffic, we need to install tcpdump and reconfigure it for user-level execution, so that its files (.PCAP) are easy to manage. Next, we attempt to constrain tcpdump's enormous PCAP captures to a manageable size and format. Finally, we could evaluate the PCAP network data. Let's do the last two first, since many readers already have tcpdump configured.

A. use and constrain PCAP

As usual, StackOverflow closes the most relevant questions as irrelevant, lol. But you can scroll down to bro to see how it's done with bro. Wireshark, Zeek, and some others are additional options.

Try to pre-simplify by limiting tcpdump. Obviously, tcpdump unhelpfully only outputs to the screen, so a person has to tee its output to a file; let's start there...

The command gets long, but we can get a good PCAP.

time limit

Tcpdump doesn't have an inherent duration flag. Users typically must press CTRL-C, which can corrupt the output file -- the program was natively designed to write to STDOUT on the screen. However, the "-c" flag tells it how many packets to capture before quitting.

$ tcpdump [other filters] -c <count> -w filename.$(date +%Y-%m-%d.%Z.%H.%M.%S).pcap

B. evaluate PCAP

Problematic areas include
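A minimal first pass over a finished capture, as an added example that is not from the original post: a small Python reader for the classic pcap format tcpdump writes by default (pcapng is not handled), which counts packets per source IP and per IP protocol, then lists source addresses that are not on a list of hosts we expect on the LAN. The sample capture is constructed inline; the host list and the 192.168.1.x addresses are assumptions for illustration.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # second value is the BE magic read as LE

def _frame(src, dst, proto):
    """Constructed Ethernet+IPv4 frame with an 8-byte dummy payload (not real traffic)."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + b"\x00" * 8

def _pcap(frames):
    """Wrap frames in a little-endian classic pcap global header plus per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1486944000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample: two ICMP packets from .23 to the router, one UDP packet from .77.
SAMPLE_PCAP = _pcap([
    _frame("192.168.1.23", "192.168.1.1", 1),
    _frame("192.168.1.23", "192.168.1.1", 1),
    _frame("192.168.1.77", "8.8.8.8", 17),
])

def summarize_pcap(data):
    """Walk a classic pcap (Ethernet link type); count packets per source IP and per IP protocol."""
    magic, = struct.unpack("<I", data[:4])
    if magic not in (PCAP_MAGIC_LE, PCAP_MAGIC_BE):
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order = "<" if magic == PCAP_MAGIC_LE else ">"
    by_src, by_proto, offset = Counter(), Counter(), 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[offset:offset + 16])
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # EtherType 0x0800 = IPv4
            by_proto[pkt[23]] += 1  # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
            by_src[".".join(str(b) for b in pkt[26:30])] += 1
    return by_src, by_proto

def unexpected_sources(by_src, known_hosts):
    """Source IPs seen in the capture that are not among the hosts we expect on the LAN."""
    return sorted(set(by_src) - set(known_hosts))

if __name__ == "__main__":
    srcs, protos = summarize_pcap(SAMPLE_PCAP)
    print(srcs.most_common(), dict(protos), unexpected_sources(srcs, ["192.168.1.23"]))
```

For a real file, replace SAMPLE_PCAP with `open("filename.pcap", "rb").read()`; an address in the unexpected list is a candidate for the nmap sweep above.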

C. configure tcpdump for user

Users must root-up to operate tcpdump as installed:

$ tcpdump
tcpdump: wifi01: You don't have permission to capture on that device

Of course, to see the error messages more completely:

$ strace tcpdump 2>&1 | tee file.txt

after initial setup

Typically problems only occur after a restart and/or an update. The steps for initial setup follow this section and users can refer to those if anything needs to be reset. Otherwise...

  1. attempt a user-level simple usage.
    $ tcpdump
  2. if all goes well, use the more complex commands discussed in section A.

initial setup

Generally, know which tcpdump location executes, and add the user to any created groups. General instructions.

For location, run $ strace tcpdump and note whether it fails in /bin, /usr/bin, or /usr/sbin. For groups, verify inside /etc/group. Then...

  1. create pcap group and add the user
    # groupadd pcap
    # usermod -a -G pcap user
  2. give pcap group permissions to tcpdump and make it group executable (750). Let's suppose tcpdump executes from /usr/bin.
    # chgrp pcap /usr/bin/tcpdump
    # chmod 750 /usr/bin/tcpdump
  3. We modify executable (binary) file capabilities, in this case tcpdump, using setcap. The specified group (not just root) can then operate the wifi in promiscuous mode.
    # setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
  4. Verify the binary capabilities were updated
    $ getcap /usr/bin/tcpdump
    /usr/bin/tcpdump cap_net_admin,cap_net_raw=eip

problems

There can be other permission problems. The initial problem is user permission to the wifi device. That is handled above. A secondary problem is user access to run tcpdump. This gives the following failure.

$ tcpdump
bash: /usr/bin/tcpdump: Permission denied

One site adds the following lines to ensure tcpdump is receiving root-level access for the user. Suppose we verify by strace that our execution of tcpdump is from /usr/bin/tcpdump. His version would be...

# groupadd tcpdump
# usermod -a -G tcpdump user
# chown root:tcpdump /usr/bin/tcpdump
# chmod 0750 /usr/bin/tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump

last resort

If everything is set, getcap is returning everything proper, and the error still appears, we can change the execution from group level only (750) and add it to all users also (755). I consider this a last resort because, at that point, there is essentially zero security on the wifi card. However, a person could run 755 when they want to run wireshark or some such and