Network traffic sniffing: tcpdump on Linux + Wireshark on Windows
From the Windows box using the CLI console (cmd):
ssh USER@HOST "tcpdump -s 0 -U -n -w - -i NETIF FILTER" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -
# USER - remote user of the linux box
# HOST - host address of the remote linux box
# NETIF - network interface to snif in the remote linux box
# FILTER - (optional) rules for filtering traffic to capture
Use case:
C:\Windows\System32\OpenSSH>ssh root@192.168.4.74 "tcpdump -s 0 -U -n -w - -i eno2 udp and not port 53" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -Let me present a rare use case of this useful trick. I use a QNAP NAS as a gateway in my home network, where I have 5 NICs. So it’s really useful to snif traffic remotly but I have no tcpdump packet in the system. What I did is use tcpdump as Docker container and finally the commands is like that.
# sniffing SIP traffic (port 5060) on interface eth0
# remote linux host (QNAP NAS) use SSH port 55222
# docker container is created and when work is done is removed
C:\Windows\System32\OpenSSH>ssh -p 55222 admin@10.2.0.1 "cd /share/Container/tcpdump && docker run --rm --net=host corfr/tcpdump -s 0 -U -n -w - -i eth0 not port 22 and port 5060" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -
Windows 10: Internal Virtual Switch with NAT
When you are playing with Windows Hyper-V and you want to create a completely virtual internal network with private virtual machines inside your Windows 10 machine virtual switch are mandatory.
Then it’s the time to connect that virtual switch with the host machine using a virtual network interface. All those steps can be done using Hyper-V manager user interface, but you cannot control 100% of parameters like enable, or not, the NAT of the virtual internal network.
Using PowerShell the steps are:
New-VMSwitch -SwitchName NATSwitch -SwitchType Internal
New-NetIPAddress -IPAddress 10.46.1.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NATSwitch)"
New-NetNAT -Name NATNetwork -InternalIPInterfaceAddressPrefix 10.46.1.0/24Of course, change “NATSwitch” for your switch name and “10.46.1.1” for the IP address of the host virtual network card. Finally “NATNetwork” is another arbitrary name for referring to the NAT rule, and “10.46.1.0/24” is the network address of the virtual internal host network.
Running the commands looks like:
For removing what you did:
Remove-VMSwitch -Name "NATSwitch"
Remove-NetIPAddress -InterfaceAlias "vEthernet (NATSwitch)"
Remove-NetNAT -Name NATNetworkIn Windows 10 IP forwarding is not enabled and packets between interfaces are not routed. According to the Microsoft forums, you can enable IP forwarding (routing) using the following steps:
Go to Start and search on cmd or command. Right click on either cmd or command then select Run as administrator. At the command prompt type regedit. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Tcpip\Parameters\IPEnableRouter setting, right click and select Modify. Change 0 to 1 and exit the editor.
When your back at the command prompt type services.msc and navigate to the Routing and Remote Access service. Right click and select Properties. Change to Automatic and click on Start to start the service.
I had to research a long time until I found all this information, but in my case leverage my proofs of concepts to another level.
rp_filter Linux kernel feature
It’s just an IP spoofing protection which is by default enabled on Linux kernels. When it’s value is ‘1’ means that all IP address which are not directly routable and received form a network interface they are directly discarded.
So, if you want to scan a range of IP address in your LAN which not belong to that interface address space when packets from IP addresses are received they are going to be discarded by the kernel. So, take that into account when you have those “unusual” requirements.
It can be enable/disabled by all interfaces or just one:
root@mini9:/proc/sys/net/ipv4# cat ./conf/all/rp_filter
1
root@mini9:/proc/sys/net/ipv4# cat ./conf/ztly5q4n37/rp_filter
1Zerotier peers monitored on Windows PowerShell
No words just a simple an powerful .ps1 script:
while (1) { Start-Process -NoNewWindow -FilePath 'C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe' -ArgumentList "-q","peers"; sleep 5; cls }Or just a command, even equally useful.
DRY DHCP Client: request and IP address to the DHCP server without a DHCP Client
When you want to discover LAN metadata without being part of that network. So, when you want to discover network address range, gateway, DNS IPs, DHCP server IPs, etc. this simple nmap parameter will help you so much.
# nmap --script broadcast-dhcp-discover
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-19 15:07 CEST
Pre-scan script results:
| broadcast-dhcp-discover:
| Response 1 of 1:
| IP Offered: 192.168.1.127
| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Renewal Time Value: 4d00h00m00s
| Rebinding Time Value: 7d00h00m00s
| IP Address Lease Time: 8d00h00m00s
| Server Identifier: 192.168.1.1
| Router: 192.168.1.1
|_ Domain Name Server: 8.8.8.8, 8.8.4.4
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.43 secondsAlive: shell script for alive monitoring using PING
Simple shell script based on bash which monitor a host with command line ping. Just bash and ping are the unique dependencies. Only state change are going to be printed:
#!/bin/bash
IP="THE_IP_TO_MONITOR"
STATE="offline"
show_state()
{
echo "$(date '+%Y-%m-%dT%H:%M:%S') - " + $STATE;
}
while true;
do
ping -c 4 $IP > /dev/null 2>&1
if [ "$?" = "0" ]; then
if [ "$STATE" = "offline" ];
then
STATE="online"
show_state
fi
else
if [ "$STATE" = "online" ];
then
STATE="offline"
show_state
fi
fi
sleep 10
done
