[ale] Monitor Internet Traffic

Michael B. Trausch mike at trausch.us
Wed Aug 12 14:42:02 EDT 2015


On Wed, 2015-08-12 at 11:31 -0700, Darrell Golliher wrote:
> Anybody have an easy to use way to listen in on a network connection
> that uses a line based text protocol?  In other words something that
> taps into a telnet connection, but on a custom port.  I’m looking
> for something to show me exactly what is transpiring between my
> networked Sharp TV and the Sharp remote control app.
> 
> I tried wireshark, though I’m completely unskilled in its use.  What
> it produces for me does not look like the text based traffic I’m
> looking for.
If you know the <ip:port> tuple you wish to monitor, just use tcpdump
(which you can use to save a file to later analyze in Wireshark).

Also, common mistake: Telnet and raw TCP stream are *NOT* the same.
Telnet specifies a network virtual terminal on top of the TCP socket,
and a Telnet link isn't wholly binary clean.  A raw TCP stream is just
that.  It just so happens that you can often use a telnet client to
connect to a raw TCP stream because the Telnet commands are often
ignored by ASCII/UTF-8 based layer 7 protocols.  If you want to use a
binary-safe method that doesn't inject any extra bytes into the stream,
use netcat, socat, or similar tools.

However, you should note that you may not find what you're looking
for... commands over sockets are typically encoded and/or encrypted.
Many first-screen/second-screen device pairings use HTTPS for the RPC
communications.  They often use text-based protocols for the RPC
itself, but that information is wrapped in an encrypted session.  In
order to analyze that successfully, you'll have to find a way to insert
a MITM between the remote and the TV.  Even for an expert that can be
difficult to impossible; you have to get both sides to trust your MITM
before you can successfully capture and analyze, because in some cases
the only way to MITM is to brute-force the ability to forge a CA
signature (infeasible) or modify the software on both ends to disregard
the trust checks (likely also infeasible).

No matter how you go about it, you've quite a bit of learning to do in
order to do network taps well, even if you're just looking for a
solution to a one-off problem.  Today's operating systems and
components are so chatty and much of the traffic is signed, encrypted,
or both, meaning you have to have high confidence in what you're
looking at before you start making sense of it.  I highly recommend
practicing with tcpdump before moving on to Wireshark.  You'll have a
much better understanding of the capabilities of Wireshark then, and be
able to use it better.

	— Mike
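As an added example (not part of Mike's reply, and nothing to do with the Sharp app's own protocol), here is a decoder that takes bytes captured from a port and separates Telnet NVT negotiation from the application's line-based payload; the IAC sequences it pulls out are exactly the "extra bytes" a telnet client injects that netcat or socat would not. The sample capture is constructed.

```python
# Added example (not from the original thread): split a captured byte stream
# into Telnet NVT commands (IAC sequences, RFC 854) and application payload.
# These commands are what make a Telnet link "not binary clean". Sample bytes
# below are constructed, not a real Sharp TV capture.

IAC, SE, SB = 255, 240, 250
_NEGOTIATE = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}

def split_telnet_stream(data: bytes) -> tuple[bytes, list[tuple[str, int]]]:
    """Return (application_payload, negotiation_commands).

    Handles IAC IAC (escaped 0xFF data byte), IAC WILL/WONT/DO/DONT <opt>,
    subnegotiation IAC SB <opt> ... IAC SE, and other two-byte commands.
    A sequence truncated at the end of the buffer is dropped.
    """
    payload = bytearray()
    commands: list[tuple[str, int]] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            payload.append(b)
            i += 1
            continue
        if i + 1 >= n:                  # lone IAC at end of buffer
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC: literal 0xFF in the data
            payload.append(IAC)
            i += 2
        elif cmd in _NEGOTIATE:         # IAC <verb> <option>
            if i + 2 >= n:
                break
            commands.append((_NEGOTIATE[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:                 # IAC SB <option> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            commands.append(("SB", data[i + 2] if i + 2 < end else -1))
            i = end + 2
        else:                           # two-byte command, e.g. NOP (241)
            commands.append(("CMD%d" % cmd, -1))
            i += 2
    return bytes(payload), commands

# Constructed capture: a telnet client negotiating TERMINAL-TYPE (24) and
# SUPPRESS-GO-AHEAD (3) around the application's line-based text.
SAMPLE = (b"\xff\xfb\x18\xff\xfd\x03\xff\xfa\x18\x00VT100\xff\xf0"
          b"HELLO world\r\n\xff\xffRAW")
```

If the decoder reports any commands for a capture, the client side was speaking Telnet rather than raw TCP, which is the distinction Mike draws above.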