The trafr tool to capture packets sent by the MikroTik sniffer doesn’t work. Tested with Ubuntu Linux 6.06.1, i386. It seems to me that trafr was compiled for Linux with kernel 2.2; that is history now, as most modern Linux distributions are based on kernel 2.6. Another problem is that trafr is a binary-only package (no source code), and it is DYNAMICALLY linked; that is really bad.
oem@scenic:~$ uname -a
Linux scenic 2.6.15-28-686 #1 SMP PREEMPT Thu May 10 09:56:30 UTC 2007 i686 GNU/Linux
oem@scenic:~$ ls -l trafr
-rwxr-xr-x 1 oem oem 4764 2004-03-17 11:35 trafr
oem@scenic:~$ file trafr
trafr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped
It doesn’t work; it captures just a few bytes and then finishes.
It would help to release the source code for the trafr package. It would help to release a description of the TZSP used for sending packets to the stream server. I found several notices from users running other OSes (Mac OS X, NetBSD, etc.) that trafr doesn’t work on their system. Releasing the source code can help them. Is there any rocket science in the trafr code that means the source code has to be kept secret? I don’t think so…
The manual could be updated with fresh information on this topic too; it is possible that trafr has been replaced with a better tool already.
I have found it fails (quits early) when capturing a wireless interface. It works fine for ethernet/vpn interface capturing though. Haven’t tried it for a couple of months. I too would like the source to be able to recompile it.
The TZSP protocol is quite simple. It’s only a basic header in front of the actual data.
I’ve been thinking of writing my own trafr implementation, since I need some extra features. I’ll release it as open source when I do.
I’m thinking of doing it as a perl script, but I need to find a smart way of doing it. I need to somehow open a UDP socket, pop some bytes off the beginning of the stream and then output it as pcap data…
I wrote a perl script like trafr.
It takes packets from a pcap file saved with tcpdump or tshark, strips the TZSP header off the packets and puts them into another pcap file.
There is no problem making it listen to traffic live on an interface, but I have no such task yet.
Yeah, I have a ruby script that does that as well, but I want to open a UDP socket and grab the stream there. I haven’t quite got the time to work on it until the weekend though. If you come up with anything faster than me, please give me a shout.
Did you have a look at netcat? Would that do the trick for you to listen on the desired UDP port? I am really interested in a solution that I can rebuild from source for a different architecture as well, but I am not a scripting guru or programmer at all.
Is there any progress with making this sniffer capturing solution work on other platforms? I really would like to use it on my mac but so far I don’t know how. Does anyone possibly know a way with nc (netcat)? It works well with tcpdump, but the sniffer tool on ROS is different from what I gathered and I can not make the stream work with wireshark if I have netcat listening to it. To clarify, I don’t capture traffic with wireshark; I like it in a file and then work with it in wireshark afterwards.
I haven’t finished my script. I had a proof of concept running though, that would just strip out the extra headers until the encapsulated traffic. However, wireshark handles TZSP fine, so what I normally do is use tcpdump to dump everything with a dst-port that equals the TZSP port (37008?) and save that to a file. I can then load it up in wireshark and it will show me the encapsulated data.
tcpdump -s0 -w captured-data.pcap -nieth0 port 37008
While the tcpdump or wireshark capture works, it makes certain analysis (like finding only UDP packets) almost impossible with filters. It would be immensely helpful if someone could point to an online reference of a tool that would strip the TZSP headers off the packets.
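As an added example (this is not trafr and not any poster’s script), here is a Ruby script that does what the post above asks for: it reads a tcpdump capture of the TZSP stream, strips the outer Ethernet/IPv4/UDP and TZSP headers, and writes only the encapsulated frames to a new pcap, so ordinary tcpdump/wireshark filters apply to the inner packets. It assumes a little-endian Ethernet pcap, the TZSP port 37008 mentioned above, TZSP version 1 with type 0 (received tag list) and encapsulation 1 (Ethernet); the sample capture at the end is constructed for illustration only.

```ruby
# Added example (not trafr, not any poster's script): strip TZSP from a tcpdump pcap.
# Assumes a little-endian Ethernet pcap, outer Ethernet/IPv4/UDP to port 37008, TZSP v1,
# type 0 (received tag list), encapsulation 1 (Ethernet), tag list ending with tag 0x01.
TZSP_PORT = 37008
# Encapsulated frame from one TZSP payload, or nil when the header is not what we expect.
def strip_tzsp(payload)
  return nil unless payload.bytesize > 4 && payload.unpack('CCn') == [1, 0, 1]  # v1, received, Ethernet
  pos = 4
  while pos < payload.bytesize
    tag = payload.getbyte(pos)
    pos += 1
    return payload.byteslice(pos..-1) if tag == 1 && pos < payload.bytesize  # end tag: frame follows
    next if tag == 0                                   # padding tag carries no length byte
    return nil if tag == 1 || pos >= payload.bytesize  # end tag with nothing behind it / truncated
    pos += 1 + payload.getbyte(pos)                    # skip length byte plus tag data
  end                                                  # falls through (nil) if no end tag was seen
end
# UDP payload of an outer Ethernet/IPv4/UDP frame addressed to TZSP_PORT, else nil.
def tzsp_udp_payload(frame)
  return nil if frame.bytesize < 42 || frame.byteslice(12, 2).unpack1('n') != 0x0800
  udp = 14 + (frame.getbyte(14) & 0x0f) * 4          # Ethernet header + IPv4 IHL
  return nil if frame.getbyte(23) != 17 || frame.bytesize < udp + 8
  dport, ulen = frame.byteslice(udp + 2, 4).unpack('nn')
  dport == TZSP_PORT ? frame.byteslice(udp + 8, ulen - 8) : nil
end
# Walk pcap records (24-byte file header, 16-byte record headers); collect [sec, usec, frame].
def extract_tzsp_frames(pcap)
  magic, linktype = pcap.unpack('Vx16V')
  raise 'expected little-endian Ethernet pcap' unless magic == 0xa1b2c3d4 && linktype == 1
  records, pos = [], 24
  while pos + 16 <= pcap.bytesize
    sec, usec, caplen = pcap.byteslice(pos, 12).unpack('V3')
    inner = (udp = tzsp_udp_payload(pcap.byteslice(pos + 16, caplen))) && strip_tzsp(udp)
    records << [sec, usec, inner] if inner
    pos += 16 + caplen
  end
  records
end
# New Ethernet pcap of the inner frames, so plain tcpdump/wireshark filters apply to them.
def build_pcap(records)
  records.each_with_object([0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack('VvvV4')) do |(s, u, f), out|
    out << [s, u, f.bytesize, f.bytesize].pack('V4') << f.b
  end
end
# Constructed sample: one TZSP datagram carrying `inner`, with one 1-byte tag (0x12) before the end tag.
def sample_capture(inner)
  tzsp = [1, 0, 1].pack('CCn') + [0x12, 1, 11, 1].pack('C4') + inner.b
  udp = [40000, TZSP_PORT, 8 + tzsp.bytesize, 0].pack('n4') + tzsp
  ip = [0x45, 0, 20 + udp.bytesize, 0, 0, 64, 17, 0, 192, 0, 2, 1, 192, 0, 2, 2].pack('CCnnnCCnC8') + udp
  build_pcap([[1_700_000_000, 0, ['0a0b0c0d0e0f112233445566'].pack('H*') + [0x0800].pack('n') + ip]])
end
```

To use it on a real file, call `File.binwrite(out, build_pcap(extract_tzsp_frames(File.binread(capture))))` with the file tcpdump wrote on port 37008.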
#!/usr/bin/env ruby
require 'rubygems'
require 'socket'

t = Time.now
time_now = t.strftime("%Y-%m-%d %H:%M:%S")
puts "beginning connection at #{time_now}"

begin # bind a UDP socket on port 5678, all interfaces
  s = UDPSocket.new
  s.bind('0.0.0.0', 5678)
rescue IOError, SystemCallError => udperror
  puts "Error: #{udperror}"
  exit 1
end

100.times do
  # read one datagram; recvfrom returns [data, [family, port, hostname, ip]]
  packet, sender = s.recvfrom(1024)
  puts " to -> #{sender[2]}"
  data = packet.unpack("L1 H8 H12 H8 Z* H6 Z*") # <- important
  next if data[1] != "00010006"
  mac = data[2]
  identity = data[4]
  version = data[6]
  puts "mac=#{mac} identity=#{identity} version=#{version}"
end

puts "closing connections..."
s.close if s
This part, “L1 H8 H12 H8 Z* H6 Z*”, is from a perl API scan that I found some time ago; I’m not a ruby programmer.