This method even worked for Wiresharking all PS3 traffic in real time for a GTA Online session, running the tcpdump on a little plastic old mipsel SoC OpenWrt router that was also doing all the routing (not a passive sniffing box), without noticeable effect on gameplay. (I was trying to detect cheaters.)
BTW, for anyone new to tcpdump, you can also specify selectors/filtering on the command line, to reduce the traffic. The filtering in Wireshark is on top of that.
online games are pretty low volume though, data is usually transmitted at a few Kbps per player. Just out of interest, how did you try to spot cheaters doing that?
Correct, not working for Rockstar. And I'm pretty sure R* stopped caring about cheaters ruining Online for last-gen console, shortly after that could push people to buy the game again, for current-gen. :)
Perhaps he was looking for an abnormal amount of traffic, attempting to resend the same message, and hoping the server will do it multiple times in the same frame. I would guess trying to find spots where the client is overly trusted.
Indeed, this method is cool. It allowed me to sniff the traffic between some poorly documented IoT device and a remote server (unencrypted, what else) via OpenWrt:
This seems useful. Are there other good recent tools for analyzing network traffic? For example something more high-level than Wireshark? A common use is to zero in on the flow you're interested in, and see which party is saying what. And maybe zoom back out and pick another flow. The flow choosing part could use better UI, maybe in the form of a more high level view.
My first port of call tends to be tcpdump, with various filters and greps to pick out what I want. Usually I'm looking at RTP streams [0], so I run it through some perl to decode [1]
For wider monitoring, at key points on the network I use ntop [2] to see what's
If I want a quick overview of a given machine I load up iftop [3], which isn't very thrilling on my desktop at the moment
All of these are trivial to install (except for the RTP perl script which I have as a custom apt-gettable package) and don't require non-standard interpreters and package managers.
Nethertheless I went to get this. I had to install 540MB of support files just to run "go get github.com/gcla/termshark/cmd/termshark". Still it compliles. Then I run it, and it shows bugger all, I suspect I need to find and install more libraries (tcell, gowid), which themselves require massive downloads.
It's simply not worth it, it's like going back in time 20 years.
How is that different from compiling other software with build dependencies? I mean, if you consider libc etc most applications have quite a large tree of build deps if you need to download _all_ libraries from scratch - it's just that in most cases you already have those deps.
Next time you need to build a golang project you most likely won't have to download all of those libs again, unless you remove them for some reason.
hi isostatic - sorry for the trouble :( I had hoped that compiling it would be quick and reliable. By default termshark will be installed in ~/go/bin/ - though it sounds like you have it compiled, it's just not running. Send me a message if you like and I'll see if I can get it working for you. There are also pre-compiled binaries at https://github.com/gcla/termshark/releases
As an old fart I expect to type "./configure; make", however it did seem to compile.
It runs, just doesn't look like it's reading anything from "sudo ./termshark -i eno1 icmp". Works fine when reading a pcap file, works fine when launching from a root session (rather than via sudo)
Riverbed Pilot[0] (or whatever it's called now) may be what you're looking for. It works incredibly well to help drill down the haystack, and then export that particular part to Wireshark. Do like.
There was some discussion about opening a new wireshark window at the current location so you could navigate like in a browser more or less. It didn't go anywhere https://seclists.org/wireshark/2015/Apr/97
I seem to remember a really old gtk1.x app that would show network flows as blobs representing local/remote hosts on the left and right of the screen, and ribbons connecting the blobs scaled to the amount of traffic per stream. Don't remember the name though.
I need to admit, I have a lot of respect for someone that can keep a project going for so long. I assume there are contributors, but it wouldn't surprise me if it's a one-person lead. People who also tend to have other side projects going. I have trouble maintaining a bunch of GitHub side repo's and keeping Ubuntu installations on a bunch of VPS's up to date.
I'm using Wireshark filters to automatically categorize traces (using tshark) and compile a HTML overview. “Wireshark://“ will open the corresponding PCAP then.
Having this integrated in some tool would be great.
Charles is an http proxy only - it does not capture any other protocols. Good for general app debugging, but did not fit the bill when I recently tried to dig into traffic coming out of my shady ip camera.
I recently used this method (wireshark/windows) [1] with the cam vendors app on an old iPhone to get more insight into what was going on (particularly outside the HTTP space).
Drat; this was my best idea for a portfolio Rust app!
The more we do of this kind of tool in a memory-safe language, the better.
For a while, it seemed like Wireshark dissectors were second only to 2D image format libraries, for memory exploits. I joked that one way to locate and compromise a network admin's workstation would be to create a simple network anomaly that would prompt them to fire up Wireshark. :)
While GP wanted to write it in rust, I think they just meant it's not as useful of a thing to write (in any language) now that this implementation exists.
I typically write my code as a library that can then be called by an interface (or other program) rather than as a monolithic unit. Also makes it easier to run on diferent devices.
I have some students who are really going to dig this. I teach an introductory networking course with students that have significantly less technical background than the typical CS networks course.
A lot of the students are already feeling stretched, as this is their first deep dive into the terminal. Though I do teach them how to run a remote capture through SSH, I can imagine them finding some relief in this.
Wireshark is very good and this definitely looks like a nice tool, that could be a good alternative to ngrep that I usually rely on on the command line.
Thanks to everyone for the kind words and encouragement. It's been very gratifying. Now I have a good number of suggestions, and a handful of bugs to fix!
It works very well on low volume captures.
wirelive.sh:
BTW, for anyone new to tcpdump, you can also specify selectors/filtering on the command line, to reduce the traffic. The filtering in Wireshark is on top of that.
It's one of best guarded secrets in gaming industry.
- On Linux, flush buffer at wrong places, breaking last (few) packet(s);
- On Windows, flush buffer after every byte (which gives acceptable result, but is very inefficient).
With "-w", always use "-U" instead.
[0] https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wi...
For wider monitoring, at key points on the network I use ntop [2] to see what's
If I want a quick overview of a given machine I load up iftop [3], which isn't very thrilling on my desktop at the moment
[0] https://i.imgur.com/O9ekuPt.png [1] https://i.imgur.com/x9l0UNd.png [2] https://i.imgur.com/gFXAxwa.png [3] https://i.imgur.com/vmpgR6i.png
All of these are trivial to install (except for the RTP perl script which I have as a custom apt-gettable package) and don't require non-standard interpreters and package managers.
Nethertheless I went to get this. I had to install 540MB of support files just to run "go get github.com/gcla/termshark/cmd/termshark". Still it compliles. Then I run it, and it shows bugger all, I suspect I need to find and install more libraries (tcell, gowid), which themselves require massive downloads.
It's simply not worth it, it's like going back in time 20 years.
Next time you need to build a golang project you most likely won't have to download all of those libs again, unless you remove them for some reason.
It runs, just doesn't look like it's reading anything from "sudo ./termshark -i eno1 icmp". Works fine when reading a pcap file, works fine when launching from a root session (rather than via sudo)
[0] https://www.riverbed.com/gb/products/steelcentral/steelcentr...
https://etherape.sourceforge.io
I remember using that as well many years ago. Fun times.
> EtherApe now is a pure GTK 3 application, with canvas supplied by GooCanvas.
It's still in active development! Will have some fun with it :).
Having this integrated in some tool would be great.
I recently used this method (wireshark/windows) [1] with the cam vendors app on an old iPhone to get more insight into what was going on (particularly outside the HTTP space).
[1]https://blog.jjhayes.net/wp/2019/02/28/capture-iphone-networ...
The more we do of this kind of tool in a memory-safe language, the better.
For a while, it seemed like Wireshark dissectors were second only to 2D image format libraries, for memory exploits. I joked that one way to locate and compromise a network admin's workstation would be to create a simple network anomaly that would prompt them to fire up Wireshark. :)
It's not retrofitting. If you make it work for the terminal it will always work from now on.
It comes outside the reaches from the graphical designers. Nothing with a graphical design survives more than 10 years.
I typically write my code as a library that can then be called by an interface (or other program) rather than as a monolithic unit. Also makes it easier to run on diferent devices.
A lot of the students are already feeling stretched, as this is their first deep dive into the terminal. Though I do teach them how to run a remote capture through SSH, I can imagine them finding some relief in this.
[0] https://github.com/gcla/termshark
This went immediately to my personal /bin/
But handles custom rules well :)
https://github.com/jpr5/ngrep