Feeding the Shark - Turning the Freakduino into a Realtime Wireless Protocol Analyzer with Wireshark
Written by Akiba
Wednesday, 29 December 2010
One of the most powerful tools to have when doing any type of design that involves communication protocols is a protocol analyzer. It allows you to see exactly what the communicating devices are seeing, which is very useful for troubleshooting many types of problems that might come up. This is especially important for wireless communications because it is often the only way to see what type of data is going over the air. It also allows the user to see if there are any rogue frames, check for breaches of the communication protocol, analyze traffic, or reverse engineer a proprietary protocol. And of course, it's extremely useful for learning how a protocol operates and behaves in real life.
Wireshark is probably one of the most well-known of all protocol analyzers. It's widely used in the IT world for analyzing network problems, bottlenecks, failed hardware, and a host of other things. It's also used in the security world for snooping, packet analysis, and reverse engineering. Over the past 2-3 years, Wireshark support for the IEEE 802.15.4 protocol has been growing and improving due to contributions from the wireless sensor network community and the increased interest in and usage of protocols that ride on top of 802.15.4 such as Zigbee and 6LoWPAN (IPv6 over 802.15.4). However, it has always been a challenge to get raw 802.15.4 data frames fed into Wireshark.
So anyways, there is an actual point to this post. I thought it would be interesting to convert the Freakduino boards into a wireless sniffer and feed the raw data into Wireshark. It also demonstrates how Arduino-based boards can be turned into powerful, low-cost tools for communications software development and security research.
One of the benefits of an open source protocol stack is that you can configure it however you want. In the case of chibi and chibiArduino, the main modification was to put the radio into promiscuous mode. In this mode, the radio is just a listener that accepts all packets and dumps them out to the serial port. The modifications to the stack were actually very minimal. The protocol stack relies on the hardware features of the Atmel radio to do a lot of the 802.15.4 protocol handling. To enable promiscuous mode, all the extended hardware features such as address filtering and auto-ACK were disabled. The associated Arduino sketch is minimal, almost shorter than the hello_world example, and just waits for received data and dumps it out the serial port. The Chibi promiscuous mode demo is also mainly a two line change from the original demo. Before proceeding, you'll want to get the Chibi stack (from v0.91) or chibiArduino stack (from v0.51) from the project pages.
Once you have access to the raw data, the next step is to figure out how to get it into Wireshark. There are three main ways to feed the shark: capture data via a network interface, open a static packet capture file, or pipe the data into the program. I chose the last option, which is probably the least common way to get data into Wireshark and deserves a bit more explanation.
I've also put together a little tutorial on how to use it with the Freakduino. I've made the firmware modifications in the chibi and chibiArduino stack so either one can be used to capture the raw data and output it via the serial port. You'll need to enable the promiscuous mode feature inside the stack. Don't forget to disable it after you're done :)
Also, I wrote both applications as console programs so that they can be used in a batch file. That way, you don't need to manually open both programs each time you want to capture data. The locations of the pipes are different on Windows and Linux. Windows puts its named pipes in the \\.\pipe\ location by default. I put the named pipe in the /tmp/ directory on Linux since it's universally writeable by applications. Notice that on Windows, backslashes are used but on Linux, forward slashes are used. You can change the locations and names of the pipes in the source code, too.
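To make the "pipe the data into Wireshark" path concrete, here is an added example of the host-side half of the setup described above. It is not the post's own console programs or any chibi/chibiArduino code. It reads frames that a promiscuous-mode sniffer emits on the serial port, wraps each one in a pcap record with the IEEE 802.15.4 link type, and writes the stream into a named pipe that Wireshark reads live. Two things are assumptions rather than facts from the post: the serial line format (one line of hex bytes per received frame, which you would adjust to match whatever the sketch actually prints), and that frames arrive with their 2-byte FCS, so link type 195 is used (230 is the no-FCS variant). The pipe creation shown is the POSIX mkfifo on /tmp; on Windows the \\.\pipe\ pipe must be created through the Win32 API, which is not shown here.

```python
"""
Feed raw IEEE 802.15.4 frames from a serial sniffer into Wireshark via a named pipe.

Added example, not part of the chibi/chibiArduino projects.
Assumptions (labelled, not from the original post):
  * the sniffer prints one received frame per line as space-separated hex bytes;
  * frames include the 2-byte FCS, hence link type 195 (DLT_IEEE802_15_4_WITHFCS);
    use 230 (DLT_IEEE802_15_4_NOFCS) if the radio strips it;
  * serial speed 57600 baud (match your sketch).
"""
import os
import struct
import sys
import time

PCAP_MAGIC = 0xA1B2C3D4
DLT_IEEE802_15_4_WITHFCS = 195   # assumed; 230 if frames carry no FCS
MAX_FRAME_LEN = 127              # largest legal 802.15.4 PSDU

# Pipe location differs by platform, as the post notes.
PIPE_PATH = r"\\.\pipe\wireshark" if os.name == "nt" else "/tmp/wireshark"


def pcap_global_header(linktype=DLT_IEEE802_15_4_WITHFCS, snaplen=MAX_FRAME_LEN):
    """Classic 24-byte pcap file header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts=None):
    """16-byte per-packet header (sec, usec, caplen, len) followed by the frame bytes."""
    if ts is None:
        ts = time.time()
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def parse_line(line):
    """Turn one hex line from the sniffer into frame bytes; None if it is not a frame."""
    try:
        frame = bytes.fromhex(line.strip().replace(" ", ""))
    except ValueError:
        return None            # boot banner, debug text, corrupted serial data
    if not 0 < len(frame) <= MAX_FRAME_LEN:
        return None            # nothing over 127 bytes can be a real 802.15.4 frame
    return frame


def pcap_stream(lines, ts=None):
    """Header plus one record per valid line: exactly the bytes written into the pipe."""
    out = bytearray(pcap_global_header())
    for line in lines:
        frame = parse_line(line)
        if frame is not None:
            out += pcap_record(frame, ts)
    return bytes(out)


def serial_lines(ser):
    """Yield decoded lines from a pyserial port until the process is stopped."""
    while True:
        raw = ser.readline()
        if raw:
            yield raw.decode("ascii", errors="replace")


def main(argv):
    """Usage: sniff2pipe.py /dev/ttyUSB0   or   sniff2pipe.py --demo
    Then, in another terminal:  wireshark -k -i /tmp/wireshark"""
    if len(argv) < 2:
        print(main.__doc__)
        return 1
    if argv[1] == "--demo":
        # Constructed sample: data frame, seq 1, PAN 0x1234, broadcast dst, src 0x0000, payload aa bb, FCS cd ef
        source = ["41 88 01 34 12 ff ff 00 00 aa bb cd ef\n"]
    else:
        import serial          # pyserial; only needed for a real port
        source = serial_lines(serial.Serial(argv[1], 57600, timeout=1))
    if os.name != "nt" and not os.path.exists(PIPE_PATH):
        os.mkfifo(PIPE_PATH)   # POSIX only; Windows pipes need the Win32 API
    # open() on a FIFO blocks until Wireshark opens the other end
    with open(PIPE_PATH, "wb", buffering=0) as pipe:
        pipe.write(pcap_global_header())
        for line in source:
            frame = parse_line(line)
            if frame is not None:
                pipe.write(pcap_record(frame))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Start the script first so it creates the FIFO, then launch Wireshark on that pipe; the script's open() returns once Wireshark connects, and frames appear in the live capture as they are received. The length check in parse_line is the one defensive piece worth keeping: a sniffer prints whatever the radio hands it, and text that is not a frame should be dropped on the host rather than handed to the dissector as a bogus packet.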
The tutorial is below. One thing to note is that the tutorial assumes that Wireshark is installed, the Chibi or chibiArduino release supporting promiscuous mode has been downloaded, and you're using hardware that supports the protocol stacks. Also, please feel free to post any comments, questions, or suggestions about the tutorial.
That’s about it. Hope you enjoy it and happy sniffing :)