Hi all. Just a quick post about UNetLab and Wireshark.
I have been meaning to get around to this for some time, and finally had some free minutes.
I originally posted about this back in September, and this is an updated version for integrating UNetLab and Wireshark. The first version ran fine unless you wanted to run the same capture again. Because there was no form of capture numbering, the capture would fail as the original file could not be overwritten.
I have now implemented some versioning (appending the date and time to the capture file name, so a repeat capture on the same interface gets a new file instead of failing).
Now it *should* be a bit smoother!
Please test it out and let me know if there are any issues.
The link is below; it should be a simple extract-and-replace job:
Download link
https://www.802101.com/unl_wiresharkv2/
Enjoy!
Hi Stuart,
Would you be willing to share the source code?
The way you have this configured (using root@server) doesn't suit my setup and I'd like to tweak it a little bit.
Thanks,
Cameron
Hey Cameron
If you download it, you can use Finder to show the contents of the file, and amend it as you need to.
If you make any changes that others could benefit from, then please feel free to share! 🙂
Thanks for your help!
I just wanted to change the username, as I'm working with a shared server and don't allow root login via ssh. Nor do I want to change this or give my users root access!
To get around this, I've created a user (called capture) and will request my users public keys so they won't need the password for said user. I also needed to add 'capture ALL = NOPASSWD: /usr/sbin/tcpdump' to my sudoers file.
Now that I've adjusted the script, how did you adjust the link handler (capture://) to bind to your script? Did you compile the script with Xcode?
Thanks,
Cameron
Hey Cameron,
I just used AppleScript (Script Editor from Finder). That makes the application (when you export to the type "application"). Hope this helps!
Interesting, I'm unable to find any options that would indicate the script will be called when opening a capture://unet.lab/cap link.
Cameron
That's handled separately, by changing the URL handlers: https://www.802101.com/changing-url-handlers-in-osx/
Hello mate!
Please update for eve-ng. wiresharkv2 doesn't work correctly for me. It works for an IP but doesn't work with a domain name. I cannot connect via ssh because I have "-" in my domain name.
"ssh root@eve tcpdump -U -i ng.ddns.net -s 0 -w - > /tmp/ng.ddns.net-20170321-151120"
instead of
"ssh [email protected] tcpdump -U -i vunl0_11_0 -s 0 -w - > /tmp/ng.ddns.net-20170321-151120"
Of course I can change the domain name and interface by hand. But it would be great if you could fix my problem!
Oh. I've made some changes in your script to correctly read URLs like capture://some-site.uk.co/vunl0_11_32
set AppleScript's text item delimiters to {"/"} -- split on "/" only, so "-" in the hostname is kept
set new_cap_HOST to text item 3 of cap_URL -- item 1 is "capture:", item 2 is empty (between the "//")
set new_cap_INT to text item 4 of cap_URL
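Since the AppleScript is hard to copy from the comments, here is the same logic as a POSIX shell script. This is an added example, not Stuart's script or Matt's gist: it parses a capture://HOST/INTERFACE URL by splitting on "/" only (so hostnames with "-" such as eve-ng survive, as in the fix above), appends the date and time to the capture file name as the post's versioning does, and switches to "sudo tcpdump" when a non-root user is used, matching the sudoers rule Cameron mentioned. Because the host and interface from the URL end up inside a remote command, it also refuses anything that is not a plain hostname or interface name. The variable name CAPTURE_USER and the full Wireshark path are assumptions.

```shell
#!/bin/sh
# Added example (not the post's AppleScript): capture:// URL -> ssh + tcpdump pipeline.

# "capture" if you use a dedicated user with a sudoers rule for tcpdump (assumed name).
CAPTURE_USER="${CAPTURE_USER:-root}"

# Split "capture://host/iface" on "/" only, so hostnames containing "-" or "."
# (eve-ng, ng.ddns.net) survive intact. Prints "host iface" on success.
parse_capture_url() {
    url="$1"
    case "$url" in
        capture://*) ;;
        *) echo "not a capture:// URL: $url" >&2; return 1 ;;
    esac
    rest="${url#capture://}"            # host/iface
    case "$rest" in
        */*) ;;
        *) echo "malformed URL (no interface): $url" >&2; return 1 ;;
    esac
    host="${rest%%/*}"                  # up to the first "/"
    iface="${rest#*/}"                  # after the first "/"
    iface="${iface%%/*}"                # ignore anything after a second "/"
    if [ -z "$host" ] || [ -z "$iface" ]; then
        echo "malformed URL: $url" >&2; return 1
    fi
    echo "$host $iface"
}

# Both values are interpolated into a remote command line, so accept only the
# characters that legitimately occur in hostnames and interface names.
is_safe_token() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Timestamped capture path, e.g. /tmp/vunl0_11_32-20170321-151120
capture_path() {
    iface="$1"; stamp="${2:-$(date +%Y%m%d-%H%M%S)}"
    echo "/tmp/${iface}-${stamp}"
}

# Build the ssh/tcpdump command for a URL; an optional second argument fixes the
# timestamp (handy for testing). Non-root users get "sudo tcpdump".
build_capture_cmd() {
    parsed="$(parse_capture_url "$1")" || return 1
    host="${parsed%% *}"; iface="${parsed#* }"; stamp="$2"
    if ! is_safe_token "$host" || ! is_safe_token "$iface"; then
        echo "unsafe host or interface in URL: $1" >&2; return 1
    fi
    sudo_prefix=""
    if [ "$CAPTURE_USER" != "root" ]; then sudo_prefix="sudo "; fi
    out="$(capture_path "$iface" "$stamp")"
    echo "ssh ${CAPTURE_USER}@${host} ${sudo_prefix}tcpdump -U -i ${iface} -s 0 -w - > ${out}"
}

# Usage: capture_to_wireshark capture://eve-ng/vunl0_11_32
# Starts the remote capture in the background and hands the growing file to
# Wireshark by its full path (assumed install location), which avoids the
# "wireshark: command not found" problem when it is not on PATH.
capture_to_wireshark() {
    cmd="$(build_capture_cmd "$1")" || return 1
    out="${cmd##*> }"
    sh -c "$cmd" &
    /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i "$out"
}
```

Wire it to the capture:// handler the same way as the AppleScript app (the handler passes the URL as the first argument), and set CAPTURE_USER=capture in the environment if you do not allow root logins over ssh.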
Cool!
I can confirm this works with EVE-NG (my hostname is eve-ng). However, I had a problem copying/pasting the above code due to formatting issues with the " and ' characters. I just had to retype the quotes in the AppleScript editor.
I also made a change so each “do script” runs the command in a separate tab instead of separate terminal window.
My changes can be found here:
https://gist.github.com/matthaedo/9d971b1f7f18ea74692711a296dd2ee8
In addition, it’s worth mentioning that you can use SSH key-based authentication so you are not prompted for the EVE-NG root password:
On your Mac, create an SSH key using ssh-keygen.
Copy the generated .pub file to eve-ng:~root/.ssh/authorized_keys.
Matt, this is excellent, thank you very much!
Glad to contribute! However, I went to use this today and for some reason my revision didn’t work anymore. The script created multiple tabs but only ran the command in the first tab. While troubleshooting, I realized that separate tabs aren’t needed anyway. I updated the script accordingly. It now spawns a single new tab, so it won’t run in a tab that you’re already using. It then runs all of the relevant commands in that tab. Confirmed working again.
https://gist.github.com/matthaedo/9d971b1f7f18ea74692711a296dd2ee8
Folks, I've noticed there are some issues too! I have been playing with EVE-NG, and the only issue I have is that I get a problem opening Wireshark!
wireshark -k -i /tmp/vunl0_12_16-20170331-193506
rdm-imac:~ rdm$ wireshark -k -i /tmp/vunl0_12_16-20170331-193506
-bash: wireshark: command not found
Just to comment... additionally, this is within the script.
Hi Stuart, I'm running macOS 10.12.6 and Wireshark 2.4.1. The script seems to work, because I can start Wireshark from EVE-NG successfully. The problem is that the captured packets don't seem to show up in Wireshark; I can't see anything in Wireshark.
Could you tell me what the problem is?
Thx.
How many windows pop up? Are you putting in the password?
VERY grateful for this! I’m a dunce with coding, so the fact that you’d give this out for folks like me is wonderful. I’m capturing packets in EVE, straight into Wireshark with no problems 🙂