Jump to content
Peter Luykx

TCPDump half / more packets dropped by Kernel

Recommended Posts

Hello,

I'm new to PS. when testing the TCPdump function, i see that not all packets are captured by PS.

I ran the TCPDump in armed mode and after a minute i stopped the process, i see a lot of packets are dropped by the kernel.
I did the same in bridged mode with the same result.

anybody an idea how i can collect all the packets?
Maybe a better method? or is PS to lightweight to capture all packets?

thanks in advanced,

Peter

 

Share this post


Link to post
Share on other sites

Can you give me a few examples and I can try to repeat the process with mine?  I've only done a packet capture a few times and it seemed like it was all there...but that was several years ago.  Thanks.

Share this post


Link to post
Share on other sites

Hello Bob123,

Thank you for your reply. 

I will try to explain it. if you would like i could make a video screen next time. 

i did the following. 

I have connected my computer to the Ethernet IN of the PS and  Ethernet OUT to my router. 

I putted the PS in army mode. 
I opened SSH and typed tcpdump -i eth0 -s 65535 -w /mnt/loot/tcpdump/traces.pcap in the terminal window. 

I started downloaded a file that is 700mb big. Offcourse i didn't actually downloaded the whole file. i interrupted it at approximately 50MB. 
When i look at my loot folder, i see that my traces.pcap is only 7MB. 

When you stop the tcpdump command in the terminal window, i see the following message. 

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
8077 packets captured
66286 packets received by filter
58208 packets dropped by kernel

I have downloaded the payload from github and adapt it a bit so tcpdump would make x files of y mb and loop. 
but the result stays the same. i have the idea that not all packets are captured, but dropped by the kernel. 

 

#!/bin/bash

# Title:        TCPDump
# Description:    Dumps networking-data to USB storage. Completes on button-press or storage full.
# Author:         Hak5
# Version:        1.0
# Category:        sniffing
# Target:         Any
# Net Mode:        TRANSPARENT

# LEDs
# SUCCESS:        Dump complete
# FAIL:            No USB storage found

function monitor_space() {
    while true
    do
        [[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
            kill $1
            LED G SUCCESS
            sync
            break
        }
        sleep 5
    done
}

function finish() {
    # Kill TCPDump and sync filesystem
    kill $1
    wait $1
    sync

    # Indicate successful shutdown
    LED R SUCCESS
    sleep 1

    # Halt the system
    LED OFF
    halt
}

function run() {
    /etc/init.d/sshd start &

    # Create loot directory
    mkdir -p /mnt/loot/tcpdump &> /dev/null
    
    # Set networking to TRANSPARENT mode and wait five seconds
    NETMODE BRIDGE
    sleep 5
    
    C2CONNECT
    
    # Start tcpdump on the bridge interface
    #tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
    tcpdump -i br-lan -s 65535 -w /mnt/loot/tcpdump/traces.pcap -W 50 -C 75 &>/dev/null &
    tpid=$!
    
    # Wait for button to be pressed (disable button LED)
    NO_LED=true BUTTON
    finish $tpid
}


# This payload will only run if we have USB storage
[[ ! -f /mnt/NO_MOUNT ]] && {
    LED ATTACK
    run &
    monitor_space $! &
} || {
    LED FAIL
}
 

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...