一半君's summary notes

Listen to only half of what you're told (一半君)

rpcapd tcpdump tshark asus rt-n16 remote capture | entware

If you want to dig into a router, you will probably need Wireshark, and Wireshark in turn needs a few helper tools.

Remote Capture

  • cross compile rpcapd
    wget https://www.winpcap.org/install/bin/WpcapSrc_4_1_3.zip
    unzip WpcapSrc_4_1_3.zip
    cd winpcap/wpcap/libpcap/
    
    # Use the crosstools-ng 1.22 toolchain built earlier. TARGET_DIR can be left unset, since I never run make install
    export PATH=/home/oglop/x-tools/mipsel-unknown-linux-uclibc/bin:$PATH
    export TARGET_DIR=/home/oglop/Downloads/libpcap-install
    CC=mipsel-unknown-linux-uclibc-gcc CXX=mipsel-unknown-linux-uclibc-g++ AR=mipsel-unknown-linux-uclibc-ar RANLIB=mipsel-unknown-linux-uclibc-ranlib ac_cv_linux_vers=2 ./configure --prefix=$TARGET_DIR --host=mipsel-uclibc-linux --with-pcap=linux
    
    # Only needed if you want to install into a separate directory; no install is actually required
    mkdir -p /home/oglop/Downloads/libpcap-install/bin/
    
    cd rpcapd
    
    # Before running make, open the Makefile and change its first line to: CC      = mipsel-unknown-linux-uclibc-gcc
    # Also add the line "#include <string.h>" to winpcap/wpcap/libpcap/pcap-int.h
    make
    

    tcpdump

    export PATH=/home/oglop/x-tools/mipsel-unknown-linux-uclibc/bin:$PATH
    export TARGET_DIR=/home/oglop/Downloads/tcpdump-install
    wget http://www.tcpdump.org/release/tcpdump-4.7.4.tar.gz
    tar xvf tcpdump-4.7.4.tar.gz
    cd tcpdump-4.7.4
    CC=mipsel-unknown-linux-uclibc-gcc CXX=mipsel-unknown-linux-uclibc-g++ AR=mipsel-unknown-linux-uclibc-ar RANLIB=mipsel-unknown-linux-uclibc-ranlib  ./configure --prefix=$TARGET_DIR  --host=mipsel-uclibc-linux
    make
    make install
    
  • The Wireshark in the repo is a bit old (only 1.0). If you want a newer 2.0, and want to view the capture on a Linux box, rpcapd's remote capture is of no use, because the Linux build of Wireshark does not include that feature. So the plan is to build a newer Wireshark, put tshark on the router, and pipe its output to the laptop over ssh (tshark can also be swapped for tcpdump). First, the laptop side (CentOS 7.1):
    # My libpcap is the 1.5.3 from the repo; not sure whether it will do
    [oglop@t450s resources]$ rpm -qa | grep libpcap
    libpcap-1.5.3-8.el7.x86_64
    libpcap-1.5.3-8.el7.i686
    libpcap-devel-1.5.3-8.el7.x86_64
    libpcap-devel-1.5.3-8.el7.i686
    
    # My tcpdump is also from the repo and a bit old; the current releases are
    # Version: 4.7.4 / 1.7.4
    # Release Date: April 22, 2015 / June 26, 2015 (libpcap 1.7.4)
    [oglop@t450s resources]$ rpm -qa | grep tcpdump
    tcpdump-4.5.1-3.el7.x86_64
    

    The first attempt failed with the error below, so I should probably install the newer libpcap 1.7.4 from the tcpdump site first?

    make[2]: Entering directory `/home/oglop/Downloads/wireshark-2.0.0/caputils'
      CC       libcaputils_a-capture-pcap-util-unix.o
      CC       libcaputils_a-airpcap_loader.o
      CC       libcaputils_a-capture-pcap-util.o
    capture-pcap-util.c:578:1: error: static declaration of ‘pcap_datalink_name_to_val’ follows non-static declaration
     pcap_datalink_name_to_val(const char *name)
     ^
    In file included from /usr/include/pcap.h:45:0,
                     from ../caputils/capture-pcap-util.h:32,
                     from capture-pcap-util.c:46:
    /usr/include/pcap/pcap.h:401:5: note: previous declaration of ‘pcap_datalink_name_to_val’ was here
     int pcap_datalink_name_to_val(const char *);
         ^
    capture-pcap-util.c:593:1: error: static declaration of ‘pcap_datalink_val_to_name’ follows non-static declaration
     pcap_datalink_val_to_name(int dlt)
     ^
    In file included from /usr/include/pcap.h:45:0,
                     from ../caputils/capture-pcap-util.h:32,
                     from capture-pcap-util.c:46:
    /usr/include/pcap/pcap.h:402:13: note: previous declaration of ‘pcap_datalink_val_to_name’ was here
     const char *pcap_datalink_val_to_name(int);
                 ^
    make[2]: *** [libcaputils_a-capture-pcap-util.o] Error 1
    make[2]: Leaving directory `/home/oglop/Downloads/wireshark-2.0.0/caputils'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/home/oglop/Downloads/wireshark-2.0.0'
    make: *** [all] Error 2
     
    
    Next, try installing libpcap 1.7.4
    
    wget http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz
    mkdir libpcap-1.7.4-pc
    tar xvf libpcap-1.7.4.tar.gz  -C libpcap-1.7.4-pc --strip-components=1
    cd libpcap-1.7.4-pc
    ./configure
    make
    make install
    

    The install below failed the first time, so I went back and installed libpcap 1.7.4 as above; the second attempt did not succeed either

    wget https://1.na.dl.wireshark.org/src/wireshark-2.0.0.tar.bz2
    tar xvf wireshark-2.0.0.tar.bz2
    cd wireshark-2.0.0
    ./autogen.sh 
    ./configure
    make
    
    # Give it a test run first
    ./wireshark
    
    # See whether it can be turned into an rpm
    yum install qt5-qtbase-devel qt5-qtmultimedia-devel
    make rpm-package
    # Before installing the generated rpm with yum, remove the one installed from the repo
    yum remove  wireshark
    yum localinstall packaging/rpm/RPMS/x86_64/wireshark-*
    
    # If all else fails, install directly
    make install
    

    Result: Wireshark 2.0 running on Linux

  • Build tshark for the router (failed)
    # libiconv
    wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz
    tar xvf libiconv-1.14.tar.gz 
    cd libiconv-1.14/
    CC=mipsel-unknown-linux-uclibc-gcc CXX=mipsel-unknown-linux-uclibc-g++ AR=mipsel-unknown-linux-uclibc-ar RANLIB=mipsel-unknown-linux-uclibc-ranlib  ./configure --prefix=$HOME/Downloads/libiconv-1.14-install --host=mipsel-uclibc-linux
    make && make install
    
    # gettext
    wget http://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.6.tar.gz
    tar xvf gettext-0.19.6.tar.gz
    cd gettext-*
    CPPFLAGS=-I$HOME/Downloads/libiconv-1.14-install/include LDFLAGS=-L$HOME/Downloads/libiconv-1.14-install/lib CC=mipsel-unknown-linux-uclibc-gcc CXX=mipsel-unknown-linux-uclibc-g++ AR=mipsel-unknown-linux-uclibc-ar RANLIB=mipsel-unknown-linux-uclibc-ranlib  ./configure --prefix=$HOME/Downloads/gettext-0.19.6-install --host=mipsel-uclibc-linux
    make && make install
    
    # glib2.0: configure failed and would not get through
    # (note: glib-2.0.7 is a 2002 release; Wireshark 2.0 needs a far newer GLib 2.x than this)
    wget http://ftp.gnome.org/pub/gnome/sources/glib/2.0/glib-2.0.7.tar.gz
    tar xvf glib-2.0.7.tar.gz
    cd glib-2.0.7/
    CPPFLAGS="-I$HOME/Downloads/libiconv-1.14-install/include -I$HOME/Downloads/gettext-0.19.6-install/include" LDFLAGS="-L$HOME/Downloads/libiconv-1.14-install/lib -L$HOME/Downloads/gettext-0.19.6-install/lib" CC=mipsel-unknown-linux-uclibc-gcc CXX=mipsel-unknown-linux-uclibc-g++ AR=mipsel-unknown-linux-uclibc-ar RANLIB=mipsel-unknown-linux-uclibc-ranlib  ./configure --prefix=$HOME/Downloads/glib-2.0.7-install --host=mipsel-uclibc-linux
    
    
    # --strip-components means: do not create the top-level wireshark-2.0.0 directory, unpack straight into the directory given after -C
    mkdir -p wireshark-2.0.0-router
    tar xvf wireshark-2.0.0.tar.bz2 -C wireshark-2.0.0-router --strip-components=1
    cd wireshark-2.0.0-router
    # the toolchain is still crosstools-ng 1.22
    export PATH=/home/oglop/x-tools/mipsel-unknown-linux-uclibc/bin:$PATH
    CC=mipsel-unknown-linux-uclibc-gcc CXX=mipsel-unknown-linux-uclibc-g++ AR=mipsel-unknown-linux-uclibc-ar RANLIB=mipsel-unknown-linux-uclibc-ranlib ./configure --prefix=$HOME/Downloads/wireshark-2.0.0-router-install --host=mipsel-uclibc-linux  --disable-wireshark   --with-gcrypt=no  --enable-ipv6=no  --with-gtk3=no --with-qt=no --with-pcap=no --enable-static --disable-shared
    # Giving up for now: glib2.0 is missing
    
    
  • Since tshark failed, the only option left is the tcpdump cross-compiled earlier.
    The binary built above seems to be wrong, though: illegal instruction

Downloads:
rpcapd.tar.gz
libpcap-install.tar.gz

tcpdump-4.7.4.tar.gz

If the router is too weak, say a Netcore Q3, will it not run at all? I am actually on an RT-N16 now. Never mind: if cross compiling does not work out, do what everyone else does, plug in a USB stick, install Entware or something similar, and install from its repo.

Just dug up an old USB stick:
SanDisk Cruzer 4G

Combined! ( ¯▽¯;)
(photo: rt-n16)

Partition it right on the router, still plugged in

# see where the USB stick ended up
root@unknown:/tmp/home/root# fdisk -l

Disk /dev/sda: 4047 MB, 4047502848 bytes
255 heads, 63 sectors/track, 492 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks  Id System
/dev/sda1   *           1         493     3951615+  7 HPFS/NTFS
Partition 1 has different physical/logical endings:
     phys=(491, 254, 63) logical=(492, 20, 39)

# I created a 512 MB swap; all the remaining space goes to software
Device Boot      Start         End      Blocks  Id System
/dev/sda1               1          63      506016  82 Linux swap
/dev/sda2              64         492     3445942+ 83 Linux

# format
mkfs.ext3 -m 1 -L data /dev/sda2
mkswap -L swap /dev/sda1

# result afterwards
root@unknown:/tmp/home/root# fdisk -l

Disk /dev/sda: 4047 MB, 4047502848 bytes
255 heads, 63 sectors/track, 492 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks  Id System
/dev/sda1               1          63      506016  82 Linux swap
/dev/sda2              64         492     3445942+ 83 Linux

# enable auto-mount in the Tomato web UI; after a reboot
root@unknown:/tmp/home/root# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                19.1M     19.1M         0 100% /
tmpfs                    61.9M    432.0K     61.5M   1% /tmp
devfs                    61.9M         0     61.9M   0% /dev
/dev/mtdblock3           11.5M      1.6M      9.9M  14% /jffs
/dev/sda2                 3.2G     64.1M      3.1G   2% /tmp/mnt/data

Also, if swap is not enabled after the reboot, add this to /etc/fstab:

#device Mountpoint FStype Options Dump Pass#
LABEL=swap none swap sw 0 0

Then save that file into nvram:

nvram setfile2nvram /etc/fstab
nvram commit
reboot

Alternatively, run

swapon /dev/sda1

to enable it temporarily.

In any case, once swap is active, Overview looks like this:

(screenshot: swapon_tomato)

USB and NAS -> USB Support looks like this:

(screenshot: swapon_tomato_usb)

Next, install Entware following the memo I wrote up earlier; a few things have changed:

# the installer comes over plain http and is piped straight into sh as root; to inspect it first, save it with wget and read it before running
wget -O - http://entware.zyxmon.org/binaries/mipsel/installer/upgrade.sh | sh

It looks like there is a tcpdump:

root@unknown:/opt# opkg list | grep tcpdump
tcpdump - 4.5.1-4 - Network monitoring and data acquisition tool

# install
opkg install tcpdump

Run on the PC:

# The capture filter excludes the ssh session itself, otherwise the capture keeps picking up its own transport.
# It has to be written 'not port 22'; tcpdump rejects 'port !22' as a syntax error.
# Wireshark only reads the pipe here, so the capture side does not need root.
ssh root@your-router tcpdump -w - 'not port 22' | sudo /usr/local/bin/wireshark -k -i -

(screenshot: wireshark_centos)
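To check what the `tcpdump -w -` pipe is actually delivering before handing it to Wireshark (useful when a freshly cross-compiled binary misbehaves, as with the "illegal instruction" build above), here is a small reader for the libpcap stream format. It is an added example, not code from the original post or from tcpdump/Wireshark; it assumes the standard 24-byte pcap global header followed by 16-byte record headers, and the two-record stream it parses is constructed inline.

```python
import struct

# Magic as read little-endian from the first 4 bytes -> (struct byte order, timestamp fraction divisor)
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian writer (e.g. a mipsel router), microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian writer, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}

def parse_pcap_stream(data: bytes) -> dict:
    """Parse a libpcap byte stream as written by `tcpdump -w -`.

    Returns the header fields, the records found, and whether the stream ended
    mid-record (e.g. the ssh session dropped while tcpdump was still writing).
    """
    if len(data) < 24:
        raise ValueError("stream shorter than the 24-byte pcap global header")
    (raw_magic,) = struct.unpack("<I", data[:4])
    if raw_magic not in PCAP_MAGIC:
        raise ValueError("not a pcap stream (magic 0x%08x)" % raw_magic)
    endian, ts_div = PCAP_MAGIC[raw_magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off, truncated = [], 24, False
    while off < len(data):
        if len(data) - off < 16:                    # partial record header
            truncated = True
            break
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        if caplen > snaplen or caplen > origlen:    # reject corrupt lengths instead of trusting them
            raise ValueError("corrupt record at offset %d (caplen %d)" % (off, caplen))
        if len(data) - off - 16 < caplen:           # partial packet body
            truncated = True
            break
        packets.append({"ts": ts_sec + ts_frac / ts_div, "caplen": caplen,
                        "origlen": origlen, "data": data[off + 16:off + 16 + caplen]})
        off += 16 + caplen
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}

def build_sample_stream() -> bytes:
    """Constructed two-record sample (not real capture data): little-endian, DLT_EN10MB (1), snaplen 65535."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame1 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28  # 42-byte ARP-sized frame
    frame2 = b"\x00" * 60                                                           # minimum Ethernet frame
    rec1 = struct.pack("<IIII", 1449000000, 500, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack("<IIII", 1449000001, 0, len(frame2), len(frame2)) + frame2
    return header + rec1 + rec2

if __name__ == "__main__":  # e.g.: ssh root@your-router tcpdump -w - 'not port 22' | python3 pcapcheck.py
    import sys
    s = parse_pcap_stream(sys.stdin.buffer.read())
    print("linktype %d, %d records, truncated=%s" % (s["linktype"], len(s["packets"]), s["truncated"]))
```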

PS:

For an explanation of this, see the reference links below
(screenshot: wireshark_dofile)

BTW, a higher-end router really is nicer; none of this fiddling would be needed:

root@unknown:/tmp/home/root# opkg list | grep shadowsocks
shadowsocks-libev - 2.4.1-1 - Shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes.
shadowsocks-libev-polarssl - 2.4.1-1 - Shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes.

References:
WinPcap: Remote Capture
CaptureSetup/WinPcapRemote - The Wireshark Wiki
analyze traffic remotely over ssh w/ wireshark
Autotools FAQ
Re: [Wireshark-users] [Wireshark-dev] T-Shark Cross Compilation issue
running wireshark “Lua: Error during loading”
error when running wireshark on Ubuntu as non root user
Running tshark as a root, dofile file is disabled problem

Platform-Specific information about capture privileges
Privilege Separation
