Wiresharksniffing

paalsteek edited this page Jan 20, 2013 · 15 revisions

If you want to observe the traffic within the network, there's one excellent tool: Wireshark. This page shows how to use it with the HexaBus devices.

Putting the USB Stick into promiscuous mode

The HexaBus USB stick can be put into Contiki's sniffer mode. Usually, the stick filters network packets based on the PAN ID, the ID of your local network. In sniffer mode, this filter is deactivated, so you receive all packets, which is what we need for Wireshark.

To activate the sniffer mode, connect to the serial endpoint of the USB device. On my MacOS machine, the endpoint is available at /dev/cu.usbmodem413, but this can vary for your machine. You can simply use screen to connect to it:

$ screen /dev/cu.usbmodem413

You will see a blank screen window. To get help, just press the h key. This is what you should see:

*********** Jackdaw Menu **********
        [Built Jul  7 2011]       
*  m        Print current mode    *
*  s        Set to sniffer mode   *
*  n        Set to network mode   *
*  r        Set to raw mode       *
*  f        Flash a Socket        *
*  c        Change PAN ID         *
*  R        Reset (via WDT)       *
*  h,?      Print this menu       *
*                                 *
* Make selection at any time by   *
* pressing your choice on keyboard*
***********************************

Obviously, by pressing s, you can activate the sniffer mode. The USB stick responds with

Jackdaw now in sniffer mode

Since the traffic is AES-128 encrypted, the USB stick will discard most of the packets. To capture all packets, you also need to put the USB stick into raw mode by pressing r. The response will be

Jackdaw now in raw mode

Important: for encrypted networks, you need to be both in sniffer mode and in raw mode. In essence, this is what m should print:

Currently Jackdaw:
  * Will send data over RF
  * Will change link-local addresses inside IP messages
  * Will decompress 6lowpan headers
  * Will Output raw 802.15.4 frames
  * USB Ethernet MAC: 02:50:c4:04:00:09
  * 802.15.4 EUI-64: 02:50:c4:ff:fe:04:00:09
  * Configuration: 130, USB<->ETH is active
  * Promiscuous mode is not active

Start Wireshark

Wireshark is available from http://www.wireshark.org/. On my MacOS machine, I need to run the Wireshark software as root. This can easily be accomplished by starting the application manually:

$ sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark

Go to "Capture"->"Interfaces...". You will see a list of the currently available interfaces:

[Screenshot: Start Capture Dialog]

In my case, en6 is the interface of the USB stick. If your USB stick doesn't show up here, chances are that it has not been configured as a network card by your operating system. Fix this.

You should be able to observe the traffic on the network. 6LoWPAN syntax highlighting is already built into Wireshark.

Disabling encryption in HexaBus

Usually, you want your production network to be encrypted. But for development it is handy to be able to intercept messages. To turn encryption off, you have to

  1. Edit contiki-hexabus-main.c in firmware/contiki-2.x/platform/Hexabus-Socket: Replace

    uint8_t encryption_enabled = 1; //global variable for AES encryption

with

    uint8_t encryption_enabled = 0; //global variable for AES encryption

in the source code (around line 109). There is no run-time switch for this.

  2. Recompile the firmware and flash the socket.

Do the same for the USB-Stick. The network is now unencrypted.

Note: the Sockets still have to be paired with the USB-Stick so that they use the same PAN-ID.
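
Because the switch is a source edit with no run-time indication, a tree prepared for sniffing can end up in a production build unnoticed. The following pre-build guard is an added example, not part of the HexaBus code base; the function names are hypothetical, and it assumes the declaration keeps the form shown above.

```shell
#!/bin/sh
# Added example: refuse to build when AES encryption is switched off in source.
# Assumption: the declaration has the form shown on this page,
#   uint8_t encryption_enabled = <0|1>;
# Limitation: only // comments are stripped, /* ... */ blocks are not.

# Print the value assigned to encryption_enabled in file $1.
# Status: 0 = found, 2 = file unreadable or declaration not found.
encryption_flag() {
    [ -r "$1" ] || return 2
    # Drop // comments first so a commented-out declaration is ignored,
    # then print the number from the first live assignment.
    ef_value=$(sed -n \
        -e 's://.*$::' \
        -e 's/^[[:space:]]*uint8_t[[:space:]][[:space:]]*encryption_enabled[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*$/\1/p' \
        "$1" | head -n 1)
    [ -n "$ef_value" ] || return 2
    printf '%s\n' "$ef_value"
}

# Status: 0 = encrypted build, 1 = encryption disabled,
#         2 = state unknown (treat as failure in a release pipeline).
check_encryption() {
    ce_value=$(encryption_flag "$1") || {
        echo "UNKNOWN: no encryption_enabled declaration in $1" >&2
        return 2
    }
    if [ "$ce_value" -eq 0 ]; then
        echo "FAIL: $1 builds unencrypted firmware" >&2
        return 1
    fi
    echo "OK: $1 has encryption_enabled = $ce_value"
}

# Constructed sample input: the development edit described above.
demo_src=$(mktemp)
printf '%s\n' \
    'uint8_t encryption_enabled = 0; //global variable for AES encryption' \
    > "$demo_src"
check_encryption "$demo_src" || echo "guard exit status: $?"
rm -f "$demo_src"
```

Run check_encryption against contiki-hexabus-main.c in both the socket and the USB stick trees before a release build, and fail the build on any non-zero status.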

The Hexabus Packet Dissector

As searching for the right byte in a packet is quite annoying, there is also a dissector for the HexaBus protocol. The code can be found at http://github.com/paalsteek/wireshark. The dissector now allows inspecting the 8bit-EID-format (current master branch) as well as the new 32bit-EID-format (packet format used in development and newer branches).