Monday 6 August 2012

Wireshark on AWS EC2

Updated on 28 March 2014, thanks to Imran Hayder for the suggestions! In some cases you may need to run Wireshark on a remote machine, especially if you want to understand in depth what is going on.
Without any further blah blah, assuming you are using Ubuntu, here is how to:

  1. Create an EBS volume; make sure to un-check "delete on termination".
  2. Create and start an Ubuntu 12.04 EC2 instance.
  3. Log in to it.
  4. Check the disk name:
    sudo fdisk -l
    
  5. Format the disk:
    sudo mkfs -t ext4 /device/path
    
  6. Create a mount directory:
    sudo mkdir /home/data-storage
    
  7. Mount the disk:
    sudo mount /dev/DEVICE /home/data-storage
    
  8. Make a wireshark folder:
    sudo mkdir /home/data-storage/wireshark
    #important: change ownership so the ubuntu group can use the folder!
    sudo chown root:ubuntu /home/data-storage/wireshark
    #774: owner and group get read/write/execute, everyone else read only (use the full path, the relative one only works from /home/data-storage)
    sudo chmod -R 774 /home/data-storage/wireshark
    
  9. Install wireshark:
    sudo apt-get install wireshark tshark
    
  10. Run an example:
    sudo su
    cd /home/data-storage/wireshark
    #tshark will capture eth0 for 10 seconds and save the file to my.pcap
    tshark -i eth0 -a duration:10 -w my.pcap
    
  11. Copy the file to your local machine:
    #from your local machine; note the intentional line break due to the layout of the blog.
    cd wireshark
    scp -i your.pem 
       ubuntu@your_ec2_dns.compute.amazonaws.com:/path-to/my.pcap .
    
Read the comments below for troubleshooting. Note that it is not advisable to copy and paste the commands, since you may get the HTML representation and not what you should type in the terminal.
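As an added example (not part of the original post), here is a small wrapper script for the capture step that avoids the "permission denied" problem discussed in the comments: the pcap is handed to the ubuntu group after the capture, so it can be fetched with plain scp without sudo. The paths, the ubuntu user and the tshark flags are taken from the post; the script name, the CAPTURE_RUN switch and the function names are my own.

```shell
#!/bin/bash
# capture.sh: run the post's tshark capture as root, then hand the pcap to the
# ubuntu login group so it can be copied with plain scp (no "sudo scp").
# Paths and the ubuntu user come from the post; the script itself is an added example.
set -eu

CAPTURE_DIR=${CAPTURE_DIR:-/home/data-storage/wireshark}   # mount point from the post
CAPTURE_GROUP=${CAPTURE_GROUP:-ubuntu}                      # group of the EC2 login user

# The scp command is typed on the local machine; build it on ONE line, because
# the blog layout splits it over two and a pasted line break breaks the command.
build_scp_cmd() {
    local pem=$1 host=$2 remote_path=$3 local_dir=$4
    printf 'scp -i %s ubuntu@%s:%s %s\n' "$pem" "$host" "$remote_path" "$local_dir"
}

# A capture written by root is unreadable to the ubuntu user, which is the
# "permission denied" from the comments. Give the login group read access and
# nobody else (0640) instead of the world-rwx 0777 suggested there: a pcap can
# hold credentials and session tokens from the traffic it recorded.
make_group_readable() {
    chgrp "$CAPTURE_GROUP" "$1"
    chmod 640 "$1"
}

# Octal permission bits of a file, used to check the result.
file_mode() {
    stat -c %a "$1"
}

# Capture on IFACE for SECONDS seconds into a timestamped pcap (tshark flags from the post).
run_capture() {
    local iface=$1 seconds=$2
    local outfile="$CAPTURE_DIR/capture-$(date +%Y%m%d-%H%M%S).pcap"
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo: tshark needs raw socket access" >&2; return 1; }
    mkdir -p "$CAPTURE_DIR"
    tshark -i "$iface" -a "duration:$seconds" -w "$outfile"
    make_group_readable "$outfile"
    echo "capture written to $outfile (mode $(file_mode "$outfile"))"
    echo "from your local machine, run:"
    build_scp_cmd your.pem your_ec2_dns.compute.amazonaws.com "$outfile" .
}

# Only capture when explicitly asked (sudo CAPTURE_RUN=1 ./capture.sh eth0 10),
# so the helper functions can be sourced or tested without root.
if [ "${CAPTURE_RUN:-0}" = 1 ]; then
    run_capture "${1:-eth0}" "${2:-10}"
fi
```

Afterwards the printed scp command works as the ubuntu user because the file is group-readable; the folder itself already has group access from step 8.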

2 comments:

  1. Hi Laurynas. Thanks for the great article on working with wireshark on amazon ec2 instances. )
    I guess this is the only article I found on the internet that explains wireshark with aws.
    I'm glad to find it.
    That said, I would like to suggest a couple of mistakes, which I am certain you did not mean to commit but which happen accidentally.
    1=> you have created the folder "data-store" but later referred to it as "data-storage"
    in some of the commands. If it's "data-store" then it has to be used with this name in every command that follows.
    2=> Step 5 is a follow-up of step 4, where we figure out the device name. It's even evident on our EBS volume under the "volume" tab of our EC2 dashboard. If we have attached it correctly to our instance, we can see the volume description and its name.
    Normally it's written as "xvda1" or "xvda2" etc.
    If it's "xvda1", to anyone reading this, you should execute step 5 as:
    sudo mkfs -t ext4 /dev/xvda1

    3=> step 7, if you found out in step 4 that your device name is "xvda1", then do this step as
    sudo mount /dev/xvda1 /home/data-store
    4=> later on you might face the issue of "permission denied" while using scp. It happens most of the time.
    First: ALWAYS sudo and then scp.
    Also, my.pcap has to be followed by two spaces and a . otherwise this doesn't work
    But then again you see the error "permission denied"; that's because you don't have permission set on my.pcap for reading. Do:
    cd /home/data-store/wireshark
    sudo su
    chmod u+rwx,g+rwx,o+rwx my.pcap
    Now execute the scp command to download the file into your local machine.
    NOTE: your terminal should be in the directory where your .pem file is; that's where you use the scp command and that's where your my.pcap file is downloaded.
    Hope it helps!

  2. Thank you Imran for the input! Your comments will definitely help others. I would disagree with the usage of sudo. One should rather make sure that you have read-write permission on the file. This can be achieved by giving the EC2 user permissions to use wireshark without sudo, or to read the sudo-created pcap file.
