Capture, Filter, Extract Traffic using Wireshark and PF_RING

Posted · Add Comment

Last year we introduced our new nBPF library able to:
1. Convert a BPF filter to hardware rules for offloading traffic filtering to the network card, making it possible to analyse traffic at 100G.
2. Accelerate traffic extraction from an indexed dump set produced by n2disk, our traffic recording application able to produce multiple PCAP files together with an index.

Along with that library we released a tool n2if, able to create virtual interfaces to be used in Wireshark for implementing line-rate hardware packet filtering at 100G with Wireshark and filtering terabytes of pcaps with Wireshark.

In the last months we have decided to take another step forward towards a better integration with Wireshark creating an extcap module. The extcap interface is a plugin-based mechanism to allow external executables to be used as traffic source in case the capture interface is not a standard network interface directly recognised by Wireshark. This means that there is no more need for using external tools for creating special virtual interfaces, and linking Wireshark to our libpcap is no longer necessary, being everything based on plugins.

The ntopdump extcap module can be used to both open PF_RING interfaces (i.e. even those that are not listed by ifconfig) and extract traffic from a n2disk dumpset in Wireshark with a few clicks inside the Wireshark GUI.

In order to get started with the ntopdump module, you need to compile and copy the module to the extcap path where Wireshark will look for the extcap plugins. This unless you are using the PF_RING binary package, that contains it pre-packaged and that is installed in the directory where Wireshark will search it for.

cd PF_RING/userland/wireshark/extcap/
make
cp ntopdump /usr/lib/x86_64-linux-gnu/wireshark/extcap/

In the example above the extcap folder is /usr/lib/x86_64-linux-gnu/wireshark/extcap/, if you install Wireshark from sources it will probably be /usr/local/lib/wireshark/extcap/. However you
can read the actual extcap folder from the Wireshark menu:

“Help” -> “About Wireshark” -> “Folders” -> “Extcap path”

At this point you are ready to start Wireshark and start using the ntopdump module. Once you open Wireshark, you will see two additional interfaces, “PF_RING interface” and “n2disk timeline”. Before running the capture, please configure the interface you want to use by clicking on the “configuration” icon of the corresponding interface.

We will present this and other ntop technologies usable in Wireshark at the upcoming Sharkfest ’17 US in Pittsburg where we will organise a ntop meetup open to all of our users willing to hear about the latest things we have developed and future roadmap items.