AWS and Wireshark



Overview:

Getting Wireshark to work with AWS Cloud9 involves a number of steps, but the result is worth it, and Wireshark will be used often as you work with all kinds of network issues.


Flask setup

To make this work, you need to create a Flask program in Python, then get the external address of the Cloud9 instance and open port 8080 (using the AWS dashboard).

  1. This is a simple Flask program; we will explain what is going on later.
    For the moment, you can just copy/paste this program into a Cloud9 Python file and run it.
  2. The Program:

    # File: minFlask.py
    from flask import Flask

    app = Flask(__name__)

    # Serve a small HTML page at the root URL; this is the HTTP reply we will capture later
    @app.route("/")
    def reply():
        r  = "<h1>This is a simple web page</h1>"
        r += "<h2>Your Name Here 001</h2>"
        r += "<h3>more stuff</h3>"
        return r

    if __name__ == "__main__":
        # 0.0.0.0 listens on every interface, so a browser outside Cloud9 can reach port 8080
        app.run(host="0.0.0.0", port=8080)

  3. When you run this program, the lower panel should show the following:
  4. Now get the external IP address and open port 8080, using the EC2 service in AWS:
  5. View the page from any browser - note the IP address and port:


Command Line

Now to view some of the information exchanged over the network between the client (web browser) and server (the Flask/Python program).
We will focus on just two packets, and a very limited amount of the information Wireshark is going to display about those two packets.

  1. First, let's see if Wireshark is already installed - probably not if you haven't already done it:
    > rpm -qa | grep -i wireshark
  2. Install Wireshark using a package manager; depending on the Linux version being used, that is yum, dnf or apt-get.
    1. This is the command that worked at one point - note that sudo runs it as the superuser (root):
      > sudo yum install wireshark
  3. The Wireshark GUI cannot be used from the Cloud9 command line, but packets can be captured with its command-line counterpart, tshark, run as the superuser:
    > sudo tshark
    1. If your Flask/Python server code is running (see the Flask setup above) and you have viewed the web page in your browser, RELOADING the page should produce a lot of captured network traffic.
    2. STOP this eventually using ctrl-C in the bash panel.
    3. At this point, all the elements are working, but the resulting display is rather confusing, overkill and ugly.
    4. The rest of these commands are designed to capture the packet information and display it in a more aesthetically pleasing way.
  4. First: write the captured packets to a file rather than dumping them to the screen (-w writes the capture, -r reads one back).
    You probably want to use a different file name than a002:
    > sudo tshark -w a002
    1. Again, execute this command, then reload the web page in your browser, then stop tshark using ctrl-C.
  5. There are all kinds of ways to look at the information captured in this file, so we will focus on the packets using the HTTP protocol - one requesting the web page, and the other replying with the page. There are a lot of other packets involved, but we will ignore those for the present. Note that on newer tshark versions the -R read filter must be combined with the two-pass option (-2), or replaced by the single-pass display filter -Y "http".
    1. Create a postscript file:
      > sudo tshark -r a002 -R "http" -T ps > a002.ps
    2. Create a short text output:
      > sudo tshark -r a002 -R "http" -T text
    3. Create a long text output - showing the internal structure of each of the two packets:
      > sudo tshark -r a002 -R "http" -T text -V
    4. Create a hex dump of the two packets:
      > sudo tshark -r a002 -R "http" -x
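    To see what the "http" filter is actually doing, here is an added example (not part of the original handout) that reads a capture file written by tshark -w in classic libpcap format (add -F pcap to the -w command; the pcapng layout tshark writes by default is not handled here) and picks out the same two HTTP packets by walking the Ethernet, IPv4 and TCP headers itself. The capture, its addresses and ports are all constructed inside the script.

```python
import struct
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6

def pcap_packets(data):
    # libpcap layout: 24-byte global header, then (16-byte record header + frame) repeated
    endian = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]   # bytes saved in the file
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def http_payload(frame):
    """(src, sport, dst, dport, payload) if the frame carries the start of an HTTP message, else None."""
    ip = frame[14:]                                  # 14-byte Ethernet header precedes IPv4
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4 or ip[9] != PROTO_TCP:
        return None
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    tcp = ip[(ip[0] & 0x0F) * 4:]                    # IHL field: IPv4 header length in 32-bit words
    sport, dport = struct.unpack_from("!HH", tcp)
    payload = tcp[(tcp[12] >> 4) * 4:]               # data offset: TCP header length in 32-bit words
    # like tshark's "http" filter: keep request and status lines, drop bare ACKs and other segments
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        return src, sport, dst, dport, payload
    return None

def http_packets(data):
    return [p for p in map(http_payload, pcap_packets(data)) if p]   # what -R "http" would list

def build_frame(src, sport, dst, dport, payload):
    # constructed Ethernet + IPv4 + TCP frame for the sample capture (checksums left at zero)
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    # constructed little-endian libpcap file, link type 1 = Ethernet
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture (placeholders: 203.0.113.7 = browser, 172.31.0.10 = Cloud9 instance): GET, reply, bare ACK
SAMPLE = build_pcap([
    build_frame("203.0.113.7", 51234, "172.31.0.10", 8080, b"GET / HTTP/1.1\r\nHost: 172.31.0.10:8080\r\n\r\n"),
    build_frame("172.31.0.10", 8080, "203.0.113.7", 51234,
                b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>This is a simple web page</h1>"),
    build_frame("203.0.113.7", 51234, "172.31.0.10", 8080, b""),
])
```

Pass the bytes of a real file (open("a002", "rb").read()) to http_packets to get the request and the reply as tuples; the third, payload-less frame in SAMPLE shows why the filter drops the ACKs that clutter the unfiltered tshark output.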

That's it - a little complicated, a fair number of steps, but this should be a great basis for exploring network security issues!

Now let's take a look at the output text file:


GUI



End - Jun 30, 2020