Making the tcpdump module
Submitted by mtesauro on Sun, 04/26/2009 - 00:12
Get the source for tcpdump
Go to the tcpdump site and find your way to the latest release section. Grab the latest source distribution which is a tar.gz file. At the time of this writing that is tcpdump-4.0.0.tar.gz. There is also a signature file as well. The file is named tcpdump-4.0.0.tar.gz.sig.
Say no to bad downloads: check the digital signature, as demonstrated below and explained in Checking sources. [PAGE NOT MADE]
$ cd temp/
$ gpg --verify tcpdump-4.0.0.tar.gz.sig tcpdump-4.0.0.tar.gz
gpg: Signature made Mon 27 Oct 2008 09:06:02 PM CDT using DSA key ID 89E917F3
gpg: Can't check signature: public key not found
$ gpg keyserver wwwkeys.pgp.net --recv-keys 89E917F3
usage: gpg [options] [filename]
$ gpg --keyserver wwwkeys.pgp.net --recv-keys 89E917F3
gpg: requesting key 89E917F3 from hkp server wwwkeys.pgp.net
gpg: key 89E917F3: public key "tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify tcpdump-4.0.0.tar.gz.sig tcpdump-4.0.0.tar.gz
gpg: Signature made Mon 27 Oct 2008 09:06:02 PM CDT using DSA key ID 89E917F3
gpg: Good signature from "tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0227 54EB 4C30 9185 FD31 33A3 464D 3CEB 89E9 17F3
The above indicates a valid download: the warning tells me that I've not marked the tcpdump key as trusted. However, whether or not I trust that key has nothing to do with the validity of the download; "Good signature" means the tarball matches the signature made by key 89E917F3. What the trust warning does leave open is whether that key really belongs to tcpdump.org, which is why the primary key fingerprint printed above is worth comparing against the one the project publishes. So now that we know the source hasn't been diddled with...
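As an added example that is not part of the original post: the check done by hand above can be scripted so that a "Good signature" from the wrong key is refused automatically. The POSIX sh functions below (`check_status` and `verify_download` are names chosen here) read gpg's machine-readable status lines and accept the download only when the primary key fingerprint on the VALIDSIG line matches the fingerprint gpg printed above. It assumes gpg is installed and the tcpdump signing key has been imported as shown; the status lines quoted in the comments are constructed from that gpg output.

```shell
#!/bin/sh
# verify-source.sh: verify a detached GnuPG signature and pin the signing key.
# Added example, not from the original page.

# Primary key fingerprint printed by gpg above, spaces removed.
TCPDUMP_FPR="022754EB4C309185FD3133A3464D3CEB89E917F3"

# check_status EXPECTED_FPR < gpg-status-lines
# Reads "[GNUPG:] ..." lines (gpg --status-fd) from stdin. Returns 0 only if a
# VALIDSIG line names EXPECTED_FPR as the primary key fingerprint; a good
# signature from any other key, or no valid signature at all, returns 1.
# Example (constructed) input:
#   [GNUPG:] GOODSIG 464D3CEB89E917F3 tcpdump.org (SIGNING KEY) <...>
#   [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pk> <hash> <class> <primary-fpr>
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=1
    # The || clause keeps the loop body running for a last line without "\n".
    while IFS=' ' read -r prefix keyword rest || [ -n "$prefix" ]; do
        if [ "$prefix" != "[GNUPG:]" ]; then
            continue
        fi
        case "$keyword" in
            VALIDSIG)
                # The last field of VALIDSIG is the primary key fingerprint.
                primary=$(printf '%s' "$rest" | awk '{print $NF}')
                if [ "$primary" = "$expected" ]; then
                    found=0
                else
                    echo "signature made by unexpected key $primary" >&2
                fi
                ;;
            ERRSIG|BADSIG|NO_PUBKEY)
                echo "gpg reported $keyword $rest" >&2
                ;;
        esac
    done
    return $found
}

# verify_download SIGFILE TARBALL EXPECTED_FPR
# Human-readable gpg output goes to stderr and is dropped; the status lines on
# fd 1 are what we decide on. Exit status is check_status's.
verify_download() {
    gpg --status-fd 1 --batch --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Usage:
#   verify_download tcpdump-4.0.0.tar.gz.sig tcpdump-4.0.0.tar.gz "$TCPDUMP_FPR" \
#       && echo "verified" || echo "REJECTED"
```

Pinning the fingerprint in the script is the point: gpg will happily say "Good signature" for any key you have imported, so the comparison against a fingerprint you obtained separately is what turns the output into a decision.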
Compile the source and complete the package
Since we're doing this from source, it's best to download the source into a running version of the Live CD. We can then do the compilation there to make sure the Live CD has all the necessary dependencies.
First, get the source into the Live CD. Since you've already verified the signature, scp the tarball over from your primary box and extract it in a build directory:
# mkdir build
# cd build
# scp matt@matt-box.example.com:/home/matt/download/tcpdump-4.0.0.tar.gz ./
# tar -xzvf tcpdump-4.0.0.tar.gz
# cd tcpdump-4.0.0
So far so good. Now to get this guy installed, all we really need to do is the 3 step Linux install dance (configure, make, make install) with a special variation I've come to prefer: two finds and a diff. We'll also specify some configure directives to get the architecture-dependent files into /opt/owasp/tcpdump.
# ./configure --exec-prefix=/opt/owasp/tcpdump --prefix=/opt/owasp/tcpdump --mandir=/usr/share/man
[bunch of output - hopefully ending on a happy note]
OK. We got through ./configure without failure. Let's try make:
# make
[bunch of junk]
print-enc.o: In function `enc_if_print':
print-enc.c:(.text+0xbe): undefined reference to `ip6_print'
collect2: ld returned 1 exit status
make: *** [tcpdump] Error 1
#
Hmm. Make is failing. I tried adding --disable-ipv6 to no avail. Did some digging and found a patch here called noINET6.patch. It looks harmless and applies cleanly, so let's see what happens:
# cat ../noINET6.patch
--- tcpdump-4.0.0.orig/print-enc.c 2008-09-01 09:44:22.000000000 +0700
+++ tcpdump-4.0.0/print-enc.c 2008-11-10 21:40:52.000000000 +0700
@@ -77,9 +77,11 @@
case AF_INET:
ip_print(gndo, p, length);
break;
+#ifdef INTE6
case AF_INET6:
ip6_print(p, length);
break;
+#endif
}
out:
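Review bot: the guard macro on the `+#ifdef INTE6` line is misspelled; the symbol tcpdump's IPv6 code is conditioned on, and that this patch is named after, is `INET6`. Because `INTE6` is never defined, the `AF_INET6` case is compiled out unconditionally, which is what makes the undefined reference to `ip6_print` above disappear, but it also removes IPv6 decoding from this function even on a build where IPv6 support is enabled. Either spell it `#ifdef INET6` so the case follows the real configuration (and then look at why `ip6_print` is not being linked, since the original error would come back), or document that the patch disables the case outright.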
# patch --dry-run -p1 -i ../noINET6.patch
patching file print-enc.c
# patch -p1 -i ../noINET6.patch
patching file print-enc.c
# make clean
# ./configure --exec-prefix=/opt/owasp/tcpdump --prefix=/opt/owasp/tcpdump --mandir=/usr/share/man
# make
Yippie! That did the trick. Let's continue:
# find / > ../pre-tcpdump
# make install
# find / > ../post-tcpdump
# cd ../
# diff pre-tcpdump post-tcpdump > tcpdump-diff
# cat tcpdump-diff | grep changes | grep -v build > tcpdump-install
# vi tcpdump-install
[remove any cruft and modify to copy the installed files to /root/fakeroot]
# cat tcpdump-install
mkdir -p /root/fakeroot/opt/owasp
cp -a /opt/owasp/tcpdump /root/fakeroot/opt/owasp
mkdir -p /root/fakeroot/usr/man/man1
cp -a /usr/man/man1/tcpdump.1 /root/fakeroot/usr/man/man1
# chmod u+x tcpdump-install
# ./tcpdump-install
Create support files in the fakeroot directory
Because tcpdump is a command line tool, we're going to create two startup scripts to be used by the menu item:
$ mkdir -p fakeroot/usr/bin
$ vi fakeroot/usr/bin/startup-tcpdump
[create script]
$ cat fakeroot/usr/bin/startup-tcpdump
#!/bin/sh
echo "  _                 _                       "
echo " | |_ ___ _ __   __| |_   _ _ __ ___  _ __  "
echo " | __/ __| '_ \ / _\` | | | | '_ \` _ \| '_ \ "
echo " | || (__| |_) | (_| | |_| | | | | | | |_) |"
echo "  \__\___| .__/ \__,_|\__,_|_| |_| |_| .__/ "
echo "         |_|                         |_|    "
echo " "
echo " tcpdump - Quick and dirty packet capture"
echo " (part of the OWASP Live CD)"
echo " "
echo " Type \"tcpdump -h\" for brief help or \"man tcpdump\" for extended help"
echo " "
echo " Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ] "
echo " [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ] "
echo " [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] "
echo " [ -W filecount ] [ -y datalinktype ] [ -Z user ] "
echo " [ expression ] "
echo " "
# chmod 775 fakeroot/usr/bin/startup-tcpdump
We'll also have to make a simple script to put tcpdump into our path:
$ vi fakeroot/usr/bin/tcpdump
[create script]
$ cat fakeroot/usr/bin/tcpdump
#!/bin/sh
# Run the tcpdump installed under /opt/owasp without changing the caller's
# working directory, so relative paths given to -r/-w still resolve as typed.
exec /opt/owasp/tcpdump/sbin/tcpdump "$@"
Now a menu item:
$ mkdir fakeroot/usr/share/applications
$ vi fakeroot/usr/share/applications/tcpdump.desktop
[create the file]
$ cat fakeroot/usr/share/applications/tcpdump.desktop
[Desktop Entry]
Categories=Application;Network;
Comment=
Encoding=UTF-8
Exec[$e]=startup-tcpdump; bash
GenericName=tcpdump
Icon=/usr/share/pixmaps/tcpdump-icon.png
MimeType=text/html
Name=Packet Capture
Path[$e]=
StartupNotify=false
Terminal=1
TerminalOptions=-T "tcpdump 4.0.0 - Command line packet capture"
Type=Application
X-KDE-StartupNotify=true
X-KDE-SubstituteUID=false
X-KDE-Username=
For the icon, I wasn't sure what to do. I ended up searching for "internet cloud" and came up with what I used - after a bit of gimp-foo. Then, I moved that into fakeroot.
$ mkdir fakeroot/usr/share/pixmaps
$ cp temp/tcpdump-icon.png fakeroot/usr/share/pixmaps/tcpdump-icon.png
We should now have everything we need in fakeroot. Give it a final sanity check, then create a new module based on what's in fakeroot:
# find fakeroot/ | less
# dir2lzm fakeroot/ tcpdump-4.0.0.lzm
Test the new modules
SLAX will allow you to add modules to a running system. Before going on, you should install the module and make sure it works as expected. Check out the page Add modules to a running system [PAGE NOT MADE] to see how to do this. Since I had to do a make install before I created the module, I used a freshly booted Live CD to test the module. Verify that tcpdump works as expected:
# tcpdump -i eth0
If everything goes as expected, you'll need to add this module to the ISO image. Since we've created the module in the Live CD, you'll need to move it off to a "real" computer. You can use a USB drive, scp or whatever to get the files off the Live CD.
Add the modules to the ISO build directory
Also cake
$ cp -i tcpdump-4.0.0.lzm ../contents/slax/base/
$ chmod 775 ../contents/slax/base/tcpdump-4.0.0.lzm
This assumes your tcpdump module was moved into your working directory. See Creating the base Live CD from SLAX (Create a Working Directory section).
Clean up and archive
Once you've got a working module, let's clean up a bit.
$ mkdir ./completed_modules/tcpdump
$ mv tcpdump-4.0.0 ./completed_modules/tcpdump/
$ mv temp/tcpdump-4.0.0.tar.gz completed_modules/tcpdump/
$ mv temp/tcpdump-4.0.0.tar.gz.sig completed_modules/tcpdump/
$ mv temp/install-tcpdump completed_modules/tcpdump/
$ rm -rf ./temp/*
