Welcome to Russells-World

Remote TCPDUMP

PROLOGUE



One of the WCTF SDR challenges at Shmoocon 2014 involved decoding an ICMP packet that had been converted into base64. The end goal is live tcpdump capture received over SDR, with PiFM as the transmitter, much like a remote bug would work. In preparation for future cons, here is how you can replicate something simple for now.
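The decoding step that challenge asked for is, in essence, base64 → raw bytes → ICMP header fields. The following Python is an added example (not from the post or from the challenge) that parses such a packet and verifies its RFC 1071 checksum; the sample packet, its identifier, sequence number and "flag{example}" payload are constructed here as placeholders, not the actual WCTF packet.

```python
import base64
import struct

# Minimal ICMP type names, enough to label the common cases.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int, seq: int) -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp_b64(b64: str) -> dict:
    """Decode a base64 ICMP message; return header fields, payload and checksum status."""
    raw = base64.b64decode(b64)
    if len(raw) < 8:
        raise ValueError("too short to hold an 8-byte ICMP header")
    icmp_type, code, stored, ident, seq = struct.unpack("!BBHHH", raw[:8])
    # Recompute over the packet with the checksum field zeroed; it must equal the stored value.
    zeroed = raw[:2] + b"\x00\x00" + raw[4:]
    payload = raw[8:]
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "other"),
        "code": code,
        "checksum": stored,
        "checksum_ok": icmp_checksum(zeroed) == stored,
        "id": ident,
        "seq": seq,
        "payload": payload,
        "payload_text": payload.decode("ascii", errors="replace"),
    }


# Constructed sample (placeholder, not the real challenge packet): an echo request whose
# payload is the ASCII string "flag{example}", base64-encoded the way the challenge showed it.
SAMPLE_B64 = base64.b64encode(build_echo_request(b"flag{example}", 0x1234, 1)).decode()

# The same packet with one payload bit flipped, to show the checksum catching corruption.
_damaged = bytearray(base64.b64decode(SAMPLE_B64))
_damaged[-1] ^= 0x01
CORRUPTED_B64 = base64.b64encode(bytes(_damaged)).decode()

if __name__ == "__main__":
    for label, b64 in (("good", SAMPLE_B64), ("corrupted", CORRUPTED_B64)):
        info = parse_icmp_b64(b64)
        print(label, info["type_name"], "id=%#x seq=%d" % (info["id"], info["seq"]),
              "checksum_ok=%s" % info["checksum_ok"], repr(info["payload_text"]))
```

Checking the checksum before trusting the payload is the step worth keeping: a base64 blob that decodes to plausible-looking text but fails RFC 1071 was either mangled in transit or is not really the ICMP message it claims to be.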

Tools Needed



  1. A Raspberry Pi with pifm loaded. Get pifm here: http://www.icrobotics.co.uk/wiki/index.php/Turning_the_Raspberry_Pi_Into_an_FM_Transmitter
  2. A nice box for your pi: http://www.amazon.com/gp/product/B00CJSOYMG/ref=oh_details_o07_s01_i00?ie=UTF8&psc=1
  3. A respectable antenna to connect: http://www.amazon.com/gp/product/B0083Y3L2O/ref=oh_details_o00_s00_i01?ie=UTF8&psc=1
  4. The commands:
     # install tcpdump and minimodem
     sudo apt-get install tcpdump minimodem
     # capture for 10 seconds, modulate the ASCII dump as 8-N-1 at 1200 baud into send.wav, then transmit it on 80.0 MHz
     # (minimodem writes 48000 Hz audio by default while pifm assumes 22050 Hz 16-bit mono; add -R 22050 to minimodem if the tones come out at the wrong speed)
     sudo timeout 10 tcpdump -A 'port not 22' | minimodem --tx -8 1200 -f send.wav && sudo /home/pi/pifm send.wav 80.0
     # stop transmitting by playing an empty file
     touch /tmp/empty && sudo /home/pi/pifm /tmp/empty




What’s Happening



Here, we’re simply capturing all the ASCII text that tcpdump has grabbed, feeding it to minimodem and then transmitting the result. Simple enough. For reception, and if you’re lame like me (using Ubuntu), you can use the following commands to demodulate it.

# find the monitor source of the default output, i.e. whatever the SDR receiver is playing
sudo pavucontrol &
MONITOR=$(pactl list | grep -A2 '^Source #' | grep 'Name: .*\.monitor$' | awk '{print $NF}' | tail -n1)
# record the monitor as 48 kHz mono s16le (the format sox is told to expect), wrap it as WAV and demodulate
parec -d "$MONITOR" --format=s16le --rate=48000 --channels=1 | sox -traw -r48k -es -b16 -c1 -V1 - -twav - | minimodem --rx -8 1200 -f -
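To make sense of the `-8 1200` arguments on both ends: minimodem's `-8` mode sends each byte as a standard UART 8-N-1 character (one start bit, eight data bits LSB first, one stop bit) at 1200 baud, so every byte costs ten bit-times. The Python below is an added example, not code from the post or from minimodem, that frames and recovers a constructed fragment of `tcpdump -A` output the way a UART receiver does and works out how long the resulting audio lasts; the sample dump lines are made up, not real traffic.

```python
BAUD = 1200            # the baud mode passed to minimodem
BITS_PER_CHAR = 10     # 8-N-1: start bit + 8 data bits + stop bit

# Constructed stand-in for a few lines of `tcpdump -A` output (not real traffic).
SAMPLE_DUMP = (
    "12:00:01.000000 IP 10.0.0.5.54321 > 10.0.0.1.80: Flags [P.], length 37\n"
    "E..M..@.@...\n"
    "GET / HTTP/1.1\r\nHost: lab.example\r\n\r\n"
).encode()


def frame_8n1(data: bytes) -> list:
    """Serialize bytes as 8-N-1 frames: start bit 0, eight data bits LSB first, stop bit 1."""
    bits = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def deframe_8n1(bits: list) -> bytes:
    """Recover bytes from a bit stream the way a UART receiver does.

    Idle (1) bits are skipped until a start bit (0) appears. A frame whose stop bit is
    not 1 is a framing error, so the receiver slips one bit and hunts again. A frame
    cut off by the end of the stream is discarded rather than guessed at."""
    out = bytearray()
    i, n = 0, len(bits)
    while i < n:
        if bits[i] == 1:             # idle line or stop bit: keep hunting for a start bit
            i += 1
            continue
        if i + BITS_PER_CHAR > n:    # truncated final frame
            break
        if bits[i + 9] != 1:         # bad stop bit: framing error, resynchronize
            i += 1
            continue
        byte = 0
        for k in range(8):           # data bits arrive LSB first
            byte |= bits[i + 1 + k] << k
        out.append(byte)
        i += BITS_PER_CHAR
    return bytes(out)


def airtime_seconds(num_bytes: int, baud: int = BAUD) -> float:
    """Duration of minimodem's audio for num_bytes: ten bit-times per byte at the given baud rate."""
    return num_bytes * BITS_PER_CHAR / baud


if __name__ == "__main__":
    bits = frame_8n1(SAMPLE_DUMP)
    assert deframe_8n1([1] * 16 + bits) == SAMPLE_DUMP   # survives leading idle bits
    print("%d bytes -> %d bits -> %.2f s of audio at %d baud"
          % (len(SAMPLE_DUMP), len(bits), airtime_seconds(len(SAMPLE_DUMP)), BAUD))
    # A busy 10-second capture is easily tens of kilobytes of -A text, i.e. minutes of tones.
    print("20 kB of dump text would take %.0f s to send" % airtime_seconds(20000))
```

The airtime figure is the practical constraint here: at 1200 baud the link moves 120 bytes per second, so send.wav for a ten-second capture on a busy interface plays for far longer than ten seconds, and any byte whose start or stop bit is lost in the FM path is dropped by the receiver rather than corrected.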



Stay tuned for an all-in-one script and an eventual app. Here’s a hint of what’s working in my head.

# a named pipe lets tcpdump stream packets to minimodem as they arrive instead of capturing in 10-second chunks
mkfifo /tmp/tcpdumper
# -w emits binary pcap rather than text, so the receiver saves minimodem's output to a file and reads it back with tcpdump -r
sudo tcpdump -s0 -U -n -w /tmp/tcpdumper 'not port 22' &
cat /tmp/tcpdumper | minimodem --tx -8 1200 -f send.wav