Monitor Phone Packets

Posted on February 1, 2015
Tags: hackhard

1 Monitoring Phone packets

1.1 On router

  • ~/phonePCAP/
    • scrape
    • close
    • sendfile
    • capfile0
#!/bin/sh
# Capture traffic to/from the phone on igb1 into a ring of rotating pcap
# files (-C 1G: roll over at 1 GB, -W 10: keep at most ten files, then
# overwrite the oldest).  Files land in /root/phonePCAP as capfile<N>.
capture_if="igb1"
phone_ip="192.168.1.101"
out_prefix="/root/phonePCAP/capfile"

tcpdump -i "$capture_if" host "$phone_ip" -W 10 -C 1G -w "$out_prefix"
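#!/bin/sh
# Ship the first capture file to the collection server as a tar stream.
#
# cron does not start this script in /root/phonePCAP, so the relative
# ./capfile0 below was not found when run from the crontab; change into
# the capture directory first and stop if that fails.
cd /root/phonePCAP || exit 1

# Plain tar over nc: cleartext and unauthenticated, so the receiver must sit
# on the same trusted LAN segment as the router.
tar cv ./capfile0 | nc 192.168.1.245 7676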
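#!/bin/sh
# Stop the capture before sendfile runs so capfile0 is not being written
# while it is tarred.

# pkill -f matches the pattern against the full command line (as a regex,
# so '.' matches any character).  Stop the scrape wrapper first.
pkill -f ./scrape

# Match the exact capture command scrape starts rather than every tcpdump
# on the host, so an unrelated capture is not killed as collateral.
pkill -f 'tcpdump -i igb1 host 192.168.1.101'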
# Router crontab (root): stop the capture, ship it, then start a fresh one.
# 07:58 - kill scrape/tcpdump so capfile0 is quiescent
58      7       *       *       *       /root/phonePCAP/close
# 07:59 - tar capfile0 to the server (the server's ncServer listens at 07:58)
59      7       *       *       *       /root/phonePCAP/sendfile
# 08:00 - start the next day's capture
0       8       *       *       *       /root/phonePCAP/scrape

1.2 On Server

  • ~/0PhonePackets/
    • ncServer
    • 2022-09-22-11./
      • capfile0
    • 2022-09-23-11./
      • capfile0
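#!/bin/zsh
# Receive one tar stream from the router on TCP 7676 and unpack it into a
# directory named after the current hour (e.g. 2022-09-22-11./capfile0).
#
# cron starts this script in the caller's home directory, not in the archive
# directory, so the extracted files ended up one level too high; change into
# the archive directory first and stop if that fails.
cd /home/rhel/0PhonePackets || exit 1

# The tar --transform prefixes every member name with this stamp.
stamp=$(date '+%Y-%m-%d-%H')

# NOTE(review): the listener is unauthenticated and takes the first
# connection from any host.  Limiting it to the router's address
# (ncat --allow <ROUTER_IP placeholder>, or a host firewall rule) keeps
# other LAN hosts from injecting an archive here.
ncat -l -p 7676  | tar xv --transform "s,^,$stamp,"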
58 7 * * * timeout 120s /home/rhel/0PhonePackets/ncServer

2 Manually

from server

timeout 20s ./ncServer

from router

./sendfile

3 Scripts

3.1 Sizelimit sends to tftp server

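#!/bin/sh
# Once the capture file exceeds SIZELIM bytes, push it to the TFTP server,
# empty it, and restart tcpdump into it.
#
# tftp is cleartext and unauthenticated; SERVER_IP must be on the same
# trusted LAN segment as the router.

SERVER_IP="192.168.1.243"
THEFILE="capfile.pcap"
PHONE_IP="192.168.1.101"
INTERFACE="igb1"
CLIENTDIR="$HOME/phonePCAP"
SIZELIM=3 #in bytes; 1000000 byte is 1MB
# NOTE(review): tcpdump -C takes a size in millions of bytes (newer releases
# also accept k/m/g suffixes); confirm the installed tcpdump accepts "10B".
DUMPLIM="10B" #ideally less than file sizelim

CAPTURE="$CLIENTDIR/$THEFILE"

# stat -f%z is the BSD stat format (GNU stat would be -c%s).  Test for the
# file first: previously a missing file made stat fail and the comparison
# error out instead of reaching the else branch.
if [ -f "$CAPTURE" ] && [ "$(stat -f%z "$CAPTURE")" -gt "$SIZELIM" ]; then
    echo "$THEFILE file exists and is greater than $SIZELIM"

    # Using tftp to put the CA file to server 192.168.1.243
    ( echo put "$CAPTURE" "$THEFILE" ) | tftp "$SERVER_IP"

    # Check if tftp put completed successfully.
    # NOTE(review): the tftp client's exit status only reports that the
    # command itself ran; a rejected put may still return 0.  Do not wipe
    # the capture when the client clearly failed.
    if [ $? -ne 0 ]; then
        echo "tftp put to $SERVER_IP failed; keeping $THEFILE" >&2
        exit 1
    fi
    echo "File transfer completed successfully."

    # Empty the CA file
    truncate -s 0 "$CAPTURE"

    # Start tcpdump in the background.  Without '&' the script blocked here
    # for as long as tcpdump ran and $! below never held its PID.
    tcpdump -i "$INTERFACE" host "$PHONE_IP" -C "$DUMPLIM" -w "$CAPTURE" &

    # Store the PID of tcpdump process
    echo $! > /var/run/tcpdump.pid

else
    echo "$THEFILE file either does not exist or is not greater than $SIZELIM"
fi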

3.2 Duration sends to tftp server

  • igb0 is the igb interface on your LAN side
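#!/bin/sh
# Stop the running capture, push the capture file to the TFTP server, empty
# it, and capture again for DURATION.  Meant to be launched from the rc.d
# service, so nothing from an interactive environment is assumed.
#
# tftp is cleartext and unauthenticated; SERVER_IP must be on the same
# trusted LAN segment as the router.

SERVER_IP="192.168.1.243"
THEFILE="capfile.pcap"
PHONE_IP="192.168.1.101"
INTERFACE="igb0"
MYHOME="/root" #rc.d service runs as its own user so it won't always be $HOME
CLIENTDIR="$MYHOME/phonePCAP"
#SIZELIM=3 #in bytes; 1000000 byte is 1MB
#DUMPLIM="10B" #ideally less than file sizelim
DURATION="1800s" #in seconds

CAPTURE="$CLIENTDIR/$THEFILE"

# Stop whatever is still writing the capture file before it is shipped.
# NOTE(review): '-f tcpdump' matches every tcpdump on the host; narrow the
# pattern if other captures run here.
pkill -f tcpdump

# Using tftp to put the CA file to server 192.168.1.243
( echo put "$CAPTURE" "$THEFILE" ) | tftp "$SERVER_IP"

# NOTE(review): the tftp client's exit status does not reliably reflect a
# failed put, so this message is unconditional, as before.
echo "File transfer completed successfully."

# Empty the CA file
truncate -s 0 "$CAPTURE"

# Start tcpdump for DURATION.  It is backgrounded so that $! is set; the
# foreground form left $! empty and wrote an empty pidfile.  The PID is the
# timeout wrapper's (it is expected to forward TERM to tcpdump - confirm on
# the target host).  wait keeps the script blocking for the whole window,
# as it did before.
timeout "$DURATION" tcpdump -i "$INTERFACE" host "$PHONE_IP" -W 1 -w "$CAPTURE" -q &

# Store the PID of tcpdump process
echo $! > /var/run/tcpdump.pid
wait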
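#!/bin/sh

# PROVIDE: monPhoneService
# REQUIRE: LOGIN
# KEYWORD: monPhone
#
# FreeBSD rc.d wrapper that runs the monPhone capture script in the
# background and tracks the wrapper shell through a pidfile.

. /etc/rc.subr

name="monPhoneService"
rcvar="monPhoneService_enable"

# Adjust the path to your script.
# rc.d does not run with the capture user's environment, so $HOME is not a
# reliable prefix here (the capture script itself hard-codes /root for the
# same reason); use the absolute path.
command="/root/phonePCAP/monPhone"
pidfile="/var/run/${name}.pid"

start_cmd="${name}_start"
stop_cmd="${name}_stop"
restart_cmd="${name}_restart"

# Launch the capture script in the background and record the shell's PID.
monPhoneService_start() {
    echo "Starting ${name}."
    /bin/sh "${command}" &
    echo $! > "${pidfile}"
}

# Signal the recorded shell and remove the pidfile.  Tolerate a missing
# pidfile (e.g. stop after a failed start) instead of calling kill with no
# argument.
# NOTE(review): only the wrapper shell is signalled; a tcpdump it started
# may outlive it - confirm on the target host.
monPhoneService_stop() {
    echo "Stopping ${name}."
    if [ -r "${pidfile}" ]; then
        kill "$(cat "${pidfile}")"
    fi
    rm -f "${pidfile}"
}

monPhoneService_restart() {
    ${name}_stop
    ${name}_start
}

load_rc_config $name
run_rc_command "$1"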
# Enable the service in rc.conf, start it, then list services to confirm.
sysrc monPhoneService_enable="YES"
service monPhoneService start
# -e lists enabled services
service -e
#show service enabled
# -l lists all rc.d scripts
service -l
#show service running