Is it safe to run tapped traffic directly into an isolated vm?

Hello Qubes users,
This is my first time posting. Hope I get it right.
I’ve been running Qubes on a ThinkPad T420 for the past 3~4 years.

I run Wireshark on a dedicated & isolated (no NetVM) “wireshark” VM.

The VM gets its traffic from a SharkTapUSB line-tap over a USB cable to the USB “A” bus, and that is assigned directly to the “wireshark” VM.
The tap device can receive the traffic from inside or outside my LAN
(moving it above and below my router); it has its uses.

It’s been working fine for years.
The “A” bus is only used for this VM; there is also a “B” bus.
I haven’t felt the need to link the sys-usb VM to the wireshark VM.
I’m hesitant to have it “provide network”, I only use it as a controller container.

The SharkTap site says it’s a one-way port-mirroring device, so maybe it wouldn’t be a problem anyway, right?

With /rw/config, I have written scripts in the “wireshark” VM to make the SharkTap device (its Linux interface doesn’t make it appear as a transparent tap device), and Wireshark itself, behave as they should. Implementing this in the disposable sys-usb seemed too messy.

My question: Is it safe to run the tapped traffic directly into the WS VM?

Welcome @todasco,
I think you will find much tolerance here, especially for interesting questions.

I am not an expert in such things, but I am pleased to discover the SharkTap devices - can you confirm it is these ones: https://www.midbittech.com/ ? They look very cool. It is interesting to see that even the enterprise-grade version may not be fully undetectable for a local observer (I think). It shows how complex such a simple idea can be.

My only thought is that if WS and its qube get “pwned”, then you would maybe not have a record of the packets which caused it. Maybe it is interesting to capture using something simple like tcpdump in one qube, and analyse in another one. Kind of “split wireshark”? [Edit: of course, I am assuming you mean “safe” for your Qubes computer… WS-vm is very exposed]

Now I will keep my not-an-expert ideas quiet - I hope to learn from better informed voices.

What is your threat model/what security goals do you want to achieve?

Wireshark had a few vulnerabilities, as is expected with the huge attack surface of parsing many different data formats.

Under the assumption that your SharkTap will not be able to send packets received from the TAP port, this is the most secure setup I could think of, besides additionally converting it to a disposable.

@phceac: Yessir, that is the model of said title. SharkTapUSB.
I bought it ~4 years ago, for $100, now it’s $269. Rock solid, portable.

I like tapping “above” the router to keep an eye on the synners (scanners).
BTW, your read of “may not be fully undetectable” is a bit of an understatement.
It’s supposedly transparent, but I spent a long time configuring the interface that my Debian Linux put up for it. It was hardly “transparent”.

I stopped all the IPv6 chatter through /proc/sys/net.
Using /rw/config scripts I changed its MAC to a listed OUI, not an invalid random one,
zeroed out the hostname, and more… it’s just a tap; why does it need to talk?
I verified its transparency watching the system boot in Wireshark.
Not sure if SharkTap was creating all the noise or Linux (by way of the interface).

It still comes up on ip / ifconfig, but it’s quiet now.
I love Wireshark, I live on it :slight_smile:

I did have some trouble with that last Qubes update/upgrade (4.2.2 → 4.2.4):
couldn’t finish booting the WS VM if any of the USB controllers were attached.
Turned out to be a Xen bug; Qubes/Marek had a patch. Fixed it (2-3 reboots :slight_smile:)
I’m prolly not one of the “better informed voices”. Just an old carpenter that found a new tool box {:~ ]
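One way to script what this post describes, as an added example that is not from the thread or from Qubes: a /rw/config/rc.local fragment that quiets the tap’s Linux interface (no IPv6, no ARP, no address, fixed MAC) and, for the “split wireshark” idea suggested above, writes rotating pcaps that can be copied to a separate analysis qube. The interface name, MAC and capture directory are placeholders I chose, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example for a capture-only qube (not the thread author's script).
# Assumptions: the tap shows up as $TAP_IFACE, TAP_MAC is a constructed
# placeholder, and DRY_RUN=1 prints commands instead of running them.

TAP_IFACE="${TAP_IFACE:-eth1}"
TAP_MAC="${TAP_MAC:-00:11:22:33:44:55}"     # constructed placeholder MAC
CAP_DIR="${CAP_DIR:-/home/user/captures}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Make the capture interface silent: it should listen, never transmit.
quiet_tap_iface() {
    iface="$1"; mac="$2"
    # Keep NetworkManager from running DHCP on it, if NM is installed.
    if command -v nmcli >/dev/null 2>&1; then
        run nmcli device set "$iface" managed no
    fi
    run sysctl -w "net.ipv6.conf.$iface.disable_ipv6=1"   # no RS/ND/MLD chatter
    run ip link set dev "$iface" down
    run ip link set dev "$iface" address "$mac"            # change MAC while down
    run ip addr flush dev "$iface"                          # no IPv4 address, no ARP
    run ip link set dev "$iface" arp off multicast off promisc on
    run ip link set dev "$iface" up
}

# Headless capture for the "split wireshark" idea: a new pcap every hour,
# to be qvm-copy'd to an analysis qube later.
start_capture() {
    iface="$1"; dir="$2"
    run mkdir -p "$dir"
    run tcpdump -i "$iface" -nn -U -G 3600 -w "$dir/tap-%Y%m%d-%H%M%S.pcap"
}

# Only act when installed as rc.local; sourcing the file just defines functions.
case "${0##*/}" in
    rc.local)
        quiet_tap_iface "$TAP_IFACE" "$TAP_MAC"
        start_capture "$TAP_IFACE" "$CAP_DIR" &
        ;;
esac
```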

@HardcodedNonce,

Re threat models / goals. I gave it some thought, and to arrive at specific values and labels for these murky metrics is harder than I expected.

There is likely some specific targeting at a low level, requiring physical security improvements and some at rest encryption.

At the corp level the CIA triad is all I can reasonably reference. Non-specific, but with orgs like Palantir & Axis entering the fray with their 24-7, super granular, specifically tuned AI models, tossing your cookies could slide you into the crosshairs.

I have just finished browsing the “fingerprint.com” website. They actively seek out and enumerate ANY privacy enhancing feature, VM implementation, or “browser tampering” in a user or visitor’s browser, app, etc.

With AI assisted rotating memberships in global scale anonymity pools, and semantically coherent 2nd level Encryption algos, we just might barely stay out from under.

Re Wireshark. Both you and @phceac are right, it is completely exposed.
The SharkTapUSB device sits upstream from the router (usually). I suppose an upstream firewall blocking All Inbound → device, but allowing All Forwarding → LAN, might be helpful to protect the device itself.
I haven’t been able to find anything on its firmware.

Found a CVE for an MS proto on my 4.0.17 Wireshark version.
What’re you gonna do. It’s already patched.
Yeah, disposable is probably prudent. I’ll copy the scripts into a dvm template.

I appreciate your input.