Is it safe to run tapped traffic directly into an isolated vm?

Hello Qubes users,
This is my first time posting. Hope I get it right.
I’ve been running Qubes on a ThinkPad T420 for the past 3-4 years.

I run Wireshark on a dedicated & isolated (no NetVM) “wireshark” VM.

The VM gets its traffic from a SharkTapUSB line-tap over a USB cable to the USB “A” bus, and that is assigned directly to the “wireshark” VM.
The tap device can receive the traffic from inside or outside my LAN
(moving it above and below my router); it has its uses.

It’s been working fine for years.
The “A” bus is only used for this VM; there is also a “B” bus.
I haven’t felt the need to link the sys-usb VM to the wireshark VM.
I’m hesitant to have it “provide network”; I only use it as a controller container.

The SharkTap site says it’s a one-way traffic port-mirroring device, so maybe it wouldn’t be a problem anyway, right?

With /rw/config, I have written scripts in the “wireshark” VM to make the SharkTap device (its Linux interface doesn’t make it appear as a transparent tap device) and Wireshark itself behave as they should. Implementing this in the disposable sys-usb seemed too messy.

My question: Is it safe to run the tapped traffic directly into the WS VM?


Welcome @todasco,
I think you will find much tolerance here, especially for interesting questions.

I am not an expert in such things, but I am pleased to discover the SharkTap devices - can you confirm it is these ones: https://www.midbittech.com/ ? They look very cool. It is interesting to see that even the enterprise-grade version may not be fully undetectable for a local observer (I think). It shows how complex such a simple idea can be.

My only thought is that if WS and its qube get “pwned”, then you would maybe not have a record of the packets which caused it. Maybe it is interesting to capture using something simple like tcpdump in one qube, and analyse in another one. Kind of “split wireshark”? [Edit: of course, I am assuming you mean “safe” for your Qubes computer… WS-vm is very exposed]

Now I will keep my not-an-expert ideas quiet - I hope to learn from better informed voices.
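One way to build the “split wireshark” suggested above, as an added example that is not from the post or from the Qubes project: the capture qube (no NetVM, tap USB device attached) runs tcpdump with time-based file rotation, and a post-rotate hook hands each finished segment to the analysis qube with qvm-copy over qrexec, so no dissector ever runs on the qube that holds the tap. The interface name `sharktap0`, the output directory and the rotation interval are assumptions.

```shell
#!/bin/sh
# Split capture/analysis helper for a Qubes capture qube. Added example, not code
# from the post or the Qubes project. Assumptions (all constructed): the tap shows
# up as interface $IFACE in this qube, tcpdump and qvm-copy are installed, and
# the dom0 qubes.Filecopy policy prompts for (or pins) the analysis qube.
set -eu

IFACE="${IFACE:-sharktap0}"                 # assumed interface name of the tap
OUTDIR="${OUTDIR:-${HOME:-/tmp}/capture}"
INTERVAL="${INTERVAL:-300}"                 # seconds of traffic per pcap segment
SNAPLEN="${SNAPLEN:-262144}"                # full frames; no dissection happens here

# Assemble the tcpdump command line (returned as a string so it can be
# inspected). -nn: never resolve names, so the capture qube issues no DNS;
# -G/-w: time-based rotation with a strftime file name; -z: post-rotate hook
# that receives the finished file as its only argument.
build_capture_cmd() {
    iface="$1"; outdir="$2"; interval="$3"; snaplen="$4"; hook="$5"
    printf 'tcpdump -nn -i %s -s %s -G %s -w %s/cap-%%Y%%m%%d-%%H%%M%%S.pcap -z %s' \
        "$iface" "$snaplen" "$interval" "$outdir" "$hook"
}

# Accept only file names produced by the rotation pattern above, so a stray
# path handed to the hook is never shipped.
is_segment_name() {
    case "$(basename "$1")" in
        cap-[0-9]*-[0-9]*.pcap) return 0 ;;
        *) return 1 ;;
    esac
}

# Hand one finished segment to the analysis qube over qrexec (qvm-copy needs
# no NetVM). Empty segments are dropped; a shipped segment is deleted locally
# so the exposed capture qube keeps no long-lived archive.
ship_segment() {
    f="$1"
    [ -s "$f" ] || { rm -f "$f"; return 0; }
    qvm-copy "$f" && rm -f "$f"
}

# Dispatch: "script run" starts the capture; tcpdump then re-invokes this
# same script with a single pcap path as the -z hook.
if [ $# -eq 1 ] && [ -f "$1" ] && is_segment_name "$1"; then
    ship_segment "$1"
elif [ "${1:-}" = "run" ]; then
    mkdir -p "$OUTDIR"
    eval "$(build_capture_cmd "$IFACE" "$OUTDIR" "$INTERVAL" "$SNAPLEN" "$(readlink -f "$0")")"
fi
```

Make the script executable and start it with `sudo ./capture.sh run`; if your tcpdump build drops privileges to its own user after opening the interface (`-Z`), that user needs write access to OUTDIR and permission to run qvm-copy.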

What is your threat model/what security goals do you want to achieve?

Wireshark had a few vulnerabilities as is expected with the huge attack surface when parsing many different data formats.

Under the assumption that your SharkTap will not be able to send packets received from the TAP port, this is the most secure setup I could think of, besides additionally converting it to a disposable.