Raw network traffic can be captured and stored for later analysis via a process called packet capture. The resulting file format records all network traffic seen at a given source and orders it by time and packet number, so that every detail of the traffic, from payload contents to metadata, can be parsed for analysis.
Raw packet captures are a staple of security analysis because they can be a complete log source, potentially storing all traffic traversing a device/interface at a given time. This granular level of detail can answer questions that no other log source can. The drawback to packet captures is storage: when capturing all data from a given device/interface, the data can reach enormous volumes in a short time, which causes problems when storage capacity is limited.
PCAP - Standard file format for packet captures.
BPF - Stands for Berkeley Packet Filter. BPF syntax is the capture-filter syntax used by packet analyzers like Wireshark to select specific packets from a capture during network analysis. It can also be used in a Linux terminal through tools like tcpdump.
Libpcap - The most common library used by other programs to read packet capture files.
Arkime (Moloch) - Arkime augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.
Stenographer by Google - A full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
CapMe - Web interface, bundled with Security Onion, for easy interaction with packet captures.
NTOP - Handy and flexible tool stack that can create packet captures, NetFlow logs, and network probes for recording traffic of different types.
Dumpcap - Tool included with Wireshark for simple capture of packet data and writing to a disk.
Wireshark - The world's foremost and widely-used network protocol analyzer. It lets you see what's happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.
You can further refine tshark's output using the -T fields and -e options. With these you can pull out fields from different protocol layers using Wireshark's field names. -T sets the format of tshark's text output (fields prints only the requested fields, tab-separated by default), and -e names each packet field to be printed, for example ip.src.
TCPDump for NSM Analysis - Applied Network Security Monitoring, pg.355
ngrep - Command line packet analysis tool which enables users to search packet payloads for words and phrases, in the style of grep, at the network layer.
# ngrep -I [pcapfile]
# ngrep -I ngrep.pcap "POST"
Filters - ngrep understands BPF syntax, which can be applied alongside the pattern match.
# ngrep -I ngrep.pcap "POST" host '192.168.1.1'
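As an added example (not code from the page or from any tool listed on it), the Python below reads the classic pcap layout described at the top of the page (a global header, then a timestamped record per packet), pulls the same ip.src/ip.dst fields that tshark's -T fields -e would print, and applies an ngrep-style pattern match with an optional BPF-style host filter. The capture it searches is constructed inline and all function names are my own.

```python
import struct
def build_pcap(records, linktype=1):
    # Classic libpcap file: 24-byte global header, then a 16-byte record header per frame.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    # Yield (packet number, timestamp, frame); byte order and tick unit come from the magic.
    magic = struct.unpack("<I", data[:4])[0]
    fmt = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),            # microsecond files
           0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}.get(magic)  # nanosecond files
    if fmt is None:
        raise ValueError("not a pcap file (bad magic)")
    endian, div, off, num = fmt[0], fmt[1], 24, 1
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError(f"record {num} is truncated")  # capture stopped mid-record
        yield num, ts_sec + ts_frac / div, frame
        off, num = off + 16 + incl_len, num + 1

def ipv4_hosts(frame):
    # Same fields as `tshark -T fields -e ip.src -e ip.dst`; None for non-IPv4 frames.
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType 0x0800 = IPv4
        return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))

def ngrep_like(data, pattern, host=None):
    # ngrep-style search: packets containing `pattern`, optionally limited to BPF-style `host X`.
    hits = []
    for num, _ts, frame in read_pcap(data):
        hosts = ipv4_hosts(frame)
        if pattern in frame and (host is None or (hosts is not None and host in hosts)):
            hits.append((num, hosts))
    return hits

def _frame(src, dst, payload):
    # Constructed sample frame: Ethernet + minimal IPv4 + UDP headers (checksums left zero).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, 80, 8 + len(payload), 0) + payload

# Constructed sample capture: three packets, two of them HTTP POSTs from different hosts.
SAMPLE_PCAP = build_pcap([
    (1700000000, 0, _frame("192.168.1.1", "10.0.0.5", b"POST /login HTTP/1.1")),
    (1700000000, 500000, _frame("10.0.0.5", "192.168.1.1", b"HTTP/1.1 200 OK")),
    (1700000001, 0, _frame("192.168.1.7", "10.0.0.5", b"POST /upload HTTP/1.1")),
])
```

`ngrep_like(SAMPLE_PCAP, b"POST", host="192.168.1.1")` mirrors the ngrep command above and returns only packet 1; a capture cut short mid-record raises instead of silently yielding a partial frame.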
Online Packet Capture Analyzers
APackets - Web utility that analyzes pcap files to view HTTP headers and data and to extract transferred files (binaries, office documents, pictures).
PacketTotal - PacketTotal is an engine for analyzing, categorizing, and sharing .pcap files. The tool was built with the InfoSec community in mind and has applications in malware analysis and network forensics.
PowerShell Packet Capture
*Note: Script and pcap should be located under: C:\Windows\System32 or your user directory.
Brim - Desktop application to efficiently search large packet captures and Zeek logs.
BruteShark - BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files, but it is also capable of capturing live from a network interface). It includes extracting passwords, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to Hashcat format in order to perform an offline brute-force attack.
Net-creds - Sniffs sensitive data from an interface or a pcap.
PCredz - This tool extracts credit card numbers and credentials (NTLM over DCE-RPC, HTTP, SQL, LDAP, etc.; Kerberos AS-REQ Pre-Auth etype 23; HTTP Basic; SNMP; POP; SMTP; FTP; IMAP; etc.) from a pcap file or from a live interface.
chaosreader - Chaosreader traces TCP/UDP/other sessions and fetches application data from snoop or tcpdump logs (or those of other libpcap-compatible programs). It is a type of "any-snarf" program: it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, etc.) and SMTP emails from the captured data inside network traffic logs.
PacketTotal - Search engine and analysis tool for .pcap files (packet captures of network data). Search by URL, IP, file hash or network indicator, view a timeline of DNS queries and HTTP connections, and download files for detailed analysis.