Packet Analysis

Basics of Packet capture

Raw network traffic can be captured and stored for later analysis via a process called packet capture. This a format that captures all network traffic from a given source, and organizes it by time and packet number so that all details of the traffic, from contents to metadata, can be parseable for analysis.
Raw packet captures are a staple for security analysis since they can be a complete log source, potentially storing all traffic traversing a device/interface at a given time. This granular level of detail can provide answers that no other log source can. The drawback to packet captures, is the storage. When capturing all data from a given device/interface, the data can total to incredible volumes in a short time, which can cause issues when working with limited storage capacity.
Terms
  • PCAP - Standard file format for packet captures.
  • BPF - Stands for Berkeley Packet Filters. BPF syntax is used in packet analyzers like Wireshark to filter out specific packets from a capture during network analysis. It can also be used in a Linux terminal through tools like tcpdump.
  • Libpcap - The most common library used by other programs to read packet capture files.

Capture and Indexing

  • ​Arkime (Moloch) - Arkime augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.
  • ​Stenographer by Google - A full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
  • ​CapMe - The Web Interface for easy interaction with packet captures, located within Security Onion.
  • ​NTOP - Handy an flexible tool stack that can create packet captures, netflow logs, and network probes for recording traffic of different types.
  • ​Dumpcap - Tool included with Wireshark for simple capture of packet data and writing to a disk.
  • ​Daemon Logger - Simple packet logging & soft tap daemon.
  • ​Netsniff-ng - A fast network analyzer based on packet mmap(2) mechanisms. It can record pcap files to disc, replay them and also do an offline and online analysis.
  • Attacking Network Protocols: Ch.2 Capturing Application Traffic - pg.11

Decrypting Encrypted Packets

This can be done in a few ways:
Man-in-the-middle (MITM)

​Wireshark

The world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.

TShark

tshark - command line version of Wireshark

Basic Commands

  • #tshark -r [file]
  • #tshark -r [file] -Y [wireshark display filter]
    • The -Y options specifies a display filter to help organize packet captures and filter out specific data such as protocols or host information.
  • #tshark- r [file] -Y [wireshark display filter] -T fields -e [field]
    • You can further filter the packets using the -tfields and -e option. With these you can specify different layers of filters using Wireshark syntax. -T determines the format of the text output of tshark, -e will allow you to specify different fields of a packet to be printed.
  • #tshark -r [file] tcp.port == 80 || udp.port == 80
    • Display filters also use BPF syntax, can be applied after the capture and can be extremely useful when used correctly. Display/BPF filters use primitives in the arguments (&&, ||, !).
  • BTFM: tshark - pg. 43
  • Operator Handbook: TShark - pg.304
  • Tshark for Packet Analysis - Applied Network Security Monitoring, pg.359

Merging multiple pcap files

Note: mergecap​
1
mergecap /<directory>/*.pcap -w /<directory>/capture.pcap
Copied!

List Unique IP Sources in Pcap

1
tshark -T fields -r 'capture.pcap' -e ip.src | sort -u
Copied!

List Unique IP Sources and Destination for HTTP traffic

1
tshark -T fields -r 'capture.pcap' -e ip.src -e ip.dst -Y "http" | sort -u
Copied!

Live DNS Request and Responses on WiFi

1
tshark -i wlan0 -T fields -f "src port 53" -n -e dns.qry.name -e dns.resp.addr
Copied!

Extract All Objects/Files from Supported Protocols

Note: This will create a folder called β€˜exported’ and put the results in there
1
tshark -r 'capture.pcap' --export-objects http,exported
2
tshark -r 'capture.pcap' --export-objects dicom,exported
3
tshark -r 'capture.pcap' --export-objects imf,exported
4
tshark -r 'capture.pcap' --export-objects smb,exported
5
tshark -r 'capture.pcap' --export-objects tftp,exported
Copied!

List URIs Accessed

1
tshark -T fields -r capture.pcap -e http.host -e ip.dst -e http.request.full_uri -Y "http.request"
Copied!

Get HTTP POST Requests and Output to JSON

1
tshark -T json -r capture.pcap -Y "http.request.method == POST"
Copied!

TCPDump

TCPDump - tcpdump is a command line packet analysis tool.

Basic Commands

  • #tcpdump -r [filename.pcapng] host [IPADDRESS]
    • display all packets transferred to and from a specified IP address.
  • #tcpdump -r [filename.pcapng] -w [filename]
    • output your results into a specified file type such as csv or txt

Filtering Traffic

NGREP

Command line packet analysis tool which enables users to search for words and phrases at the network layer.
  • Basic use
    • #ngrep -I [pcapfile]
    • #ngrep -I ngrep.pcap "POST"
  • Filters - ngrep understands BPF syntax, which can be applied alongside the pattern match.
    • #ngrep -I ngrep.pcap "POST" host β€˜192.168.1.1’

Online Packet Capture Analyzers

  • ​APackets - Web utility that can analyze pcap files to view HTTP headers and data, extract transferred binaries, files, office documents, pictures.
  • ​PacketTotal - PacketTotal is an engine for analyzing, categorizing, and sharing .pcap files. The tool was built with the InfoSec community in mind and has applications in malware analysis and network forensics.

Powershell Packet Capture

PCAP collection

*Note: Script and pcap should be located under: C:\Windows\System32 or your user directory.
1
Invoke-Command -ScriptBlock {ipconfig} -Session $s1
2
​
3
Invoke-Command -ScriptBlock {
4
$url = "https://raw.githubusercontent.com/nospaceships/raw-socket-sniffer/master/raw-socket-sniffer.ps1"
5
Invoke-WebRequest -Uri $url `
6
-OutFile "raw-socket-sniffer.ps1"
7
PowerShell.exe -ExecutionPolicy bypass .\raw-socket-sniffer.ps1 `
8
-InterfaceIp "[RemoteIPv4Address]
9
-CaptureFile "capture.cap"
10
} -Session $s1
Copied!

Other Tools

  • ​Brim - Desktop application to efficiently search large packet captures and Zeek logs.
  • ​BruteShark - BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files, but it also capable of directly live capturing from a network interface). It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack.
  • ​Net-creds - Sniffs sensitive data from interface or pcap
  • ​PCredz - This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
  • ​chaosreader - Chaosreader traces TCP/UDP/others sessions and fetches application data from snoop or tcpdump logs (or other libpcap compatible programs). This is a type of β€œany-snarf” program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG etc) and SMTP emails from the captured data inside network traffic logs.
  • ​PacketTotal β€” .pcap files (Packet Capture of network data) search engine and analyze tool. Search by URL, IP, file hash, network indicator, view timeline of dns-queries and http-connections, download files for detailed analyze.

Resources

​