Packet Analysis
Basics of Packet capture
Raw network traffic can be captured and stored for later analysis through a process called packet capture. The resulting capture records all network traffic seen from a given source and organizes it by time and packet number, so that every detail of the traffic, from packet contents to metadata, is parseable for analysis.
Raw packet captures are a staple of security analysis because they can be a complete log source, potentially storing all traffic traversing a device or interface over a given time window. This granular level of detail can provide answers that no other log source can. The drawback of packet captures is storage: when capturing all data from a device or interface, the volume can grow enormous in a short time, which becomes a problem when storage capacity is limited.
Terms
PCAP - Standard file format for packet captures.
BPF - Stands for Berkeley Packet Filter. BPF syntax is used in packet analyzers like Wireshark to filter for specific packets from a capture during network analysis. It can also be used in a Linux terminal through tools like tcpdump.
Libpcap - The most common library used by other programs to capture traffic and read packet capture files.
Capture and Indexing Tools
Decrypting Encrypted Packets
PCAP Analysis Tools
Wireshark
The world's foremost and widely-used network protocol analyzer. It lets you see what's happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions.
TShark
Command-line version of Wireshark.
TCPDump
A command line packet analysis tool.
NGREP
Command-line packet analysis tool that lets users search captured traffic for words and phrases, in the style of grep.
Basic use
#ngrep -I [pcapfile]
#ngrep -I ngrep.pcap "POST"
Filters - ngrep understands BPF syntax, which can be applied alongside the pattern match.
#ngrep -I ngrep.pcap "POST" host 192.168.1.1
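To make two ideas from this page concrete, the libpcap file layout named in the Terms section (global header, then per-packet records carrying a timestamp and length, so packets can be numbered and ordered by time) and ngrep's combination of a payload pattern with a BPF-style host filter, here is an added Python example. It is not code from this page, from ngrep or from libpcap. The capture bytes are constructed inline (sample addresses 192.168.1.1, 192.168.1.2 and 10.0.0.5 are made up), the decoder handles only Ethernet/IPv4/TCP frames, and the `host` argument is a simplified stand-in for the BPF `host` primitive.

```python
"""Minimal libpcap (.pcap) reader with an ngrep-style payload search.

Added example for this page; not code from the page, ngrep or libpcap.
The capture is constructed inline with struct so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    number: int        # 1-based packet number, as Wireshark displays it
    timestamp: float   # seconds since the epoch (ts_sec + ts_usec / 1e6)
    src: str
    dst: str
    proto: int
    payload: bytes


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Parse a classic libpcap file held in memory and yield decoded packets."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written on a big-endian host
    else:
        raise ValueError("not a libpcap file (bad magic)")
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset, number = 24, 0
    while offset + 16 <= len(data):
        # 16-byte record header: ts_sec, ts_usec, captured length, original length
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        number += 1
        pkt = _decode_ethernet_ipv4(number, ts_sec + ts_usec / 1e6, frame)
        if pkt is not None:
            yield pkt


def _decode_ethernet_ipv4(number: int, ts: float, frame: bytes) -> Optional[Packet]:
    """Decode Ethernet + IPv4 (+ TCP) headers; non-IPv4 frames are skipped here."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        payload = l4[(l4[12] >> 4) * 4:]      # skip TCP header (data offset field)
    else:
        payload = l4
    return Packet(number, ts, src, dst, proto, payload)


def grep(packets, pattern: bytes, host: Optional[str] = None) -> List[Packet]:
    """ngrep-style search: byte pattern in payload plus an optional BPF-like host filter."""
    return [p for p in packets
            if pattern in p.payload and (host is None or host in (p.src, p.dst))]


# ---- constructed sample capture (made-up addresses, not real traffic) -------
def _tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        (1700000000, 0, _tcp_frame("192.168.1.1", "10.0.0.5", 51000, 80, b"POST /login HTTP/1.1\r\n")),
        (1700000000, 250000, _tcp_frame("10.0.0.5", "192.168.1.1", 80, 51000, b"HTTP/1.1 200 OK\r\n")),
        (1700000001, 0, _tcp_frame("192.168.1.2", "10.0.0.5", 51001, 80, b"POST /upload HTTP/1.1\r\n")),
    ]
    records = b"".join(struct.pack("<IIII", s, us, len(f), len(f)) + f for s, us, f in frames)
    return header + records


if __name__ == "__main__":
    pkts = list(read_pcap(build_sample_pcap()))
    # Equivalent of: ngrep -I sample.pcap "POST" host 192.168.1.1
    for p in grep(pkts, b"POST", host="192.168.1.1"):
        print(f"#{p.number} {p.timestamp:.6f} {p.src} -> {p.dst} {p.payload!r}")
```

Running the script prints only packet 1: packet 3 also carries "POST" but neither of its endpoints is 192.168.1.1, which is exactly what the BPF `host` filter on the ngrep command line excludes. Real captures use `pcapng` as often as the classic format shown here; libpcap-based tools read both.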
Online Packet Capture Analyzers
APackets - Web utility that analyzes pcap files to view HTTP headers and data and to extract transferred binaries, files, office documents and pictures.
PacketTotal - PacketTotal is an engine for analyzing, categorizing, and sharing .pcap files. The tool was built with the InfoSec community in mind and has applications in malware analysis and network forensics.
Powershell Packet Capture
PCAP collection
*Note: The script and the resulting pcap should be located under C:\Windows\System32 or your user directory.
Other Tools
Brim - Desktop application to efficiently search large packet captures and Zeek logs.
BruteShark - BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files, but it is also capable of capturing live from a network interface). It includes password extraction, building a network map, reconstructing TCP sessions, and extracting hashes of encrypted passwords and converting them to Hashcat format for offline brute-force attacks.
Net-creds - Sniffs sensitive data from an interface or pcap.
PCredz - This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface.
chaosreader - Chaosreader traces TCP/UDP/other sessions and fetches application data from snoop or tcpdump logs (or those of other libpcap-compatible programs). This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, etc.) and SMTP emails from the captured data inside network traffic logs.
PacketTotal - Search engine and analysis tool for .pcap files (packet captures of network data). Search by URL, IP, file hash or network indicator, view a timeline of DNS queries and HTTP connections, and download files for detailed analysis.
NetworkMiner - NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
Resources
SANS cheatsheets for analyzing packet captures - https://wiki.sans.blue/#!Packets.md
Hack-the-box Packet Analysis Course - https://academy.hackthebox.eu/course/preview/intro-to-network-traffic-analysis
Packet Analysis - Applied Network Security Monitoring, pg.341