F:\>"c:\Program Files\Wireshark\capinfos.exe" ben-owa-test.pcap
File name: ben-owa-test.pcap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Packet size limit: file hdr: 65535 bytes
Number of packets: 1623
File size: 735037 bytes
Data size: 709045 bytes
Capture duration: 63 seconds
Start time: Wed Nov 16 15:29:57 2011
End time: Wed Nov 16 15:31:00 2011
Data byte rate: 11336.22 bytes/sec
Data bit rate: 90689.74 bits/sec
Average packet size: 436.87 bytes
Average packet rate: 25.95 packets/sec
SHA1: b511f6faddfdbf2f521ee26490299b2c991a9655
RIPEMD160: cd5bda6585fe341f6ee57837102d9e7081e1c913
MD5: 8fef9dcedabcc5b0c1137ea69ce50e41
Strict time order: True
Tshark
tshark -D lists the capture interfaces (capital D; lowercase -d is "decode as")
Capture on interface 6, keep only traffic to or from the bad guy's IP, -b filesize:1000 rotates to a new file every 1000 kB, -S also prints packets on screen while writing (newer tshark releases use -P for this)
tshark -i 6 -f "host IPADDRESS" -b filesize:1000 -S -w d:\bad-guy.pcap
Output files are numbered and timestamped, e.g. bad-guy_00001_20120617114419.pcap
D:\>tshark -r IIS-PacketCapture.pcap -T fields -e http.user_agent -e http.request.uri -e http.resp |grep -i INTERESTING-Data
Display filter (-R here; current tshark uses -Y, or -2 -R for a two-pass read filter)
IP address
tshark -r bigPCAPfile.pcap -R ip.addr==172.16.1.10 -w 10.pcap
tshark -r bigPCAPfile.pcap -R tcp.port==3333 -w 3333.pcap
TCPDUMP
On Unix you can take advantage of sort, grep, uniq, cut and other commands.
TCP flags live in byte 13 of the TCP header, so the filters below test bits of tcp[13]:
Syn 'tcp[13] & 2!=0'
SynAck 'tcp[13]=18'
Ack 'tcp[13] & 16!=0'
Rst 'tcp[13] & 4!=0'
Fin 'tcp[13] & 1!=0'
PSH 'tcp[13] & 8!=0'
The example below shows the source IP and port of SYN packets (field 3 of tcpdump's output is src.port)
tcpdump -r test2.pcap 'tcp[13]&2!=0' |cut -f 3 -d " "
For the destination IP and port use cut -f 5 (field 5 carries a trailing colon)
tcpdump -r test2.pcap 'tcp[13]&2!=0' |cut -f 5 -d " "
To get just the IP, add another cut: cut -f 1-4 -d "."
tcpdump -r test2.pcap 'tcp[13]&2!=0' |cut -f 3 -d " " | cut -f 1-4 -d "."
Add | sort | uniq to get the unique IPs (uniq only collapses adjacent duplicates, so sort first; sort | uniq -c also counts SYNs per source)
tcpdump -r test2.pcap 'tcp[13]&2!=0' |cut -f 3 -d " " | cut -f 1-4 -d "." | sort | uniq
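As an added example (not part of these notes), a small Python decoder that reproduces what the tcp[13] filters and the cut/sort/uniq pipeline above compute, run over constructed Ethernet/IPv4/TCP frames; the frame builder, sample addresses and function names are assumptions. It also shows that 'tcp[13]&2!=0' counts SYN/ACK replies as well, while 'tcp[13]=2' does not, and that the IHL field must be honoured so IP options do not shift the flags byte.

```python
import socket
import struct
from collections import Counter

FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16}  # bits of tcp[13]

def flag_names(flags_byte):
    """Decode tcp[13] into names, e.g. 18 -> ['SYN', 'ACK']."""
    return [n for n, bit in FLAG_BITS.items() if flags_byte & bit]

def parse_frame(frame):
    """(src_ip, dst_ip, tcp[13]) for an Ethernet/IPv4/TCP frame, else None; honours IHL."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:                   # not TCP / truncated
        return None
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[ihl + 13]

def syn_sources(frames, pure=False):
    """Per-source counts, like tcpdump 'tcp[13]&2!=0' | cut ... | sort | uniq -c.
    pure=True is the stricter 'tcp[13]=2', which drops SYN/ACK replies."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        flags = parsed[2]
        if (flags == 2 if pure else flags & 2):
            counts[parsed[0]] += 1
    return dict(counts)

def make_frame(src, dst, flags, ip_options=b""):
    """Constructed test frame (checksums left zero; enough for header parsing)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(tcp),
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + ip_options + tcp

# Constructed sample capture: two SYNs from 172.16.1.10 (one carrying four NOP
# IP options), the server's SYN/ACK reply, and an unrelated plain ACK.
SAMPLE_FRAMES = [
    make_frame("172.16.1.10", "10.0.0.5", 2),
    make_frame("172.16.1.10", "10.0.0.5", 2, ip_options=b"\x01" * 4),
    make_frame("10.0.0.5", "172.16.1.10", 18),
    make_frame("192.168.0.7", "10.0.0.5", 16),
]
```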
To view the ASCII portion of the packets use -A; -nn turns off host and port name resolution
tcpdump -Ann -r test2.pcap
TCPXtract
Use tcpxtract in linux to pull files out of a pcap
tcpxtract -f demo.pcap
To split a large pcap use editcap: -c 500000 starts a new output file every 500000 packets and -F tells it what file type to save (options go before the input and output file names; output files get a sequence number and timestamp appended, e.g. test_00000_20120617114419.pcap)
C:\Program Files\Wireshark>editcap.exe -c 500000 -F pcap d:\packets\large d:\packets\test.pcap
NetworkMiner