Another option on Linux is a GStreamer pipeline that captures the RTP stream (udpsrc), decodes it with the ffmpeg/libav decoder plugin (avdec_h264 for H.264) and displays it on screen with ximagesink.
This page is always updated and may change without any notice. It is a personal collection of links, information, tips & tricks, and guides for the given subject as I explore new ideas and projects.
Commands
Remove RadioTap headers
from scapy.all import rdpcap, wrpcap
from scapy.layers.dot11 import RadioTap

pkts = rdpcap('h264_file.pcap')
# Strip the RadioTap header: keep just its payload (the 802.11 frame).
# Frames that carry no RadioTap layer are passed through unchanged.
stripped_pkts = [pkt.payload if pkt.haslayer(RadioTap) else pkt for pkt in pkts]
wrpcap('stripped_h264_file.pcap', stripped_pkts)
View RTP SSRCs in a capture file (-Y is the display filter; the older -R read filter needs -2 in current tshark)
tshark -n -r Desktop/sip_calls.pcapng -Y rtp -T fields -e rtp.ssrc | sort -u
Play a packet capture from a remote host and pipe the output to another program (driftnet here; replace user@remote-host with the capture host)
mkfifo /tmp/pipe
sshpass -p 'passwd' ssh user@remote-host "sudo tcpdump -s0 -U -n -w - port not 22" > /tmp/pipe
sudo tcpreplay -i lo /tmp/pipe
sudo driftnet -i lo
tcpdump -U flushes every packet so the pipe stays live, and "port not 22" keeps the ssh session's own traffic out of the capture. sshpass leaves the password in the process list and shell history; key-based ssh is the better choice.
Background collection
sudo driftnet -a -d /dev/shm -i eth0
Open your browser and visit non-HTTPS pages; the image files will appear in /dev/shm (-a: adjunct mode, save images without displaying them; -d: output directory).
Advanced Usage
Real-time analysis of packets from a remote Linux host: the same mkfifo / sshpass / tcpreplay pipeline as above, with driftnet listening on lo.
Collect only images of 640x480 or larger
# vi /tmp/go
#!/bin/bash
# Sort driftnet output in /dev/shm: keep images of at least 640x480 in ok/,
# delete smaller ones and files ImageMagick cannot identify (e.g. still being written).
cd /dev/shm || exit 1
test -d ok || mkdir ok
while true; do
    for i in driftnet-*; do
        [ -e "$i" ] || continue                          # no files yet: the glob stays literal
        # "$i[0]" selects the first frame, so animated GIFs give a single "w h" line
        if ! size="$(identify -format '%w %h' "$i[0]" 2>/dev/null)"; then
            rm -f "$i"                                   # not a (complete) image
            continue
        fi
        read -r w h <<< "$size"
        if [ "$w" -lt 640 ] || [ "$h" -lt 480 ]; then
            rm -f "$i"
        else
            mv "$i" ok/
        fi
    done
    sleep 10
done
# driftnet -a -d /dev/shm -i eth0 > /dev/null 2>&1 &
# bash /tmp/go   (the script uses a bash here-string, so run it with bash, not sh)
Manipulate
Airdecap - With airdecap-ng you can decrypt WEP/WPA/WPA2 capture files. As well, it can also be used to strip the wireless headers from an unencrypted wireless capture.
Remove WiFi headers from a passive packet capture to create a capture that other tools (such as tcpreplay) can use; no key is needed when the capture is unencrypted
airdecap-ng capture_20160201.pcap
Creates: capture_20160201-dec.pcap
TCPRewrite
dump.pcap > temp1.pcap > temp2.pcap > final.pcap
Rewrite any destination IP address and MAC address in traffic dump to 192.168.1.20 and E0:DB:55:CC:13:F1, respectively
tcprewrite --infile=dump.pcap --outfile=temp1.pcap --dstipmap=0.0.0.0/0:192.168.1.20 --enet-dmac=E0:DB:55:CC:13:F1
Rewrite any source IP address and MAC address in traffic dump to 192.168.1.10 and 84:A5:C8:BB:58:1A, respectively
tcprewrite --infile=temp1.pcap --outfile=temp2.pcap --srcipmap=0.0.0.0/0:192.168.1.10 --enet-smac=84:A5:C8:BB:58:1A
Update the checksums (IP/TCP/UDP checksums are invalid after the address rewrite)
tcprewrite --infile=temp2.pcap --outfile=final.pcap --fixcsum
After you are done with packet rewriting, replay the finalized packet dump as follows
sudo tcpreplay --intf1=eth0 final.pcap
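Added example, not from this page and not part of tshark or tcpreplay: a standard-library-only Python script that covers two of the checks above in one place. It lists RTP streams by SSRC like the tshark one-liner in the Commands section, adding payload type, endpoints and packets lost per stream (from sequence-number gaps), and it lists the distinct src/dst MAC and IP pairs so you can confirm that every packet in final.pcap carries the rewritten addresses. It assumes a classic pcap (not pcapng) with an Ethernet link layer and IPv4, which is what airdecap-ng or the RadioTap strip above leave you with; the capture built by build_sample_pcap() is constructed for the example, and the MAC addresses in it are the ones used in the tcprewrite example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}  # usec/nsec, LE/BE

def iter_pcap_packets(data):
    """Yield raw frames from classic pcap bytes (either byte order; pcapng is rejected)."""
    endian = PCAP_MAGICS.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet link type is handled; strip wireless headers first")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def mac(b):
    return ":".join("%02x" % x for x in b)

def decode_frame(frame):
    """Ethernet/IPv4 addresses plus (sport, dport, payload) if UDP; None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    info = {"smac": mac(frame[6:12]), "dmac": mac(frame[:6]), "udp": None,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if ip[9] == IPPROTO_UDP and len(ip) >= ihl + 8:
        udp = ip[ihl:total_len]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        info["udp"] = (sport, dport, udp[8:ulen])
    return info

def parse_rtp(payload):
    """(pt, seq, ssrc) for an RTP v2 header, or None if the payload does not look like RTP."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    pt = b1 & 0x7F
    if b0 >> 6 != 2 or 72 <= pt <= 76 or len(payload) < 12 + 4 * (b0 & 0x0F):
        return None  # wrong version, RTCP packet-type range, or truncated CSRC list
    return pt, seq, ssrc

def rtp_streams(pcap_bytes):
    """Group RTP packets by SSRC; count packets and forward sequence gaps as lost packets."""
    streams = {}
    for info in map(decode_frame, iter_pcap_packets(pcap_bytes)):
        rtp = parse_rtp(info["udp"][2]) if info and info["udp"] else None
        if rtp is None:
            continue
        pt, seq, ssrc = rtp
        st = streams.setdefault(ssrc, {"pt": pt, "src": "%s:%d" % (info["src"], info["udp"][0]),
                                       "dst": "%s:%d" % (info["dst"], info["udp"][1]),
                                       "packets": 0, "lost": 0, "last_seq": None})
        st["packets"] += 1
        if st["last_seq"] is not None:
            gap = (seq - st["last_seq"]) & 0xFFFF
            if 1 < gap < 0x8000:  # forward jump only; reordering and duplicates are not counted
                st["lost"] += gap - 1
        st["last_seq"] = seq
    return streams

def endpoint_pairs(pcap_bytes):
    """Distinct (src MAC, dst MAC, src IP, dst IP) tuples, e.g. to confirm a tcprewrite run."""
    return {(i["smac"], i["dmac"], i["src"], i["dst"])
            for i in map(decode_frame, iter_pcap_packets(pcap_bytes)) if i}

def build_sample_pcap():
    """Constructed capture: two RTP streams (one missing seq 4) and one SIP packet; one MAC pair both ways."""
    def frame(src, sport, dst, dport, payload):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
        return bytes.fromhex("e0db55cc13f1" "84a5c8bb581a") + struct.pack("!H", ETHERTYPE_IPV4) + ip

    def rtp(ssrc, seq, pt):
        return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\xff" * 16

    pkts = [frame("10.0.0.1", 10000, "10.0.0.2", 20000, rtp(0xDEADBEEF, s, 0)) for s in (1, 2, 3, 5, 6)]
    pkts += [frame("10.0.0.2", 20000, "10.0.0.1", 10000, rtp(0x1234, s, 8)) for s in (100, 101, 102)]
    pkts.append(frame("10.0.0.1", 5060, "10.0.0.2", 5060, b"INVITE sip:bob@10.0.0.2 SIP/2.0\r\n"))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, DLT_EN10MB
    for n, p in enumerate(pkts):
        out += struct.pack("<IIII", 1600000000 + n, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for ssrc, st in rtp_streams(data).items():
        print("ssrc=0x%08x pt=%d %s -> %s packets=%d lost=%d"
              % (ssrc, st["pt"], st["src"], st["dst"], st["packets"], st["lost"]))
    print("endpoint pairs:", *sorted(endpoint_pairs(data)), sep="\n  ")
```

Run it with no arguments for the built-in sample, or with a capture: python3 pcap_summary.py final.pcap. After a tcprewrite chain every tuple printed under "endpoint pairs" should carry the new addresses. The RTP detection is a loose heuristic (version bits and payload type), so unrelated UDP traffic can show up as one-packet streams; tshark, by contrast, only decodes RTP it saw set up via SIP/SDP unless you add a -d udp.port==...,rtp hint, which explains most differences between the two SSRC lists.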
VoIP Tools
Most of these tools are designed for VoIP, but may have other uses.
VoIPong - VoIPong is a utility which detects all Voice Over IP calls on a pipeline, and for those which are G711 encoded, dumps the actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP.
http://www.enderunix.org/voipong/
Vomit - The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. Vomit works only for G.711.
Oreka - Oreka is an enterprise telephony recording and retrieval system with web based user interface. The project currently supports recording voice from VoIP SIP, Cisco Skinny (aka SCCP), raw RTP and audio sound device and runs on multiple operating systems and database systems.
Sipomatic - Sipomatic is primarily a test tool for linphone. It waits for incoming SIP calls and answers them by playing a wav sound file from disk. The stream sent is encoded using the preferred codec of the calling SIP phone.
http://manpages.ubuntu.com/manpages/dapper/man1/sipomatic.1.html
TFTP Theft - Tool for probing TFTP servers and brute-forcing file names, typically used against the provisioning servers that IP phones fetch their configuration from.
https://github.com/sandrogauci/tftptheft
SipVicious - A set of tools (svmap, svwar, svcrack) for auditing SIP-based VoIP systems: scanning for SIP devices, enumerating extensions and cracking extension passwords.
https://github.com/sandrogauci/sipvicious
Tools
TCPReplay - Tcpreplay is a suite of free Open Source utilities for editing and replaying previously captured network traffic. Originally designed to replay malicious traffic patterns to Intrusion Detection/Prevention Systems, it has seen many evolutions including capabilities to replay to web servers.
Play capture in local interface
sudo tcpreplay -i lo capture_20160201-editcap-fixed.pcap
5 times faster
sudo tcpreplay --multiplier=5.0 -i lo capture_20160201-dec.pcap
Top Speed
sudo tcpreplay --topspeed -i lo capture_20160201-editcap-fixed.pcap
Loop 100 times (--loop=0 for infinite)
sudo tcpreplay --loop=100 -i lo capture_20160201-editcap-fixed.pcap
Driftnet - Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes.
http://www.ex-parrot.com/~chris/driftnet/
Live on a wireless interface
sudo driftnet -i wlan0
Against a capture file: replay it on lo with tcpreplay and let driftnet listen there
sudo tcpreplay -i lo capture_20160201-editcap-fixed.pcap
sudo driftnet -i lo
Netsniff-ng - netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will.
TCPFlow - tcpflow reassembles the data transmitted in TCP connections and stores it in a way that is convenient for protocol analysis. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet captures.
https://github.com/simsong/tcpflow
TCPTrace
It can take as input the files produced by several popular packet-capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.
TCPXtract
Tcpxtract is a tool for extracting files from network traffic based on their file signatures. Based on libpcap, it can be used live or against an offline capture file (tcpdump format). It extracts hundreds of file types, including jpg, gif, doc and ppt.
https://sourceforge.net/p/tcpxtract/wiki/Home/
Xplico
The goal of Xplico is to extract the application data contained in an internet traffic capture.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer; it is an open source Network Forensic Analysis Tool (NFAT).
http://www.xplico.org/download
NetworkMiner
NetworkMiner is a network forensics tool primarily developed for Windows, but it also runs fine on other operating systems with the help of the Mono framework.
Dsniff
dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
http://www.monkey.org/~dugsong/dsniff/
Bro (now Zeek)
While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well.
Chaos Reader
A freeware tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs.
http://chaosreader.sourceforge.net/
Foremost
Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
http://foremost.sourceforge.net/
Pyflag
FLAG was designed to simplify the process of log file analysis and forensic investigations. FLAG facilitates efficient analysis of large quantities of data within an interactive environment. PyFlag is the reimplementation of FLAG in Python.
https://sourceforge.net/p/pyflag/wiki/Home/
https://github.com/py4n6/pyflag
http://dfrws.org/2008/proceedings/p112-cohen.pdf
TCPick
tcpick is a textmode sniffer libpcap-based that can track, reassemble and reorder tcp streams. Tcpick is able to save the captured flows in different files or displays them in the terminal, and so it is useful to sniff files that are transmitted via ftp or http.
http://tcpick.sourceforge.net/
Script to extract images and create an animated gif
Using tools like foremost and tcpflow, the script extracts the images from a capture and builds an animated gif from them
https://julianoliver.com/output/log_2014-04-23_21-12
TFTPGrab
TFTPgrab is a TFTP (Trivial File Transfer Protocol) stream extractor. It reads from tcpdump/libpcap capture files and attempts to reconstruct data that has been transferred via TFTP.
http://pseudo-flaw.net/content/tftpgrab/
NSM-Console
NSM-Console (Network Security Monitoring Console) is a framework for performing analysis on packet capture files. It implements a modular structure to allow for an analyst to quickly write modules of their own without any programming language experience. Using these modules a large amount of pcap analysis can be performed quickly using a set of global (as well as per-module) options.
http://writequit.org/projects/nsm-console/
SecTools.Org: Top 125 Network Security Tools
Not specifically forensics, but a very detailed list of tools