Network Forensics

Network Analysis and Monitoring

Network captures can be performed with tcpdump (any *nix OS) or WinDump (yes, on Windows); both are built on the same libpcap/WinPcap capture library and share the same filter syntax.

The pcap file format is the one usually used for network capture files.
Once the traffic is saved into a file, or a set of files (more on this later), it can be searched for patterns: from the source IP of a given "speaker" down to a string that may be present in a packet payload.

(From now on I am talking about Linux/Unix tools, not Windows ones.)

Several programs can be used to investigate a capture file: tcpdump, tshark, and the famous Wireshark.
Although Wireshark is very helpful and efficient for analyzing network captures, it suffers from a very annoying limitation: it crashes or hangs when processing large amounts of data. Note that tshark can also crash, but less often (to be honest, I have never had a crash with tshark so far).

Why does it crash (or freeze)? See these posts:
The second link is especially interesting because it gives us workarounds:
  • capturing packets into multiple files (a "set of files" that can then be processed one after the other; dumpcap's -b ring-buffer options, such as -b filesize:N and -b files:N, do exactly that)
  • dumpcap <-- This is the one to use ! :-)

Dumpcap

Example grabbed from my Mac OS X workstation

First off, find the interface number that you will use to capture traffic:

$ dumpcap -D
1. en0 (Ethernet)
2. bbptp0
3. fw0 (FireWire)
4. en1 (Wi-Fi)
5. lo0 (Loopback)

Then capture:
(i.e. using the LAN interface "en0 (Ethernet)" number 1, and writing to /tmp/mycapture.pcap):

$ dumpcap -i 1 -w /tmp/mycapture.pcap 
Capturing on 'Ethernet'
File: /tmp/mycapture.pcap
Packets captured: 3         
(Here I interrupted the capture with Ctrl-C)
Packets received/dropped on interface 'Ethernet': 3/0 (pcap:0/dumpcap:0/flushed:0) (100.0%)
$ ls -l /tmp/mycapture.pcap 
-rw-------  1 raskal  wheel  952  1 déc 17:45 /tmp/mycapture.pcap
$ file /tmp/mycapture.pcap 
/tmp/mycapture.pcap: data   <-- Hardly readable...

Displaying the captured data:

You can of course launch Wireshark, which opens dumpcap captures without trouble, but that is not the topic of this post, so let's switch to command-line tools like tcpdump and tshark. One caveat worth knowing: since Wireshark 1.8, dumpcap writes the pcapng format by default, whatever extension you give the output file; if a downstream tool only understands classic pcap, capture with dumpcap -P instead.

tcpdump

$ tcpdump -ntttt -r /tmp/mycapture.pcap 
reading from file /tmp/mycapture.pcap, link-type EN10MB (Ethernet)
2013-12-01 17:45:15.330323 IP 192.168.n.123.50001 > 239.255.255.250.1900: UDP, length 266
2013-12-01 17:45:15.581695 IP 123.194.40.201.443 > 192.168.n.34.57457: Flags [P.], seq 3285364457:3285364542, ack 1625208647, win 661, options [nop,nop,TS val 1691606617 ecr 740941036], length 85
2013-12-01 17:45:15.581796 IP 192.168.n.34.57457 > 123.194.40.201.443: Flags [.], ack 85, win 9604, options [nop,nop,TS val 740956026 ecr 1691606617], length 0

tshark

Note that -tud prints absolute timestamps in UTC, which is why the times below are one hour behind the local-time stamps tcpdump -tttt printed above (the capture was taken in a UTC+1 zone):

$ tshark -ntud -r /tmp/mycapture.pcap 
  1 2013-12-01 16:45:15.330323000 192.168.n.123 -> 239.255.255.250 SSDP 308 NOTIFY * HTTP/1.1 
  2 2013-12-01 16:45:15.581695000 123.194.40.201 -> 192.168.n.34  TLSv1.2 151 Application Data
  3 2013-12-01 16:45:15.581796000  192.168.n.34 -> 123.194.40.201 TCP 66 57457 > 443 [ACK] Seq=1 Ack=86 Win=9604 Len=0 TSval=740956026 TSecr=1691606617

To grab or search for specific information you must use filters. Two different filter languages are involved and they are not interchangeable: capture filters use the BPF (pcap-filter) syntax, while Wireshark display filters use their own field-based syntax (frame.time, ip.src, tcp.port and so on). tcpdump understands only BPF, both when capturing live and when reading a file with -r. tshark accepts a BPF capture filter only while capturing (-f); when reading a file with -r, a trailing positional filter (as in the example below) is treated as a display filter, which is also what the -Y option expects (-R in older releases).
Filters references:

Some useful filters

Extract packets within a certain time window (a display filter on the absolute frame time):
$ tshark -tad -r spoof-tcp.pcap 'frame.time>="Sep 11, 2012 15:27:40" and frame.time<="Sep 11, 2012 15:28:00"'
  5 2012-09-11 15:27:40.606131 68.178.232.100 -> 192.168.11.66 TCP http > 33349 [SYN, ACK] Seq=0 Ack=0 Win=8190 Len=0 MSS=1380
  6 2012-09-11 15:27:41.608768 68.178.232.100 -> 192.168.11.67 TCP http > 33349 [SYN, ACK] Seq=0 Ack=0 Win=8190 Len=0 MSS=1380
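The kind of search described in this post (a time window, a source address, a string in the payload) run over a set of capture files can also be done without tshark by parsing the classic pcap format yourself, which is useful when a file is too large or too damaged for the GUI tools. The following is an added example written for this page, not the post's own code: it builds two small pcap files of constructed packets (made-up addresses and payloads) in a temporary directory to stand in for a dumpcap ring buffer, walks them one after another, and applies the three filters. It handles only classic pcap (microsecond or nanosecond timestamps, either byte order), not pcapng, and decodes only Ethernet/IPv4 carrying UDP or TCP.

```python
"""Minimal classic-pcap reader plus the filters discussed in the post.

Added example (not from the original post). Two tiny pcap files of
constructed packets stand in for a dumpcap ring buffer; they are
processed in order and filtered by time window, source IP and payload.
"""
import glob
import os
import socket
import struct
import tempfile

PCAP_MAGIC_US = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(path, packets):
    """Write (ts_sec, ts_usec, frame) tuples as a little-endian classic pcap file."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for sec, usec, frame in packets:
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Yield (timestamp, frame) from a classic pcap file.

    Both byte orders and the nanosecond variant are accepted; pcapng
    (dumpcap's default output) is rejected with a hint.
    """
    layouts = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),
               0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}
    with open(path, "rb") as f:
        head = f.read(24)
        if len(head) < 24:
            raise ValueError("truncated global header")
        magic = struct.unpack("<I", head[:4])[0]
        if magic not in layouts:
            raise ValueError("not a classic pcap file (pcapng? try dumpcap -P)")
        order, divisor = layouts[magic]
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break                         # clean end of file
            sec, frac, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                break                         # last record cut short (interrupted capture)
            yield sec + frac / divisor, frame


def decode_ipv4(frame):
    """Return src/dst/ports/payload for Ethernet+IPv4 carrying UDP or TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    if proto == 17 and len(l4) >= 8:          # UDP: fixed 8-byte header
        hdr_len = 8
    elif proto == 6 and len(l4) >= 20:        # TCP: header length from data offset
        hdr_len = (l4[12] >> 4) * 4
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": l4[hdr_len:]}


def search(paths, t_start=None, t_end=None, src=None, needle=None):
    """Walk the capture files in order and keep packets matching every filter given."""
    hits = []
    for path in paths:
        for ts, frame in read_pcap(path):
            if (t_start is not None and ts < t_start) or (t_end is not None and ts > t_end):
                continue
            pkt = decode_ipv4(frame)
            if pkt is None or (src and pkt["src"] != src) or (needle and needle not in pkt["payload"]):
                continue
            hits.append((os.path.basename(path), ts, pkt["src"], pkt["dst"], pkt["dport"]))
    return hits


def build_frame(src, dst, sport, dport, payload, tcp=False):
    """Constructed Ethernet/IPv4 frame (zero MACs and checksums) for the sample files."""
    if tcp:   # seq/ack 0, data offset 5, flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, 6 if tcp else 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def make_sample_set():
    """Write a two-file 'ring buffer' of constructed packets; return sorted paths and base time."""
    base = 1385916315   # 2013-12-01 16:45:15 UTC, the instant of the post's capture
    tmpdir = tempfile.mkdtemp(prefix="ringbuf_")
    first = [(base, 330323, build_frame("192.168.1.123", "239.255.255.250", 50001, 1900,
                                        b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n")),
             (base, 581695, build_frame("123.194.40.201", "192.168.1.34", 443, 57457,
                                        b"\x17\x03\x03\x00\x10" + b"\x00" * 16, tcp=True))]
    second = [(base + 60, 0, build_frame("192.168.1.34", "10.0.0.5", 40000, 80,
                                         b"GET /login HTTP/1.1\r\nHost: intranet\r\n\r\n", tcp=True)),
              (base + 120, 0, build_frame("192.168.1.34", "10.0.0.5", 40001, 80,
                                          b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\n", tcp=True)),
              (base + 180, 0, build_frame("192.168.1.34", "10.0.0.5", 40002, 80,
                                          b"GET /index.html HTTP/1.1\r\n\r\n", tcp=True))]
    write_pcap(os.path.join(tmpdir, "cap_00001.pcap"), first)
    write_pcap(os.path.join(tmpdir, "cap_00002.pcap"), second)
    return sorted(glob.glob(os.path.join(tmpdir, "cap_*.pcap"))), base


if __name__ == "__main__":
    files, t0 = make_sample_set()
    # everything 192.168.1.34 "said" that contains /login, within a two-minute window
    for hit in search(files, t_start=t0 + 30, t_end=t0 + 150, src="192.168.1.34", needle=b"/login"):
        print(hit)
```

Processing the files in sorted order matters: dumpcap numbers ring-buffer files sequentially, so a sorted glob reproduces the original timeline, and a truncated final record (what you get when a capture is interrupted at the wrong moment) ends the file quietly instead of aborting the whole search.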
