Packet Captures: Difference between revisions
== Advanced Packet Filtering ==

Use Case:

I am analyzing an SMB issue. I have 50 PCAP files, each of 100 MB, generated by the intermediate devices.

I am not sure which of the files contain the interesting traffic, and searching each file manually in Wireshark is tedious.

Client addresses are 1.1.1.1 and 2.2.2.2. Server address is 3.3.3.3. Protocol is SMB2 (port 445).

We can use Tshark or TCPDump for this exercise. Tshark is slow on Linux; TCPDump is very fast, but it has no SMB2 dissector, so with TCPDump the traffic is selected by TCP port 445 rather than by protocol.

Wireshark display filter (the smb filter matches only SMB version 1 frames; for the SMB2 traffic in this use case use smb2, or smb || smb2 to see both dialects):

<pre>
((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2
</pre>

List all PCAP files using any of the commands below. Note that egrep is a deprecated alias of grep -E, that a dot in a regular expression must be escaped to mean a literal dot, and that a shell glob such as *.pcap is not a valid regular expression:

<pre>
find . -type f | egrep "All.pcap"
find . -type f | egrep "\.pcap$"
find . -type f | grep "\.pcap$"
find . -type f | grep "pcap"
</pre>

List interesting traffic from all the PCAP files. The display filter is passed with -Y; file names containing spaces would be split by the for loop, so keep the capture names free of spaces or use find -print0 with xargs -0:

<pre>
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done
</pre>

Show only the error lines (grep keeps lines containing error, unknown or denied; -i is needed because tshark writes, for example, "Error: STATUS_ACCESS_DENIED"):

<pre>
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done | grep -iE '(error|unknown|denied)'
</pre>

Show only the error lines, save the output to a text file and run the job in the background:

<pre>
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done | grep -iE '(error|unknown|denied)' > errors.txt &
</pre>

Show timestamps in the output and save it to a text file:

<pre>
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tshark -t ad -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2'; echo; done > smb-time.txt
</pre>

Timestamp formats accepted by the -t option:

<pre>
a    absolute time (local time in your time zone, the actual time the packet was captured)
ad   absolute time with date
u    absolute UTC time
ud   absolute UTC time with date
</pre>

Search for keywords in the text files created alongside the traces:

<pre>
for i in $(find . -type f | egrep "\.txt$"); do echo "$i"; cat "$i"; echo; done | grep smb2.lock
</pre>

Using TCPDump instead of Tshark (BPF syntax; the protocol is selected by port 445, and -nn suppresses host and port name resolution):

<pre>
for i in $(find . -type f | egrep "All.pcap"); do echo "$i"; tcpdump -nn -r "$i" '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445'; echo; done
</pre>
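A more robust version of the loops above, as an added example that is not part of the original wiki page: it builds the Wireshark display filter and the equivalent BPF filter from a list of client addresses, copes with capture names that contain spaces, and tags every output line with its source file so that a later error grep keeps the provenance. It assumes tshark is on PATH only when scan_pcaps is actually called; wireshark_filter, bpf_filter and error_lines need no external tools beyond grep and awk.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Scans a directory of captures
# for SMB2 traffic between a set of clients and one server.
# Assumes tshark is installed only when scan_pcaps is called.

# Wireshark display filter: (any client <-> server) and protocol.
# Example: wireshark_filter "1.1.1.1 2.2.2.2" 3.3.3.3 smb2
wireshark_filter() {
    clients=$1; server=$2; proto=$3; sel=""
    for c in $clients; do
        sel="${sel:+$sel or }ip.addr==$c"
    done
    printf '((%s) and ip.addr==%s) and %s\n' "$sel" "$server" "$proto"
}

# Same selection in BPF syntax for tcpdump. BPF has no SMB2 dissector,
# so the protocol is approximated by its TCP port (445 for SMB2).
bpf_filter() {
    clients=$1; server=$2; port=$3; sel=""
    for c in $clients; do
        sel="${sel:+$sel or }host $c"
    done
    printf '((%s) and host %s) and tcp port %s\n' "$sel" "$server" "$port"
}

# Keep only SMB2 error responses. tshark prints lines such as
# "Create Response, Error: STATUS_ACCESS_DENIED", so match case-insensitively.
error_lines() {
    grep -iE 'error|unknown|denied'
}

# Walk DIR for *.pcap (names with spaces are fine; names with newlines are
# not), print the matching packets with absolute date and time, and prefix
# every line with its source file so the provenance survives a later grep.
scan_pcaps() {
    dir=$1; filter=$2
    find "$dir" -type f -name '*.pcap' -print |
    while IFS= read -r f; do
        tshark -t ad -r "$f" -Y "$filter" | awk -v p="$f" '{ print p ": " $0 }'
    done
}

# Typical run (needs tshark):
#   scan_pcaps /captures "$(wireshark_filter '1.1.1.1 2.2.2.2' 3.3.3.3 smb2)" \
#       | error_lines > errors.txt
```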
Latest revision as of 13:58, 6 October 2019

== PCAP files ==

Common packet capture files used across the site and for studies are listed below.
== VPN Captures ==

Packet Type | Description | Page Link
--- | --- | ---
ScreenOS Site to Site VPN | Main Mode VPN negotiations (FW1 is Responder; FW2 is Initiator) | VPN Lab, Debug
Dialup VPN | Aggressive mode Dialup VPN | VPN Lab, Debug
Aggressive Mode VPN | |
Dialup Xauth IP VPN | Aggressive mode Dialup VPN with XAuth IP Assignment | VPN Lab, Debug
Dialup Xauth IP VPN | Aggressive mode Dialup VPN with XAuth User login | VPN Lab, Debug
NAT Traversal | NAT Traversal on Cisco Routers | VPN Lab, Debug
Manual Key VPN | Manual Key or Static VPN captures | Manual Key VPN

== FTP-TFTP ==

Packet Type | Description | Page Link
--- | --- | ---
Active Mode FTP | FTP in Active Mode | Active FTP
Passive Mode FTP | FTP in Passive Mode | Passive FTP
TFTP RRQ | TFTP Read Request | TFTP
TFTP WRQ | TFTP Write Request | TFTP

== Routing Protocols ==

Packet Type | Description | Page Link
--- | --- | ---
BGP | | BGP
eBGP | | BGP
BGP Notification | | BGP
BGP MD5 | | BGP
OSPF | | OSPF
OSPF MD5 | | OSPF
OSPF LSAs | | OSPF
OSPF LSA Route Add Delete | Route add in frame #101; route delete in frame #130 | OSPF
OSPF over GRE Tunnel | | OSPF
EIGRP Neighbors | | EIGRP
EIGRP adjacency | | EIGRP
EIGRP goodbye | | EIGRP
EIGRPv2 adjacency | | EIGRP
RIPv1 | |
RIPv2 | |

== ARP ==

Packet Type | Description | Page Link
--- | --- | ---
ARP | | ARP
ARP Storm | | ARP
Gratuitous ARP | | ARP
Gratuitous ARP HSRP | | ARP
RARP Request | | ARP

== DNS-DHCP ==

Packet Type | Description | Page Link
--- | --- | ---
DNS Capture | Contains TXT, MX, LOC, PTR, A, AAAA, ANY, NS and SRV queries | DNS
DHCP | All packets broadcast implementation | DHCP
DHCP 2 | Unicast packets implementation | DHCP
DHCP Inter VLAN | | DHCP
Dhcp-auth | | DHCP

== HTTP - HTTPS ==

Packet Type | Description | Page Link
--- | --- | ---
HTTP | SACK used | HTTP
SSL, Key | SACK used | SSL

== TCP/IP ==

Packet Type | Description | Page Link
--- | --- | ---
TCP SACK | SACK (frame #31), Timestamp, WSF (window scale factor) | TCP/IP
Traceroute | | Traceroute
Path MTU | Fragmentation Needed message in packet #6 | Path MTU Discovery
IPv6 | |
ICMP | | ICMP

== Misc Captures ==

Packet Type | Description | Page Link
--- | --- | ---
Smtp | |
Teardrop | |
Telnet | |
Port Scan | |
NAT | Ping packet with and without NAT |
IP Fragmentation | |
SNMP | |
SIP | |
GRE Encapsulated Ping | |
RADIUS | |
DTP | |
Slammer Worm | |
GLBP election | |
HDLC | |
HSRP | |
HSRP election | |
HSRP failover | |
Hsrp-and-ospf-in-LAN | |
RADIUS2 | Using Access-Challenge (EAP) |
SSHv2 | |
TACACS+ | |
Bittorrent | |
Vnc-sample | |
Blaster Worm | |
OS Fingerprinting | |
STP | |
MySQL | |