Packet Captures: Difference between revisions
Content added Content deleted
m (→Filtering Packets: m) |
|||
(11 intermediate revisions by the same user not shown) | |||
Line 64: | Line 64: | ||
|- |
|- |
||
|[[Media:OSPF_LSA_types.cap|OSPF LSAs]] || ||[[OSPF]] |
|[[Media:OSPF_LSA_types.cap|OSPF LSAs]] || ||[[OSPF]] |
||
|- |
|||
|[[Media:OSPF_LSA_Route_Add_Delete.cap|OSPF LSA Route Add Delete]] || Add - #101; Delete - #130 ||[[OSPF]] |
|||
|- |
|- |
||
|[[Media:Ospf over gre tunnel.cap|OSPF over GRE Tunnel]] || ||[[OSPF]] |
|[[Media:Ospf over gre tunnel.cap|OSPF over GRE Tunnel]] || ||[[OSPF]] |
||
Line 114: | Line 116: | ||
|[[Media:Dhcp-auth.pcap|Dhcp-auth]] || || [[DNS#DHCP|DHCP]] |
|[[Media:Dhcp-auth.pcap|Dhcp-auth]] || || [[DNS#DHCP|DHCP]] |
||
|} |
|} |
||
== HTTP - HTTPS == |
|||
{| class="wikitable" |
|||
|- |
|||
!Packet Type !! Description !! Page Link |
|||
|- |
|||
|[[Media:http.cap|HTTP]] || Sack Used ||[[HTTP]] |
|||
|- |
|||
|[[Media:SSL.cap|SSL]], [[Media:Key.zip|Key]] || Sack Used ||[[SSL]] |
|||
|} |
|||
== TCP/IP == |
|||
{| class="wikitable" |
|||
|- |
|||
!Packet Type !! Description !! Page Link |
|||
|- |
|||
|[[Media:TCP SACK.cap|TCP SACK]] || SACK(frame #31), Timestamp, WSF ||[[TCP/IP#TCP_SACK|TCP/IP]] |
|||
|- |
|||
|[[Media:Tracert.pcap|Traceroute]] || || [[ICMP#Traceroute|Traceroute]] |
|||
|- |
|||
|[[Media:Path MTU discovery.cap|Path MTU]] ||Fragmentation Needed message in packet #6 || [[ICMP#Path_MTU_Discovery|Path MTU Discovery]] |
|||
|- |
|||
|[[Media:IPv6.pcap|IPv6]] || || |
|||
|- |
|||
|[[Media:ICMP.pcap|ICMP]] || || [[ICMP]] |
|||
|} |
|||
== Misc Captures == |
== Misc Captures == |
||
Line 121: | Line 154: | ||
|- |
|- |
||
!Packet Type !! Description !! Page Link |
!Packet Type !! Description !! Page Link |
||
|- |
|||
|[[Media:TCP SACK.cap|TCP SACK]] || SACK(frame #31), Timestamp ||[[TCP/IP#TCP_SACK|TCP/IP]] |
|||
|- |
|- |
||
|[[Media:Smtp.pcap|Smtp]] || || |
|[[Media:Smtp.pcap|Smtp]] || || |
||
Line 131: | Line 162: | ||
|- |
|- |
||
|[[Media:Portscan.pcap|Port Scan]] || || |
|[[Media:Portscan.pcap|Port Scan]] || || |
||
|- |
|||
|[[Media:Tracert.pcap|Traceroute]] || || [[ICMP#Traceroute|Traceroute]] |
|||
|- |
|||
|[[Media:Path MTU discovery.cap|Path MTU]] ||Fragmentation Needed message in packet #6 || [[ICMP#Path_MTU_Discovery|Path MTU Discovery]] |
|||
|- |
|||
|[[Media:http.cap|HTTP]] || Sack Used ||[[HTTP]] |
|||
|- |
|- |
||
|[[Media:Nat.pcap|NAT]] ||Ping Packet with & without NAT || |
|[[Media:Nat.pcap|NAT]] ||Ping Packet with & without NAT || |
||
Line 166: | Line 191: | ||
|[[Media:Hsrp-and-ospf-in-LAN.pcap|Hsrp-and-ospf-in-LAN]] || || |
|[[Media:Hsrp-and-ospf-in-LAN.pcap|Hsrp-and-ospf-in-LAN]] || || |
||
|- |
|- |
||
|[[Media:RADIUS2.cap|RADIUS2]] || || |
|[[Media:RADIUS2.cap|RADIUS2]] || Using Access-Challenge (EAP) || |
||
|- |
|- |
||
|[[Media:SSHv2.cap|SSHv2]] || || |
|[[Media:SSHv2.cap|SSHv2]] || || |
||
Line 173: | Line 198: | ||
|- |
|- |
||
|[[Media:Bittorrent.pcap|Bittorrent]] || || |
|[[Media:Bittorrent.pcap|Bittorrent]] || || |
||
|- |
|||
|[[Media:IPv6.pcap|IPv6]] || || |
|||
|- |
|- |
||
|[[Media:Vnc-sample.pcap|Vnc-sample]] || || |
|[[Media:Vnc-sample.pcap|Vnc-sample]] || || |
||
Line 191: | Line 214: | ||
== Advanced Packet Filtering == |
|||
Use Case: |
|||
I am analyzing an SMB issue. I have 50 PCAP files, each of 100 MB, generated by the intermediate devices. |
|||
I am not sure which all files contain the interesting traffic. Searching each file manually using wireshark is hectic. |
|||
Client addresses are 1.1.1.1 and 2.2.2.2. Server address is 3.3.3.3. Protocol is SMB2 (port 445). |
|||
We can use Tshark or TCPDump for this exercise. Tshakr is slow in Linux & TCPDump is very fast. |
|||
Wireshark Filter: |
|||
((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb |
|||
List all Pcap files using any of the below commands: |
|||
find . -type f | egrep "All.pcap" |
|||
find . -type f | egrep ".pcap" |
|||
find . -type f | egrep "*.pcap" |
|||
find . -type f | grep ".pcap" |
|||
find . -type f | grep "pcap" |
|||
List interesting traffic from all the PCAP files: |
|||
<pre style="width: 2000px; overflow-x: scroll;"> |
|||
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb' ; echo -e "\n"; done |
|||
</pre> |
|||
Filter out errors: |
|||
<pre style="width: 2000px; overflow-x: scroll;"> |
|||
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' |
|||
</pre> |
|||
Filter out errors and save output to text file in backgroup: |
|||
<pre style="width: 2000px; overflow-x: scroll;"> |
|||
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -E '(error|unknown|denied)' > errors.txt & |
|||
</pre> |
|||
Show Timestamps in the output and save it to a text file: |
|||
<pre style="width: 2000px; overflow-x: scroll;"> |
|||
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tshark -t ad -r $i '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done > smb-time.txt |
|||
a absolute time (local time in your time zone, actual time the packet was captured) |
|||
ad absolute with date |
|||
u Absolute UTC time |
|||
ud Absolute UTC time with date |
|||
</pre> |
|||
Search for keyworks in hte text files created along with traces: |
|||
for i in `find . -type f | egrep ".txt"`; do echo $i; cat $i ; echo -e "\n"; done | grep smb2.lock |
|||
Using TCPDump instead of Tshark |
|||
<pre style="width: 2000px; overflow-x: scroll;"> |
|||
for i in `find . -type f | egrep "All.pcap"`; do echo $i; tcpdump -r $i '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445' ; echo -e "\n"; done |
|||
</pre> |
|||
= Misc = |
|||
* In IE, disable HTTP1.1 in Advanced options to see the traffic being sent in HTTP1.0 version. Now you will be able to see traffic in Clear text in wireshark captures. HTTP1.1 uses gzip to compress html, so it is not read in clear text. You will find multiple connections for a single webpage. |
|||
* In Wireshark, anyting you see in square brackets - [bla bla] is the wireshar analysis of the information & is not the part of the packet captured. |
|||
==Non-Root Capture in Ubuntu== |
|||
sudo apt-get install libcap2-bin |
|||
sudo groupadd wireshark |
|||
sudo usermod -a -G wireshark kirat |
|||
newgrp wireshark |
|||
sudo chgrp wireshark /usr/bin/dumpcap |
|||
sudo chmod 750 /usr/bin/dumpcap |
|||
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap |
|||
Verification: |
|||
getcap /usr/bin/dumpcap => /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip |
|||
If still unable to capture: |
|||
sudo dpkg-reconfigure wireshark-common |
|||
sudo chmod +x /usr/bin/dumpcap |
|||
==Tshark== |
|||
apt-get install tshark |
|||
tshark -r lotsapackets.cap -R dns -w dns.cap |
|||
tshark -r lotsapackets.cap -R "dns or tcp.port==80" -w web.cap |
|||
capinfos web.cap |
|||
editcap -c 50000 lotsapackets.cap fewerpackets.cap |
|||
Latest revision as of 13:58, 6 October 2019
Various Pcap files for studies are as follows:
PCAP files
Common packet captures files used across the site and for studies are below:
VPN Captures
Packet Type | Description | Page Link |
---|---|---|
ScreenOS Site to Site VPN | Main Mode VPN negotiations (FW1 is Responder; FW2 is Initiator) | VPN Lab, Debug |
Dialup VPN | Aggressive mode Dailup VPN | VPN Lab, Debug |
Aggressive Mode VPN | ||
Dailup Xauth IP VPN | Aggressive mode Dailup VPN with XAuth IP Assignment | VPN Lab, Debug |
Dailup Xauth IP VPN | Aggressive mode Dailup VPN with XAuth User login | VPN Lab, Debug |
NAT Traversal | NAT Traversal on Cisco Routers | VPN Lab, Debug |
Manual Key VPN | Manual Key or Static VPN captures | Manual Key VPN |
FTP-TFTP
Packet Type | Description | Page Link |
---|---|---|
Active Mode FTP | FTP in Active Mode | Active FTP |
Passive Mode FTP | FTP in Passive Mode | Passive FTP |
TFTP RRQ | TFTP Read Request | TFTP |
TFTP WRQ | TFTP Write Request | TFTP |
Routing Protocols
Packet Type | Description | Page Link |
---|---|---|
BGP | BGP | |
eBGP | BGP | |
BGP Notification | BGP | |
BGP MD5 | BGP | |
OSPF | OSPF | |
OSPF MD5 | OSPF | |
OSPF LSAs | OSPF | |
OSPF LSA Route Add Delete | Add - #101; Delete - #130 | OSPF |
OSPF over GRE Tunnel | OSPF | |
EIGRP Neighbors | EIGRP | |
EIGRP adjacency | EIGRP | |
EIGRP goodbye | EIGRP | |
EIGRPv2 adjacency | EIGRP | |
RIPv1 | ||
RIPv2 |
ARP
Packet Type | Description | Page Link |
---|---|---|
ARP | ARP | |
ARP Storm | ARP | |
Gratuitous ARP | ARP | |
Gratuitous ARP HSRP | ARP | |
RARP Request | ARP |
DNS-DHCP
Packet Type | Description | Page Link |
---|---|---|
DNS Capture | Contains TXT, MX, LOC, PTR, A, AAAA, Any, NS, SRV queries | DNS |
DHCP | All packets broadcast implementation | DHCP |
DHCP 2 | Unicast packets implementation | DHCP |
DHCP Inter VLAN | DHCP | |
Dhcp-auth | DHCP |
HTTP - HTTPS
Packet Type | Description | Page Link |
---|---|---|
HTTP | Sack Used | HTTP |
SSL, Key | Sack Used | SSL |
TCP/IP
Packet Type | Description | Page Link |
---|---|---|
TCP SACK | SACK(frame #31), Timestamp, WSF | TCP/IP |
Traceroute | Traceroute | |
Path MTU | Fragmentation Needed message in packet #6 | Path MTU Discovery |
IPv6 | ||
ICMP | ICMP |
Misc Captures
Packet Type | Description | Page Link |
---|---|---|
Smtp | ||
Teardrop | ||
Telnet | ||
Port Scan | ||
NAT | Ping Packet with & without NAT | |
IP Fragmentation | ||
SNMP | ||
SIP | ||
GRE Encapsulated Ping | ||
RADIUS | ||
DTP | ||
Slammer Worm | ||
GLBP election | ||
HDLC | ||
HSRP | ||
HSRP election | ||
HSRP failover | ||
Hsrp-and-ospf-in-LAN | ||
RADIUS2 | Using Access-Challenge (EAP) | |
SSHv2 | ||
TACACS+ | ||
Bittorrent | ||
Vnc-sample | ||
Blaster Worm | ||
OS Fingerprinting | ||
STP | ||
MySQL |
{{#widget:DISQUS
|id=networkm
|uniqid=Packet Captures
|url=https://aman.awiki.org/wiki/Packet_Captures
}}