Packet Captures: Difference between revisions
== Advanced Packet Filtering ==

Use Case:

I am analyzing an SMB issue. I have 50 PCAP files, each of 100 MB, generated by the intermediate devices.

I am not sure which of the files contain the interesting traffic, and searching each file manually in Wireshark is tedious.

Client addresses are 1.1.1.1 and 2.2.2.2. Server address is 3.3.3.3. Protocol is SMB2 (TCP port 445).

We can use Tshark or TCPDump for this exercise. Tshark is slow on Linux because it runs the full dissectors over every packet; TCPDump only applies a BPF filter and is much faster. A practical split is to use TCPDump to find which files hold the conversation, then Tshark on just those files for protocol-level detail.
Wireshark Filter:

((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2

The display filter smb matches only the SMB1 (CIFS) dissector; SMB2/SMB3 traffic is matched by smb2, which is what the commands below use. To select port 445 traffic regardless of whether the dissector could parse it (for example in a capture taken with a short snaplen), use tcp.port==445 instead.
List all PCAP files. Any of the following works when the files are named like All.pcap or end in .pcap. Note that grep patterns are unanchored regular expressions, so "." matches any character, "*.pcap" is not a valid pattern, and egrep is the deprecated spelling of grep -E:

find . -type f | grep -E "All.pcap"

find . -type f | grep -E "\.pcap$"

find . -type f | grep "pcap"

The most reliable form lets find match on the file name itself, which also avoids matching a file whose directory path happens to contain "pcap":

find . -type f -name '*.pcap'
List interesting traffic from all the PCAP files:

<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done
</pre>

-Y passes the display filter explicitly. The for i in `find ...` construct splits on whitespace and expands glob characters, so it breaks on file names containing spaces or *; quoting "$i" limits the damage, but a find ... | while read loop is the safer pattern.
Show only the packets whose summary line mentions an error:

<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -Ei '(error|unknown|denied)'
</pre>

Two caveats. grep is case-sensitive without -i, and tshark writes SMB2 status in mixed case (for example "Error: STATUS_ACCESS_DENIED" or "Unknown (0x...)"), so a lowercase pattern alone misses most of them. The grep also discards the echo "$i" lines, so the output no longer tells you which file each error came from; prefix each tshark line with the file name before grepping if you need that attribution.
Same search, saving the matches to a text file while the loop runs in the background:

<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo "$i"; tshark -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done | grep -Ei '(error|unknown|denied)' > errors.txt &
</pre>

Only stdout is redirected; tshark warnings on stderr still reach the terminal. Add 2>errors.err after done if you want them kept with the run.
Show timestamps in the output and save it to a text file:

<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo "$i"; tshark -t ad -r "$i" -Y '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' ; echo -e "\n"; done > smb-time.txt
</pre>

Values for -t:

a absolute time (local time in your time zone, the actual time the packet was captured)

ad absolute time with date

u absolute UTC time

ud absolute UTC time with date

When correlating captures taken on several intermediate devices, prefer ud so every file is on the same clock, and check for skew between the devices' clocks before trusting the packet ordering across files.
Search for keywords in the text files created alongside the traces:

for i in `find . -type f | egrep ".txt"`; do echo "$i"; cat "$i" ; echo -e "\n"; done | grep smb2.lock
Using TCPDump instead of Tshark (a BPF filter on addresses and port; much faster, but without Wireshark's dissectors, so SMB2 status codes are not visible):

<pre style="width: 2000px; overflow-x: scroll;">
for i in `find . -type f | egrep "All.pcap"`; do echo "$i"; tcpdump -nn -tttt -r "$i" '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445' ; echo -e "\n"; done
</pre>

-nn disables host and port name lookups, which are slow and send a DNS query for every address in the capture; -tttt prints a full date and time on each line, the equivalent of tshark -t ad. Use this pass to find which files hold the conversation, then run tshark on only those.
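The tshark and tcpdump loops above, rewritten as shell functions so they survive odd file names and keep the file name attached to every line through a later grep. This is an added example, not code from the wiki page. It assumes tshark or tcpdump is on PATH (PCAP_TOOL, an assumed variable name, overrides the binary, which is also how the functions can be exercised with a stub), that captures end in .pcap, and that the caller passes the filter in the syntax the chosen tool expects (Wireshark display filter for tshark, BPF for tcpdump).

```shell
# Added example (not from the wiki page). Assumptions: tshark/tcpdump on PATH
# unless PCAP_TOOL points at a binary; capture files end in .pcap; the caller
# supplies a display filter for tshark or a BPF filter for tcpdump.

# Run one capture file through the chosen tool. tshark gets the display
# filter via -Y and UTC timestamps with date (-t ud) so files from different
# devices line up; tcpdump gets a BPF filter, -nn to skip DNS and port-name
# lookups, and -tttt for a full date+time stamp on every line.
run_pcap_tool() {
    case $1 in
        *tcpdump*) "$1" -nn -tttt -r "$2" "$3" ;;
        *)         "$1" -t ud -r "$2" -Y "$3" ;;
    esac
}

# scan_pcaps DIR FILTER: print "<file>: <packet summary>" for every packet
# matching FILTER in every *.pcap under DIR. find | while read keeps names
# with spaces or glob characters intact (for i in `find ...` does not), and
# prefixing each line means a later grep cannot lose the file name.
scan_pcaps() {
    scan_dir=$1
    scan_filter=$2
    scan_tool=${PCAP_TOOL:-tshark}
    find "$scan_dir" -type f -name '*.pcap' -print | sort |
    while IFS= read -r pcap; do
        run_pcap_tool "$scan_tool" "$pcap" "$scan_filter" |
        while IFS= read -r line; do
            printf '%s: %s\n' "$pcap" "$line"
        done
    done
}

# smb_errors: keep only lines that look like an SMB2 error response.
# -i matters: tshark prints the status in mixed case, e.g.
# "Error: STATUS_ACCESS_DENIED" or "Unknown (0x...)", which the page's
# lowercase pattern would not match without it.
smb_errors() {
    grep -Ei 'error|unknown|denied'
}

# Usage, with the addresses from the use case above:
#   scan_pcaps . '((ip.addr==1.1.1.1 or ip.addr==2.2.2.2) and ip.addr==3.3.3.3) and smb2' > smb-time.txt
#   smb_errors < smb-time.txt > errors.txt
#   PCAP_TOOL=tcpdump scan_pcaps . '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445'
```

Because every line carries its file name, errors.txt answers the original question (which of the 50 files contain the interesting traffic) directly; a quick cut -d: -f1 errors.txt | sort -u lists them. The functions are POSIX sh, so they run under dash as well as bash; the one name the loop cannot handle is a file with a newline in it, which find -print0 with bash's read -d '' would cover.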
Revision as of 22:41, 12 July 2017
Various PCAP files for study are listed below.
PCAP files
Common packet capture files used across the site and for study:
VPN Captures
Packet Type | Description | Page Link |
---|---|---|
ScreenOS Site to Site VPN | Main Mode VPN negotiations (FW1 is Responder; FW2 is Initiator) | VPN Lab, Debug |
Dialup VPN | Aggressive mode Dialup VPN | VPN Lab, Debug |
Aggressive Mode VPN | ||
Dialup XAuth IP VPN | Aggressive mode Dialup VPN with XAuth IP Assignment | VPN Lab, Debug |
Dialup XAuth IP VPN | Aggressive mode Dialup VPN with XAuth User login | VPN Lab, Debug |
NAT Traversal | NAT Traversal on Cisco Routers | VPN Lab, Debug |
Manual Key VPN | Manual Key or Static VPN captures | Manual Key VPN |
FTP-TFTP
Packet Type | Description | Page Link |
---|---|---|
Active Mode FTP | FTP in Active Mode | Active FTP |
Passive Mode FTP | FTP in Passive Mode | Passive FTP |
TFTP RRQ | TFTP Read Request | TFTP |
TFTP WRQ | TFTP Write Request | TFTP |
Routing Protocols
Packet Type | Description | Page Link |
---|---|---|
BGP | BGP | |
eBGP | BGP | |
BGP Notification | BGP | |
BGP MD5 | BGP | |
OSPF | OSPF | |
OSPF MD5 | OSPF | |
OSPF LSAs | OSPF | |
OSPF over GRE Tunnel | OSPF | |
EIGRP Neighbors | EIGRP | |
EIGRP adjacency | EIGRP | |
EIGRP goodbye | EIGRP | |
EIGRPv2 adjacency | EIGRP | |
RIPv1 | ||
RIPv2 | ||
ARP
Packet Type | Description | Page Link |
---|---|---|
ARP | ARP | |
ARP Storm | ARP | |
Gratuitous ARP | ARP | |
Gratuitous ARP HSRP | ARP | |
RARP Request | ARP | |
DNS-DHCP
Packet Type | Description | Page Link |
---|---|---|
DNS Capture | Contains TXT, MX, LOC, PTR, A, AAAA, Any, NS, SRV queries | DNS |
DHCP | All packets broadcast implementation | DHCP |
DHCP 2 | Unicast packets implementation | DHCP |
DHCP Inter VLAN | DHCP | |
DHCP auth | DHCP | |
Misc Captures
Packet Type | Description | Page Link |
---|---|---|
TCP SACK | SACK(frame #31), Timestamp | TCP/IP |
Smtp | ||
Teardrop | ||
Telnet | ||
Port Scan | ||
Traceroute | Traceroute | |
Path MTU | Fragmentation Needed message in packet #6 | Path MTU Discovery |
HTTP | Sack Used | HTTP |
NAT | Ping Packet with & without NAT | |
IP Fragmentation | ||
SNMP | ||
SIP | ||
GRE Encapsulated Ping | ||
RADIUS | ||
DTP | ||
Slammer Worm | ||
GLBP election | ||
HDLC | ||
HSRP | ||
HSRP election | ||
HSRP failover | ||
Hsrp-and-ospf-in-LAN | ||
RADIUS2 | ||
SSHv2 | ||
TACACS+ | ||
Bittorrent | ||
IPv6 | ||
Vnc-sample | ||
Blaster Worm | ||
OS Fingerprinting | ||
STP | ||
MySQL | ||