Pcap Inspection
Online tools for pcaps
If the header of your pcap is broken you should try to fix it using: http://f00l.de/hacking/pcapfix.php
Extract information and search for malware inside a pcap in PacketTotal
Search for malicious activity using www.virustotal.com and www.hybrid-analysis.com
Extract Information
The following tools are useful to extract statistics, files and other data from a pcap.
Wireshark
You can find some Wireshark tricks in:
Wireshark tricks
Xplico Framework
Xplico can analyze a pcap and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Install
sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico
Run
/etc/init.d/apache2 restart
/etc/init.d/xplico start
Access 127.0.0.1:9876 with the credentials xplico:xplico
Then create a new case, create a new session inside the case and upload the pcap file.
NetworkMiner
Like Xplico, it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download here.
Extract usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
Build visual network diagram (Network nodes & users)
Extract DNS queries
Reconstruct all TCP & UDP Sessions
File Carving
Capinfos
capinfos capture.pcap
Ngrep
If you are looking for something inside the pcap you can use ngrep. An example using the main filters:
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
Carving
Using common carving techniques can be useful to extract files and information from the pcap:
File/Data Carving & Recovery Tools
Check Exploits/Malware
Suricata
Install and setup
apt-get install suricata
apt-get install oinkmaster
echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Check pcap
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
YaraPcap
YaraPCAP is a tool that:
Reads a PCAP file and extracts HTTP streams.
Gunzips any compressed streams.
Scans every file with YARA.
Writes a report.txt.
Optionally saves matching files to a directory.
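The YaraPCAP pipeline described above (read the pcap, reassemble the HTTP streams, gunzip them so the bodies can be scanned), as an added Python example that is neither YaraPCAP's own code nor from the original page; it also performs the global-header magic check behind the pcapfix advice at the top of the page. It assumes Ethernet/IPv4/TCP frames and in-order segments, and builds a constructed one-frame capture (sample_pcap) so it runs offline.

```python
import gzip, struct
from collections import defaultdict

MAGICS = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">", 0xa1b23c4d: "<", 0x4d3cb2a1: ">"}  # LE-read magic -> file byte order

def pcap_frames(data):
    """Validate the 24-byte global header, then yield each captured frame."""
    end = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("bad pcap magic: header is corrupt (try pcapfix)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_segment(frame):
    """Return ((src, sport, dst, dport), payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0xF) * 4, struct.unpack(">H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport = struct.unpack(">HH", tcp[:4])
    return (ip[12:16], sport, ip[16:20], dport), tcp[(tcp[12] >> 4) * 4:]

def http_bodies(pcap_bytes):
    """Concatenate each flow's payload and gunzip gzip-encoded HTTP response bodies."""
    streams = defaultdict(bytes)
    for frame in pcap_frames(pcap_bytes):
        if seg := tcp_segment(frame):
            streams[seg[0]] += seg[1]  # assumes in-order, non-overlapping segments
    bodies = {}
    for flow, data in streams.items():
        if data.startswith(b"HTTP/1."):
            head, _, body = data.partition(b"\r\n\r\n")
            if b"content-encoding: gzip" in head.lower():
                body = gzip.decompress(body)
            bodies[flow] = body  # this decoded body is what would be handed to YARA
    return bodies

def sample_pcap(body=b"constructed sample body"):
    """Constructed one-frame capture: a gzip-encoded HTTP/1.1 200 from 10.0.0.1:80 to 10.0.0.2:40000."""
    payload = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n" + gzip.compress(body)
    tcp = struct.pack(">HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, b"\n\0\0\1", b"\n\0\0\2") + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
    return struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```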
Malware Analysis
Check if you can find any fingerprint of a known malware:
Malware Analysis
Other pcap analysis tricks
DNSCat pcap analysis
USB Keyboard pcap analysis
Wifi Pcap Analysis