# Pcap Inspection {% hint style="info" %} A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; P**CAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools. {% endhint %} ## Online tools for pcaps * If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)\*\*\*\* * Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com/)\*\*\*\* * Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com/) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com/)\*\*\*\* ## Extract Information The following tools are useful to extract statistic, files... ### Wireshark {% hint style="info" %} **If you are going to analyze a PCAP you basically must to know how to use Wireshark** {% endhint %} You can find some Wireshark trick in: {% content-ref url="pcap-inspection/wireshark-tricks" %} [wireshark-tricks](https://chinnidiwakar.gitbook.io/githubimport/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks) {% endcontent-ref %} ### Xplico Framework Xplico can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. #### Install ```bash sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list' sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE sudo apt-get update sudo apt-get install xplico ``` #### Run ``` /etc/init.d/apache2 restart /etc/init.d/xplico start ``` Access to ***127.0.0.1:9876*** with credentials ***xplico:xplico*** Then create a **new case**, create a **new session** inside the case and **upload the pcap** file. ### NetworkMiner Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download [here](https://www.netresec.com/?page=NetworkMiner). ### [BruteShark](https://github.com/odedshimon/BruteShark) * Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...) * Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...) * Build visual network diagram (Network nodes & users) * Extract DNS queries * Reconstruct all TCP & UDP Sessions * File Carving ### Capinfos ``` capinfos capture.pcap ``` ### Ngrep If you are **looking** for **something** inside the pcap you can use **ngrep**. And example using the main filters: ``` ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168" ``` ### Carving Using common carving techniques can be useful to extract files and information from the pcap: {% content-ref url="partitions-file-systems-carving/file-data-carving-recovery-tools" %} [file-data-carving-recovery-tools](https://chinnidiwakar.gitbook.io/githubimport/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools) {% endcontent-ref %} ## Check Exploits/Malware ### Suricata #### Install and setup ``` apt-get install suricata apt-get install oinkmaster echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules ``` #### Check pcap ``` suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log ``` ### YaraPcap \*\*\*\*[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that * Reads a PCAP File and Extracts Http Streams. * gzip deflates any compressed streams * Scans every file with yara * writes a report.txt * optionally saves matching files to a Dir ### Malware Analysis Check if you can find any fingerprint of a known malware: {% content-ref url="malware-analysis" %} [malware-analysis](https://chinnidiwakar.gitbook.io/githubimport/forensics/basic-forensic-methodology/malware-analysis) {% endcontent-ref %} ## Other pcap analysis tricks {% content-ref url="pcap-inspection/dnscat-exfiltration" %} [dnscat-exfiltration](https://chinnidiwakar.gitbook.io/githubimport/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration) {% endcontent-ref %} {% content-ref url="pcap-inspection/usb-keyboard-pcap-analysis" %} [usb-keyboard-pcap-analysis](https://chinnidiwakar.gitbook.io/githubimport/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis) {% endcontent-ref %} {% content-ref url="pcap-inspection/wifi-pcap-analysis" %} [wifi-pcap-analysis](https://chinnidiwakar.gitbook.io/githubimport/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis) {% endcontent-ref %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://chinnidiwakar.gitbook.io/githubimport/forensics/basic-forensic-methodology/pcap-inspection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.