Pcap Inspection
Last updated
Was this helpful?
Last updated
Was this helpful?
If the header of your pcap is broken you should try to fix it using: ****
Extract information and search for malware inside a pcap in ****
Search for malicious activity using and ****
The following tools are useful to extract statistic, files...
You can find some Wireshark trick in:
****(only linux) **can analyze a pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Access to 127.0.0.1:9876 with credentials xplico:xplico
Then create a new case, create a new session inside the case and upload the pcap file.
Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
Build visual network diagram (Network nodes & users)
Extract DNS queries
Reconstruct all TCP & UDP Sessions
File Carving
If you are looking for something inside the pcap you can use ngrep. And example using the main filters:
Using common carving techniques can be useful to extract files and information from the pcap:
Reads a PCAP File and Extracts Http Streams.
gzip deflates any compressed streams
Scans every file with yara
writes a report.txt
optionally saves matching files to a Dir
Check if you can find any fingerprint of a known malware:
Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
Basically, logs created by zeek
aren't pcaps. Therefore you will need to use other tools to analyse the logs where the information about the pcaps are.
Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download . It works with Windows. This tool is also useful to get other information analysed from the packets in order to be able to know what was happening there in a quick way.
You can download (It works in Windows). This is another useful tool that analyse the packets and sort the information in a useful way to know what is happening inside.
You can us tools like to parse credentials from a pcap or a live interface.
**** is a tool that