Network Forensics Tools - Usage & Examples
This article collects examples of tools used to process captured network data and analyze various aspects of the traffic found in it (*sort of* network forensics)
How to obtain multiple files during a capture (ring buffer):
$ tethereal -i <iface> -a filesize:3000 -b 14 -s 96 -w <outfile>
(rotates through 14 files of 3000 KB, about 3 MB each; -s 96 keeps only the first 96 bytes of every frame, enough for headers but hardly any payload. Current tshark spells the ring buffer as -b filesize:3000 -b files:14)
NOTE: older tcpdump releases defaulted to a 68-byte snaplen (current ones capture whole packets); tcpdump has a ring buffer too: -C <size in millions of bytes> -W <number of files>
******
If multiple files matching the shell glob FOOBAR (e.g. the pieces of a ring buffer) are to be merged:
$ mergecap -w bigfile.cap FOOBAR
(a plain glob such as trace-*.cap is enough, no backticked ls needed; mergecap interleaves the packets by timestamp by default, -a concatenates the files instead)
******
Determine the type, byte order and snapshot length of a capture file:
$ file capture_file
capture_file: tcpdump capture file (big-endian) - version 2.4 (Ethernet, capture length 96)
("big-endian" only tells you the byte order of the host that wrote the file; every reader handles both. "capture length 96" is the snaplen: each frame was truncated to its first 96 bytes, so payload-level analysis (ngrep, tcpflow) will be mostly blind on this trace)
******
Analysis of a capture file by reading it into ntop, for statistics:
# ntop -f <capture> -m <local-subnet>
# ntop -c -m 10.10.10.0/24 -n -q -O -r 30 -u root
where: -f reads the capture file instead of sniffing, -m names the subnet ntop treats as local (10.10.10.0/24 above), -n keeps addresses numeric, and -u root leaves ntop running as root (use an unprivileged user when only reading a file from disk)
then connect to http://localhost:3000 (ntop's default web port)
******
Analysis of a capture file through snort (create the config file first!), with the following command:
$ sudo snort -r <capture> -c <snort.conf> -X -d -A full
(-X dumps the raw packet bytes from the link layer, -d the application-layer payload, -A full writes full alerts to the alert file; drop -X/-d once the rules are tuned, they make the output very verbose)
******
Determine the number of connections in a capture file (tcptrace lists each connection and prints the total as "N TCP connection(s) traced"; -n skips name resolution):
./tcptrace -t -n <capture>
******
Stats w/tethereal (pure SYNs, i.e. tcp.flags==0x02, towards port 21 per 60-second interval):
# tethereal -i eth2 -z "io,stat,60,tcp&&tcp.port==21&&tcp.flags==0x02,\
COUNT(tcp.flags)tcp.flags&&tcp.port==21&&tcp.flags==0x02,\
AVG(tcp.flags)tcp.flags&&tcp.port==21&&tcp.flags==0x02,\
MIN(tcp.flags)tcp.flags&&tcp.port==21&&tcp.flags==0x02,\
MAX(tcp.flags)tcp.flags&&tcp.port==21&&tcp.flags==0x02"
NOTE: -i eth2 runs this against live traffic; use -r <capture> for a file. tcp.flags==0x02 matches SYN-only segments (a SYN/ACK is 0x12), so the COUNT column is the number of FTP connection attempts per interval; AVG/MIN/MAX of a field that is always 0x02 are constant and only illustrate the syntax
******
Time:
# tcpdump -r <capture> ==> timestamps rendered in the LOCAL timezone of the machine where the trace is being read, not of the machine that captured it
# tcpdump -r <capture> -tt ==> raw UNIX epoch seconds, which is what the pcap file actually stores (UTC-based, independent of any timezone)
# date -r <epoch> ==> converts an epoch value back to a date on BSD/macOS (GNU date: date -d @<epoch>)
# tcpdump -r <capture> -tttt ==> full date and time, again in the reader's local timezone; run it as TZ=UTC tcpdump -tttt -r <capture> to get UTC
So the displayed time alone says nothing about where the systems are; but comparing the UTC-based timestamps with local-time stamps carried inside the traffic (mail headers with their UTC offset, FTP directory listings, syslog lines) can reveal a host's timezone and thus hint at its location
******
Example of usage - tcpflow accepts BPF "expression" filters:
# tcpflow -r <capture> -c 'host 172.16.4.4 and (src port 21 or src port 20)' > flowfile.txt
NOTE: -c prints the reassembled streams to standard output (so the redirect collects everything in one file); without it tcpflow writes one file per flow direction, named after the two endpoints, i.e. one for the client side and one for the server side. Quote the whole filter as a single argument
******
Determine OS (passive fingerprinting of the captured SYNs):
# p0f -s <capture> -x 'expression' (usually 'host <ip>')
NOTE: -s reads a tcpdump/pcap snapshot instead of sniffing an interface; the expression is an ordinary BPF filter; -x dumps the whole packet content, so omit it for a plain OS listing
******
Consolidate per source/destination pair (see Honeynet challenge 23 for the sumsrcdst script) - very, very useful!
$ tethereal -nr <capture> | ./sumsrcdst > file_with_conversations
******
TTL by IP conversation:
$ tcpdump -vvvr <capture> |awk '{print $2, $5, $6, $15, $17}' |sed 's/,//;s/://;s/\./ /4' |sed 's/\./ /7' |grep IP |awk '{print $3, $4, $6}' |sort |uniq > ttl-by-ip-conv.txt
NOTE: the awk field numbers match the tcpdump output format of the time; newer tcpdump releases wrap the -v output onto a second line and change the field layout, so check a few lines by hand before trusting the result
******
ngrep (-q) -> string searches inside network captures:
$ ngrep -I <capture> -q -x 'passwd' 'tcp port 21' --> reveals attempts to retrieve or handle the passwd file via ftp (-I reads a pcap file, -q suppresses the per-packet '#' noise, -x prints matches as hex and ASCII)
also: $ ngrep -q -I <capture> passwd port 21
$ ngrep -I 2003.12.15.cap -q -x 'shadow' 'tcp port 21' --> same with shadow file access attempts
NOTE: matches are case-sensitive unless -i is given, and port 21 is only the control channel: the file contents travel on the data connection (port 20 in active mode, a high port in passive mode), so search there as well
******
Time-related splitting of files:
# tethereal -r <capture> -w <outfile> -R '(frame.time >= "Jan 8, 2004 22:00:00.00") && (frame.time <= "Jan 8, 2004 23:00:00.00")'
NOTE: frame.time is compared in the local timezone of the machine running tethereal, so set TZ to match the capture host when that matters; on current tshark a read filter needs two-pass mode (-2 -R), or use -Y
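The checks above (reading the global header the way `file` summarises it, interpreting the stored timestamps, and cutting a time window out of a trace) can be done on the raw pcap format directly. The following Python script is an added example written for this page; it is not part of the original notes nor of any tool mentioned here. The pcap bytes it parses are constructed inline (three filler records, one of them inside the Jan 8, 2004 22:00 to 23:00 UTC window used above), and all function names are the example's own.

```python
import struct
from datetime import datetime, timezone

# pcap magic numbers as read with "<I" from the first four bytes.  The value tells us
# the byte order of the host that wrote the file and the timestamp resolution.
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian writer, microsecond fractions
    0xD4C3B2A1: (">", 1_000_000),      # big-endian writer, microsecond fractions
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian writer, nanosecond fractions
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian writer, nanosecond fractions
}
LINKTYPES = {0: "Null/BSD loopback", 1: "Ethernet", 101: "Raw IP", 113: "Linux cooked (SLL)"}


def parse_header(data):
    """Decode the 24-byte pcap global header (the fields `file` prints)."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (magic %#010x)" % magic)
    endian, divisor = MAGICS[magic]
    _, major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    return {
        "byte_order": "big-endian" if endian == ">" else "little-endian",
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "DLT %d" % linktype),
        "_fmt": endian,
        "_div": divisor,
    }


def iter_records(data):
    """Yield one dict per packet record: float epoch timestamp, lengths, packet bytes."""
    hdr = parse_header(data)
    off = 24
    while off + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(hdr["_fmt"] + "IIII", data[off:off + 16])
        end = off + 16 + caplen
        if end > len(data):
            break  # truncated last record (capture killed mid-write): stop, do not guess
        yield {
            "ts": sec + frac / hdr["_div"],
            "caplen": caplen,       # bytes actually stored (<= snaplen)
            "origlen": origlen,     # bytes on the wire
            "pkt": data[off + 16:end],
            "raw": data[off:end],   # record header + packet, reusable verbatim
        }
        off = end


def describe_time(ts):
    """The same stored timestamp the three ways tcpdump can print it."""
    return {
        "epoch": ts,                                                              # tcpdump -tt
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f"),
        "local": datetime.fromtimestamp(ts).strftime("%Y-%m-%d %H:%M:%S.%f"),  # default / -tttt
    }


def filter_time_window(data, start, end):
    """Return (pcap bytes, count) keeping only records with start <= ts <= end (epoch seconds)."""
    out = bytearray(data[:24])  # keep the original global header: byte order, snaplen, DLT
    kept = 0
    for rec in iter_records(data):
        if start <= rec["ts"] <= end:
            out += rec["raw"]
            kept += 1
    return bytes(out), kept


# --- constructed sample data for this example (not a real capture) --------------------
def build_pcap(records, snaplen=96, linktype=1, endian="<"):
    """Write a classic pcap v2.4 from (sec, usec, payload) tuples; the payloads are filler."""
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    body = b"".join(struct.pack(endian + "IIII", s, us, len(p), max(len(p), 1514)) + p
                    for s, us, p in records)
    return hdr + body


WINDOW_START = datetime(2004, 1, 8, 22, 0, 0, tzinfo=timezone.utc).timestamp()  # 1073599200
WINDOW_END = datetime(2004, 1, 8, 23, 0, 0, tzinfo=timezone.utc).timestamp()    # 1073602800
SAMPLE = build_pcap([
    (1073599199, 0, b"\x00" * 60),       # 21:59:59 UTC, just before the window
    (1073601000, 500000, b"\x00" * 60),  # 22:30:00.5 UTC, inside it
    (1073604600, 0, b"\x00" * 96),       # 23:30:00 UTC, after it
])

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    for rec in iter_records(SAMPLE):
        print(describe_time(rec["ts"]), rec["caplen"], "of", rec["origlen"], "bytes")
    _, n = filter_time_window(SAMPLE, WINDOW_START, WINDOW_END)
    print("records in window:", n)
```

The window is built from UTC explicitly; with tethereal's frame.time the same strings are read in the local timezone, which is the usual source of off-by-some-hours mistakes when a trace was captured on a host in another timezone. The origlen/caplen pair is what tells you the trace was cut at the snaplen.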
******
Validate the distance between networks as previously obtained w/ntop (p0f's "distance" is its guessed initial TTL minus the observed TTL):
$ sudo p0f -l -s <capture> |sed 's/>//g' |awk -F "-" '{print $1,$3}' |grep distance |sed 's/:/ /g' |awk '{print $1""$3"=="$6}' |sed 's/,//' |sort |uniq > distances.txt
******
TCP conversations, sorted and counted:
$ tcptrace -n -t <capture> |sed s/":"/" "/g |awk '{print $2 $4 $5}' |sort |uniq -c |sort -
******
Finding all hosts having been contacted by 10.10.10.195 on the SSH port:
$ tcpdump -r <capture> -X -s 1514 'host 10.10.10.195 and tcp port 22' |grep ssh |awk '{print $3;}' |awk -F. '{print $1"."$2"."$3"."$4;}' |sort |uniq
NOTE: grep ssh relies on tcpdump resolving port 22 to the service name, so do not add -n here; $3 is the source field, so the remote hosts show up through their replies and 10.10.10.195 itself appears in the list as well; -X and -s 1514 are not needed for this and the hex/ASCII dump lines can produce spurious matches
******
MAC address connections:
$ tcpdump -neqr <capture> |awk '{print $2" "$3" "$4;}' |sed 's/,//g'
******
MAC and IP connections in one line:
$ tcpdump -neqr <capture> |awk '
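The TTL-by-conversation, p0f distance, conversation count, SSH hosts and MAC/IP pipelines above all parse tcpdump's text output with fixed awk field numbers, which break as soon as -v wraps the IP header onto a continuation line or a non-TCP packet appears. What follows is an added example, not code from the original notes: a Python parser for `tcpdump -n -e -v -r <capture>` output that re-joins continuation lines and then answers the same questions (TTLs per src/dst pair, hop distance from a TTL, hosts contacted on a port, pure-SYN counts per port, MAC and IP on one line, and IPs seen coming from more than one MAC). The sample output is constructed for the example and assumes the tcpdump 4.x line layout; all function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# One logical line of "tcpdump -n -e -v -r <capture>" output: -e gives the MAC addresses,
# -v the IP header fields (TTL included).  With -v tcpdump wraps the IP part onto an
# indented continuation line, which is why fixed awk field numbers are fragile.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<smac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) > (?P<dmac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"\(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), .*?\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def logical_lines(text):
    """Glue tcpdump's indented continuation lines back onto the line they belong to."""
    out = []
    for line in text.splitlines():
        if out and line[:1].isspace():
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out


def parse(text):
    """Return (records, skipped): one dict per IPv4 line with ports, plus the lines that did not match."""
    records, skipped = [], []
    for line in logical_lines(text):
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)  # ICMP, ARP, IPv6 ... use another layout; never drop them silently
            continue
        rec = m.groupdict()
        for key in ("ttl", "sport", "dport"):
            rec[key] = int(rec[key])
        flags = FLAGS_RE.search(rec["rest"])
        rec["flags"] = flags.group(1) if flags else ""
        records.append(rec)
    return records, skipped


def ttl_by_conversation(records):
    """{(src, dst): sorted TTLs}; several TTLs for one pair point at spoofing or several hosts behind one IP."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], r["dst"])].add(r["ttl"])
    return {pair: sorted(ttls) for pair, ttls in seen.items()}


def hop_distance(ttl):
    """p0f-style distance: assume the nearest usual initial TTL (32, 64, 128, 255) at or above the observed one."""
    initial = next(i for i in (32, 64, 128, 255) if i >= ttl)
    return initial, initial - ttl


def mac_ip_pairs(records):
    """Distinct (src MAC, src IP, dst MAC, dst IP) combinations: MAC and IP on one line."""
    return sorted({(r["smac"], r["src"], r["dmac"], r["dst"]) for r in records})


def ip_mac_conflicts(records):
    """Source IPs seen coming from more than one source MAC (ARP spoofing, a cloned address, a moved host)."""
    macs = defaultdict(set)
    for r in records:
        macs[r["src"]].add(r["smac"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def hosts_contacted(records, host, port):
    """Destinations that `host` sent packets to on `port` (the SSH example without grep/awk)."""
    return sorted({r["dst"] for r in records if r["src"] == host and r["dport"] == port})


def syn_count_by_port(records):
    """Pure SYNs (tcp.flags == 0x02) per destination port, as in the io,stat example."""
    return Counter(r["dport"] for r in records if r["flags"] == "S")


# Constructed sample (not a real capture) in tcpdump 4.x "-n -e -v" layout: 10.10.10.195 opens
# SSH to 10.10.10.1 and 172.16.4.4 through the gateway MAC, then a second MAC uses the same IP.
SAMPLE = """\
22:14:03.123456 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.195.41234 > 10.10.10.1.22: Flags [S], seq 100, win 29200, length 0
22:14:03.123900 00:50:56:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.1.22 > 10.10.10.195.41234: Flags [S.], seq 200, ack 101, win 28960, length 0
22:14:05.000000 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 1002, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.195.41235 > 172.16.4.4.22: Flags [S], seq 300, win 29200, length 0
22:14:05.020000 00:50:56:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.4.4.22 > 10.10.10.195.41235: Flags [S.], seq 400, ack 301, win 28960, length 0
22:14:09.000000 00:0c:29:dd:ee:ff > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 7, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.195.41236 > 172.16.4.4.21: Flags [S], seq 500, win 29200, length 0
22:14:10.000000 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 8, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.10.195 > 10.10.10.1: ICMP echo request, id 1, seq 1, length 64
"""
```

On the constructed sample the interesting result is 10.10.10.195 seen from two MACs and with two TTLs (64 and 128) towards 172.16.4.4: either a second machine is using that address or someone is spoofing it. The ICMP line lands in the skipped list rather than being silently lost, which is exactly what the grep/awk pipelines do not tell you.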




