Author Archives: Chris Sanders

Sanitizing PCAP Files for Public Distrubution

It happens pretty often that I’ll come across an interesting PCAP file that I want to share with others. Unfortunately, divulging these packet captures can give away certain sensitive information such as an organizations internal IP range, IP addresses of sensitive company assets, MAC addresses of critical hardware that could identify the product vendors, and more.

Fortunately, there is a tool which helps alleviate some of these issues. The tool is called Tcprewrite and is actually a part of the Tcpreplay suite. Tcpreplay is used to send packets from a PCAP back across the wire, but the suite actually contains a few other useful tools.Tcprewrite itself can be used to add and modify packet fields within PCAP files. For example, if you wanted to replace the layer two addressing information within a PCAP so that all of the packets have a specified source and destination MAC address you could use the following syntax:

tcprewrite --enet-dmac=00:55:22:AF:C6:37 --enet-smac=00:44:66:FC:29:AF --infile=input.pcap --outfile=output.pcap

Tcprewrite can do neat things at layer four as well, including remapping ports used in sessions. The following example will remap all port 80 traffic to port 8080.

tcprewrite --portmap=80:8080 --infile=input.pcap --outfile=output.pcap

The examples shown above were taken directly from the tcprewrite wiki page (http://tcpreplay.synfin.net/wiki/tcprewrite) where you can find quite a few other usage examples.

The real value of tcprewrite, and the reason for this article, is its ability to randomize the addressing information in a PCAP file. This is done with the following syntax:

tcprewrite --seed=423 --infile=input.pcap --outfile=output.pcap

In this line, the seed option is used in the randomization of the addresses. This will replace all of the IP addresses in the IP headers of the packets and will also modify any ARP packets in the traffic accordingly.

From what I’ve been able to determine this option doesn’t randomize and rewrite and MAC addresses, which is a bit of a problem since MAC addresses can give away the vendor of a piece of hardware. The last thing I want is the entire world knowing that I use Cisco/Juniper/Enterasys/Etc based external firewalls. The ability to rewrite MAC addresses is there but its not random. What you can do in this case is to split a PCAP file into two separate files representing each direction of traffic. This can be done with tcpdump or tcpprep, which is a part of the tcprewrite suite as well. Using tcprewrite you can split the traffic like this:

tcpprep --auto=bridge --pcap=input.pcap --cachefile=input.cache

From there you can use syntax similar to what was shown above to replace the MAC addresses. This isn’t randomized so you will basically have to make something up. At the very least I’d recommend replacing the OUI section of the MACs. That syntax would look something like this:

tcprewrite --enet-dmac=00:44:66:FC:29:AF,00:55:22:AF:C6:37 --enet-smac=00:66:AA:D1:32:C2,00:22:55:AC:DE:AC --cachefile=input.cache --infile=input.pcap --outfile=output.pcap

It wouldn’t be too much of a stretch to write a python script that uses tcpprep and tcprewrite to automate the randomization of MAC addresses as well.

You can download tcprewrite as part of the tcpreplay suite at http://tcpreplay.synfin.net/ or just apt-get/yum install tcpreply. The tool is Unix only (or you can use Cygwin if you are tied to Windows).

Understanding Man-In-The-Middle Attacks

I’ve been slowly working through an article series entitled “Understanding Man-In-The-Middle Attacks” for the last few months. The last article of this series was published a couple of weeks ago so I thought I’d post a quick roundup of them all. This series covers four different types of attacks, how they work, how to execute them, and how to protect yourself from them. These articles are being hosted on WindowsSecurity.com, whom I write for on a monthly basis.

You can read each article at its corresponding link:

Viewing Packet Captures Online with CloudShark

I woke up this morning and was very excited to see a post on a blog a frequent, Packet Life. It looks like the folks at QA Cafe have just launched a new project called CloudShark. I’ve been playing with CloudShark all morning and I’m very impressed. A colleague of mine wrote something similar to this a while back with intentions of publishing it but never did, so I’m glad someone set forth on a similar project. I plan on using CloudShark as a component of this blog, so from now on any packet captures I post will have a “view online” link that should display the captures directly in your browser.

The best resource for more information on CloudShark seems to be their FAQ:

What is CloudShark?

CloudShark is a web site that displays network capture files right in your browser instead of running desktop tools such as Wireshark. You upload, link, or email your capture files and we’ll display them.

Why CloudShark?

We work with network capture files on a daily basis. After trying to view capture files on mobile devices without Wireshark support, we realized it was time to move packets to the cloud. The CloudShark idea was born. CloudShark was created to make viewing capture files easy from any device ranging from desktops to smart phones. After creating our own solution, we decided to make it available to everyone as CloudShark.org.

How does it work?

* Generate your capture file or use an existing capture file
* Email it, upload it, or link it
* CloudShark does the rest by providing a decode session
* If you email CloudShark with an attached capture file, we’ll email you back with a link to your decode session
* Send your capture files as an attachment to cap@cloudshark.org
* If you are in the browser already, we’ll drop you into your decode session

Are my capture files publicly accessible?

While the URLs to your decode session are not publicly shared, we make no claims that you data is not viewable by other CloudShark users. For now, if you want to protect sensitive data in your capture files, don’t use CloudShark.

Is there any limit to the size of the capture file I can upload?

Capture files are currently limited to 512 Kbytes. Larger files will be rejected.

Can I delete my decode session after I am done with it?

Not directly. Eventually it will be deleted when the disk space is recycled.

How long is my decode session available?

CloudShark is not a file storage site. We’ll try to keep your files around, but obviously there is a limit to the amount of files we can keep around. If the link to your decode session is no longer working, you may need to upload the capture file again. In the future we may provide persistent storage, but for now you should store your capture files somewhere else.

What capture formats are supported?

CloudShark uses tshark to do the actual decoding. tshark supports several capture files from other tools besides Wireshark. See http://wiki.wireshark.org/FileFormatReference.

I have a capture file hosted on my web site. Is there an easy way I can link a CloudShark decode session to this capture file?

Yes. You can create a CloudShark link that includes a URL to your capture file. Here is an example:

http://www.cloudshark.org/view?url=http://packetlife.net/captures/TCP_SACK.cap

Who are you?

CloudShark was created by QA Cafe. We are the creators of CDRouter, the leading CPE testing solution. We spend a lot of time working with capture files. You can visit us at qacafe.com.

Is this project connected to Wireshark.org?

No, not directly. We do use Wireshark, tshark actually, on our back end.

How can I contribute?

If you have any ideas, you can contact us at info@cloudshark.org.

Kudos to the folks at QA Cafe for putting this together! You can visit CloudShark at http://www.cloudshark.com and you can follow Cloudshark developments on Twitter at @Cloudshark.

Announcing the Rural Technology Fund

I wanted to take a moment and link over to a project I have been working on for quite some time. I’ve recently founded a 501(c)(3) non-profit organization called the Rural Technology Fund. Coming from a small rural area that really lacked in opporunities for those interested in technology, I know how challenging it can be to pursue a career in that field. The goal of the RTF is to provide opportunities to students from rural areas pursuing education in computer technology.

 

There are two main ways this is done –

 

Scholarships – This year the RTF is giving away two $500 scholarships. Hopefully we can give away much much more next academic year.

 

The Genesis program – Working with county youth service centers and local businesses, this program aims to utilize area volunteers to refurbish donated business PC’s for donation to students who do not have computers at home. The Genesis program gives birth to opportunities for these students and their families.

 

 

How can you help?

 

Packet Analysis Training – A portion of the income from EVERY training program I do goes directly to the RTF. This includes live training downloadable videos (coming soon).

 

Monetary Donations – The RTF is accepting donations, and all of those donations are tax deductible.

 

Computer and Equipment Donations – The Genesis Program is accepting donated computers to be refurbished and donated to students in needs. These computers should be in fairly decent condition and at least have a functioning motherboard and processor. We are also accepting monitor, keyboard, mouse, and software donations.

 

 

For more information on the Rural Technology Fund, check out www.ruraltechfund.org.

Keeping Capture Files Manageable

When you are capturing a lot of traffic the size of your capture files can grow really quickly. When this happens you are really going to have a hard time getting anything done when trying to sort through the file. There are a couple of things you can to do prevent this from happening.

Use an Effective Capture Filter

Capture filters are great when you know what you are looking for. If you ONLY want SMTP traffic, you can capture only that traffic. If you ONLY want to see HTTP POSTs, then you can capture only that traffic. If you aren’t sure what you are looking for then its bests to stick to capturing everything and using display filters, but when you have an eye on your target then capture filters are a great way to cut through the weeds. You will find this especially beneficial when capturing packets from a busy server or network segment.

Some of the things you can filter based upon include:

  • Specific Protocols
  • A Particular IP/MAC Address
  • Incoming/Outgoing Traffic Only

Split the Capture File as It’s Being Captured

Wireshark has some really great flexibility in allowing you to split a capture file as its being created. You can access this by selecting Capture from the main drop-down menu and selection Options, or by pressing Ctrl+K.

captureoptions

You have a couple of options here and they all become available to you when you place a check mark next to the Use Multiple Files box. There are two primary sections which I’ve creatively labeled the Multiple File and Stop Capture sections.

The multiple file section lets you specify a point at which a new file is created, either by reaching a certain size limit or at a certain time interval. I find that I typically use the size option for typical uses, but specifying a time interval for the packet capture can become very useful when you are trying to pinpoint when a certain event is happening. In this scenario you could start the capture at 12:00 and place and set the multiple file option to create the next file every 1 hour which should create a nice clean display of capture files by the hour.

It’s important to note that you can specify both of these criteria and in this case, a new file will be created when EITHER condition is met. In this top section you can also specify a maximum number of files to be created (don’t underestimate the value of this, I’ve accidentally filled up a hard drive on many occasions) and specify a ring buffer. A ring buffer uses a set number of files, and after the last file has been written it will begin overwriting the first file and cycling back through.

The stop capture section of this area is very straightforward and allows you to stop a capture after it reaches a certain point, either at a certain number of packets captured, a certain size limit, or a particular time interval. This comes in handy when you want to start a capture and run off to lunch or take a call.

Ensure You Are Capturing in the Best Location

One of the most overlooked parts of the packet analysis process is ensuring you are properly tapped into the network and getting the packets you need. Although the typical concern is whether or not you are getting enough packets, there are some cases in which you may be capturing TOO MUCH information. If you are having trouble weeding through a large capture file then you need to ask yourself if you really need to be where you are at. If it is a client/server issue, do you really need to capture from the server or would capturing from the client yield the traffic you need? If you are analyzing a slow network link, do you really need to be inside the router or would you be best suited to tap the outside interface of the router and get away from the internal networks broadcast domain?

Working with larger capture files is a real quick way to bog down your system and further complicate what may already be a long drawn out process. Using these techniques you should be able to keep tabs on your capture file size and make your analysis process quite a bit more efficient.