Welcome!

Industrial IoT Authors: Elizabeth White, Stackify Blog, Yeshim Deniz, SmartBear Blog, Liz McMillan

Related Topics: Cloud Security, Industrial IoT, Microservices Expo, Adobe Flex, Agile Computing

Cloud Security: Article

Capture File Filtering with Wireshark

Needle in a Haystack

Intrusion detection tools that use the libpcap C/ C++ library [1] for network traffic capture (such as Snort [2] and Tcpdump [1]) can output packet capture information to a file for later reference. The format of this capture file is known as pcap. By capturing packet data to a file, an investigator can return later to study the history of an intrusion attempt – or to turn up other important clues about clandestine activity on the network.

Of course, the traffic history data stored in a pcap file is much too vast to study by just viewing the file manually. Security experts use specialized filtering tools to search through the file for pertinent information. One way to look for clues in a pcap file is to use the Wireshark protocol analysis tool [3] and its accompanying command-line utility tshark.

Wireshark is included by default on many Linux distros, and if not, it is available through the leading package repositories. You can also download Wireshark through the project website [4]. In this article, I describe how to use Wireshark and tshark to search a pcap file for information on network activity. I will assume you already have a pcap file ready for investigation. For more on how to capture a pcap file with Tcp-dump, see my article “Intruder Detection with Tcpdump,” which is available online at the ADMIN magazine website [5].

tshark at the Command Line
The tshark utility is a simple tool included with the Wireshark package that lets you filter the contents of a pcap file from the command line. To get a view of the most significant activity, I use the following command:

$ tshark ‑nr dumpfile1.gz ‑qz "io,phs" > details.txt

The ‑n switch disables network object name resolution, ‑r indicates that packet data is to be read from the input file, in this case dumpfile1.gz. The ‑z allows for statistics to display after it finishes reading the capture file, the ‑q flag specifies that only the statistics are printed, and the > redirection
sends the output to the file called details.txt. See Figure 1 for the output of this information. To view a list of help commands used with tshark, type:

$ tshark ‑h

And for a list of ‑z arguments type:

$ tshark ‑z help

Figure 1

Say you would like to know whether a particular IP address appeared in a packet dump and what port it was connecting on. The following command line checks the dump file for the IP address 98.139.126.21:

$ tshark ‑V ‑nr dumpfile.gz ip.src == 98.139.126.21 | grep "Source port" | awk {'print $3'} | sort ‑n | uniq 80

The resulting output on the line following the command shows that the packet dump file recorded IP address 98.139.126.21 having connections on port 80.

If you were given a packet dump file and asked to find possible IRC traffic on your network, how would you do it? First, you would need to know what port numbers were associated with IRC traffic, and that could be accomplished with Google or by issuing the following command:

$ grep irc /usr/share/nmap/nmap‑services | grep tcp

Figure 2 shows the results of the preceding command.

Figure 2

Now I can search the packet dump and look for evidence of IRC traffic using the following commands:

$ tshark ‑nr dumpfile1.gz 'ip.addr==172.16.134.191 and tcp.port >=  6667 and tcp.port <= 6670 and irc' |  awk {'print $3,$4,$5,$6'} | sort ‑n | uniq ‑c

Figure 1: tshark statistics output.
Figure 2: Locating IRC port numbers with grep.
Figure 3: IRC connections found in the packet dump.
Figure 4: The Wireshark startup window.

The breakdown of this command is shown in Table 1, and the output is in Figure 3.

Figure 3

In the GUI
The Wireshark GUI application is easier on the eyes, and it provides some options that aren’t available at the command line. You can start Wireshark from the Application menu or from the terminal.  To load a capture file, select Open in the startup window (Figure 4) or select File | Open from the menubar.  Once you have a packet capture file loaded, you can start searching packet dumps within the Wireshark interface.

Figure 4

The Filter box below the Wireshark toolbar lets you enter criteria for the search. For instance, to search for all the Canonical Name records within the capture file, type in the following filter: dns.resp.type == CNAME (see Figure 5).  After you enter a filter, remember to clear the filter text to see the full file before starting a new search.

Figure 5

Table 1: Parts of a tshark Command

Option Description
‘ip.addr==172.16.134.191         This is my network
and tcp.port >= 6667                   Start of the port range
and tcp.port <= 6670                   End of the port range
and irc’                                           Searches for IRC traffic only
awk {‘print $3,$4,$5,$6’}             Prints the third through sixth patterns from each matching line
sort ‑n                                            Sorts according to string numerical value
uniq ‑c                                            Only prints the number of matches that are unique

Digging deeper, if I want to know how long a client resolver cached the IP address associated with the name cookex.amp.gapx.yahoodns.net (Figure 6), I would enter the following filter:

dns.resp.name == "cookex.amp.gapx. yahoodns.net"

Figure 6

The filter ip.addr == 10.37.32.97 gives information on all communications that involve 10.37.32.97 in the packet dump. If needed, use && to isolate to a specific protocol. The filter ip.dst == 10.37.32.97 or ip.src == 10.37.32.97 looks for a source or destination IP address.

How could I find the password used over Telnet between two IP addresses? For example, if a user at 172.21.12.5 is using Telnet to access a device at 10. 37. 140.160, I can enter:

ip.dst == 10.37.140.160 && ip.src == 172.21.12.5 && telnet.data contains "Password"

The preceding command will list the connections that meet the search requirement, and you can right-click on the packet and click Follow TCP Stream to view the password. (See Figures 7 and 8.)

Figure 7

Figure 8

Note: A much easier way to get the password on the network, if you were sniffing the traffic instead of reading from a capture file, would be to use ettercap, as follows:

$ ettercap ‑Tzq //23

To discover whether someone was viewing a suspicious web page, I can perform a filter search to find out what picture the person at IP address 10.225.5.107 was viewing at Yahoo (216.115.97.236) with the following filter:

ip.dst == 10.225.5.107 && ip.src == 216.115.97.236 && (image‑jfif || image‑gif)

Figure 9

Figure 9 shows the results. If you then right-click on a line in the output and select Follow TCP Stream for the results shown in Figure 10.
The second line in the Follow TCP Stream output specifies that wynn‑ rovepolitico.jpg is the image this person was viewing on the site.

Figure 10

Conclusion
Wireshark can do more than just watch the wires in real time. If you save a snapshot of network activity in a capture file in the pcap format, you can use Wireshark to search through the file to look for clues about nefarious activity.

In this article, I described how to search for information in a capture file using Wireshark and the tshark command-line tool.

Info

[1] Tcpdump and Libpcap: http://www.tcpdump.org/
[2] Snort: http://www..snort.org
[3] Wireshark: http://www.wireshark.org/
[4] Wireshark Download: http://www.wireshark.org/download.html
[5] “Intruder Detection with Tcpdump” by David J. Dodd: http://www.admin‑magazine.com/Articles/Intruder‑Detection‑with‑tcpdump/

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

IoT & Smart Cities Stories
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
In this Women in Technology Power Panel at 15th Cloud Expo, moderated by Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, Esmeralda Swartz, CMO at MetraTech; Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems; Seema Jethani, Director of Product Management at Basho Technologies; Victoria Livschitz, CEO of Qubell Inc.; Anne Hungate, Senior Director of Software Quality at DIRECTV, discussed what path they took to find their spot within the tec...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...