Welcome!

Industrial IoT Authors: Pat Romanski, Elizabeth White, SmartBear Blog, Cloud Best Practices Network, Derek Weeks

Related Topics: Cloud Security, Industrial IoT, Microservices Expo, Adobe Flex, Agile Computing

Cloud Security: Article

Capture File Filtering with Wireshark

Needle in a Haystack

Intrusion detection tools that use the libpcap C/ C++ library [1] for network traffic capture (such as Snort [2] and Tcpdump [1]) can output packet capture information to a file for later reference. The format of this capture file is known as pcap. By capturing packet data to a file, an investigator can return later to study the history of an intrusion attempt – or to turn up other important clues about clandestine activity on the network.

Of course, the traffic history data stored in a pcap file is much too vast to study by just viewing the file manually. Security experts use specialized filtering tools to search through the file for pertinent information. One way to look for clues in a pcap file is to use the Wireshark protocol analysis tool [3] and its accompanying command-line utility tshark.

Wireshark is included by default on many Linux distros, and if not, it is available through the leading package repositories. You can also download Wireshark through the project website [4]. In this article, I describe how to use Wireshark and tshark to search a pcap file for information on network activity. I will assume you already have a pcap file ready for investigation. For more on how to capture a pcap file with Tcp-dump, see my article “Intruder Detection with Tcpdump,” which is available online at the ADMIN magazine website [5].

tshark at the Command Line
The tshark utility is a simple tool included with the Wireshark package that lets you filter the contents of a pcap file from the command line. To get a view of the most significant activity, I use the following command:

$ tshark ‑nr dumpfile1.gz ‑qz "io,phs" > details.txt

The ‑n switch disables network object name resolution, ‑r indicates that packet data is to be read from the input file, in this case dumpfile1.gz. The ‑z allows for statistics to display after it finishes reading the capture file, the ‑q flag specifies that only the statistics are printed, and the > redirection
sends the output to the file called details.txt. See Figure 1 for the output of this information. To view a list of help commands used with tshark, type:

$ tshark ‑h

And for a list of ‑z arguments type:

$ tshark ‑z help

Figure 1

Say you would like to know whether a particular IP address appeared in a packet dump and what port it was connecting on. The following command line checks the dump file for the IP address 98.139.126.21:

$ tshark ‑V ‑nr dumpfile.gz ip.src == 98.139.126.21 | grep "Source port" | awk {'print $3'} | sort ‑n | uniq 80

The resulting output on the line following the command shows that the packet dump file recorded IP address 98.139.126.21 having connections on port 80.

If you were given a packet dump file and asked to find possible IRC traffic on your network, how would you do it? First, you would need to know what port numbers were associated with IRC traffic, and that could be accomplished with Google or by issuing the following command:

$ grep irc /usr/share/nmap/nmap‑services | grep tcp

Figure 2 shows the results of the preceding command.

Figure 2

Now I can search the packet dump and look for evidence of IRC traffic using the following commands:

$ tshark ‑nr dumpfile1.gz 'ip.addr==172.16.134.191 and tcp.port >=  6667 and tcp.port <= 6670 and irc' |  awk {'print $3,$4,$5,$6'} | sort ‑n | uniq ‑c

Figure 1: tshark statistics output.
Figure 2: Locating IRC port numbers with grep.
Figure 3: IRC connections found in the packet dump.
Figure 4: The Wireshark startup window.

The breakdown of this command is shown in Table 1, and the output is in Figure 3.

Figure 3

In the GUI
The Wireshark GUI application is easier on the eyes, and it provides some options that aren’t available at the command line. You can start Wireshark from the Application menu or from the terminal.  To load a capture file, select Open in the startup window (Figure 4) or select File | Open from the menubar.  Once you have a packet capture file loaded, you can start searching packet dumps within the Wireshark interface.

Figure 4

The Filter box below the Wireshark toolbar lets you enter criteria for the search. For instance, to search for all the Canonical Name records within the capture file, type in the following filter: dns.resp.type == CNAME (see Figure 5).  After you enter a filter, remember to clear the filter text to see the full file before starting a new search.

Figure 5

Table 1: Parts of a tshark Command

Option Description
‘ip.addr==172.16.134.191         This is my network
and tcp.port >= 6667                   Start of the port range
and tcp.port <= 6670                   End of the port range
and irc’                                           Searches for IRC traffic only
awk {‘print $3,$4,$5,$6’}             Prints the third through sixth patterns from each matching line
sort ‑n                                            Sorts according to string numerical value
uniq ‑c                                            Only prints the number of matches that are unique

Digging deeper, if I want to know how long a client resolver cached the IP address associated with the name cookex.amp.gapx.yahoodns.net (Figure 6), I would enter the following filter:

dns.resp.name == "cookex.amp.gapx. yahoodns.net"

Figure 6

The filter ip.addr == 10.37.32.97 gives information on all communications that involve 10.37.32.97 in the packet dump. If needed, use && to isolate to a specific protocol. The filter ip.dst == 10.37.32.97 or ip.src == 10.37.32.97 looks for a source or destination IP address.

How could I find the password used over Telnet between two IP addresses? For example, if a user at 172.21.12.5 is using Telnet to access a device at 10. 37. 140.160, I can enter:

ip.dst == 10.37.140.160 && ip.src == 172.21.12.5 && telnet.data contains "Password"

The preceding command will list the connections that meet the search requirement, and you can right-click on the packet and click Follow TCP Stream to view the password. (See Figures 7 and 8.)

Figure 7

Figure 8

Note: A much easier way to get the password on the network, if you were sniffing the traffic instead of reading from a capture file, would be to use ettercap, as follows:

$ ettercap ‑Tzq //23

To discover whether someone was viewing a suspicious web page, I can perform a filter search to find out what picture the person at IP address 10.225.5.107 was viewing at Yahoo (216.115.97.236) with the following filter:

ip.dst == 10.225.5.107 && ip.src == 216.115.97.236 && (image‑jfif || image‑gif)

Figure 9

Figure 9 shows the results. If you then right-click on a line in the output and select Follow TCP Stream for the results shown in Figure 10.
The second line in the Follow TCP Stream output specifies that wynn‑ rovepolitico.jpg is the image this person was viewing on the site.

Figure 10

Conclusion
Wireshark can do more than just watch the wires in real time. If you save a snapshot of network activity in a capture file in the pcap format, you can use Wireshark to search through the file to look for clues about nefarious activity.

In this article, I described how to search for information in a capture file using Wireshark and the tshark command-line tool.

Info

[1] Tcpdump and Libpcap: http://www.tcpdump.org/
[2] Snort: http://www..snort.org
[3] Wireshark: http://www.wireshark.org/
[4] Wireshark Download: http://www.wireshark.org/download.html
[5] “Intruder Detection with Tcpdump” by David J. Dodd: http://www.admin‑magazine.com/Articles/Intruder‑Detection‑with‑tcpdump/

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

@ThingsExpo Stories
SYS-CON Events announced today that Outlyer, a monitoring service for DevOps and operations teams, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outlyer is a monitoring service for DevOps and Operations teams running Cloud, SaaS, Microservices and IoT deployments. Designed for today's dynamic environments that need beyond cloud-scale monitoring, we make monitoring effortless so you...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
Have you ever noticed how some IT people seem to lead successful, rewarding, and satisfying lives and careers, while others struggle? IT author and speaker Don Crawley uncovered the five principles that successful IT people use to build satisfying lives and careers and he shares them in this fast-paced, thought-provoking webinar. You'll learn the importance of striking a balance with technical skills and people skills, challenge your pre-existing ideas about IT customer service, and gain new in...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buyers...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...
While not quite mainstream yet, WebRTC is starting to gain ground with Carriers, Enterprises and Independent Software Vendors (ISV’s) alike. WebRTC makes it easy for developers to add audio and video communications into their applications by using Web browsers as their platform. But like any market, every customer engagement has unique requirements, as well as constraints. And of course, one size does not fit all. In her session at WebRTC Summit, Dr. Natasha Tamaskar, Vice President, Head of C...
In the enterprise today, connected IoT devices are everywhere – both inside and outside corporate environments. The need to identify, manage, control and secure a quickly growing web of connections and outside devices is making the already challenging task of security even more important, and onerous. In his session at @ThingsExpo, Rich Boyer, CISO and Chief Architect for Security at NTT i3, will discuss new ways of thinking and the approaches needed to address the emerging challenges of securit...
TechTarget storage websites are the best online information resource for news, tips and expert advice for the storage, backup and disaster recovery markets. By creating abundant, high-quality editorial content across more than 140 highly targeted technology-specific websites, TechTarget attracts and nurtures communities of technology buyers researching their companies' information technology needs. By understanding these buyers' content consumption behaviors, TechTarget creates the purchase inte...
As cloud adoption continues to transform business, today's global enterprises are challenged with managing a growing amount of information living outside of the data center. The rapid adoption of IoT and increasingly mobile workforce are exacerbating the problem. Ensuring secure data sharing and efficient backup poses capacity and bandwidth considerations as well as policy and regulatory compliance issues.
Almost two-thirds of companies either have or soon will have IoT as the backbone of their business. Though, IoT is far more complex than most firms expected with a majority of IoT projects having failed. How can you not get trapped in the pitfalls? In his session at @ThingsExpo, Tony Shan, Chief IoTologist at Wipro, will introduce a holistic method of IoTification, which is the process of IoTifying the existing technology portfolios and business models to adopt and leverage IoT. He will delve in...
SYS-CON Events announced today that Conference Guru has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great dea...
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
910Telecom exhibited at the 19th International Cloud Expo, which took place at the Santa Clara Convention Center in Santa Clara, CA, in November 2016. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and exchanges.
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
The IoT industry is now at a crossroads, between the fast-paced innovation of technologies and the pending mass adoption by global enterprises. The complexity of combining rapidly evolving technologies and the need to establish practices for market acceleration pose a strong challenge to global enterprises as well as IoT vendors. In his session at @ThingsExpo, Clark Smith, senior product manager for Numerex, discussed how Numerex, as an experienced, established IoT provider, has embraced a new m...