I recently came across a very interesting tool that adds some useful capabilities for network forensics on a PCAP capture file. It is named Dshell and was released in December 2014 by the United States Army Research Laboratory (ARL). Its purpose is to make it easy to develop plugins that dissect network packet captures and decode possibly unknown malicious protocols. This is the first part of a three-diary set. I will show the following in each part:
You can download it from https://github.com/USArmyResearchLab/Dshell and follow the installation instructions there. You launch the framework by typing dshell at the command prompt, which drops you into the Dshell shell. The main command inside that shell is decode, which starts the decoding framework. Let's see the available options: As you can see, usage is pretty simple. The following decoders are available for the decoder option of the command:
I'm sure you will find the options I just showed useful. Stay tuned for the next two parts ;) Manuel Humberto Santander Peláez
Manuel Humberto Santander Peláez, 195 Posts, ISC Handler, May 9th 2016
This could be really useful. I deal with PCAPs regularly that contain web traffic from a downstream web proxy. The true client IP is contained in a vendor proprietary HTTP header (why they don't just use X-FORWARDED-FOR I don't know). I suppose this could probably be leveraged so I can filter/display that header using a custom decoder or extending the existing http decoder.
Anonymous, May 10th 2016
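The header-handling logic that the custom decoder described in the comment above would need, written out as an added example. This is not code from the diary and it does not use Dshell's own plugin API: a real decoder would subclass Dshell's HTTP decoder and receive the reassembled request from the framework, whereas here the reassembled request bytes are constructed inline so the logic runs offline. The vendor header name X-Acme-Client-IP is a placeholder assumption standing in for whatever proprietary header the proxy actually sets. The example also shows the caveat a forensic analyst wants here: any address taken from a header is only as trustworthy as the proxy that wrote it, so the result records where the address came from.

```python
"""Extract the 'true client IP' behind a proxy from reassembled HTTP requests.

Added example, not Dshell code. Stands in for the step where an HTTP decoder
plugin is handed one reassembled request. X-Acme-Client-IP is a placeholder
for the vendor's proprietary header (assumption).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Placeholder for the proprietary header name (assumption; use the real one).
PROPRIETARY_HEADER = "x-acme-client-ip"


def parse_request_headers(payload: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Parse the request line and header block of an HTTP/1.x request.

    Returns (request_line, headers, remaining_bytes). Header names are
    lower-cased, repeated headers are kept in arrival order, and obsolete
    line folding (continuation lines starting with SP or HTAB) is joined
    onto the previous header value.
    """
    head, sep, rest = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    last: Optional[str] = None
    for raw in lines[1:]:
        line = raw.decode("latin-1")
        if line[:1] in (" ", "\t") and last is not None:
            headers[last][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        headers.setdefault(name, []).append(value.strip())
        last = name
    return request_line, headers, rest


def resolve_client_ip(headers: Dict[str, List[str]], tcp_src: str) -> Tuple[str, str]:
    """Pick the address to report as the client and say where it came from.

    Order: proprietary header, then X-Forwarded-For (leftmost entry is the
    original client as asserted by the first proxy), then the TCP source.
    Header values are attacker-controllable unless the proxy overwrites
    them, so the source name is returned alongside the address.
    """
    for name in (PROPRIETARY_HEADER, "x-forwarded-for"):
        for value in headers.get(name, []):
            candidate = value.split(",")[0].strip()
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue  # junk in the header: fall through to the next source
            return candidate, name
    return tcp_src, "tcp"


def summarize_request(payload: bytes, tcp_src: str, tcp_dst: str) -> dict:
    """Produce the per-request record a decoder would emit as an alert."""
    request_line, headers, _ = parse_request_headers(payload)
    parts = request_line.split(" ")
    client, source = resolve_client_ip(headers, tcp_src)
    return {
        "method": parts[0],
        "target": parts[1] if len(parts) > 1 else "",
        "host": headers.get("host", [""])[0],
        "tcp_src": tcp_src,
        "tcp_dst": tcp_dst,
        "client_ip": client,
        "client_ip_source": source,
    }


# Constructed sample requests: (reassembled payload, TCP source, TCP destination).
# The TCP source is the downstream proxy in all three.
SAMPLE_REQUESTS = [
    (b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n"
     b"X-Acme-Client-IP: 10.20.30.40\r\nX-Forwarded-For: 192.0.2.7\r\n\r\n",
     "10.0.0.5", "203.0.113.10"),
    (b"POST /api HTTP/1.1\r\nHost: intranet.example\r\n"
     b"User-Agent: scanner/1.0\r\n (folded)\r\n"
     b"X-Forwarded-For: 192.0.2.7, 10.0.0.5\r\n\r\n{}",
     "10.0.0.5", "203.0.113.10"),
    (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
     b"X-Acme-Client-IP: not-an-ip\r\n\r\n",
     "10.0.0.5", "203.0.113.10"),
]


def run_samples() -> List[dict]:
    return [summarize_request(p, s, d) for p, s, d in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for rec in run_samples():
        print(rec)
```

In the third sample the proprietary header carries garbage, so the record falls back to the TCP source and says so; a decoder that silently trusted the header would have reported nothing useful, and one that silently used the TCP source would have hidden the fact that the proxy's header was malformed.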