Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Comment your Packet Captures!

Published: 2018-01-18
Last Updated: 2018-01-18 12:28:43 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no “best” way to take notes, some people use electronic solutions while others are using good old paper and pencil. Just keep in mind: it must be properly performed if your notes will be used as evidence later… With investigations, there are also chances to you will have to deal with packet captures. Many security tools can record samples of network traffic or you can maybe need a full-packet capture[1]. Some tools, like Moloch, allow you to “tag” some conversations. Later, you can search for them to find back interesting traffic:


Tags are helpful to assign some flows to a case being investigated or to categorize them (“suspicious”, “exfiltration”, “exploitation”, etc). I’m a big fan of Moloch but, with this kind of tools, added tags are stored in the ElasticSearch database. If you export the data in PCAP format, you will lose your tags. How to add them to the PCAP itself? To achieve this, let’s have a look at the PCAP-ng format[2]. It extends the simple PCAP format features with more options like: 

  • to store more capture related information
  • extended time stamp precision
  • capture interface information
  • capture statistics
  • mixed link layer types
  • name resolution information
  • user comments

The latest information is definitively a nice feature. Wireshark supports PCAP-ng natively. While reviewing traffic, it’s easy to add a comment: Select the packet, right click and select “Packet Comment”. You can now enter your comment in a small editor window. To display the existing comments when you open an existing PCAP-ng file (or to see yours), you can add an extra column to the main Wireshark windows:

And of course, you can search for comments. This filter displays all packets that belong to the incident “1234”:

frame.comment contains “1234”

If you need to save the PCAP to share it with other handlers or colleagues, Wireshark will automatically select the PCAP-ng format (because extra metadata have been added - comments in this case).

What’s nice, you can also search/display comments with command line tools:

$ tshark -r test.pcapng -Y frame.comment
  916 177.563553 Cisco_5a:fa:30  CDP/VTP/DTP/PAgP/UDLD CDP 370 This is Cisco CDP packet. Case ID #1234 Device ID: cisco-ap.xxxx  Port ID: Dot11Radio0.1
 3314 540.372018 192.168.254.212 59920 104.199.42.108 TCP 129 TCP Error? [TCP Retransmission] 59920 → 443 [PSH, ACK] Seq=3988 Ack=5698 Win=4096 Len=63 TSval=1092967452 TSecr=898909663

On Mac OSX, the native tcpdump command can also handle comments:

$ tcpdump -r test.pcapng -n -k C | grep -v ' () '
reading from PCAP-NG file test.pcapng
17:47:58.181178 (This is Cisco CDP packet. Case ID #1234) CDPv2, ttl: 180s, Device-ID 'cisco-ap.xxxx', length 348
17:54:00.989643 (TCP Error?) IP 192.168.254.212.59920 > 104.199.42.108.443: Flags [P.], seq 3987:4050, ack 5698, win 4096, options [nop,nop,TS val 1092967452 ecr 898909663], length 63

Finally, if you use cloud services to handle your capture files, most of them support pcap-ng and comments, like CloudShark[3]. From now, you don't have any valid excuse for not commenting your PCAP files!

[1] https://isc.sans.edu/forums/diary/The+easy+way+to+analyze+huge+amounts+of+PCAP+data/22876/
[2] https://wiki.wireshark.org/Development/LibpcapFileFormat
[3] https://support.cloudshark.org/user-guide/#comments
 

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Reviewing the spam filters: Malspam pushing Gozi-ISFB
Jan 17th 2018
16 hours ago by Brad (3 comments)

Decrypting malicious PDFs with the key
Jan 15th 2018
2 days ago by DidierStevens (0 comments)

Peeking into Excel files
Jan 14th 2018
3 days ago by DidierStevens (0 comments)

Flaw in Intel's Active Management Technology (AMT)
Jan 13th 2018
5 days ago by Rick (0 comments)

Those pesky registry keys required by critical security patches
Jan 12th 2018
6 days ago by Bojan (8 comments)

Mining or Nothing!
Jan 11th 2018
1 week ago by Xme (1 comment)

View All Diaries →

Latest Discussions

What is airbnb doing?
created Jan 9th 2018
1 week ago by Mike (0 replies)

Convert OST Emails to PST Files
created Jan 4th 2018
2 weeks ago by Anonymous (0 replies)

Windows Client what the hell is this?
created Jan 2nd 2018
2 weeks ago by Anonymous (0 replies)

My log Reports not displaying reported entries
created Dec 22nd 2017
3 weeks ago by Tony (0 replies)

StormCast RSS feed not supporting older SSL?
created Dec 15th 2017
1 month ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
6 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
5 months ago by Johannes (12 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 month ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
4 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
5 months ago by Xme (2 comments)