2013-12-05_tcpflow-and-BE-update

More documents

Recommendations

Info

In 2012, scan_net was expanded to create pcap files“pcap” files are much easier to process.• Provides entire packet (ip.txt gave the offset of the packet in the disk image.)• Process with existing tools: Wireshark, tcpflow, tcpdump,...• Include timestamp metadata for each packet (for those from pcap files)inputscan_netTwo sources of packets:• Ethernet or IP packet in memory.• PCAP file on the drive—Someone was running a sniffer?IP addressespcap files61
pcap files are a common file format for packets.There are many tools for analyzing pcap files.$ tcpdump -r packets.pcap-5:-59:-59.0000 IP 192.168.1.1.microsoft-ds > 192.168.1.104.udpradio: Flags [.], ack416616880, win 65535, length 0-5:-59:-59.0000 IP 192.168.1.1.microsoft-ds > 192.168.1.104.udpradio: Flags [.], ack4294967234, win 65535, length 0-5:-59:-59.0000 IP 192.168.1.1.microsoft-ds > 192.168.1.104.udpradio: Flags [.], ack4294967084, win 65535, length 0-5:-59:-59.0000 IP 192.168.1.1.microsoft-ds > 192.168.1.104.udpradio: Flags [P.], seq4294966956:4294967060, ack 4294967008, win 65535, length 104SMB PACKET: SMBtrans2(REPLY)...Notice time is -5:-59:-59.000• This has a time zone of -0600 (I’m typing this in Utah in the summer)• The time in the packet file is “1”/* Possibly a valid ethernet frame but not preceded by a* pcap_record_header.* Write it out with time of 1.*/• Only packets carved from a PCAP file will have a the correct time.62
Page 1 and 2:
TCPBEflowTCP analysis with tcpflow;
Page 3 and 4:
tcpflow is a command-line tool for
Page 6 and 7:
tcpflow turns each side of the TCP
Page 8 and 9:
Page 10 and 11:
Page 12 and 13:
Page 14 and 15: tcpflow automatically bins connecti
Page 16 and 17: eport.xml is a DFXML file that reco
Page 18 and 19: tags generated by tcpflow match fiw
Page 20 and 21: Harassment atNITROBAState Universit
Page 22 and 23: To find out what's going on,Nitroba
Page 24 and 25: How to solve this problem:NITROBASt
Page 26 and 27: Slides omitted
Page 28 and 29: tcpflow addresses important “real
Page 30 and 31: 26tcpflow makes transcripts from ea
Page 32 and 33: 28tcpflow makes transcripts with mi
Page 34 and 35: 30tcpflow will detect and split gig
Page 36 and 37: tcpflow 1.4 uses the bulk_extractor
Page 38 and 39: SSL decryption issuesOptions for de
Page 40 and 41: The actual cipher suites used when
Page 42 and 43: 808023One-page visualization of pac
Page 44 and 45: Radiotap information available at T
Page 46 and 47: 802.11 link-layer information avail
Page 48 and 49: plot_wifi_aps.py will transform thi
Page 50 and 51: BEbulk_extractorimprovements
Page 53 and 54: zip.txt — potential zipfile heade
Page 55 and 56: Beverly, Robert, Simson Garfinkel a
Page 57 and 58: Are low-level binary network data s
Page 59 and 60: Hibernation decompression found eve
Page 61 and 62: BE 1.3 put MAC addresses in ether.t
Page 63: ip_histogram.txt removes random noi
Page 67 and 68: We find a lot of packets on disks!A
Page 69 and 70: The big picture:using low-probabili
show all

2013-12-05_tcpflow-and-BE-update

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?