2013-12-05_tcpflow-and-BE-update

More documents

Recommendations

Info

Example of packets from IN4001-1026:Packets in file 204,202UDP packets 93,130TCP packets 111,039Sample UDP-5:00:00.000000 IP 10.48.231.2.hsrp >all-routers.mcast.net.hsrp:HSRPv0-hello 20: state=active group=5 addr=10.48.231.1Sample TCP:-5:00:00.000000 IP 10.48.133.228.http > 10.48.231.44.chip-lm:Flags [.], seq 6301:7561, ack 763, win 65535, length <strong>12</strong>60Note:• Time -5:00:00, so these packets came from memory, not a carved PCAP file.65
The big picture:using low-probability data for high-outcome correlation.bulk_extractor was created to find low-probably, high-value information.• “low-probability” means does not occur by chance; not part of the background.• Examples:—email addresses—Credit card numbers—Evidence of specific executables (prefetch files; PE headers)Once found, the goal was to enable:• Multi-drive correlation—Find all drives with a specific identifier—“Blind correlation” between multiple drives to find identifiers in commonWe now have more sources of low-probability data:• Fragments from ZIP & RAR files• Ethernet MAC addresses66
Page 1 and 2:
TCPBEflowTCP analysis with tcpflow;
Page 3 and 4:
tcpflow is a command-line tool for
Page 6 and 7:
tcpflow turns each side of the TCP
Page 8 and 9:
Page 10 and 11:
Page 12 and 13:
Page 14 and 15:
tcpflow automatically bins connecti
Page 16 and 17:
eport.xml is a DFXML file that reco
Page 18 and 19: tags generated by tcpflow match fiw
Page 20 and 21: Harassment atNITROBAState Universit
Page 22 and 23: To find out what's going on,Nitroba
Page 24 and 25: How to solve this problem:NITROBASt
Page 26 and 27: Slides omitted
Page 28 and 29: tcpflow addresses important “real
Page 30 and 31: 26tcpflow makes transcripts from ea
Page 32 and 33: 28tcpflow makes transcripts with mi
Page 34 and 35: 30tcpflow will detect and split gig
Page 36 and 37: tcpflow 1.4 uses the bulk_extractor
Page 38 and 39: SSL decryption issuesOptions for de
Page 40 and 41: The actual cipher suites used when
Page 42 and 43: 808023One-page visualization of pac
Page 44 and 45: Radiotap information available at T
Page 46 and 47: 802.11 link-layer information avail
Page 48 and 49: plot_wifi_aps.py will transform thi
Page 50 and 51: BEbulk_extractorimprovements
Page 53 and 54: zip.txt — potential zipfile heade
Page 55 and 56: Beverly, Robert, Simson Garfinkel a
Page 57 and 58: Are low-level binary network data s
Page 59 and 60: Hibernation decompression found eve
Page 61 and 62: BE 1.3 put MAC addresses in ether.t
Page 63 and 64: ip_histogram.txt removes random noi
Page 65 and 66: pcap files are a common file format
Page 67: We find a lot of packets on disks!A
show all

2013-12-05_tcpflow-and-BE-update

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?