2013-12-05_tcpflow-and-BE-update

More documents

Recommendations

Info

tcpflow turns each side of the TCP connection into a file.These files are then processed with standard tools.tcpflow splits 1-N pcap files into multiple TCP connections.• Each connection is put in two files (client ➜ server / server ➜ client)• HTTP sessions are decompressed & explodedTCPflowExample:$ tcpflow -a -o out-nitroba -r nitroba.pcap$ ls -l out-nitroba3648 Jul 22 2008 004.071.104.187.00080-192.168.015.004.35950462 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35458138 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35458-HTTPBODY-001.html462 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35712138 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35712-HTTPBODY-001.html136520 Jul 22 2008 008.012.217.125.00080-192.168.015.004.328222550 Jul 22 2008 008.012.217.125.00080-192.168.015.004.32822-HTTPBODY-001.gif1582 Jul 22 2008 008.012.217.125.00080-192.168.015.004.32822-HTTPBODY-002.gif58123 Jul 22 2008 008.012.217.125.00080-192.168.015.004.32822-HTTPBODY-003.gif...# of bytessent5
tcpflow turns each side of the TCP connection into a file.These files are then processed with standard tools.tcpflow splits 1-N pcap files into multiple TCP connections.• Each connection is put in two files (client ➜ server / server ➜ client)• HTTP sessions are decompressed & explodedTCPflowExample:$ tcpflow -a -o out-nitroba -r nitroba.pcap$ ls -l out-nitroba3648 Jul 22 2008 004.071.104.187.00080-192.168.015.004.35950462 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35458138 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35458-HTTPBODY-001.html462 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35712138 Jul 22 2008 004.078.212.029.00080-192.168.015.004.35712-HTTPBODY-001.html136520 Jul 22 2008 008.012.217.125.00080-192.168.015.004.328222550 Jul 22 2008 008.012.217.125.00080-192.168.015.004.32822-HTTPBODY-001.gif1582 Jul 22 2008 008.012.217.125.00080-192.168.015.004.32822-HTTPBODY-002.gif58123 Jul 22 2008 008.012.217.125.00080-192.168.015.004.32822-HTTPBODY-003.gif...# of bytessentDatesent5
Page 1 and 2: TCPBEflowTCP analysis with tcpflow;
Page 3 and 4: tcpflow is a command-line tool for
Page 8 and 9: tcpflow turns each side of the TCP
Page 14 and 15: tcpflow automatically bins connecti
Page 16 and 17: eport.xml is a DFXML file that reco
Page 18 and 19: tags generated by tcpflow match fiw
Page 20 and 21: Harassment atNITROBAState Universit
Page 22 and 23: To find out what's going on,Nitroba
Page 24 and 25: How to solve this problem:NITROBASt
Page 26 and 27: Slides omitted
Page 28 and 29: tcpflow addresses important “real
Page 30 and 31: 26tcpflow makes transcripts from ea
Page 32 and 33: 28tcpflow makes transcripts with mi
Page 34 and 35: 30tcpflow will detect and split gig
Page 36 and 37: tcpflow 1.4 uses the bulk_extractor
Page 38 and 39: SSL decryption issuesOptions for de
Page 40 and 41: The actual cipher suites used when
Page 42 and 43: 808023One-page visualization of pac
Page 44 and 45: Radiotap information available at T
Page 46 and 47: 802.11 link-layer information avail
Page 48 and 49: plot_wifi_aps.py will transform thi
Page 50 and 51: BEbulk_extractorimprovements
Page 53 and 54: zip.txt — potential zipfile heade
Page 55 and 56:
Beverly, Robert, Simson Garfinkel a
Page 57 and 58:
Are low-level binary network data s
Page 59 and 60:
Hibernation decompression found eve
Page 61 and 62:
BE 1.3 put MAC addresses in ether.t
Page 63 and 64:
ip_histogram.txt removes random noi
Page 65 and 66:
pcap files are a common file format
Page 67 and 68:
We find a lot of packets on disks!A
Page 69 and 70:
The big picture:using low-probabili
show all

2013-12-05_tcpflow-and-BE-update

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?