Network Forensics

Packet Capture (PCAP) files store live network traffic that has been captured to disk for deep analysis. PCAP files contain all bytes captured and can be used to reconstruct entire TCP, UDP, and other data streams.

Programs and Tools

There are several different programs that can be used to analyze a pcap file; the most ubiquitous program is none other than Wireshark. Wireshark is a GUI-based pcap analysis and capture program which makes gathering and analyzing captures a breeze. Wireshark also has tons of built-in protocol dissectors which help analyze and present raw bytes in a human-readable and digestible format.

Tshark is a terminal-based program provided by Wireshark which brings the power of the terminal to Wireshark's framework. When paired with simple bash scripting and display filters, Tshark becomes an unbelievably powerful analysis tool.

Scapy is a Python-based packet manipulation library and another powerful tool. Scapy is useful for crafting packets, but it can also be used to analyze capture files. Since this library is Python-based, it can be used to create robust networking programs.

Tcpdump is a classic network capture and monitoring tool which uses the Berkeley Packet Filter (BPF) syntax.

Analysis

Now this is where the rubber meets the road. It's all fun and games to have a pcap file, but if you can't analyze it then the pcap is worthless.

Opening the file in Wireshark, we can see all sorts of colors; each one marks a different protocol or specific TCP flag. Right-clicking on a packet, we can choose Follow > TCP Stream to see the data transferred over a TCP connection.

Follow a TCP stream in Wireshark

We will be presented with the data transferred over this specific TCP stream and, if it's plaintext, we can easily read what's happening. In this specific stream, we can watch a user log into an FTP session and enter his password. Pretty cool!

This shows the login and password used for this FTP server
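
The same check can be scripted. The following Python is an added example, not part of the original page: it reads a classic pcap, joins TCP payload per direction, and lists FTP USER/PASS pairs sent in cleartext, including a PASS command split across two packets. The capture is constructed inline (documentation addresses, made-up login), and payload is joined in capture order, a simplification compared with Wireshark's sequence-number reassembly.

```python
import struct
from collections import defaultdict

def tcp_streams(pcap):
    """Join TCP payload per direction in capture order (no retransmit/reorder handling)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"  # byte order the capture was written in
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    streams, off = defaultdict(bytes), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]  # captured length
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # keep only IPv4 frames carrying TCP
        ip_len = struct.unpack("!H", frame[16:18])[0]  # excludes Ethernet padding
        tcp = frame[14 + (frame[14] & 0x0F) * 4:14 + ip_len]
        if len(tcp) >= 20:  # skip truncated TCP headers
            sport, dport = struct.unpack("!HH", tcp[:4])
            streams[(frame[26:30], sport, frame[30:34], dport)] += tcp[(tcp[12] >> 4) * 4:]
    return streams

def ftp_logins(streams):
    """Return (server_port, user, password) for each cleartext USER/PASS pair."""
    found = []
    for (_, _, _, dport), data in streams.items():
        user = None
        for line in data.split(b"\r\n"):
            verb, _, arg = line.partition(b" ")
            if verb.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif verb.upper() == b"PASS" and user is not None:
                found.append((dport, user, arg.decode(errors="replace")))
    return found

def _record(src, dst, payload):  # constructed pcap record, checksums left at zero
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src[0], dst[0])
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_pcap():
    """Constructed capture: one FTP login whose PASS command is split across two packets."""
    c, s = (bytes([192, 0, 2, 10]), 40000), (bytes([192, 0, 2, 21]), 21)
    msgs = [(s, c, b"220 ready\r\n"), (c, s, b"USER alice\r\n"), (s, c, b"331 need password\r\n"),
            (c, s, b"PASS example-"), (c, s, b"password\r\n"), (s, c, b"230 logged in\r\n")]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
        _record(a, b, p) for a, b, p in msgs)
```

Calling ftp_logins(tcp_streams(sample_pcap())) returns the login that a per-packet search for "PASS" would only recover in part, which is why the stream is rebuilt first.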

There's plenty more to find in a pcap; this is simply a primer. Get out there and find it!