Network Forensics

Packet Capture (PCAP) files capture live network traffic to a file for deep analysis. PCAP files contain all bytes captured and can be used to reconstruct entire TCP, UDP, and other data streams.

Last updated 4 years ago

Was this helpful?

Programs and Tools

There are several different programs that can be used to analyze a pcap file; the most ubiquitous program is none other than Wireshark. Wireshark is a GUI-based pcap analysis and capture program which makes gathering and analyzing captures a breeze. Wireshark also has tons of built-in protocol dissectors which help analyze and present raw bytes in a human-readable and digestible format.

Tshark is a terminal-based program provided by Wireshark which brings the power of the terminal to Wireshark's framework. When paired with simple bash scripting and display filters, Tshark creates an unbelievably powerful analysis tool.

Scapy is a Python-based packet manipulation library and another powerful tool. Scapy is useful to craft packets, but can also be used to analyze capture files. Since this library is Python-based, it can be used to create robust networking programs.

Tcpdump is a classic network capture and monitoring tool which uses the Berkeley Packet Filter (BPF) syntax.

Analysis

Now this is where the rubber meets the road. It's all fun and games to have a pcap file, but if you can't analyze it then the pcap is worthless.

Opening the file in Wireshark, we see all sorts of colors; each one marks a different protocol or a specific TCP flag. Right-clicking on a packet, we can choose Follow > TCP Stream to see the data transferred over a TCP connection.

Follow a TCP stream in Wireshark

We will be presented with the data transferred over this specific TCP stream, and if it's plaintext, be able to easily read what's happening. In this specific stream, we can watch a user log into an FTP session and put his password in. Pretty cool!

This shows the login and password used for this FTP server

There's plenty more to find in pcap, this is simply a primer. Get out there and find it!
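The Follow > TCP Stream step done by hand in plain Python, as an added example that is not part of these notes: it walks a classic pcap file, reassembles each direction of a TCP conversation by sequence number and reports any FTP USER/PASS pair sent in the clear, the same finding the screenshot above shows. The capture, the 10.0.0.x addresses and the credentials are constructed inline; the builder helpers and function names are my own.

```python
import struct

def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # 14-byte Ethernet header, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

CLIENT, SERVER = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 21])   # constructed addresses
# Constructed sample capture: an FTP login as Follow > TCP Stream would display it.
SAMPLE_PCAP = build_pcap([
    build_frame(SERVER, 21, CLIENT, 40000, 1000, b"220 ftp ready\r\n"),
    build_frame(CLIENT, 40000, SERVER, 21, 2000, b"USER alice\r\n"),
    build_frame(SERVER, 21, CLIENT, 40000, 1015, b"331 Password required\r\n"),
    build_frame(CLIENT, 40000, SERVER, 21, 2012, b"PASS hunter2\r\n"),
    build_frame(SERVER, 21, CLIENT, 40000, 1038, b"230 Login ok\r\n"),
])

def follow_tcp_streams(pcap):
    """Group TCP payloads by (src, sport, dst, dport) and reassemble each direction by seq."""
    streams, off = {}, 24                            # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            streams.setdefault((ip[12:16], sport, ip[16:20], dport), {})[seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}

def ftp_logins(pcap):
    """Return (user, password) pairs sent in the clear to port 21: the finding to flag."""
    found = []
    for (_, _, _, dport), data in follow_tcp_streams(pcap).items():
        if dport != 21:                              # only the client -> server direction
            continue
        cmds = dict(line.split(" ", 1) for line in data.decode("latin-1").splitlines() if " " in line)
        found.append((cmds.get("USER"), cmds.get("PASS")))
    return found
```

`ftp_logins(SAMPLE_PCAP)` returns `[('alice', 'hunter2')]`; point `follow_tcp_streams` at the bytes of a real capture to get the same per-direction view Wireshark gives you, one entry per stream.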