Open source network forensics and advanced pcap analysis



Speaker: GTKlondike

There is a lot of information freely available on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well-defined limit on how deeply the topic is covered. This intermediate-level talk aims to bridge the gap between a basic understanding of protocol analyzers (i.e. Wireshark and TCPdump) and practical real-world usage. Topics covered include network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network-based attacks. It is assumed the audience has working knowledge of protocol analysis tools (i.e. Wireshark and TCPdump), the OSI and TCP/IP models, and the major protocols (i.e. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.).

GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years of experience working as a network infrastructure and security consultant, mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.


  1. Open source network forensics and advanced pcap analysis, OR: So we have a Pcap, now what? By: GTKlondike
  2. Oh hey, that guy…
  3. I Am…
     - Local hacker/independent security researcher
     - Several years of experience in network infrastructure and security consulting as well as systems administration (routing, switching, firewalls, servers)
     - Passionate about networking
     - I’m friendly, just come up and say hi
     - Contact Info: Email: Blog:
  4. I Am Here Because…
     - Not enough easily accessible “advanced” material when it comes to packet analysis and network forensics
     - Goal: to bridge the gap between basic understanding and real-world usage
     - * Disclaimer: I am not an expert, I’m just really passionate about networks
  5. This is For…
     - Incident response teams
     - Network defenders
     - Malware analysts
     - Law enforcement
     - Network engineers
     - Technology lawyers
     - Infosec managers
     - Security researchers
  6. What should you know already?
     - Assumed basic knowledge of:
       - Protocol analyzers (Wireshark/TCPdump)
       - OSI and TCP/IP model
       - Major protocols (i.e. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.)
  7. Tools I Will Be Using
     - Wireshark
     - Network Miner
     - Hex editor
     - SiLK
     - Scalpel
     - GeoIP DB (
  8. What Is Network Forensics?
     - Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
  9. Pcap Data
     Pros:
     - Full packet capture
     - Detailed communication information
     - Used to set up new IDS/IPS rules
     Cons:
     - Large amount of data to parse
     - Large file sizes
     - Disk write latency may not record all packets
  10. Flow Data
     Pros:
     - Easy to implement
     - Easy to identify the important things at a high level
     - Baselining
     - Visualization
     - Up to 10,000:1 ratio from the packet size
     Cons:
     - Different analysis suites and flow types
     - Mostly command-line tools
     - Only “who’s talking to whom”, not the details of the conversation
  11. Network Forensics Process
     - Know your Triggering Events
     - Have a Goal
     - Packet Capture Analysis
       - Pattern Matching
       - List Conversations
       - Export
       - File/Data Carving
  12. Triggering Events
     Examples of Triggering Events:
     - IDS alert
     - Noticeable anomaly (i.e. DoS or virus activity)
     - Log anomalies
     - Deviations from network baselines
     - Known malicious/compromised system (i.e. known C&C servers or from out of country)
     - Time frame
     - Traffic signature
     - etc.
  13. Have A Goal
     - Always have a goal for analysis; there could be many needles in the haystack, and not having a goal could prolong a particular investigation
     - Prioritize your goals
  14. Pcap Analysis Methodology
     1. Pattern Matching – Identify and filter packets of interest by matching specific values or protocol metadata
     2. List Conversations – List all conversation streams within the filtered packet capture
     3. Export – Isolate and export specific conversation streams of interest
     4. Draw Conclusions – Extract files or data from streams and compile the data
  15. Yeah….
  16. Scenario 1
     Triggering Events:
     - User reporting malware activity
     - Current AV solution does not have a signature for the virus; nor is the virus recoverable from the infected host
     What We Know:
     - Full network packet capture for the day of the incident
     - Host of interest:
     Security Onion: /opt/samples/fake_av.pcap
  17. Scenario 1 (contd.)
     What We Want to Know:
     - Where did the user contract the malware from?
     - Malware file (if possible)
     - What kind of calls to the internet does it make?
     - Does it try to self-propagate through the internal network?
     - Possible network traffic signatures
     Security Onion: /opt/samples/fake_av.pcap
  18. Results Of The Investigation
     - Where did the user contract the malware from?
       - User made a direct call to the executable. Therefore, the user either deliberately downloaded the malware, or there was a piece of malware sleeping on the system.
     - Malware file (if possible)
       - Malware has been carved out and analyzed via
       - MD5 hash of the file: fbe86fe4bd273ba11ee09799994c9e93
       - SHA256 hash of the file: 7fdf98dbacfb45ed800b4ba66bb0887aa7e8529b4fb36bda63d28e1010fbd9d1
     - What kind of calls to the internet does it make?
       - DNS queries for a plethora of domains
       - HTTP communication with web sites located on a few of those domains
     - Does it try to self-propagate?
       - No communication to other internal addresses
     - Network traffic signatures
       - High volume of DNS queries within a short amount of time
  19. Scenario 2
     Triggering Events:
     - A denial of service (DoS) attack has been reported against the FTP server
     - FTP traffic spikes were seen prior to the FTP server being taken offline
     What We Know:
     - Captured traffic data that is narrowed down to an attacking host ( and the FTP server (
  20. Scenario 2 (contd.)
     What We Want to Know:
     - What happened?
     - What caused the spike in FTP traffic?
     - What events took place prior to the FTP server being taken offline? (i.e. were any files transferred to/from the FTP server, or were any user accounts compromised?)
  21. Results Of The Investigation
     - Attacker first initiated an ARP scan of the subnet
       - The following hosts were discovered: and
     - Attacker then began a port scan of host
       - The following ports were found open: 21, 445, 139, 135, 49152, 49153, 49154, 49155, 49156
     - Attacker followed up with an FTP brute-force attack against the FTP server
       - User anon credentials were compromised
     - Attacker successfully logged in as user anon with the stolen credentials
       - File "Whywecanthavenicecat.png" was downloaded
       - MD5 sum of the file: 12039fd05bc2fcd3902247124edcea06
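The carving step behind both scenarios (the methodology's Export and Draw Conclusions stages, and the PNG recovered with its MD5 above), as an added example that is not code from the talk: a Scalpel-style header/footer signature carver run over a reassembled stream. The signature table, the HTTP stream, the PNG and the JPEG bytes are all constructed here; nothing comes from the talk's captures.

```python
"""Scalpel-style file carving by header/footer signature over a reassembled
stream. Added example, not the talk's own code; the signature table covers
two types, and the sample stream is constructed inline."""
import hashlib
import struct
import zlib

# name -> (header, footer, bytes to keep after the footer)
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),   # IEND chunk name, then 4-byte CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),    # SOI marker ... EOI marker
}

def carve(stream: bytes, max_size: int = 10_000_000):
    """Return [(type, offset, blob)] for every header with a matching footer.
    A header whose footer is missing (capture cut short) is skipped."""
    found = []
    for name, (header, footer, tail) in SIGNATURES.items():
        pos = 0
        while (start := stream.find(header, pos)) != -1:
            end = stream.find(footer, start + len(header), start + max_size)
            if end == -1:
                break
            end += len(footer) + tail
            found.append((name, start, stream[start:end]))
            pos = end
    return sorted(found, key=lambda t: t[1])

def _chunk(kind: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))

def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG: real chunk layout, not from any capture."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return SIGNATURES["png"][0] + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")

SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"  # signature bytes only, not a real image

# Constructed stream: two HTTP responses back to back, as TCP reassembly would yield.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + sample_png()
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + SAMPLE_JPG
)

def md5_of(blob: bytes) -> str:
    """Hash a carved file the way the scenario slides report it."""
    return hashlib.md5(blob).hexdigest()
```

A footer found inside compressed data would truncate a file early, which is why Scalpel-style carving is a first pass and the recovered file is then validated with its parser.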
  22. Just goin’ with the flow…
  23. Network Flow
     - A record of source and destination traffic information, without the conversation details
       - Source IP
       - Destination IP
       - Source Port
       - Destination Port
       - Protocol
       - Start, end, and duration of the conversation *
       - Number of bytes
       - Number of packets
       - Directionality *
     * format dependent
  24. Flow Use In Security
     - Identify and track compromised hosts
     - Identify potential data leaks to unauthorized networks (exfiltration)
     - Network/host traffic patterns (baselining)
  25. Devices
     - Sensor – Monitors flows and sends information back to Collectors
     - Collector – Collects flows from some or all Sensors
     - Analyzer – Performs analysis on collected flow data
  26. Flow Formats
     - Netflow V5 – Uses UDP to send information from Sensor to Collector; very common and widely adopted. Does not work with IPv6.
     - Netflow V9 – Uses TCP, UDP, or SCTP (Stream Control Transmission Protocol) to send information from Sensor to Collector; also very common. Includes many improvements over Netflow V5.
  27. Flow Formats (contd.)
     - IPFIX (IP Flow Information Export) – Built off of Netflow V9; uses TCP, UDP, or SCTP to send information from Sensor to Collector.
     - sFlow – Flows based off of samples.
  28. Flow Analysis Methodology
     - Filtering – Filter down flows to relevant targets
     - Baselining – Compare flow record traffic to network baselines
     - Pattern Matching – Monitor fingerprints in traffic flows
       - Unidirectional traffic volumes
       - Complex deviations from normal traffic
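The Network Flow record fields and two of the Flow Analysis Methodology checks (pattern matching on the scenario 1 signature of many DNS queries in a short time, and unidirectional traffic volumes), as an added example that is not code from the talk or from SiLK. The packet metadata, hosts, window and threshold are all constructed assumptions; a sensor would supply the flows from real traffic.

```python
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet metadata: (ts_seconds, src, dst, sport, dport, proto, bytes).
# 10.0.0.5 makes one normal lookup, then a burst of 40 queries in two seconds;
# 10.0.0.9 probes five ports on 10.0.0.7 and only port 21 answers.
PACKETS = (
    [(0.0, "10.0.0.5", "10.0.0.53", 40000, 53, "udp", 70),
     (0.2, "10.0.0.53", "10.0.0.5", 53, 40000, "udp", 120)]
    + [(1.0 + i * 0.05, "10.0.0.5", "10.0.0.53", 41000, 53, "udp", 70) for i in range(40)]
    + [(5.0, "10.0.0.9", "10.0.0.7", 50000, p, "tcp", 60) for p in (21, 22, 80, 443, 445)]
    + [(5.1, "10.0.0.7", "10.0.0.9", 21, 50000, "tcp", 60)]
)

@dataclass
class Flow:  # the per-flow fields listed on the "Network Flow" slide
    start: float
    end: float
    packets: int = 0
    bytes: int = 0

def build_flows(packets):
    """Unidirectional flows keyed by the 5-tuple (NetFlow v5 semantics)."""
    flows = {}
    for ts, src, dst, sport, dport, proto, size in packets:
        f = flows.setdefault((src, dst, sport, dport, proto), Flow(start=ts, end=ts))
        f.start, f.end = min(f.start, ts), max(f.end, ts)
        f.packets += 1
        f.bytes += size
    return flows

def dns_burst_sources(packets, window=2.0, threshold=20):
    """Hosts sending more than `threshold` DNS queries inside any `window` seconds
    (the scenario 1 signature); window and threshold are assumed baselines."""
    per_host = defaultdict(list)
    for ts, src, _, _, dport, proto, _ in packets:
        if proto == "udp" and dport == 53:
            per_host[src].append(ts)
    hits = set()
    for host, times in per_host.items():
        times.sort()
        if any(bisect_right(times, t + window) - i > threshold for i, t in enumerate(times)):
            hits.add(host)
    return hits

def unanswered_flows(flows):
    """Flows with no reverse flow: one-sided traffic such as a port scan."""
    return {k for k in flows if (k[1], k[0], k[3], k[2], k[4]) not in flows}
```

The threshold should come from the baselining step rather than a fixed number; a resolver or a busy mail server will legitimately exceed what a workstation should ever produce.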
  29. Additional Information (Pcap Files)
  30. Further Reading
     - Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. By: Chris Sanders
     - Network Forensics: Tracking Hackers Through Cyberspace. By: Sherri Davidoff, Jonathan Ham
     - Guide to Integrating Forensic Techniques into Incident Response. 86.pdf
     - SiLK Analysis Handbook
     - File Signatures