Analysis – Analyzing packet captures
Presented by Subhana s
NETWORK EVIDENCE COLLECTION AND ANALYSIS
Network forensics involves the process of identifying, collecting, analyzing and examining
the digital evidence extracted from network security element logs.
This collection is critical during an incident where an external threat source is in the
process of pilfering data out of the network.
activities,
To uncover the source of attacks, viruses, intrusions or security breaches that occur on a
It is used to collect evidence by analyzing network traffic data in order to identify the source
of an attack.
Some experts believe that Target likely had two primary sources of evidence to analyze:
log data and packet captures, the inputs of network forensic analysis.
Analyzing Packet Captures
Network Packet Capture is a networking term for intercepting a data packet that is
Once a packet is captured in real-time, it is stored for a period of time so that it can be
Packet captures contain a great deal of information that is potentially valuable to incident
response analysts.
Some of this information includes source and destination IP addresses, domains and
The payload is the actual contents of the packet, while the header contains
In some instances, incident response analysts are able to reconstruct actual files,
COMMAND-LINE TOOLS
Certain tools and techniques are available to examine the evidence acquired.
Several command-line tools can be utilized during the analysis of network
packet captures.
During more in-depth or lengthy incident response engagements, analysts may gather
several packet capture files.
Mergecap: merging multiple capture files into one
Mergecap is a program that combines multiple saved capture files into a single
output file specified by the -w argument.
There is no need to tell Mergecap what type of file you are reading; it will determine the file
type by itself.
By default, Mergecap writes all of the packets in the input capture files to a pcapng file.
Packets from the input files are merged in chronological order based on each frame’s
When the -a flag is specified, packets are copied from each input file to the output file.
Simple example of using mergecap.
This would be helpful if an analyst has a large packet capture and dividing it makes
searching easier.
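Added example, not from the original slides: a small Python model of the two merge modes described above, run on two constructed classic pcap byte strings. The default mode orders packets by frame timestamp, as mergecap does; concatenate=True copies each input file in turn, as with -a. It handles only little-endian classic pcap, not the pcapng that mergecap writes by default, and all packet contents are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(records):
    """Serialise (ts_sec, ts_usec, payload) tuples into classic pcap bytes."""
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, payload in records:
        # Per-packet header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out

def parse_pcap(data):
    """Return the (ts_sec, ts_usec, payload) records of a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return records

def merge_captures(captures, concatenate=False):
    """Merge several pcap byte strings into one, mirroring mergecap's two modes:
    concatenate=False -> packets ordered by timestamp (mergecap's default);
    concatenate=True  -> packets copied file by file, in order (mergecap -a)."""
    records = [rec for cap in captures for rec in parse_pcap(cap)]
    if not concatenate:
        # Stable sort keeps input order for packets with identical timestamps
        records.sort(key=lambda rec: (rec[0], rec[1]))
    return build_pcap(records)

def payload_order(pcap_bytes):
    """Helper for inspection: the packet payloads of a capture in file order."""
    return [rec[2] for rec in parse_pcap(pcap_bytes)]

# Constructed sample captures from two sensors whose packets interleave in time
CAP_A = build_pcap([(1700000000, 0, b"A1"), (1700000002, 0, b"A2")])
CAP_B = build_pcap([(1700000001, 0, b"B1"), (1700000003, 0, b"B2")])

if __name__ == "__main__":
    print("chronological:", payload_order(merge_captures([CAP_A, CAP_B])))
    print("concatenated: ", payload_order(merge_captures([CAP_A, CAP_B], concatenate=True)))
```

The same distinction matters when merging captures from several sensors: only the chronological merge lets a single timeline be read straight through.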
WIRESHARK
Wireshark comes with an array of command line tools which can be helpful for packet
analysis.
It is one of the most popular packet capture analysis tools available to incident response
analysts.
In the past, such tools were either very expensive, proprietary, or both. However, with
the advent of Wireshark, that has changed.
Wireshark is available for free, is open source, and is one of the best packet analyzers
available today.
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real
time and displays them in human-readable format.
Wireshark includes filters, color coding, and other features that enable analysts to dig deep into
network traffic and inspect individual packets.
There are some changes to be made to better assist the incident response analyst with
performing packet capture analysis in relation to an incident investigation:
Time:
i. The time setting in Wireshark allows for several options.
ii. One of these options which can be useful in an incident investigation is the date and
time that the individual packets have been captured.
To enable this, navigate to View and then to Time Display Format. From there, choose one
of the time options such as Date and Time of Day or Time of Day.
Name resolution:
i. The name resolution setting allows analysts to toggle between seeing the IP address of
source and destination hosts and hostname resolution.
ii. For example, if the packet capture is opened, the following shows the IP addresses:
iii. Navigate to View and then Name Resolution. Click on Resolve Network
Addresses. Wireshark will then resolve the IP addresses to hostnames.
Colorize packet list:
a) Display filters:
• One of the most important features is the ability to filter packet captures on a
wide range of services and ports.
• To filter traffic on the source IP address, right-click the IP address in the
packet capture window and navigate to Apply as Filter and then Selected;
Wireshark then applies that IP address as a filter.
b) Host identification:
• The first packet in the capture is a DHCP packet originating from a Cisco device to the
compromised machine.
If an analyst wishes to isolate specific traffic such as HTTP or DNS traffic, there
Both of these tools can be run on Linux operating systems and provide a
specialists,
• System administrators and others who need to analyze large amounts of captured
network traffic.
gain insight into the wealth of data contained within a packet capture in a more
user-friendly way. The way that the data is presented in these solutions further