Jump to content

What Pcap data craving programs do you use?


PC646
 Share

Recommended Posts

As you have seen in my other posts I love Netwitness for analyzing pcaps, but I'm looking for other windows based programs for quickly data carving files. I have played with Network Miner but it tends to crash with the large amounts of pcaps I have, any other suggestions? Thanks.

Link to comment
Share on other sites

Most of my pcap experience is on Linux but there are win32 versions of a lot of the tools I use. Wireshark can be very usefull, especially if you don't know what you are looking for. If you do know what you are looking for then ettercap can be very usefull with a few custom filters you can quickly get out information.

Link to comment
Share on other sites

I found NetworkMiner to be an exelent tool as well. Dareen covered it in a show not too long ago and did a damn good job at it.

FYI NetworkMiner just released a new version and it seems to give out 2x as more info from a saved PCAP as before and a tad bit faster when it comes to LARGE files and network scanning

Link to comment
Share on other sites

So it sounds like their isnt much out there to pull files from pcaps...

Wetwork-

When you say large what are we talking about here? I'm doing multiple 250mb files (51GB total) and one at a time or a handful it's slow or crashes.

Link to comment
Share on other sites

  • 2 weeks later...
As you have seen in my other posts I love Netwitness for analyzing pcaps, but I'm looking for other windows based programs for quickly data carving files. I have played with Network Miner but it tends to crash with the large amounts of pcaps I have, any other suggestions? Thanks.

One Way Network Sniffer (OWNS) can be run on Windows and Linux. It can open pcap files for extracting images, videos, http files, emails... It can be downloaded from (SourceForge ).

Other interesting tools that can open pcap files are IMSniffer, for saving IM conversations (Live Messenger, Yahoo!, AIM, ICQ,...), MSN Webcam Recorder for saving MSN webcam streams, and Yahoo Webcam Recorder, a Java app that saves Yahoo Webcam Streams (sorry, no link).

Don't forget popular Cain&Abel. It can be used for voice calls.

There are a lot more options in the Linux world ;-)

--------

EPSILON

Link to comment
Share on other sites

1. Wireshark (http://www.wireshark.org/)

2. Cain & Abel (http://www.oxid.it)

3. Network Miner (http://sourceforge.net/projects/networkminer/)

4. TCP xract (http://tcpxtract.sourceforge.net/)

5. IM Sniffer (http://sourceforge.net/projects/imsniffer/)

6. MSN Shadow (http://msnshadow.blogspot.com/)

7. Honey Snap (https://projects.honeynet.org/honeysnap/)

8. NGrep (http://ngrep.sourceforge.net/)

I think thats most of the tools available for analysing pcaps for anything from passwords to data flow.

Link to comment
Share on other sites

  • 2 years later...

Wireshark can pull files out of pcap. Just 'follow the TCP conversation', highlight the file contents, and point-click your way to a standalone file. That is a pretty manual process though, so I'd want something automated or scriptable with 200+ pcaps to process.

I've used tcpxtract in the past with great success. Can you kick off an Ubuntu or Debian VM and dump the pcaps in there? tcpxtract will make fast work of them once you set up the signatures.

Link to comment
Share on other sites

Wireshark can pull files out of pcap. Just 'follow the TCP conversation', highlight the file contents, and point-click your way to a standalone file. That is a pretty manual process though, so I'd want something automated or scriptable with 200+ pcaps to process.

I've used tcpxtract in the past with great success. Can you kick off an Ubuntu or Debian VM and dump the pcaps in there? tcpxtract will make fast work of them once you set up the signatures.

What about the tool you demoed for deleted file recovery. Could it look at the raw hex dump in a pcap and do the same thing to reconstruct files? I know that when you do a "follow tcp stream" you can see the raw hex data, which is how I used tp pull MP3's from Flash Players. I imagine you could carve that data up the same way, although I've not sifted through a raw pcap in a text editor to see if its the same type of data. I know pcap files contain a lot of other info like the frames and time stamps and make fragmented packets look like single file streams, just wondering if you could train it to follow the sequence and reconstruct if for you with the same tool or same way to pipe it there with output from tshark or tcpdump maybe.

Link to comment
Share on other sites

That might not work since the file will be spread over multiple packets. If you do a follow stream and export that then yes it should work.

As much as I hate windows tools for forensics. You could use NetworkMiner to extract the files of a pcap pretty easily.

You could also run it all through the sniff suite of tools.

dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy

Link to comment
Share on other sites

That might not work since the file will be spread over multiple packets. If you do a follow stream and export that then yes it should work.

As much as I hate windows tools for forensics. You could use NetworkMiner to extract the files of a pcap pretty easily.

You could also run it all through the sniff suite of tools.

dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy

They now have NetworkMiner for Linux, and not windows version in whine, but natively in linux - http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono

Link to comment
Share on other sites

What about the tool you demoed for deleted file recovery. Could it look at the raw hex dump in a pcap and do the same thing to reconstruct files? I know that when you do a "follow tcp stream" you can see the raw hex data, which is how I used tp pull MP3's from Flash Players. I imagine you could carve that data up the same way, although I've not sifted through a raw pcap in a text editor to see if its the same type of data. I know pcap files contain a lot of other info like the frames and time stamps and make fragmented packets look like single file streams, just wondering if you could train it to follow the sequence and reconstruct if for you with the same tool or same way to pipe it there with output from tshark or tcpdump maybe.

tcpxtract is pretty much scalpel for pcap, I believe the config files are even compatible (or the format is at least extremely similar if not identical) :)

Link to comment
Share on other sites

<!--quoteo(post=145797:date=Fri, 06 Nov 2009 17:59:53 +0000:name=PC646)--><div class='quotetop'>QUOTE (PC646 @ Fri, 06 Nov 2009 17:59:53 +0000) <a href="index.php?act=findpost&pid=145797"><{POST_SNAPBACK}></a></div><div class='quotemain'><!--quotec-->As you have seen in my other posts I love Netwitness for analyzing pcaps, but I'm looking for other windows based programs for quickly data carving files. I have played with Network Miner but it tends to crash with the large amounts of pcaps I have, any other suggestions? Thanks.<!--QuoteEnd--></div><!--QuoteEEnd-->

One Way Network Sniffer (OWNS) can be run on Windows and Linux. It can open pcap files for extracting images, videos, http files, emails... It can be downloaded from (<a href="http://sourceforge.net/projects/owns/" target="_blank">SourceForge </a>).

Other interesting tools that can open pcap files are IMSniffer, for saving IM conversations (Live Messenger, Yahoo!, AIM, ICQ,...), <a href="http://sourceforge.net/projects/imsniffer/" target="_blank">MSN Webcam Recorder</a> for saving MSN webcam streams, and Yahoo Webcam Recorder, a Java app that saves Yahoo Webcam Streams (sorry, no link).

Don't forget popular Cain&Abel. It can be used for voice calls.

There are a lot more options in the Linux world ;-)

Hello,

I've been speaking to NetworkMiner people and debugging that thing and the crash is not related to the size of the PCAPs. The crash happens due to fragmented IP packets and problems with session management... If you filter your PCAPs on Wireshark using "!ip.fragments" it will work fine. A fix for the bug might come soon.

Have a nice day.

Link to comment
Share on other sites

Hello,

I've been speaking to NetworkMiner people and debugging that thing and the crash is not related to the size of the PCAPs. The crash happens due to fragmented IP packets and problems with session management... If you filter your PCAPs on Wireshark using "!ip.fragments" it will work fine. A fix for the bug might come soon.

Have a nice day.

If that is a fix, it would seem they should just run their own pre-load filter to remove fragments as well, then load the clean file.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...