What pcap data carving programs do you use?


PC646


As you have seen in my other posts I love Netwitness for analyzing pcaps, but I'm looking for other windows based programs for quickly data carving files. I have played with Network Miner but it tends to crash with the large amounts of pcaps I have, any other suggestions? Thanks.


Most of my pcap experience is on Linux, but there are win32 versions of a lot of the tools I use. Wireshark can be very useful, especially if you don't know what you are looking for. If you do know what you are looking for, then ettercap can be very useful; with a few custom filters you can quickly get out information.


I found NetworkMiner to be an excellent tool as well. Darren covered it in a show not too long ago and did a damn good job at it.

FYI, NetworkMiner just released a new version and it seems to give out twice as much info from a saved PCAP as before, and it's a tad bit faster when it comes to LARGE files and network scanning.


So it sounds like there isn't much out there to pull files from pcaps...

Wetwork-

When you say large, what are we talking about here? I'm doing multiple 250 MB files (51 GB total), and one at a time or a handful, it's slow or crashes.


2 weeks later...

> PC646 wrote:
> As you have seen in my other posts I love Netwitness for analyzing pcaps, but I'm looking for other windows based programs for quickly data carving files. I have played with Network Miner but it tends to crash with the large amounts of pcaps I have, any other suggestions? Thanks.

One Way Network Sniffer (OWNS) can be run on Windows and Linux. It can open pcap files for extracting images, videos, http files, emails... It can be downloaded from SourceForge (http://sourceforge.net/projects/owns/).

Other interesting tools that can open pcap files are IMSniffer, for saving IM conversations (Live Messenger, Yahoo!, AIM, ICQ,...), MSN Webcam Recorder for saving MSN webcam streams, and Yahoo Webcam Recorder, a Java app that saves Yahoo Webcam Streams (sorry, no link).

Don't forget popular Cain&Abel. It can be used for voice calls.

There are a lot more options in the Linux world ;-)

--------

EPSILON


1. Wireshark (http://www.wireshark.org/)

2. Cain & Abel (http://www.oxid.it)

3. Network Miner (http://sourceforge.net/projects/networkminer/)

4. tcpxtract (http://tcpxtract.sourceforge.net/)

5. IM Sniffer (http://sourceforge.net/projects/imsniffer/)

6. MSN Shadow (http://msnshadow.blogspot.com/)

7. Honey Snap (https://projects.honeynet.org/honeysnap/)

8. NGrep (http://ngrep.sourceforge.net/)

I think that's most of the tools available for analysing pcaps for anything from passwords to data flow.


2 years later...

Wireshark can pull files out of pcap. Just 'follow the TCP conversation', highlight the file contents, and point-click your way to a standalone file. That is a pretty manual process though, so I'd want something automated or scriptable with 200+ pcaps to process.

I've used tcpxtract in the past with great success. Can you kick off an Ubuntu or Debian VM and dump the pcaps in there? tcpxtract will make fast work of them once you set up the signatures.


> Wireshark can pull files out of pcap. Just 'follow the TCP conversation', highlight the file contents, and point-click your way to a standalone file. That is a pretty manual process though, so I'd want something automated or scriptable with 200+ pcaps to process.
>
> I've used tcpxtract in the past with great success. Can you kick off an Ubuntu or Debian VM and dump the pcaps in there? tcpxtract will make fast work of them once you set up the signatures.

What about the tool you demoed for deleted file recovery? Could it look at the raw hex dump in a pcap and do the same thing to reconstruct files? I know that when you do a "follow tcp stream" you can see the raw hex data, which is how I used to pull MP3s from Flash players. I imagine you could carve that data up the same way, although I've not sifted through a raw pcap in a text editor to see if it's the same type of data. I know pcap files contain a lot of other info like the frames and time stamps, and make fragmented packets look like single file streams; just wondering if you could train it to follow the sequence and reconstruct it for you with the same tool, or the same way to pipe it there with output from tshark or tcpdump maybe.


That might not work since the file will be spread over multiple packets. If you do a follow stream and export that then yes it should work.

As much as I hate Windows tools for forensics, you could use NetworkMiner to extract the files of a pcap pretty easily.

You could also run it all through the sniff suite of tools.

dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy


> That might not work since the file will be spread over multiple packets. If you do a follow stream and export that then yes it should work.
>
> As much as I hate Windows tools for forensics, you could use NetworkMiner to extract the files of a pcap pretty easily.
>
> You could also run it all through the sniff suite of tools.
>
> dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy

They now have NetworkMiner for Linux, and not the Windows version in Wine, but natively in Linux - http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono


> What about the tool you demoed for deleted file recovery? Could it look at the raw hex dump in a pcap and do the same thing to reconstruct files? I know that when you do a "follow tcp stream" you can see the raw hex data, which is how I used to pull MP3s from Flash players. I imagine you could carve that data up the same way, although I've not sifted through a raw pcap in a text editor to see if it's the same type of data. I know pcap files contain a lot of other info like the frames and time stamps, and make fragmented packets look like single file streams; just wondering if you could train it to follow the sequence and reconstruct it for you with the same tool, or the same way to pipe it there with output from tshark or tcpdump maybe.

tcpxtract is pretty much scalpel for pcap, I believe the config files are even compatible (or the format is at least extremely similar if not identical) :)


> PC646 wrote (Fri, 06 Nov 2009 17:59:53 +0000):
> > As you have seen in my other posts I love Netwitness for analyzing pcaps, but I'm looking for other windows based programs for quickly data carving files. I have played with Network Miner but it tends to crash with the large amounts of pcaps I have, any other suggestions? Thanks.
>
> EPSILON wrote:
> One Way Network Sniffer (OWNS) can be run on Windows and Linux. It can open pcap files for extracting images, videos, http files, emails... It can be downloaded from SourceForge (http://sourceforge.net/projects/owns/).
>
> Other interesting tools that can open pcap files are IMSniffer, for saving IM conversations (Live Messenger, Yahoo!, AIM, ICQ,...), MSN Webcam Recorder (http://sourceforge.net/projects/imsniffer/) for saving MSN webcam streams, and Yahoo Webcam Recorder, a Java app that saves Yahoo Webcam Streams (sorry, no link).
>
> Don't forget popular Cain&Abel. It can be used for voice calls.
>
> There are a lot more options in the Linux world ;-)

Hello,

I've been speaking to NetworkMiner people and debugging that thing and the crash is not related to the size of the PCAPs. The crash happens due to fragmented IP packets and problems with session management... If you filter your PCAPs on Wireshark using "!ip.fragments" it will work fine. A fix for the bug might come soon.

Have a nice day.


> Hello,
>
> I've been speaking to NetworkMiner people and debugging that thing and the crash is not related to the size of the PCAPs. The crash happens due to fragmented IP packets and problems with session management... If you filter your PCAPs on Wireshark using "!ip.fragments" it will work fine. A fix for the bug might come soon.
>
> Have a nice day.

If that is a fix, it would seem they should just run their own pre-load filter to remove fragments as well, then load the clean file.

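Two points in this thread lend themselves to a worked example: the reply that per-packet carving "might not work since the file will be spread over multiple packets" (so you have to follow the stream first), and the NetworkMiner crash being caused by IP fragments, with "!ip.fragments" as a pre-load filter. The Python below is an added example written for this page; it is not code from the thread, from NetworkMiner, tcpxtract, Wireshark or any other tool named here. It reads a classic pcap, drops fragmented IPv4 packets the way the "!ip.fragments" filter would, joins one direction of a TCP flow by sequence number (a scripted "follow TCP stream"), and then carves JPEGs by header/footer signature. The capture it parses is constructed in memory, the "JPEG" is a stand-in blob carrying real SOI/EOI markers, and the reassembly is deliberately minimal (one direction, overlap trimming only, no SACK or window handling).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                               # classic libpcap magic number
ETH_IPV4 = 0x0800
JPEG_HEAD, JPEG_TAIL = b"\xff\xd8\xff", b"\xff\xd9"   # SOI / EOI markers used as signatures


def read_pcap(data):
    """Yield raw link-layer frames from a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"     # byte-swapped files flip the magic
    off = 24                                          # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame,
    or None for anything else, including IP fragments (what "!ip.fragments" drops)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    flags_frag, = struct.unpack_from("!H", ip, 6)
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:    # MF flag set or non-zero fragment offset
        return None
    if ip[9] != 6:                                    # protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return ip[12:16], ip[16:20], sport, dport, seq, tcp[data_off:]


def follow_streams(frames):
    """Group payloads per one-way flow and join them in sequence order, trimming
    retransmitted bytes: a scripted version of Wireshark's "follow TCP stream"."""
    flows = {}
    for frame in frames:
        pkt = parse_tcp(frame)
        if pkt and pkt[5]:
            flows.setdefault(pkt[:4], []).append((pkt[4], pkt[5]))
    streams = {}
    for key, segments in flows.items():
        buf, expected = b"", None
        for seq, payload in sorted(segments):         # order by sequence number, not arrival
            if expected is not None and seq < expected:   # overlap / retransmission
                payload, seq = payload[expected - seq:], expected
            buf += payload
            expected = seq + len(payload)
        streams[key] = buf
    return streams


def carve_jpegs(buf):
    """Carve every JPEG between a SOI marker and the next EOI marker, the
    header/footer approach tcpxtract and scalpel drive from their signature files."""
    found, pos = [], 0
    while True:
        start = buf.find(JPEG_HEAD, pos)
        end = buf.find(JPEG_TAIL, start + 3) if start >= 0 else -1
        if end < 0:
            return found
        found.append(buf[start:end + 2])
        pos = end + 2


def carve_pcap(data):
    """Return (files carved packet by packet, files carved after stream reassembly)."""
    per_packet = []
    for frame in read_pcap(data):
        pkt = parse_tcp(frame)
        if pkt:
            per_packet.extend(carve_jpegs(pkt[5]))
    reassembled = [f for buf in follow_streams(read_pcap(data)).values() for f in carve_jpegs(buf)]
    return per_packet, reassembled


# ---- constructed sample capture (not a real trace) ----------------------------------
def build_frame(src, dst, sport, dport, seq, payload, more_fragments=False):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero since carving ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x2000 if more_fragments else 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SERVER, CLIENT = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
IMAGE = JPEG_HEAD + b"\xe0" + bytes(range(40)) + JPEG_TAIL      # stand-in JPEG body
SAMPLE_PCAP = build_pcap([
    build_frame(SERVER, CLIENT, 80, 40000, 1030, IMAGE[30:]),    # last piece arrives first
    build_frame(SERVER, CLIENT, 80, 40000, 1000, IMAGE[:10]),
    build_frame(SERVER, CLIENT, 80, 40000, 1010, IMAGE[10:30]),
    build_frame(SERVER, CLIENT, 80, 40000, 1010, IMAGE[10:30]),  # retransmission
    build_frame(SERVER, CLIENT, 80, 40000, 5000, b"frag", more_fragments=True),  # pre-filtered out
])

if __name__ == "__main__":
    per_packet, reassembled = carve_pcap(SAMPLE_PCAP)
    print(f"per-packet carving: {len(per_packet)} file(s); after reassembly: {len(reassembled)}")
```

On the sample, carving each packet on its own finds nothing, because the SOI marker and the EOI marker sit in different segments, while carving the reassembled stream recovers the whole image; the fragmented frame never reaches the reassembler at all. To batch 200+ real captures, point `read_pcap` at each file's bytes and write the carved blobs out with a counter in the filename; for real traffic you would also want the signature table to cover more than JPEG and a reassembler that handles both directions.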
