PC646 Posted November 6, 2009: As you have seen in my other posts I love NetWitness for analyzing pcaps, but I'm looking for other Windows-based programs for quickly data-carving files. I have played with NetworkMiner, but it tends to crash with the large amounts of pcaps I have. Any other suggestions? Thanks.
Jason Cooper Posted November 6, 2009: Most of my pcap experience is on Linux, but there are win32 versions of a lot of the tools I use. Wireshark can be very useful, especially if you don't know what you are looking for. If you do know what you are looking for, then ettercap can be very useful; with a few custom filters you can quickly get out information.
Wetwork Posted November 6, 2009: I found NetworkMiner to be an excellent tool as well. Darren covered it in a show not too long ago and did a damn good job at it. FYI, NetworkMiner just released a new version and it seems to give out twice as much info from a saved PCAP as before, and is a tad bit faster when it comes to LARGE files and network scanning.
odz2win Posted November 9, 2009: I too use NetworkMiner. I also use NetWitness. You can also load pcaps into Cain if I'm not mistaken...
PC646 (Author) Posted November 11, 2009: So it sounds like there isn't much out there to pull files from pcaps... Wetwork, when you say large, what are we talking about here? I'm doing multiple 250 MB files (51 GB total), and one at a time or a handful, it's slow or crashes.
PC646 (Author) Posted November 12, 2009: I just use Wireshark for pcap files. Not capturing pcaps, but pulling files from pcaps. Photos, docs, etc. on a large scale...
EPSILON Posted November 25, 2009 (replying to PC646): One Way Network Sniffer (OWNS) can be run on Windows and Linux. It can open pcap files for extracting images, videos, HTTP files, emails... It can be downloaded from SourceForge. Other interesting tools that can open pcap files are IMSniffer, for saving IM conversations (Live Messenger, Yahoo!, AIM, ICQ, ...), MSN Webcam Recorder for saving MSN webcam streams, and Yahoo Webcam Recorder, a Java app that saves Yahoo webcam streams (sorry, no link). Don't forget the popular Cain & Abel. It can be used for voice calls. There are a lot more options in the Linux world ;-) -------- EPSILON
PC646 (Author) Posted November 26, 2009: EPSILON, thanks for the info... StraightEdge???
EPSILON Posted November 26, 2009: "StraightEdge???" No. Avatar is just a pic I like.
Sud0x3 Posted November 29, 2009:
1. Wireshark (http://www.wireshark.org/)
2. Cain & Abel (http://www.oxid.it)
3. NetworkMiner (http://sourceforge.net/projects/networkminer/)
4. tcpxtract (http://tcpxtract.sourceforge.net/)
5. IMSniffer (http://sourceforge.net/projects/imsniffer/)
6. MSN Shadow (http://msnshadow.blogspot.com/)
7. Honeysnap (https://projects.honeynet.org/honeysnap/)
8. ngrep (http://ngrep.sourceforge.net/)
I think that's most of the tools available for analysing pcaps for anything from passwords to data flow.
bowler Posted November 29, 2009 (replying to Sud0x3): "7. Honeysnap (https://projects.honeynet.org/honeysnap/) ... I think that's most of the tools available for analysing pcaps for anything from passwords to data flow." Have you actually used this before?
Sud0x3 Posted November 29, 2009 (replying to bowler): "Have you actually used this before?" Yeah, I would recommend using the Linux version; the Windows one was a little buggy for me. Oh, and make sure you have the dependencies listed in the install file.
TCB13 Posted January 12, 2012: Hi, I really like NetworkMiner... but it crashed if it found an error in the pcap file... and that tends to happen a lot... Does anyone have a way to remove the potential errors or make NetworkMiner deal with them? Thanks.
int0x80 Posted January 13, 2012: Wireshark can pull files out of a pcap. Just 'follow the TCP conversation', highlight the file contents, and point-click your way to a standalone file. That is a pretty manual process though, so I'd want something automated or scriptable with 200+ pcaps to process. I've used tcpxtract in the past with great success. Can you kick off an Ubuntu or Debian VM and dump the pcaps in there? tcpxtract will make fast work of them once you set up the signatures.
digip Posted January 14, 2012 (replying to int0x80): What about the tool you demoed for deleted file recovery? Could it look at the raw hex dump in a pcap and do the same thing to reconstruct files? I know that when you do a "follow TCP stream" you can see the raw hex data, which is how I used to pull MP3s from Flash players. I imagine you could carve that data up the same way, although I've not sifted through a raw pcap in a text editor to see if it's the same type of data. I know pcap files contain a lot of other info like the frames and timestamps and make fragmented packets look like single file streams; just wondering if you could train it to follow the sequence and reconstruct it for you with the same tool, or the same way, by piping it there with output from tshark or tcpdump maybe.
Mr-Protocol Posted January 14, 2012: That might not work since the file will be spread over multiple packets. If you do a follow stream and export that, then yes, it should work. As much as I hate Windows tools for forensics, you could use NetworkMiner to extract the files of a pcap pretty easily. You could also run it all through the dsniff suite of tools: dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy.
digip Posted January 14, 2012 (replying to Mr-Protocol): They now have NetworkMiner for Linux, and not the Windows version in Wine, but natively in Linux - http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono
Mr-Protocol Posted January 14, 2012: Veeeeeeeeery nice. I haven't played with forensic tools in a bit. Chances are it still uses the other tools in the background.
int0x80 Posted January 15, 2012 (replying to digip): tcpxtract is pretty much scalpel for pcap; I believe the config files are even compatible (or the format is at least extremely similar, if not identical) :)
TCB13 Posted January 15, 2012 (replying to PC646 and EPSILON): Hello, I've been speaking to the NetworkMiner people and debugging that thing, and the crash is not related to the size of the PCAPs. The crash happens due to fragmented IP packets and problems with session management... If you filter your PCAPs in Wireshark using "!ip.fragments" it will work fine. A fix for the bug might come soon. Have a nice day.
digip Posted January 16, 2012 (replying to TCB13): If that is a fix, it would seem they should just run their own pre-load filter to remove fragments as well, then load the clean file.
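The workflow the last few posts circle around (int0x80's "scriptable instead of point-and-click", tcpxtract being "scalpel for pcap", and TCB13's and digip's fragment pre-filter) as one added example. This is not code from the thread, from tcpxtract or from NetworkMiner: it reads a classic Ethernet pcap, drops IPv4 fragments the way a "!ip.fragments" pre-filter would (and counts them), reassembles each TCP direction by sequence number, then carves header-to-footer ranges scalpel-style. The two-entry signature table, the sample frames, the 10.0.0.x addresses and ports are constructed for the example; the flow key is unidirectional, 32-bit sequence wraparound is ignored, checksums are not verified, and pcapng is not handled.

```python
"""Carve files out of a pcap the way tcpxtract does: reassemble each TCP stream,
then cut out header..footer byte ranges, dropping IP fragments on the way in.
Added example; not code from the thread, tcpxtract or NetworkMiner."""
import struct
from collections import defaultdict

# Header/footer table (assumption: tcpxtract reads a scalpel-style config instead).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE = 5 * 1024 * 1024  # give up on a header whose footer is not within this many bytes

def read_pcap(data):
    """Yield link-layer frames from classic pcap bytes (either byte order, Ethernet only)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) is supported")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_tcp(frame):
    """Return (is_fragment, flow_key, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    # MF bit (0x2000) or a non-zero offset (0x1fff) marks a fragment: the same
    # test as the BPF expression 'ip[6:2] & 0x3fff != 0'.
    if struct.unpack("!H", frame[20:22])[0] & 0x3FFF:
        return (True, None, None, None)
    tcp = frame[14 + ihl:14 + total_len]
    if frame[23] != 6 or len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (False, (frame[26:30], sport, frame[30:34], dport), seq, tcp[(tcp[12] >> 4) * 4:])

def reassemble(frames):
    """Order each unidirectional flow's payload by seq (no 32-bit wrap). Returns (streams, dropped)."""
    segs, dropped = defaultdict(dict), 0
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        is_frag, key, seq, payload = parsed
        if is_frag:
            dropped += 1                        # skipped, as a '!ip.fragments' pre-filter would
        elif payload:
            segs[key].setdefault(seq, payload)  # first copy wins on retransmission
    streams = {}
    for key, by_seq in segs.items():
        buf, nxt = bytearray(), 0
        for seq in sorted(by_seq):
            data = by_seq[seq]
            buf += data[max(0, nxt - seq):]     # trim any overlap with bytes already kept
            nxt = max(nxt, seq + len(data))
        streams[key] = bytes(buf)
    return streams, dropped

def carve(stream):
    """Scalpel-style carving: every header..footer range becomes one file."""
    found = []
    for ext, (head, foot) in SIGNATURES.items():
        start = stream.find(head)
        while start != -1:
            stop = stream.find(foot, start + len(head), start + MAX_FILE)
            if stop == -1:
                break
            stop += len(foot)
            found.append((ext, stream[start:stop]))
            start = stream.find(head, stop)
    return found

def carve_pcap(data):
    """Return ([(ext, bytes), ...], dropped_fragment_count) for one pcap."""
    streams, dropped = reassemble(read_pcap(data))
    return [f for s in streams.values() for f in carve(s)], dropped

def _frame(seq, payload, flags_frag=0):
    """Constructed Ethernet/IPv4/TCP frame 10.0.0.1:80 -> 10.0.0.2:4444 (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 4444, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_sample_pcap():
    """Constructed sample: one PNG split over two out-of-order segments, plus one IP fragment."""
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    frames = [_frame(1020, png[20:]),          # second half arrives first
              _frame(1000, png[:20]),
              _frame(5000, b"junk", 0x2000)]   # MF bit set: must be dropped, not carved
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

For a batch like the 250 MB files above, call `carve_pcap(open(path, "rb").read())` once per file and write each returned blob out; every stream of one file is held in memory, so process the files one at a time rather than concatenating them. The dropped-fragment count is worth logging: whatever a fragmented datagram carried is gone after the pre-filter, so a file that spanned one will carve short or not at all, which is the cost of the workaround rather than a carving bug. If you want the "clean file" digip describes on disk instead, the same fragment test is expressible in BPF, e.g. `tcpdump -r in.pcap -w clean.pcap 'not (ip[6:2] & 0x3fff != 0)'`, and NetworkMiner or tcpxtract can then be pointed at clean.pcap.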