Jump to content

Packet Squirrel/PCAP Timestamp


SeRCH1nER

Recommended Posts

Is there any way to get the correct timestamps on my PCAP captures.  Assuming this thing does not have a RTC since every time I log into the PS it has a different timestamp???! Annoying when  troubleshooting and testing new network nodes without having a correct timestamp for my failures....  Grrrrrrr.  

Link to comment
Share on other sites

22 hours ago, SeRCH1nER said:

Surprised no one has run into this issue before. 

This was actually mentioned in their "Let's Code" video when the Packet Squirrel was first released - so it's a known "issue". It can be done by syncing with NTP; however this can't be done in Transparent mode. You would need an IP on the target network with Internet access in order to accomplish this. While it might not be perfect, and might require some parsing on your part - you could always snag Timestamps from HTTP headers as well when returned across the wire.

Link to comment
Share on other sites

On 3/30/2018 at 7:17 AM, Decoy said:

This was actually mentioned in their "Let's Code" video when the Packet Squirrel was first released - so it's a known "issue". It can be done by syncing with NTP; however this can't be done in Transparent mode. You would need an IP on the target network with Internet access in order to accomplish this. While it might not be perfect, and might require some parsing on your part - you could always snag Timestamps from HTTP headers as well when returned across the wire.

Thanks man, I will have to take a look.  

Link to comment
Share on other sites

  • 5 months later...

Hi,

is there any short "how-to" available? I'm not too experienced in this topic, so it would be great if I could learn how to get the correct timestamp on my Packet Squirrel.

I'm using it only for capturing the packets from the target pc which is connected to the Internet via the PS.

Works great, just the timestamp is not correct.

The time for OS of the PS is correct, I used the ntpd to set the time, but still the packets are getting the time from the file in the subfolder payloads 1.

Your help is really appreciated!

Joe

Link to comment
Share on other sites

  • 11 months later...

I know this post is super old - but a quick fix (which I just used recently) is to modify the payload changing NETMODE from TRANSPARENT to BRIDGE. Obviously this won't work if you're looking to keep the device hidden as you will be assigned an IP address from the target; however for my purposes I was simply monitoring one node on my network. This allowed me to track time appropriately.

Payload modification: 

function run() {
	# Create loot directory
	mkdir -p /mnt/loot/tcpdump &> /dev/null
	
	# Set networking to TRANSPARENT mode and wait five seconds
	#NETMODE TRANSPARENT
	# Set networking to BRIDGE to allow for correct timestamp on caps
	NETMODE BRIDGE
	sleep 5
	
	# Start tcpdump on the bridge interface
	tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
	tpid=$!

	# Wait for button to be pressed (disable button LED)
	NO_LED=true BUTTON
	finish $tpid
}

982606079_Screenshotfrom2019-09-0623-41-59.png.a31bae1bf70197fdca7909d496f90976.png

Link to comment
Share on other sites

  • 3 years later...
On 9/6/2019 at 10:43 PM, Decoy said:

I know this post is super old - but a quick fix (which I just used recently) is to modify the payload changing NETMODE from TRANSPARENT to BRIDGE. Obviously this won't work if you're looking to keep the device hidden as you will be assigned an IP address from the target; however for my purposes I was simply monitoring one node on my network. This allowed me to track time appropriately.

Payload modification: 

function run() {
	# Create loot directory
	mkdir -p /mnt/loot/tcpdump &> /dev/null
	
	# Set networking to TRANSPARENT mode and wait five seconds
	#NETMODE TRANSPARENT
	# Set networking to BRIDGE to allow for correct timestamp on caps
	NETMODE BRIDGE
	sleep 5
	
	# Start tcpdump on the bridge interface
	tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
	tpid=$!

	# Wait for button to be pressed (disable button LED)
	NO_LED=true BUTTON
	finish $tpid
}

982606079_Screenshotfrom2019-09-0623-41-59.png.a31bae1bf70197fdca7909d496f90976.png

 

Your reply is also SUPER old, but I've been using the packet squirrel quite a bit still, but I have to modify the timestamps in Wireshark.  It's a real pain.  

 

SOOOOO, I tried what you suggested, but I'm unable to capture any data while set to Bridge mode.   I set the payload back to what it was earlier, and NOW the damn thing won't work at all.  Even in transparent mode, the packet squirrel will not capture anything, nor does it blink yellow as it's capturing like it had in the past.  Nothing gets saved to the USB stick.  It was just working yesterday 😞 

Well this sucks.  FAWKKK

 

Thanks 

Link to comment
Share on other sites

I was able to recover the squirrel by reflashing it with FW again, so I tried to set it to bridge mode, but nothing would get captured.  I set it back to transparent mode, and it failed to capture anything, so I reflashed it again, which fixed it.  I don't think it likes to be changed to Bridge mode, or I'm doing something wrong, but I don't see how that can be. 

Oh well.. It was worth a try

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...