SeRCH1nER, posted March 26, 2018:

Is there any way to get the correct timestamps on my PCAP captures? Assuming this thing does not have an RTC, since every time I log into the PS it has a different timestamp???! Annoying when troubleshooting and testing new network nodes without having a correct timestamp for my failures.... Grrrrrrr.
killergeek, posted March 26, 2018:

The best way to get the time is to ask an NTP server for it, or to grab it from a packet.
SeRCH1nER (author), posted March 26, 2018:

I am assuming the Packet Squirrel would sync with an NTP server before running the TCPDUMP payload. Any tips on how I can do this?
SeRCH1nER (author), posted March 26, 2018:

Would I run something like "ntpdate -s time.nist.gov" before running the payload? How would that then get applied to the PS?
SeRCH1nER (author), posted March 29, 2018:

Surprised no one has run into this issue before.
Decoy, posted March 30, 2018:

Quoting SeRCH1nER (22 hours earlier): "Surprised no one has run into this issue before."

This was actually mentioned in their "Let's Code" video when the Packet Squirrel was first released, so it's a known "issue". It can be done by syncing with NTP; however, this can't be done in Transparent mode. You would need an IP on the target network with Internet access in order to accomplish this. While it might not be perfect, and might require some parsing on your part, you could always snag timestamps from HTTP headers as well when they are returned across the wire.
SeRCH1nER (author), posted April 3, 2018:

Quoting Decoy (3/30/2018 at 7:17 AM): "This was actually mentioned in their "Let's Code" video when the Packet Squirrel was first released, so it's a known "issue". It can be done by syncing with NTP; however, this can't be done in Transparent mode. You would need an IP on the target network with Internet access in order to accomplish this. While it might not be perfect, and might require some parsing on your part, you could always snag timestamps from HTTP headers as well when they are returned across the wire."

Thanks man, I will have to take a look.
debitel, posted September 24, 2018:

Hi, is there any short how-to available? I'm not too experienced in this topic, so it would be great if I could learn how to get the correct timestamp on my Packet Squirrel. I'm using it only for capturing the packets from the target PC, which is connected to the Internet via the PS. Works great, just the timestamp is not correct. The time of the PS's OS is correct, I used ntpd to set the time, but the packets are still getting the time from the file in the subfolder payloads 1. Your help is really appreciated!

Joe
debitel, posted September 24, 2018:

Short update: I was not successful in getting the correct date on the timestamps for the packets when saving a new file with the current date on the PS. All timestamps are from the date of the payload.sh. Looking forward to your ideas, thanks!
Decoy, posted September 7, 2019:

I know this post is super old, but a quick fix (which I just used recently) is to modify the payload, changing NETMODE from TRANSPARENT to BRIDGE. Obviously this won't work if you're looking to keep the device hidden, as you will be assigned an IP address from the target; however, for my purposes I was simply monitoring one node on my network. This allowed me to track time appropriately.

Payload modification:

    function run() {
        # Create loot directory
        mkdir -p /mnt/loot/tcpdump &> /dev/null

        # Set networking to TRANSPARENT mode and wait five seconds
        #NETMODE TRANSPARENT
        # Set networking to BRIDGE to allow for correct timestamp on caps
        NETMODE BRIDGE
        sleep 5

        # Start tcpdump on the bridge interface
        tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
        tpid=$!

        # Wait for button to be pressed (disable button LED)
        NO_LED=true BUTTON
        finish $tpid
    }
SeRCH1nER (author), posted May 4, 2023:

Quoting Decoy (9/6/2019 at 10:43 PM): "I know this post is super old, but a quick fix (which I just used recently) is to modify the payload, changing NETMODE from TRANSPARENT to BRIDGE. Obviously this won't work if you're looking to keep the device hidden, as you will be assigned an IP address from the target; however, for my purposes I was simply monitoring one node on my network. This allowed me to track time appropriately.

Payload modification:

    function run() {
        # Create loot directory
        mkdir -p /mnt/loot/tcpdump &> /dev/null

        # Set networking to TRANSPARENT mode and wait five seconds
        #NETMODE TRANSPARENT
        # Set networking to BRIDGE to allow for correct timestamp on caps
        NETMODE BRIDGE
        sleep 5

        # Start tcpdump on the bridge interface
        tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
        tpid=$!

        # Wait for button to be pressed (disable button LED)
        NO_LED=true BUTTON
        finish $tpid
    }"

Your reply is also SUPER old, but I've been using the Packet Squirrel quite a bit still, and I have to modify the timestamps in Wireshark. It's a real pain. SOOOOO, I tried what you suggested, but I'm unable to capture any data while set to Bridge mode. I set the payload back to what it was earlier, and NOW the damn thing won't work at all. Even in transparent mode, the Packet Squirrel will not capture anything, nor does it blink yellow as it's capturing like it had in the past. Nothing gets saved to the USB stick. It was just working yesterday 😞 Well this sucks. FAWKKK

Thanks
SeRCH1nER (author), posted May 4, 2023:

I was able to recover the Squirrel by reflashing it with the firmware again, so I tried to set it to bridge mode, but nothing would get captured. I set it back to transparent mode, and it failed to capture anything, so I reflashed it again, which fixed it. I don't think it likes to be changed to Bridge mode, or I'm doing something wrong, but I don't see how that can be. Oh well.. It was worth a try.
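The thread ends with two workarounds: Decoy's suggestion of taking a reference time from an HTTP Date: header seen on the wire, and SeRCH1nER's manual timestamp edits in Wireshark. The script below is an added example, not code from this thread or from Hak5: it computes the clock offset from one reference time (an HTTP Date: header, or equally an NTP-synced reading taken on the device) and applies that offset to every record of a libpcap file, handling both byte orders and both microsecond and nanosecond captures. The device boot time of 2000-01-01, the HTTP Date: value and the sample capture are all constructed for the demonstration.

```python
"""Correct the timestamps of a libpcap capture taken on a device with no RTC.

Such a device stamps packets relative to whatever it believed the time was
at boot, so every record is wrong by the same amount. Given one trustworthy
reference for a single packet (an HTTP Date: header in it, or an NTP reading
taken on the device at that moment), the whole file can be shifted at once.
"""
import struct
from email.utils import parsedate_to_datetime

# Magic number as read with "<I" -> (struct byte-order prefix, ticks per second).
_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),        # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),        # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),    # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),    # big-endian, nanoseconds
}
_GLOBAL_HDR_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
_REC_HDR_LEN = 16      # ts_sec, ts_frac, incl_len, orig_len


def _layout(data):
    """Return (byte-order prefix, ticks per second) for a pcap blob."""
    if len(data) < _GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGIC:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    return _MAGIC[magic]


def offset_from_http_date(device_ts, date_header):
    """Seconds to add to device timestamps so the packet carrying `date_header`
    lines up with the server's clock. `device_ts` is that packet's timestamp
    (seconds, as written by the RTC-less device). A web server's clock is not
    NTP-grade, so expect second-level accuracy from this reference."""
    reference = parsedate_to_datetime(date_header).timestamp()
    return reference - device_ts


def shift_pcap(data, offset_seconds):
    """Return a copy of `data` with every record timestamp moved by `offset_seconds`.

    The global header and packet bytes are copied untouched. Raises ValueError
    for a malformed file or a shift that would leave the 32-bit timestamp range.
    """
    order, ticks = _layout(data)
    delta = round(offset_seconds * ticks)
    rec_fmt = order + "IIII"
    out = bytearray(data[:_GLOBAL_HDR_LEN])
    pos = _GLOBAL_HDR_LEN
    while pos < len(data):
        if len(data) - pos < _REC_HDR_LEN:
            raise ValueError(f"truncated record header at offset {pos}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            rec_fmt, data[pos:pos + _REC_HDR_LEN])
        body = data[pos + _REC_HDR_LEN:pos + _REC_HDR_LEN + incl_len]
        if len(body) != incl_len:
            raise ValueError(f"truncated packet body at offset {pos}")
        new_sec, new_frac = divmod(ts_sec * ticks + ts_frac + delta, ticks)
        if not 0 <= new_sec <= 0xFFFFFFFF:
            raise ValueError("shifted timestamp leaves the pcap 32-bit range")
        out += struct.pack(rec_fmt, new_sec, new_frac, incl_len, orig_len) + body
        pos += _REC_HDR_LEN + incl_len
    return bytes(out)


def read_timestamps(data):
    """List of (seconds, fraction-in-ticks) pairs, for checking a shift."""
    order, ticks = _layout(data)
    rec_fmt = order + "IIII"
    stamps, pos = [], _GLOBAL_HDR_LEN
    while pos < len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(rec_fmt, data[pos:pos + _REC_HDR_LEN])
        stamps.append((ts_sec, ts_frac))
        pos += _REC_HDR_LEN + incl_len
    return stamps


def build_sample_pcap(records, order="<", nanosecond=False):
    """Constructed test capture; `records` is a list of (ts_sec, ts_frac, payload)."""
    magic = 0xA1B23C4D if nanosecond else 0xA1B2C3D4
    out = bytearray(struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1))
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(order + "IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload
    return bytes(out)


if __name__ == "__main__":
    DEVICE_BOOT = 946684800  # 2000-01-01 00:00:00 UTC; a constructed RTC-less default
    sample = build_sample_pcap([(DEVICE_BOOT + 12, 250_000, b"\x00" * 60),
                                (DEVICE_BOOT + 13, 900_000, b"\x00" * 60)])
    # The first packet (device time boot+12.25s) carried this constructed Date: header.
    off = offset_from_http_date(DEVICE_BOOT + 12.25, "Wed, 21 Oct 2015 07:28:00 GMT")
    print(read_timestamps(shift_pcap(sample, off)))
```

The same shift can be applied in the field with Wireshark's editcap -t <seconds> once the offset is known; the point of computing it from a packet is that the reference and the capture share the same device clock, so the correction is consistent across the whole file. Records that predate the reference (a capture started before NTP sync completed) are handled the same way, because the offset is the difference between two clocks, not a clock value.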