Packet Squirrel/PCAP Timestamp


SeRCH1nER

Recommended Posts

Is there any way to get the correct timestamps on my PCAP captures?  Assuming this thing does not have an RTC since every time I log into the PS it has a different timestamp???! Annoying when troubleshooting and testing new network nodes without having a correct timestamp for my failures....  Grrrrrrr.  

22 hours ago, SeRCH1nER said:

Surprised no one has run into this issue before. 

This was actually mentioned in their "Let's Code" video when the Packet Squirrel was first released - so it's a known "issue". It can be done by syncing with NTP; however this can't be done in Transparent mode. You would need an IP on the target network with Internet access in order to accomplish this. While it might not be perfect, and might require some parsing on your part - you could always snag Timestamps from HTTP headers as well when returned across the wire.

On 3/30/2018 at 7:17 AM, Decoy said:

This was actually mentioned in their "Let's Code" video when the Packet Squirrel was first released - so it's a known "issue". It can be done by syncing with NTP; however this can't be done in Transparent mode. You would need an IP on the target network with Internet access in order to accomplish this. While it might not be perfect, and might require some parsing on your part - you could always snag Timestamps from HTTP headers as well when returned across the wire.

Thanks man, I will have to take a look.  

Hi,

is there any short "how-to" available? I'm not too experienced in this topic, so it would be great if I could learn how to get the correct timestamp on my Packet Squirrel.

I'm using it only for capturing the packets from the target pc which is connected to the Internet via the PS.

Works great, just the timestamp is not correct.

The OS time of the PS is correct; I used ntpd to set the time, but the packets are still getting the time from the file in the subfolder payloads 1.

Your help is really appreciated!

Joe

I know this post is super old - but a quick fix (which I just used recently) is to modify the payload changing NETMODE from TRANSPARENT to BRIDGE. Obviously this won't work if you're looking to keep the device hidden as you will be assigned an IP address from the target; however for my purposes I was simply monitoring one node on my network. This allowed me to track time appropriately.

Payload modification: 

function run() {
	# Create loot directory
	mkdir -p /mnt/loot/tcpdump &> /dev/null
	
	# Set networking to TRANSPARENT mode and wait five seconds
	#NETMODE TRANSPARENT
	# Set networking to BRIDGE to allow for correct timestamp on caps
	NETMODE BRIDGE
	sleep 5
	
	# Start tcpdump on the bridge interface
	tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
	tpid=$!

	# Wait for button to be pressed (disable button LED)
	NO_LED=true BUTTON
	finish $tpid
}

On 9/6/2019 at 10:43 PM, Decoy said:

I know this post is super old - but a quick fix (which I just used recently) is to modify the payload changing NETMODE from TRANSPARENT to BRIDGE. Obviously this won't work if you're looking to keep the device hidden as you will be assigned an IP address from the target; however for my purposes I was simply monitoring one node on my network. This allowed me to track time appropriately.

Payload modification: 

function run() {
	# Create loot directory
	mkdir -p /mnt/loot/tcpdump &> /dev/null
	
	# Set networking to TRANSPARENT mode and wait five seconds
	#NETMODE TRANSPARENT
	# Set networking to BRIDGE to allow for correct timestamp on caps
	NETMODE BRIDGE
	sleep 5
	
	# Start tcpdump on the bridge interface
	tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
	tpid=$!

	# Wait for button to be pressed (disable button LED)
	NO_LED=true BUTTON
	finish $tpid
}

Your reply is also SUPER old, but I've been using the packet squirrel quite a bit still, but I have to modify the timestamps in Wireshark.  It's a real pain.  

SOOOOO, I tried what you suggested, but I'm unable to capture any data while set to Bridge mode.   I set the payload back to what it was earlier, and NOW the damn thing won't work at all.  Even in transparent mode, the packet squirrel will not capture anything, nor does it blink yellow as it's capturing like it had in the past.  Nothing gets saved to the USB stick.  It was just working yesterday 😞 

Well this sucks.  FAWKKK

Thanks 
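For anyone who ends up fixing the stamps after the fact (the "modify the timestamps in Wireshark" approach above), here is an added example, not from this thread or from Hak5: a small Python script that rewrites the ts_sec field of every record in a classic pcap by a fixed offset. It assumes you noted a trusted wall-clock time (`date +%s` on a synced machine) when the capture started; the sample capture bytes are constructed inline, and pcapng files are not handled.

```python
import struct

# Magic number -> struct byte-order prefix for classic pcap (usec and nsec variants).
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def _record(ts_sec, ts_frac, payload):
    # pcap record header: ts_sec, ts_usec/nsec, incl_len, orig_len (all 32-bit)
    return struct.pack("<IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload

# Constructed sample capture: global header (v2.4, snaplen 65535, linktype 1 =
# Ethernet) plus two records stamped by a clock that started near the epoch,
# which is what an RTC-less device produces before it ever syncs.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _record(1000, 250000, b"\x00" * 14)
    + _record(1003, 0, b"\xff" * 20)
)

def record_times(data):
    """Return [(ts_sec, ts_frac), ...] for every record in a classic pcap."""
    end = PCAP_MAGIC[struct.unpack_from("<I", data, 0)[0]]
    times, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _ = struct.unpack_from(end + "IIII", data, pos)
        times.append((ts_sec, ts_frac))
        pos += 16 + incl_len
    return times

def offset_from_reference(data, real_epoch_of_first_packet):
    """Seconds to add so the first record lands on a trusted wall-clock time
    (e.g. the `date +%s` value noted on a synced host when capture started)."""
    return real_epoch_of_first_packet - record_times(data)[0][0]

def shift_pcap(data, offset_sec):
    """Copy a classic pcap with every record's ts_sec moved by offset_sec.
    The global header and the packet bytes themselves are left untouched."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    end = PCAP_MAGIC[magic]
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(end + "IIII", data, pos)
        new_sec = ts_sec + offset_sec
        if not 0 <= new_sec <= 0xFFFFFFFF:
            raise ValueError("shifted timestamp does not fit in 32 bits")
        out += struct.pack(end + "IIII", new_sec, ts_frac, incl_len, orig_len)
        out += data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
    return bytes(out)
```

For real files, Wireshark's `editcap -t <seconds>` applies the same kind of fixed shift without any scripting.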

I was able to recover the squirrel by reflashing it with FW again, so I tried to set it to bridge mode, but nothing would get captured.  I set it back to transparent mode, and it failed to capture anything, so I reflashed it again, which fixed it.  I don't think it likes to be changed to Bridge mode, or I'm doing something wrong, but I don't see how that can be. 

Oh well.. It was worth a try
