NetsForNutworks Posted September 21, 2019 Share Posted September 21, 2019 Hey guys, I have a packet squirrel setup in Cloud2 and I can successfully start a terminal session. In a terminal session I would like to run a packet capture. If I run the command tcpdump -nni eth1 -f /mnt/loot/tcpdump/test2.pcap I am able to capture some packets. I can Exfil the packet capture with the command: C2EXFIL /mnt/loot/tcpdump/test2.pcap and the file shows up in the C2 dashboard. However, when I download the pcap, Wireshark cannot open it. I get an error message: "The file test2.pcap isn't a capture file in a format that Wireshark understands" Screenshot: https://imgur.com/a/t9MJtoZ I can open the pcap file with Wireshark from the USB stick, if I remove it from the Packet Squirrel and plug it into my PC. Could the C2EXFIL command be modifying the .pcap file when it moves it? I've used the C2EXFIL command to move other files like .txt and .nmap and have not had any issues. Has anyone else experienced this or figured out a way to move pcap's using C2EXFIL? Quote Link to comment Share on other sites More sharing options...
Darren Kitchen Posted September 21, 2019 Share Posted September 21, 2019 @NetsForNutworks thanks for the report. I was able to reproduce the error you've indicated. The team is investigating. Quote Link to comment Share on other sites More sharing options...
Sleepypanda1 Posted July 12, 2020 Share Posted July 12, 2020 Is there an update, and how can I out c2connect in default tcpdump payload. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.