LoveMyTool - Open Community for Network Management and Monitoring

Just another small tool, only 85KB, with great potential.
HashCheck provides an easy way to check, which files are changed or deleted.
This tool might help you, when you want to monitor folders, for instance the Program Files folder. This can be very handy, when you install/uninstall programs.
It can be very handy to see, which files are changed or removed.

You can download HashCheck here.

Run HashCheckInstall-2.1.11.exe.
HashCheck adds a Checksum tab to the file properties dialog box.
You can run HashCheck on a single file or folder, but also on multiple files and/or folders.

In this article I'll give you an example based on the folder C:\Program Files\Wireshark.

You can download the latest version of Wireshark here and all versions of Wireshark here.

I have first installed Wireshark version 1.9.1.

Run HashCheck
• Open Windows Explorer and navigate to C:\Program Files\Wireshark
• Right-click on the folder "Wireshark"
• Select Properties
• Select the tab Checksums to view the hashes.

 Click on image to enlarge

Wireshark can now export SMB2 Objects.
You don't have to do it the hard way anymore, as I described in my articles "Wireshark and SMB2: extract files part 1 and part 2".

Thanks to Jose Pico of Taddong. He filed an enhancement bug report and submitted a patch to implement the feature "Export SMB2 Objects" in Wireshark.

Right now this new feature is only available in the Development Release.
You can download the latest Development Release, version 1.9.1, here.

Continue reading to learn how to export SMB 2 object.

 Click on image to enlarge

This is a another great feature in Wireshark: Configuration Profiles.
In this article I will show you how to create and use profiles. By sharing one of my profiles I will also show you how easy it is to copy and share existing profiles.

You can use different profiles for different purposes. You can create separate profiles for analyzing capture files, that contain certain protocols or to analyze wireless capture files.
You can also create different profiles for different companies. Thus you only have to save the capture filters, display filters and other settings, that you use for Company A, in the profile for Company A. Those settings don't bother you while working at Company B and using their specific settings.

 Click on image to enlarge

This is the second article about extracting files from Wireshark capture files.
The sample file smb2_pdf2_06f.pcap contains the file WP_SMBPlugin.pdf: A tool for capturing SMB files with Wireshark by David Perez & Jose Pico.
The size is 1.48 MB (1.508.939 bytes). This makes it more complicated, but not impossible to extract the pdf.

You can download the files here:
• sample file smb2_pdf2_06f.pcap
• pdf Download WP_SMBPlugin.pdf

Open the file smb2_pdf2_06f.pcap.
Select a packet in the Packet List.
Right-click and select "Follow TCP Stream" in the context menu to open the "Follow TCP Stream" dialog box.

Select the conversation from "10.0.0.11:49208 -> 10.0.0.12:445 (1516006 bytes)"
Select "raw"
Hit "Save As" and save the file as pdf2.pdf.

 Click on image to enlarge

Although Wireshark does not have a nice feature to export SMB2 objects, you can extract transferred files from the capture files.

In this article I will show you how to extract small files, a pdf and a exe, from Wireshark capture files.

PDF
The sample file smb2-pdf_02.pcap contains the file willhackforsushi.com_80211_Pocket_Reference_Guide.pdf from Will Hack For Sushi.
You can download the files here:
• sample capture file smb2-pdf_02.pcap
• pdf willhackforsushi.com_80211_Pocket_Reference_Guide.pdf

Open the file smb2-pdf_02.pcap.
To check if "Allow subdissector to reassemble TCP streams" is turned on, go to:
• right-click Transmission Control Protocol in the Packet Details pane
• Protocol Preferences
• "Allow subdissector to reassemble TCP streams"

 Click on image to enlarge

Wireshark can export SMB objects.
This feature is inplemented in Wireshark in version 1.6.0.

You can download the latest stable release of Wireshark here.

Download the sample file, export-objects-smb_01.pcap, here and continue reading to learn more about exporting smb objects.

Note
You can also export SMB objects during live capture.

 Click on image to enlarge

SplitCap is an open source pcap file splitter.
By default it splits a pcap into multiple files based on UDP and TCP sessions. The output is one file per session.
If you have a large pcap file you end up with a lot of output files.
In this case you can use TShark, part of the Wireshark distribution, to get an overview of all the TCP and UDP sessions in the pcap file. You can choose which sessions are important and write only those sessions to a separate output file.

Download
You can download the latest version SplitCap_1-7.zip here.

Unzip the file SplitCap_1-7.zip and run SplitCap.exe.

Note
SplitCap is written in C# using the .NET framework 2.0.
Make sure you have that installed before running SplitCap.

 Click on image to enlarge

PDD is an open-source program created by Srivats.

The main features are:

Click on image to enlarge

You can download pdd, current release pdd-bin-win32-0.2.zip, here.

The SHA1 Checksum is abd6903a930b570854f40ed44927f480ff34232e.

There is no installation required. Just unzip pdd-bin-win32-0.2.zip and run pdd.exe.

Note
You need to have Wireshark installed, because PDD is only a wrapper around Wireshark.

Continue reading and follow along.

Click on image to enlarge