My Photo
Subscribe to this blog's feed

Local Search

  • Loading

Recent Comments

LMT Authors

Top 10 Posts

Recent Posts

By Technology

207 posts categorized "Open Source Tools" Feed

January 07, 2012

Wireshark: Using Configuration Profiles (by Joke Snelders)

This is a another great feature in Wireshark: Configuration Profiles.
In this article I will show you how to create and use profiles. By sharing one of my profiles I will also show you how easy it is to copy and share existing profiles.

You can use different profiles for different purposes. You can create separate profiles for analyzing capture files, that contain certain protocols or to analyze wireless capture files.
You can also create different profiles for different companies. Thus you only have to save the capture filters, display filters and other settings, that you use for Company A, in the profile for Company A. Those settings don't bother you while working at Company B and using their specific settings.

Tor_01
 Click on image to enlarge

 

Continue reading "Wireshark: Using Configuration Profiles (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

December 16, 2011

Wireshark and SMB2: extract files – part 2 (by Joke Snelders)

This is the second article about extracting files from Wireshark capture files.
The sample file smb2_pdf2_06f.pcap contains the file WP_SMBPlugin.pdf: A tool for capturing SMB files with Wireshark by David Perez & Jose Pico.
The size is 1.48 MB (1.508.939 bytes). This makes it more complicated, but not impossible to extract the pdf.

You can download the files here:
• sample file smb2_pdf2_06f.pcap
• pdf Download WP_SMBPlugin.pdf

Open the file smb2_pdf2_06f.pcap.
Select a packet in the Packet List.
Right-click and select "Follow TCP Stream" in the context menu to open the "Follow TCP Stream" dialog box.

Select the conversation from "10.0.0.11:49208 -> 10.0.0.12:445 (1516006 bytes)"
Select "raw"
Hit "Save As" and save the file as pdf2.pdf.

Smb2_pdf2_01
 Click on image to enlarge

Continue reading "Wireshark and SMB2: extract files – part 2 (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

Wireshark and SMB2: extract files – part 1 (by Joke Snelders)

Although Wireshark does not have a nice feature to export SMB2 objects, you can extract transferred files from the capture files.

In this article I will show you how to extract small files, a pdf and a exe, from Wireshark capture files.

PDF
The sample file smb2-pdf_02.pcap contains the file willhackforsushi.com_80211_Pocket_Reference_Guide.pdf from Will Hack For Sushi.
You can download the files here:
• sample capture file smb2-pdf_02.pcap
• pdf willhackforsushi.com_80211_Pocket_Reference_Guide.pdf

Open the file smb2-pdf_02.pcap.
To check if "Allow subdissector to reassemble TCP streams" is turned on, go to:
• right-click Transmission Control Protocol in the Packet Details pane
• Protocol Preferences
• "Allow subdissector to reassemble TCP streams"

Reassemble_TCP_streams
 Click on image to enlarge

 

Continue reading "Wireshark and SMB2: extract files – part 1 (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

November 25, 2011

Wireshark: Export SMB Objects (by Joke Snelders)

Wireshark can export SMB objects.
This feature is inplemented in Wireshark in version 1.6.0.

You can download the latest stable release of Wireshark here.

Download the sample file, export-objects-smb_01.pcap, here and continue reading to learn more about exporting smb objects.

Note
You can also export SMB objects during live capture.

Export-smb-live01f
 Click on image to enlarge

Continue reading "Wireshark: Export SMB Objects (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (5) | TrackBack (0)

| |

November 03, 2011

Analyzing VxLAN packets using Wireshark (by Srivats P.)

As virtualization and cloud computing platforms are getting more and more deployed, the L2 network that the VMs are deployed in is exploding in size and VM migration from one host to another becoming problematic. To solve this problem VMware and Cisco have introduced a new protocol - VxLAN.

To stay on topic, we will not concern ourselves about the protocol details but only about the protocol frame format. For more information on how the protocol works and what it does see Denton Gentry's 3-part VxLAN article or go straight to the VxLAN IETF Draft.

Being a new protocol, Wireshark doesn't yet have a built-in dissector for the VxLAN protocol. Anticipating such scenarios, Wireshark exports a Lua interface for creating quick-and-dirty dissectors. We will use this interface to write a Wireshark Lua dissector for VxLAN.

The VxLAN frame is a Ethernet-in-UDP encapsulated frame i.e. Ethernet-IP-UDP-VxLAN-Ethernet-IP. If you right-click to open vxlan.pcap in Wireshark, you will see that Wireshark stops dissecting as soon as it encounters the VxLAN header and shows all remaining bytes after UDP as just data bytes. The reason why Wireshark stops there is it does not understand how to decode the VxLAN header. That is what we will fix with our Lua script

Wireshark_without_vxlan

Continue reading "Analyzing VxLAN packets using Wireshark (by Srivats P.)" »

Posted in Open Source Tools, Protocol Analysis | | Comments (0) | TrackBack (0)

| |

October 22, 2011

SplitCap and TShark (by Joke Snelders)

SplitCap is an open source pcap file splitter.
By default it splits a pcap into multiple files based on UDP and TCP sessions. The output is one file per session.
If you have a large pcap file you end up with a lot of output files.
In this case you can use TShark, part of the Wireshark distribution, to get an overview of all the TCP and UDP sessions in the pcap file. You can choose which sessions are important and write only those sessions to a separate output file.

Download
You can download the latest version SplitCap_1-7.zip here.

Unzip the file SplitCap_1-7.zip and run SplitCap.exe.

Note
SplitCap is written in C# using the .NET framework 2.0.
Make sure you have that installed before running SplitCap.

SplitCap-01_options
 Click on image to enlarge

Continue reading "SplitCap and TShark (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

August 19, 2011

PDD - Packet Dump Decode (by Joke Snelders)

PDD is an open-source program created by Srivats.

The main features are:

Pdd_buttons
Click on image to enlarge


You can download pdd, current release pdd-bin-win32-0.2.zip, here.

The SHA1 Checksum is abd6903a930b570854f40ed44927f480ff34232e.

There is no installation required. Just unzip pdd-bin-win32-0.2.zip and run pdd.exe.

Note
You need to have Wireshark installed, because PDD is only a wrapper around Wireshark.

Continue reading and follow along.

Pdd_01
Click on image to enlarge

 

Continue reading "PDD - Packet Dump Decode (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

August 09, 2011

Ostinato: Craft and Play Packets (by Joke Snelders)

Ostinato is an open-source program created by Srivats.
It is a  packet crafter and traffic generator, which runs on Windows, BSD, Mac OS X and different Linux distros.

The main features are:
• replay a single packet or a capture file e.g. Wireshark capture file
• edit packets
• build your own packets from scratch
• stream control: configure the number of packets and packet rate

You can download Ostinato, current release ostinato-bin-win32-0.4.zip, here.
The SHA1 Checksum is 0f16ceef5937027db19766d295827b844d27c617

There is no installation required. Just unzip ostinato-bin-win32-0.4.zip and run ostinato.exe.

Notes
• you need to have WinPcap installed, otherwise you cannot transmit packets
• you need to have Wireshark installed, otherwise you cannot "View Capture Buffer"
    url: http://www.wireshark.org/download.html
    url: http://www.winpcap.org/
• you don’t have to download WinPcap separately; WinPcap comes with Wireshark

Ostinato_
 Click on image to enlarge

Continue reading "Ostinato: Craft and Play Packets (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

August 02, 2011

Observing Duplicate IP's With Wireshark (by Tony Fortunato)

I have gotten several requests to analyze some packets with a video, so I thought this one would be a good start.

This is an excercise I do quite often; I intentionally create a duplicate IP address conflict between 2 pc's, capture the resulting packets and then review the following trace with the group.

Enjoy

 

Continue reading other LoveMyTool posts by Tony Fortunato »

 

Posted in Open Source Tools, Protocol Analysis, Tony Fortunato | | Comments (0) | TrackBack (0)

| |

July 25, 2011

Using Wireshark's Editcap to Reduce Your Trace File Size (by Tony Fortunato)

As much fun as capturing packets may be fun and exciting to the average analyst (that was sarcasm), many times I end up with large trace files that aren't manageable.

In this Video I explain how to use Wiresharks editcap command line utility to make your trace files smaller.

Enjoy

Continue reading other LoveMyTool posts by Tony Fortunato »

 

Posted in Open Source Tools, Protocol Analysis, Test & Measurement, Tony Fortunato | | Comments (0) | TrackBack (0)

| |

Next »

LMT Advertisers


LMT Sponsors

News From LMT Sponsors