My Photo
Subscribe to this blog's feed




Recent Comments

LMT Authors

Recent Posts

215 posts categorized "Open Source Tools" Feed

December 16, 2011

Wireshark and SMB2: extract files – part 1 (by Joke Snelders)

Although Wireshark does not have a nice feature to export SMB2 objects, you can extract transferred files from the capture files.

In this article I will show you how to extract small files, a pdf and a exe, from Wireshark capture files.

PDF
The sample file smb2-pdf_02.pcap contains the file willhackforsushi.com_80211_Pocket_Reference_Guide.pdf from Will Hack For Sushi.
You can download the files here:
• sample capture file smb2-pdf_02.pcap
• pdf willhackforsushi.com_80211_Pocket_Reference_Guide.pdf

Open the file smb2-pdf_02.pcap.
To check if "Allow subdissector to reassemble TCP streams" is turned on, go to:
• right-click Transmission Control Protocol in the Packet Details pane
• Protocol Preferences
• "Allow subdissector to reassemble TCP streams"

Reassemble_TCP_streams
 Click on image to enlarge

 

Continue reading "Wireshark and SMB2: extract files – part 1 (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

November 25, 2011

Wireshark: Export SMB Objects (by Joke Snelders)

Wireshark can export SMB objects.
This feature is inplemented in Wireshark in version 1.6.0.

You can download the latest stable release of Wireshark here.

Download the sample file, export-objects-smb_01.pcap, here and continue reading to learn more about exporting smb objects.

Note
You can also export SMB objects during live capture.

Export-smb-live01f
 Click on image to enlarge

Continue reading "Wireshark: Export SMB Objects (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (5) | TrackBack (0)

| |

November 03, 2011

Analyzing VxLAN packets using Wireshark (by Srivats P.)

As virtualization and cloud computing platforms are getting more and more deployed, the L2 network that the VMs are deployed in is exploding in size and VM migration from one host to another becoming problematic. To solve this problem VMware and Cisco have introduced a new protocol - VxLAN.

To stay on topic, we will not concern ourselves about the protocol details but only about the protocol frame format. For more information on how the protocol works and what it does see Denton Gentry's 3-part VxLAN article or go straight to the VxLAN IETF Draft.

Being a new protocol, Wireshark doesn't yet have a built-in dissector for the VxLAN protocol. Anticipating such scenarios, Wireshark exports a Lua interface for creating quick-and-dirty dissectors. We will use this interface to write a Wireshark Lua dissector for VxLAN.

The VxLAN frame is a Ethernet-in-UDP encapsulated frame i.e. Ethernet-IP-UDP-VxLAN-Ethernet-IP. If you right-click to open vxlan.pcap in Wireshark, you will see that Wireshark stops dissecting as soon as it encounters the VxLAN header and shows all remaining bytes after UDP as just data bytes. The reason why Wireshark stops there is it does not understand how to decode the VxLAN header. That is what we will fix with our Lua script

Wireshark_without_vxlan

Continue reading "Analyzing VxLAN packets using Wireshark (by Srivats P.)" »

Posted in Open Source Tools, Protocol Analysis | | Comments (0) | TrackBack (0)

| |

October 22, 2011

SplitCap and TShark (by Joke Snelders)

SplitCap is an open source pcap file splitter.
By default it splits a pcap into multiple files based on UDP and TCP sessions. The output is one file per session.
If you have a large pcap file you end up with a lot of output files.
In this case you can use TShark, part of the Wireshark distribution, to get an overview of all the TCP and UDP sessions in the pcap file. You can choose which sessions are important and write only those sessions to a separate output file.

Download
You can download the latest version SplitCap_1-7.zip here.

Unzip the file SplitCap_1-7.zip and run SplitCap.exe.

Note
SplitCap is written in C# using the .NET framework 2.0.
Make sure you have that installed before running SplitCap.

SplitCap-01_options
 Click on image to enlarge

Continue reading "SplitCap and TShark (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

August 19, 2011

PDD - Packet Dump Decode (by Joke Snelders)

PDD is an open-source program created by Srivats.

The main features are:

Pdd_buttons
Click on image to enlarge


You can download pdd, current release pdd-bin-win32-0.2.zip, here.

The SHA1 Checksum is abd6903a930b570854f40ed44927f480ff34232e.

There is no installation required. Just unzip pdd-bin-win32-0.2.zip and run pdd.exe.

Note
You need to have Wireshark installed, because PDD is only a wrapper around Wireshark.

Continue reading and follow along.

Pdd_01
Click on image to enlarge

 

Continue reading "PDD - Packet Dump Decode (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

August 09, 2011

Ostinato: Craft and Play Packets (by Joke Snelders)

Ostinato is an open-source program created by Srivats.
It is a  packet crafter and traffic generator, which runs on Windows, BSD, Mac OS X and different Linux distros.

The main features are:
• replay a single packet or a capture file e.g. Wireshark capture file
• edit packets
• build your own packets from scratch
• stream control: configure the number of packets and packet rate

You can download Ostinato, current release ostinato-bin-win32-0.4.zip, here.
The SHA1 Checksum is 0f16ceef5937027db19766d295827b844d27c617

There is no installation required. Just unzip ostinato-bin-win32-0.4.zip and run ostinato.exe.

Notes
• you need to have WinPcap installed, otherwise you cannot transmit packets
• you need to have Wireshark installed, otherwise you cannot "View Capture Buffer"
    url: http://www.wireshark.org/download.html
    url: http://www.winpcap.org/
• you don’t have to download WinPcap separately; WinPcap comes with Wireshark

Ostinato_
 Click on image to enlarge

Continue reading "Ostinato: Craft and Play Packets (by Joke Snelders)" »

Posted in Joke Snelders, Open Source Tools | | Comments (0) | TrackBack (0)

| |

August 02, 2011

Observing Duplicate IP's With Wireshark (by Tony Fortunato)

I have gotten several requests to analyze some packets with a video, so I thought this one would be a good start.

This is an excercise I do quite often; I intentionally create a duplicate IP address conflict between 2 pc's, capture the resulting packets and then review the following trace with the group.

Enjoy

 

Continue reading other LoveMyTool posts by Tony Fortunato »

 

Posted in Open Source Tools, Protocol Analysis, Tony Fortunato | | Comments (2) | TrackBack (0)

| |

July 25, 2011

Using Wireshark's Editcap to Reduce Your Trace File Size (by Tony Fortunato)

As much fun as capturing packets may be fun and exciting to the average analyst (that was sarcasm), many times I end up with large trace files that aren't manageable.

In this Video I explain how to use Wiresharks editcap command line utility to make your trace files smaller.

Enjoy

Continue reading other LoveMyTool posts by Tony Fortunato »

 

Posted in Open Source Tools, Protocol Analysis, Test & Measurement, Tony Fortunato | | Comments (0) | TrackBack (0)

| |

July 14, 2011

Ask the Experts (Panel Discussion)


This presentation was recorded at the Sharkfest 2011, Wireshark Developer and User Conference, held at the Stanford University between June 13th and 16th.

" ... Bring your networking problems, issues, questions, dreams, etc. and have the high court of networking hear and address them! ... "

Panel Participants: Hansang Bae, Gerald Combs, Gianluca Varenni and Wireshark Core Developers



Continue viewing other Sharkfest videos »


Posted in Gerald Combs, Hansang Bae, Open Source Tools, Protocol Analysis, Sharkfest | | Comments (0) | TrackBack (0)

| |

July 13, 2011

Network Mystery #2 (by Betty DuBois)


This presentation was recorded at the Sharkfest 2011, Wireshark Developer and User Conference, held at the Stanford University between June 13th and 16th.

" ... In this session, Detective Betty DuBois will review one of the elusive network cases she has solved using Wireshark and Pilot. There will be plenty of forensics evidence provided, and lots of practical information to help you solve your own network mysteries. This session will be a deep dive into the "Case of the Slow Network". Betty will walk the attendees through how the data was captured (tshark & AirPcap), the methods used to isolate the problem (SMTP relay infection), and which users were infected ... "

Betty DuBois has been a networking Instructor and Consultant since 1997. Currently, Betty is a Wireshark University Instructor, and creator of the "Network Mystery" series of videos featured on the wireshark.org site, and network trainer/consultant for hire.



Right click to download the corresponding PowerPoint presentation.


Continue viewing other Sharkfest videos »

Posted in Betty Dubois, Open Source Tools, Protocol Analysis, Sharkfest | | Comments (0) | TrackBack (0)

| |

« Previous | Next »

LMT Advertisers


LMT Sponsors

News From LMT Sponsors

  • Endace

  • Datacom

  • NetScout

  • WildPackets

  • Sharkfest

  • Anue Systems

  • National Instruments

  • Riverbed

  • Net Optics
  • Garland