Packet Analysis Basics


An evolving list of resources around packet analysis tips and tricks.

Terminology

  • SOC, or Security Operations Center, is a central location composed of leading edge tools, technology and peeps (intel gatherers, analysts) that deals with security issues at an organisational and technical level.
  • IDS, or Intrusion Detection System, is a device that monitors network traffic for threats to the environment, proactively alert the SOC analyst of potential problems.
  • IPS, or an Intrusion Prevention System, is more sits inline, and can take active or passive mitigation actions.
  • SIEM, or Security Information and Event Management, is all about the collection and aggregation of alerts and logs for event tracking, retention and correlation from multiple hosts.

Cheat sheets

Anatomy of a Packet

OSI Model Layers

  • 7: application: HTTP, FTP, DNS
  • 6: presentation: SSL, JPEG
  • 5: session: SQL, SCP, NetBIOS, SOAP
  • 4: transport: TCP, UDP
  • 3: network: IPv4, IPv6, ICMP
  • 2: data-link: PPP, ARP, CDP
  • 1: physical: Ethernet, Bluetooth

Layers 2-4 will be of primary interest.

The first 14 bytes. Includes destination and sender MAC’s (6 bytes each) and a type (2 bytes).

Example:

00 0c 29 f5 2b fc 00 0c 29 58 52 ed 08 00

Distilled:

  • Destination is 00 0c 29 f5 2b fc
  • Sender is 00 0c 29 58 52 ed
  • Type is 08 00 (IPv4)

Ether Type Fields

Type Hex
IP 0800
IPv6 86DD
ARP 0806
RARP 8035
MPLS unicast 8847
MPLS multicast 8848
LLDP 88CC

Network layer

The next chunk of 20 bytes is the network layer header. In this case IP. As per RFC791:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Example:

45 00 00 46 20 ed 40 00 40 11 96 57 c0 a8 01 07 c0 a8 01 0b

Distilled:

  • First nibble (4 bits) defines the protocol version, 0x45 in binary is 1000101. 100 is IPv4.
  • Second nibble (0101 or 5 in decimal) is the internet header length in 32 bit words (i.e. defines the start of the data).
  • Type of service is 00
  • Total length is 00 46 or 70 bytes.
  • Identification is 20 ed (or 8429). Its an id provided by the sender to aid in assembling the fragments of a datagram.
  • 40 00 (or 0100 0000 0000 0000 in binary) defines the control flags and fragment offset fields.
    • First 3 bits 010 are the control flags (bit 0: reserved must be zero, bit 1: (DF) 0 = May Fragment or 1 = Don’t Fragment, bit 2: (MF) 0 = Last Fragment or 1 = More Fragments)
    • Left over 13-bits are the fragment offset, points to where in the datagram this fragment belongs
  • TTL (1-byte) defines the maximum time (in seconds) the datagram is allowed to remain. A TTL of 0x40 is 64 seconds.
  • Protocol (1-byte) is the protocol of the data that is being encapsulated as an IP datagram. Protocol here is 0x11 or 17 decimal, which translates to UDP. Refer to the Internet Protocol Numbers section in RFC790 for more.

TODO: Finish this using rfc791 as a guide.

Transport layer

TCP segment layout:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |        Destination Port       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Acknowledgment Number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Offset|  Res. |     Flags     |             Window            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Checksum           |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Tools

pcap (packet capture) is the defacto API and output format (application/vnd.tcpdump.pcap) for dealing with packets at the link layer and above. UNIX systems implement libpcap and other OS’s have ports.

Wireshark (and tshark)

Wireshark (and it’s CLI tshark) is a graphical analyser, and provides a very intuitive visual experience for filtering and breaking down segments.

Filtering abilities are strong.

To exclude udp datagrams coming in, or leaving on port 53 (DNS):

!(udp.dstport == 53 || udp.srcport == 53)

To only include ARP packets:

arp

tcpdump

tcpdump born in 1988, typically ships with most UNIX systems. WinDump is a Windows port.

Useful switches

Capture options:

  • -D show available interfaces
  • -i the interface to pull packets from (e.g. -i eth0 or -i all)
  • -c limit the number of packets processed (e.g. first 5 packets -c 5)
  • -s limit the capture in size (bytes) -s0 gets everything
  • -n don’t resolve host names (the default) - just show raw IP’s
  • -l buffer output (for real time output)

View options:

  • -q quick (summarised) view
  • -t suppress timestamp
  • -N resolve host name
  • -v -vv -vvv verbosity of packet info shown
  • -X show packet as hex and ascii
  • -XX like -X but includes ethernet header
  • -e show link level (e.g. ethernet) header
  • -A exclude the link level header

PCAP I/0:

  • -w write a pcap file to disk
  • -r read a pcap file from disk

Examples

Show the available network interfaces that can be captured:

$ tcpdump -D --list-interfaces
1.wlp6s0 [Up, Running]
2.docker0 [Up, Running]
3.veth5d8138d [Up, Running]
4.lo [Up, Running, Loopback]
5.enp0s31f6 [Up]
6.virbr0-nic
7.nflog (Linux netfilter log (NFLOG) interface)

Capture packets on a specific interface -i, either going to and coming from a specific host, outputting to stdout:

$ sudo tcpdump -i wlp6s0 host 192.168.1.244
listening on wlp6s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:13:11.122855 IP donatello.50844 > 192.168.1.244.8009: Flags [P.], seq 962252308:962252425, ack 2567658854, win 354, options [nop,nop,TS val 4001693313 ecr 6768796], length 117
...

Capture packets on an interface and port (SSH):

$ sudo tcpdump -i wlp6s0 port 22

Instead of outputting to stdout, write the first 100 packets -c100, to disk -w:

$ tcpdump -i wlp6s0 host 192.168.1.244 -w ~/the-hunt.pcap

It’s also easy to filter by proto and port, for example:

$ tcpdump 'tcp port 5000'

Read a single packet from packet capture (pcap):

$ tcpdump -r foo.pcap -c 1
16:05:50.391838 IP donatello.42092 > a104-98-39-17.deploy.static.akamaitechnologies.com.https: Flags [.], ack 3388739579, win 384, options [nop,nop,TS val 861102334 ecr 2396246368], length 0

Show the hex (-X) representation of packet:

$ tcpdump -r foo.pcap -q -c 1 -X
reading from file foo.pcap, link-type EN10MB (Ethernet)
16:05:50.391808 IP donatello.44202 > ppp22-50.static.internode.on.net.https: tcp 0
    0x0000:  4500 0034 3a5e 4000 4006 ec42 c0a8 01a2
    0x0010:  3ba7 1632 acaa 01bb ba1f eb32 ca54 5471
    0x0020:  8010 01ac 7966 0000 0101 080a 7743 bd6a
    0x0030:  9afd a55d

Exclude packets with a src/dest port of 53 (DNS):

$ tcpdump -r ARP_Spoof.pcap -c 5 -n port not 53
reading from file ARP_Spoof.pcap, link-type EN10MB (Ethernet)
04:27:27.037563 ARP, Reply 192.168.1.3 is-at 00:0c:29:58:52:ed, length 46
04:27:27.037709 ARP, Reply 192.168.1.11 is-at 00:0c:29:58:52:ed, length 46
04:27:29.038072 ARP, Reply 192.168.1.3 is-at 00:0c:29:58:52:ed, length 46
04:27:29.038083 ARP, Reply 192.168.1.11 is-at 00:0c:29:58:52:ed, length 46
04:27:29.685743 CDPv2, ttl: 180s, Device-ID 'Lab_3750x.Abraham.local', length 533

Include only ARP packets:

$ tcpdump -r ARP_Spoof.pcap -c 5 -n arp

Display hex representation of the segments (-XX). Note the source (000c 29f5 2bfc) and dest (000c 2958 52ed) MAC addresses, the frame type 0806 (ARP) and so on.

$ tcpdump -r ARP_Spoof.pcap -c 8 -n -XX arp
reading from file ARP_Spoof.pcap, link-type EN10MB (Ethernet)
04:27:27.037563 ARP, Reply 192.168.1.3 is-at 00:0c:29:58:52:ed, length 46
    0x0000:  000c 29f5 2bfc 000c 2958 52ed 0806 0001  ..).+...)XR.....
    0x0010:  0800 0604 0002 000c 2958 52ed c0a8 0103  ........)XR.....
    0x0020:  000c 29f5 2bfc c0a8 010b 0000 0000 0000  ..).+...........
    0x0030:  0000 0000 0000 0000 0000 0000            ............
04:27:27.037709 ARP, Reply 192.168.1.11 is-at 00:0c:29:58:52:ed, length 46
    0x0000:  000c 29ec be89 000c 2958 52ed 0806 0001  ..).....)XR.....
    0x0010:  0800 0604 0002 000c 2958 52ed c0a8 010b  ........)XR.....
    0x0020:  000c 29ec be89 c0a8 0103 0000 0000 0000  ..).............
    0x0030:  0000 0000 0000 0000 0000 0000            ............

Real world use-cases

HTTP user agents:

$ sudo tcpdump -vvAs0 -i wlp6s0 | grep 'User-Agent:' --color
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

HTTP host headers:

$ sudo tcpdump -vvAs0 -i wlp6s0 | grep 'Host:' --color

SSH connections. This one highlights the expression DSL, which queries and bit shifts byte 12 (the banner response), and maes sure its SSH:

$ sudo tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D' -i wlp6s0
13:24:12.794001 IP donatello.46052 > bigdatabox.ssh: Flags [P.], seq 3418003761:3418003802, ack 2594645045, win 229, options     [nop,nop,TS val 710154217 ecr 2981583095], length 41
13:24:12.834329 IP bigdatabox.ssh > donatello.46052: Flags [P.], seq 1:42, ack 41, win 227, options [nop,nop,TS val     2981583136 ecr 710154217], length 41

DNS traffic:

$ sudo tcpdump -vvAs0 -i wlp6s0 port 53
tcpdump: listening on wlp6s0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:28:33.039827 IP (tos 0x0, ttl 64, id 7953, offset 0, flags [DF], proto UDP (17), length 71)
    donatello.40121 > router.asus.com.domain: [udp sum ok] 15380+ [1au] A? www.google.com. ar: . OPT UDPsize=512 (43)
E..G..@.@..............5.3..<............www.google.com.......)........

Scan for cleartext passwords:

$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

netsniff-ng

The Swiss army knife of network plumbing.

  • netsniff-ng, a fast zero-copy analyzer, pcap capturing and replaying tool
  • trafgen, a multithreaded low-level zero-copy network packet generator
  • mausezahn, high-level packet generator for HW/SW appliances with Cisco-CLI
  • bpfc, a Berkeley Packet Filter compiler, Linux BPF JIT disassembler
  • ifpps, a top-like kernel networking statistics tool
  • flowtop, a top-like netfilter connection tracking tool
  • curvetun, a lightweight curve25519-based IP tunnel
  • astraceroute, an autonomous system (AS) trace route utility

Some useful switches:

  • -X dump segment out as hex

Examples:

Capture 5 packets for a specific interface:

$ sudo netsniff-ng -i wlp6s0 -o netsniff.pcap -n5
Running! Hang up with ^C!

< wlp6s0 176 1549689379s.169831786ns #1 
 [ Eth MAC (0c:9d:92:4d:37:c0 => 50:3e:aa:51:b9:17), Proto (0x0800, IPv4) ]
 [ Vendor (Unknown => Unknown) ]
 [ IPv4 Addr (172.217.25.170 => 192.168.1.162), Proto (17), TTL (59), TOS (0), Ver (4), IHL (5), Tlen (162), ID (0), Res (0), NoFrag (1), MoreFrag (0)
   FragOff (0), CSum (0xb67d) is ok ]
 [ UDP Port (443 (https) => 60022), Len (142 Bytes, 134 Bytes Data), CSum (0x3a15) ]
 [ Chr .0.|....}\.....wR._=.E.............rMX<lyL"...7.0#.F....m.A.,O..E5....4W.*V...tH..L0/&.h......To.d.....jS).5.u........M.....p>_".v.... ]

Filter by source IP:

$ sudo netsniff-ng -i wlp6s0 -o netsniff.pcap -n5 ip src 192.168.1.121

Read a single packet from packet capture (pcap):

$ sudo netsniff-ng -i foo.pcap -n5

Only display ascii printable characters:

$ sudo netsniff-ng -i foo.pcap -n5 --ascii

Analysis

Get a lay of the land by dumping out the first n packets:

$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5

There’s a lot of DNS noise, to weed that out exclude everything on port 53:

$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5 not port 53

Outputs:

< ? 60 1523726847s.37563000ns #1 
 [ tpacketv3 VLAN Prio (0), CFI (0), ID (0), Proto (0x0000) ]
 [ Eth MAC (00:0c:29:58:52:ed => 00:0c:29:f5:2b:fc), Proto (0x0806, ARP) ]
 [ Vendor (VMware, Inc. => VMware, Inc.) ]
 [ ARP Format HA (1 => Ethernet), Format Proto (0x0800 => IPv4), HA Len (6), Proto Len (4), Opcode (2 => ARP reply), Sender MAC (00:0c:29:58:52:ed), S
   ender IP (192.168.1.3), Target MAC (00:0c:29:f5:2b:fc), Target IP (192.168.1.11) ]
 [ Chr .................. ]
 [ Hex  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
...

ARP packets from mac :ed to :fc. To focus on only ARP packets, include arp as the protocol filter criteria:

$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5 arp

Next dump out the hex representation of the first 5 packet:

$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5 arp -X
pcap file I/O method: scatter-gather
Running! Hang up with ^C!

< ? 60 1523726847s.37563000ns #1 
 [ tpacketv3 VLAN Prio (0), CFI (0), ID (0), Proto (0x0000) ]
 [ Hex  00 0c 29 f5 2b fc 00 0c 29 58 52 ed 08 06 00 01 08 00 06 04 00 02 00 0c 29 58 52 ed c0 a8 01 03 00 0c 29 f5 2b fc c0 a8 01 0b 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 ]

< ? 60 1523726847s.37709000ns #2 
 [ tpacketv3 VLAN Prio (0), CFI (0), ID (0), Proto (0x0000) ]
 [ Hex  00 0c 29 ec be 89 00 0c 29 58 52 ed 08 06 00 01 08 00 06 04 00 02 00 0c 29 58 52 ed c0 a8 01 0b 00 0c 29 ec be 89 c0 a8 01 03 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 ]

...

Unpacking the hex of the first packet:

  • The first 6 bytes 00 0c 29 f5 2b fc show the destination MAC address
  • The next 6 bytes 00 0c 29 58 52 ed the source MAC address
  • The next 2 bytes, is the frame type 08 06 (ARP)
  • The remainder is ARP payload. 00 01 is the hardware type (ether). 08 00 indicates IP based.