Packet Analysis Basics
An evolving list of resources around packet analysis tips and tricks.
Terminology⌗
- SOC, or Security Operations Center, is a central location composed of leading edge tools, technology and peeps (intel gatherers, analysts) that deals with security issues at an organisational and technical level.
- IDS, or Intrusion Detection System, is a device that monitors network traffic for threats to the environment, proactively alert the SOC analyst of potential problems.
- IPS, or an Intrusion Prevention System, is more sits inline, and can take active or passive mitigation actions.
- SIEM, or Security Information and Event Management, is all about the collection and aggregation of alerts and logs for event tracking, retention and correlation from multiple hosts.
Cheat sheets⌗
- SANS TCP/IP and tcpdump Pocket Reference Guide
- RFC 790 Assigned Internet Protocol Numbers
- RFC 791 Internet Protocol
Anatomy of a Packet⌗
OSI Model Layers⌗
- 7: application: HTTP, FTP, DNS
- 6: presentation: SSL, JPEG
- 5: session: SQL, SCP, NetBIOS, SOAP
- 4: transport: TCP, UDP
- 3: network: IPv4, IPv6, ICMP
- 2: data-link: PPP, ARP, CDP
- 1: physical: Ethernet, Bluetooth
Layers 2-4 will be of primary interest.
Link Layer⌗
The first 14 bytes. Includes destination and sender MAC’s (6 bytes each) and a type (2 bytes).
Example:
00 0c 29 f5 2b fc 00 0c 29 58 52 ed 08 00
Distilled:
- Destination is
00 0c 29 f5 2b fc - Sender is
00 0c 29 58 52 ed - Type is
08 00(IPv4)
Ether Type Fields⌗
| Type | Hex |
|---|---|
| IP | 0800 |
| IPv6 | 86DD |
| ARP | 0806 |
| RARP | 8035 |
| MPLS unicast | 8847 |
| MPLS multicast | 8848 |
| LLDP | 88CC |
Network layer⌗
The next chunk of 20 bytes is the network layer header. In this case IP. As per RFC791:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Example:
45 00 00 46 20 ed 40 00 40 11 96 57 c0 a8 01 07 c0 a8 01 0b
Distilled:
- First nibble (4 bits) defines the protocol version,
0x45in binary is1000101.100is IPv4. - Second nibble (
0101or 5 in decimal) is the internet header length in 32 bit words (i.e. defines the start of the data). - Type of service is
00 - Total length is
00 46or 70 bytes. - Identification is
20 ed(or 8429). Its an id provided by the sender to aid in assembling the fragments of a datagram. 40 00(or0100 0000 0000 0000in binary) defines the control flags and fragment offset fields.- First 3 bits
010are the control flags (bit 0: reserved must be zero, bit 1: (DF) 0 = May Fragment or 1 = Don’t Fragment, bit 2: (MF) 0 = Last Fragment or 1 = More Fragments) - Left over 13-bits are the fragment offset, points to where in the datagram this fragment belongs
- First 3 bits
- TTL (1-byte) defines the maximum time (in seconds) the datagram is allowed to remain. A TTL of
0x40is 64 seconds. - Protocol (1-byte) is the protocol of the data that is being encapsulated as an IP datagram. Protocol here is
0x11or 17 decimal, which translates to UDP. Refer to the Internet Protocol Numbers section in RFC790 for more.
TODO: Finish this using rfc791 as a guide.
Transport layer⌗
TCP segment layout:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Offset| Res. | Flags | Window |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Tools⌗
pcap (packet capture) is the defacto API and output format (application/vnd.tcpdump.pcap) for dealing with packets at the link layer and above. UNIX systems implement libpcap and other OS’s have ports.
Wireshark (and tshark)⌗
Wireshark (and it’s CLI tshark) is a graphical analyser, and provides a very intuitive visual experience for filtering and breaking down segments.
Filtering abilities are strong.
To exclude udp datagrams coming in, or leaving on port 53 (DNS):
!(udp.dstport == 53 || udp.srcport == 53)
To only include ARP packets:
arp
tcpdump⌗
tcpdump born in 1988, typically ships with most UNIX systems. WinDump is a Windows port.
Useful switches⌗
Capture options:
-Dshow available interfaces-ithe interface to pull packets from (e.g.-i eth0or-i all)-climit the number of packets processed (e.g. first 5 packets-c 5)-slimit the capture in size (bytes)-s0gets everything-ndon’t resolve host names (the default) - just show raw IP’s-lbuffer output (for real time output)
View options:
-qquick (summarised) view-tsuppress timestamp-Nresolve host name-v-vv-vvvverbosity of packet info shown-Xshow packet as hex and ascii-XXlike-Xbut includes ethernet header-eshow link level (e.g. ethernet) header-Aexclude the link level header
PCAP I/0:
-wwrite a pcap file to disk-rread a pcap file from disk
Examples⌗
Show the available network interfaces that can be captured:
$ tcpdump -D --list-interfaces
1.wlp6s0 [Up, Running]
2.docker0 [Up, Running]
3.veth5d8138d [Up, Running]
4.lo [Up, Running, Loopback]
5.enp0s31f6 [Up]
6.virbr0-nic
7.nflog (Linux netfilter log (NFLOG) interface)
Capture packets on a specific interface -i, either going to and coming from a specific host, outputting to stdout:
$ sudo tcpdump -i wlp6s0 host 192.168.1.244
listening on wlp6s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:13:11.122855 IP donatello.50844 > 192.168.1.244.8009: Flags [P.], seq 962252308:962252425, ack 2567658854, win 354, options [nop,nop,TS val 4001693313 ecr 6768796], length 117
...
Capture packets on an interface and port (SSH):
$ sudo tcpdump -i wlp6s0 port 22
Instead of outputting to stdout, write the first 100 packets -c100, to disk -w:
$ tcpdump -i wlp6s0 host 192.168.1.244 -w ~/the-hunt.pcap
It’s also easy to filter by proto and port, for example:
$ tcpdump 'tcp port 5000'
Read a single packet from packet capture (pcap):
$ tcpdump -r foo.pcap -c 1
16:05:50.391838 IP donatello.42092 > a104-98-39-17.deploy.static.akamaitechnologies.com.https: Flags [.], ack 3388739579, win 384, options [nop,nop,TS val 861102334 ecr 2396246368], length 0
Show the hex (-X) representation of packet:
$ tcpdump -r foo.pcap -q -c 1 -X
reading from file foo.pcap, link-type EN10MB (Ethernet)
16:05:50.391808 IP donatello.44202 > ppp22-50.static.internode.on.net.https: tcp 0
0x0000: 4500 0034 3a5e 4000 4006 ec42 c0a8 01a2
0x0010: 3ba7 1632 acaa 01bb ba1f eb32 ca54 5471
0x0020: 8010 01ac 7966 0000 0101 080a 7743 bd6a
0x0030: 9afd a55d
Exclude packets with a src/dest port of 53 (DNS):
$ tcpdump -r ARP_Spoof.pcap -c 5 -n port not 53
reading from file ARP_Spoof.pcap, link-type EN10MB (Ethernet)
04:27:27.037563 ARP, Reply 192.168.1.3 is-at 00:0c:29:58:52:ed, length 46
04:27:27.037709 ARP, Reply 192.168.1.11 is-at 00:0c:29:58:52:ed, length 46
04:27:29.038072 ARP, Reply 192.168.1.3 is-at 00:0c:29:58:52:ed, length 46
04:27:29.038083 ARP, Reply 192.168.1.11 is-at 00:0c:29:58:52:ed, length 46
04:27:29.685743 CDPv2, ttl: 180s, Device-ID 'Lab_3750x.Abraham.local', length 533
Include only ARP packets:
$ tcpdump -r ARP_Spoof.pcap -c 5 -n arp
Display hex representation of the segments (-XX). Note the source (000c 29f5 2bfc) and dest (000c 2958 52ed) MAC addresses, the frame type 0806 (ARP) and so on.
$ tcpdump -r ARP_Spoof.pcap -c 8 -n -XX arp
reading from file ARP_Spoof.pcap, link-type EN10MB (Ethernet)
04:27:27.037563 ARP, Reply 192.168.1.3 is-at 00:0c:29:58:52:ed, length 46
0x0000: 000c 29f5 2bfc 000c 2958 52ed 0806 0001 ..).+...)XR.....
0x0010: 0800 0604 0002 000c 2958 52ed c0a8 0103 ........)XR.....
0x0020: 000c 29f5 2bfc c0a8 010b 0000 0000 0000 ..).+...........
0x0030: 0000 0000 0000 0000 0000 0000 ............
04:27:27.037709 ARP, Reply 192.168.1.11 is-at 00:0c:29:58:52:ed, length 46
0x0000: 000c 29ec be89 000c 2958 52ed 0806 0001 ..).....)XR.....
0x0010: 0800 0604 0002 000c 2958 52ed c0a8 010b ........)XR.....
0x0020: 000c 29ec be89 c0a8 0103 0000 0000 0000 ..).............
0x0030: 0000 0000 0000 0000 0000 0000 ............
Real world use-cases⌗
HTTP user agents:
$ sudo tcpdump -vvAs0 -i wlp6s0 | grep 'User-Agent:' --color
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
HTTP host headers:
$ sudo tcpdump -vvAs0 -i wlp6s0 | grep 'Host:' --color
SSH connections. This one highlights the expression DSL, which queries and bit shifts byte 12 (the banner response), and maes sure its SSH:
$ sudo tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D' -i wlp6s0
13:24:12.794001 IP donatello.46052 > bigdatabox.ssh: Flags [P.], seq 3418003761:3418003802, ack 2594645045, win 229, options [nop,nop,TS val 710154217 ecr 2981583095], length 41
13:24:12.834329 IP bigdatabox.ssh > donatello.46052: Flags [P.], seq 1:42, ack 41, win 227, options [nop,nop,TS val 2981583136 ecr 710154217], length 41
DNS traffic:
$ sudo tcpdump -vvAs0 -i wlp6s0 port 53
tcpdump: listening on wlp6s0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:28:33.039827 IP (tos 0x0, ttl 64, id 7953, offset 0, flags [DF], proto UDP (17), length 71)
donatello.40121 > router.asus.com.domain: [udp sum ok] 15380+ [1au] A? www.google.com. ar: . OPT UDPsize=512 (43)
E..G..@.@..............5.3..<............www.google.com.......)........
Scan for cleartext passwords:
$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
netsniff-ng⌗
The Swiss army knife of network plumbing.
netsniff-ng, a fast zero-copy analyzer, pcap capturing and replaying tooltrafgen, a multithreaded low-level zero-copy network packet generatormausezahn, high-level packet generator for HW/SW appliances with Cisco-CLIbpfc, a Berkeley Packet Filter compiler, Linux BPF JIT disassemblerifpps, a top-like kernel networking statistics toolflowtop, a top-like netfilter connection tracking toolcurvetun, a lightweight curve25519-based IP tunnelastraceroute, an autonomous system (AS) trace route utility
Some useful switches:
-Xdump segment out as hex
Examples:
Capture 5 packets for a specific interface:
$ sudo netsniff-ng -i wlp6s0 -o netsniff.pcap -n5
Running! Hang up with ^C!
< wlp6s0 176 1549689379s.169831786ns #1
[ Eth MAC (0c:9d:92:4d:37:c0 => 50:3e:aa:51:b9:17), Proto (0x0800, IPv4) ]
[ Vendor (Unknown => Unknown) ]
[ IPv4 Addr (172.217.25.170 => 192.168.1.162), Proto (17), TTL (59), TOS (0), Ver (4), IHL (5), Tlen (162), ID (0), Res (0), NoFrag (1), MoreFrag (0)
FragOff (0), CSum (0xb67d) is ok ]
[ UDP Port (443 (https) => 60022), Len (142 Bytes, 134 Bytes Data), CSum (0x3a15) ]
[ Chr .0.|....}\.....wR._=.E.............rMX<lyL"...7.0#.F....m.A.,O..E5....4W.*V...tH..L0/&.h......To.d.....jS).5.u........M.....p>_".v.... ]
Filter by source IP:
$ sudo netsniff-ng -i wlp6s0 -o netsniff.pcap -n5 ip src 192.168.1.121
Read a single packet from packet capture (pcap):
$ sudo netsniff-ng -i foo.pcap -n5
Only display ascii printable characters:
$ sudo netsniff-ng -i foo.pcap -n5 --ascii
Analysis⌗
Get a lay of the land by dumping out the first n packets:
$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5
There’s a lot of DNS noise, to weed that out exclude everything on port 53:
$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5 not port 53
Outputs:
< ? 60 1523726847s.37563000ns #1
[ tpacketv3 VLAN Prio (0), CFI (0), ID (0), Proto (0x0000) ]
[ Eth MAC (00:0c:29:58:52:ed => 00:0c:29:f5:2b:fc), Proto (0x0806, ARP) ]
[ Vendor (VMware, Inc. => VMware, Inc.) ]
[ ARP Format HA (1 => Ethernet), Format Proto (0x0800 => IPv4), HA Len (6), Proto Len (4), Opcode (2 => ARP reply), Sender MAC (00:0c:29:58:52:ed), S
ender IP (192.168.1.3), Target MAC (00:0c:29:f5:2b:fc), Target IP (192.168.1.11) ]
[ Chr .................. ]
[ Hex 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
...
ARP packets from mac :ed to :fc. To focus on only ARP packets, include arp as the protocol filter criteria:
$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5 arp
Next dump out the hex representation of the first 5 packet:
$ sudo netsniff-ng -i ARP_Spoof.pcap -V -n 5 arp -X
pcap file I/O method: scatter-gather
Running! Hang up with ^C!
< ? 60 1523726847s.37563000ns #1
[ tpacketv3 VLAN Prio (0), CFI (0), ID (0), Proto (0x0000) ]
[ Hex 00 0c 29 f5 2b fc 00 0c 29 58 52 ed 08 06 00 01 08 00 06 04 00 02 00 0c 29 58 52 ed c0 a8 01 03 00 0c 29 f5 2b fc c0 a8 01 0b 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 ]
< ? 60 1523726847s.37709000ns #2
[ tpacketv3 VLAN Prio (0), CFI (0), ID (0), Proto (0x0000) ]
[ Hex 00 0c 29 ec be 89 00 0c 29 58 52 ed 08 06 00 01 08 00 06 04 00 02 00 0c 29 58 52 ed c0 a8 01 0b 00 0c 29 ec be 89 c0 a8 01 03 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 ]
...
Unpacking the hex of the first packet:
- The first 6 bytes
00 0c 29 f5 2b fcshow the destination MAC address - The next 6 bytes
00 0c 29 58 52 edthe source MAC address - The next 2 bytes, is the frame type
08 06(ARP) - The remainder is ARP payload.
00 01is the hardware type (ether).08 00indicates IP based.