We will use these pcaps of network traffic to practice extracting objects using Wireshark. The instructions also assume you have customized your Wireshark column display as previously demonstrated in this tutorial. Warning: Most of these pcaps contain Windows malware, and this tutorial involves examining these malicious files. Since these files are Windows malware, I recommend doing this tutorial in a non-Windows environment, like a MacBook or Linux host.
You could also use a virtual machine (VM) running Linux. The first pcap for this tutorial, extracting-objects-from-pcap-example Open the pcap in Wireshark and filter on http. Figure 1. Filtering on the tutorial's first pcap in Wireshark. After filtering on http. The first request ends with. The second request ends with. Figure 2 shows this menu path in Wireshark. Figure 2. Select the first line with smart-fax[.
Select the second line with smart-fax[. Figure 3. Figure 4. In some cases, Windows executables are intentionally labeled as a different type of file in an effort to avoid detection.
Fortunately, the first pcap in this tutorial is a very straightforward example. Still, we should confirm these files are what we think they are. In a MacBook or Linux environment, you can use a terminal window or command line interface (CLI) for the following commands:
The file command returns the type of file. The shasum command will return the file hash, in this case the SHA file hash. Figure 5. Determining the file type and hash of our two objects exported from the pcap.
The information above confirms our suspected Word document is in fact a Microsoft Word document. It also confirms the suspected Windows executable file is indeed a Windows executable. We could also do a Google search on the SHA hashes to possibly find additional information.

You can always "eyeball it" by using "Follow TCP". This data is encrypted but Wireshark does calculate the size of this "conversation". It won't equal the exact size of your file because of the packet headers.
This will more or less precisely give you the size of all the packet headers. About 52,7 KB. This should give you something close to the "real" size.
Hope this helps. Cheers, JF. To see only each trials: tcp. I've used NetworkMiner to find files in other pcaps. I've also seen what the file transfer looks like by following each stream. But the pcap I'm working with doesn't look anything like that.
This is for a CTF so I'm not looking for anyone to just give me the answer, but any pointers would be much appreciated. One way I start is by using the filter tcp. Awesome thanks, I'll try that. There isn't a public link to the pcap file, I could upload it to google drive and share it that way. That did help filter out the ambiguity. The goal of that particular question was to find the file, and calculate the md5 hash which is the flag.
Nice one.
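As an added example (not code from the tutorial or from the thread above), here is a small Python version of the tutorial's `file` + `shasum` confirmation step for objects exported from a pcap. It classifies each object from its leading magic bytes, flags the case the tutorial warns about (an executable saved under a document extension), and reports the SHA-256 and the MD5 that the CTF thread uses as its flag. The file names and byte strings are constructed sample data, not objects from any of the pcaps.

```python
import hashlib
import os

# Magic-byte signatures for the object types the tutorial exports from the pcap.
# OLE2 compound file covers legacy .doc; ZIP covers .docx (OOXML); MZ covers PE.
SIGNATURES = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE2 compound file (legacy Word .doc)",
    b"PK\x03\x04": "ZIP container (OOXML .docx or similar)",
    b"MZ": "Windows PE executable (.exe/.dll)",
}

# Extensions that plausibly match each detected type; anything else is suspicious.
EXPECTED_EXT = {
    "OLE2 compound file (legacy Word .doc)": {".doc", ".xls", ".ppt", ".msi"},
    "ZIP container (OOXML .docx or similar)": {".docx", ".xlsx", ".pptx", ".zip", ".jar"},
    "Windows PE executable (.exe/.dll)": {".exe", ".dll", ".scr", ".sys"},
}


def identify(data: bytes) -> str:
    """Return a type label from the leading magic bytes, the way `file` does."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"


def inspect_object(name: str, data: bytes) -> dict:
    """Classify an exported object, hash it, and flag a name/content mismatch."""
    label = identify(data)
    ext = os.path.splitext(name)[1].lower()
    mismatch = label != "unknown" and ext not in EXPECTED_EXT[label]
    return {
        "name": name,
        "type": label,
        "extension_mismatch": mismatch,
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


# Constructed sample objects: a harmless OOXML-style header, and a PE header stub
# saved with a .doc name to mimic a mislabeled executable.
SAMPLE_OBJECTS = {
    "invoice.docx": b"PK\x03\x04" + b"\x00" * 28,
    "update.doc": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, data in SAMPLE_OBJECTS.items():
        r = inspect_object(name, data)
        print(f"{r['name']}: {r['type']} size={r['size']} mismatch={r['extension_mismatch']}")
        print(f"  sha256={r['sha256']}\n  md5={r['md5']}")
```

On real exports, read each file with `open(path, "rb")` and pass its bytes to `inspect_object`; a `True` in `extension_mismatch` is the cue to treat the object as the tutorial's disguised executable rather than a document.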