Have you ever had to work with a large packet capture, and after getting past the initial stage of being overwhelmed by a few million packets, found that you are still a bit overwhelmed? I quite often work with large PCAPs - either for long-running issues, or intermittent issues, or because the capture filter that was defined might not have been all that it should be :-)

PCAP2XML will dump standard PCAP files to XML or SQLite format.

Let's start with a sample PCAP file. I did a simple 1 minute capture of my "home / family" wireless network (not my home / work network), and got a 96 packet capture file. Using a few examples from PCAP2XML's website, let's see what we find.

First, export the file. Note that the offset is required (it should be zero for most cases), or the export will error out. In this example I'm exporting to SQLite (use -x for XML):

C:\tmp> Pcap2XML.exe sample1.pcap -s sample.sql --offset 0
ver 1.0 by Pentester Academy
[+] Opening file: sample1.pcap (9.0 kB)
Filename: sample1.pcap

Now, let's open the file in sqlite browser. OH - as my cat would say - this is as good as catnip!!

Let's list the unique sending and receiving MAC addresses on the network.

Adding counts for each, sorted in descending order by packet count - OK, maybe this is BETTER than catnip!

Average packet length? No problem!

OK, for a 96 packet PCAP, this might not be your first go-to tool for analysis. But if the file was 96,000 or 960,000 packets? Maybe now a database approach makes a bit more sense, at least to start narrowing things down?

You can download PCAP2XML and read more about it here:
https://github.com/securitytube/pcap2xml
http://hackoftheday.securitytube.net/2015/03/pcap2xmlsqlite-convert-80211-packets-to.html
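As an added example (not from the diary and not PCAP2XML's own code or SQLite schema), here is the same database-driven triage in Python: a small parser loads a classic PCAP into an in-memory SQLite table, then runs the three queries the diary walks through (unique MACs, senders by packet count, average length). It assumes Ethernet (link type 1) frames and a constructed three-frame capture; the diary's own capture was 802.11, where the frame header and address fields differ.

```python
import sqlite3
import struct

# Constructed sample MAC addresses (not from the diary's capture).
MAC_A = "aa:bb:cc:00:00:01"
MAC_B = "aa:bb:cc:00:00:02"

def _ether_frame(src, dst, payload_len):
    """Minimal Ethernet II frame: dst, src, EtherType 0x0800, zero-filled payload."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + b"\x08\x00" + b"\x00" * payload_len)

def build_sample_pcap():
    """Constructed 3-frame capture: classic little-endian PCAP, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_ether_frame(MAC_A, MAC_B, 50), _ether_frame(MAC_A, MAC_B, 100),
              _ether_frame(MAC_B, MAC_A, 30)]
    out = header
    for i, f in enumerate(frames):  # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1427760000 + i, 0, len(f), len(f)) + f
    return out

def pcap_to_sqlite(pcap_bytes):
    """Parse a classic PCAP and load one row per frame into an in-memory SQLite table."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic PCAP file (pcapng / nanosecond variants unsupported)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE frames (ts REAL, src TEXT, dst TEXT, length INTEGER)")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) >= 14:  # skip truncated records rather than mis-parse them
            db.execute("INSERT INTO frames VALUES (?, ?, ?, ?)",
                       (ts_sec + ts_usec / 1e6, frame[6:12].hex(":"), frame[0:6].hex(":"), orig_len))
    db.commit()
    return db

def triage(pcap_bytes, top_n=10):
    """Run the diary's three queries: unique MACs, senders by count, average frame length."""
    db = pcap_to_sqlite(pcap_bytes)
    macs = [r[0] for r in db.execute("SELECT src FROM frames UNION SELECT dst FROM frames ORDER BY 1")]
    senders = db.execute("SELECT src, COUNT(*) AS n FROM frames GROUP BY src ORDER BY n DESC, src LIMIT ?",
                         (top_n,)).fetchall()
    avg_len = db.execute("SELECT AVG(length) FROM frames").fetchone()[0]
    return {"macs": macs, "top_senders": senders, "avg_length": avg_len}
```

On a real capture, replace `build_sample_pcap()` with the bytes of the file; once the table exists, each new question is one more SQL query rather than another pass over the whole PCAP.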
Rob VandenBrink, ISC Handler, Mar 31st 2015

Comments

Wow! Thanks! I usually do this with a pipeline of grep, awk, sort, uniq, et al., even breaking out in fluent perl script one-liners when the need arises, but you still gotta slough thru the whole stinkin' file every time. Nice tool!
- Moriah, Mar 31st 2015

Nice find, added to my bookmarks!
Often, I also use Bro to parse the pcap file. The "conn.log" gives you useful information to start debugging. OK, grep is still used, but you can quickly get interesting stats. Ex: top-10 of source IP addresses from the PCAP file:
$ cat conn.log | awk '{ print $3 }' | sort -urn | head -10
/x
- Xme, ISC Handler, Mar 31st 2015

Bro absolutely rules!
- beamer, Apr 1st 2015

Great post!
- Anonymous, Sep 11th 2017