Showing blog posts from April 2011

Tuesday, 26 April 2011 19:33:00 (UTC/GMT)

PCAP is now a valid MIME type

Samy Molcho 1960

The libpcap packet dump format used by applications like tcpdump, Wireshark, NetworkMiner, RawCap, Argus and many others is now a valid MIME type.

The guy behind this effort is Glen Turner, who has done a great job writing the pcap MIME type application. This application was accepted by IANA on March 31 this year and is now published at
http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap

Your UNIX-type OS is probably not yet supporting this MIME type, but why not give it a try? This is what it looks like when I grep for pcap in /etc/mime.types of an Ubuntu machine:

erik@ubuntu:~$ grep pcap /etc/mime.types
application/cap          cap pcap

This is not the new MIME type, it's an old not-so-good type from the Debian project. Gerald Combs (yes, the Wireshark guy) has submitted a bug report to Debian requesting for this old MIME type to be replaced with the new “application/vnd.tcpdump.pcap” one. When this is implemented I believe the same command above would look something like this:

erik@ubuntu:~$ grep pcap /etc/mime.types
application/vnd.tcpdump.pcap          pcap cap

Standardizing the PCAP file format

The MIME type definition for vnd.tcpdump.pcap does contain a very short description of the pcap file format. There is, for example, a brief explanation of the PCAP magic number 0xa1b2c3d4 (or 0xd4c3b2a1), which is used in order to figure out if the pcap is written in big-endian (a.k.a. network byte order) or little-endian byte order. I was, however, hoping the MIME type definition would contain a much more complete definition of the pcap file format than so.

The best available description of the pcap file currently available is in my opinion the Libpcap File Format entry at the Wireshark Wiki. This description is pretty well written, but I would prefer to see it published as an IETF RFC or as part of the IANA MIME type definition. But I suppose the registration of PCAP as a MIME type is a first step towards having the PCAP file format standardized...

Update (November 2012)

The website PCAPNG.com is a free online service for converting files from the Pcap-NG format into PCAP files. This website serves the converted PCAP files using the "application/vnd.tcpdump.pcap" MIME type as Content-Type.

More... Share  |  Facebook   Twitter   Reddit Short URL: http://netresec.com/?b=114467E

Posted by Erik Hjelmvik on Tuesday, 26 April 2011 19:33:00 (UTC/GMT)

Sunday, 10 April 2011 08:32:00 (UTC/GMT)

RawCap sniffer for Windows released

RawCap sniffer

We are today proud to announce the release of RawCap, which is a free raw sockets sniffer for Windows.

Here are some highlights of why RawCap is a great tool to have in your toolset:

  • Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
  • RawCap.exe is just 17 kB
  • No external libraries or DLL's needed
  • No installation required, just download RawCap.exe and sniff
  • Can sniff most interface types, including WiFi and PPP interfaces
  • Minimal memory and CPU load
  • Reliable and simple to use

Usage

RawCap takes two arguments; the first argument is the IP address or interface number to sniff from, the second is the path/file to write the captured packets to.

C:\Tools>RawCap.exe 192.168.0.23 dumpfile.pcap

You can also start RawCap without any arguments, which will leave you with an interactive dialog where you can select NIC and filename:

C:\Tools>RawCap.exe
Network interfaces:
0.     192.168.0.23    Local Area Connection
1.     192.168.0.47    Wireless Network Connection
2.     90.130.211.54   3G UMTS Internet
3.     192.168.111.1   VMware Network Adapter VMnet1
4.     192.168.222.1   VMware Network Adapter VMnet2
5.     127.0.0.1       Loopback Pseudo-Interface
Select network interface to sniff [default '0']: 1
Output path or filename [default 'dumpfile.pcap']:
Sniffing IP : 192.168.0.47
File        : dumpfile.pcap
Packets     : 1337

For Incident Responders

RawCap comes in very handy for incident responders who want to be able to sniff network traffic locally at the clients of the corporate network. Here are a few examples of how RawCap can be used for incident response:

  1. A company laptop somewhere on the corporate network is believed to exfiltrate sensitive coporate information to a foreign server on the Internet by using a UMTS 3G connection on a USB dongle. After finding the internal IP address on the corporate network the Incident Response Team (IRT) use the Sysinternals tool PsExec to inject RawCap.exe onto the laptop and sniff the packets being exfiltrated through the 3G connection. The generated pcap file can be used to determine what the external 3G connection was used for.
  2. A computer is suspected to be infected with malware that uses an SSL tunnelling proxy (stunnel) to encrypt all Command-and-Control (C&C) communication. The data that is to be sent into the tunnel is first sent unencrypted to localhost (127.0.0.1 aka loopback interface) before it enters the encrypted tunnel. Incident responders can use RawCap to sniff the traffic to/from localhost on the Windows OS, which is something other sniffing tools cannot do.
  3. A corporate laptop connected to the companies WPA2 encrypted WiFi is found to have suspicious TCP sessions opened to other computers on the same WiFi network. Incident responders can run RawCap locally on any of those machines in order to capture the WiFi network traffic to/from that machine in unencrypted form.

For Penetration Testers

RawCap was not designed for pen-testers, but I realize that there are some situations where the tool can come in hany when doing a penetration test. Here are some examples:

  1. After getting remote access and admin privileges on a Windows XP machine the pen-tester wanna sniff the network traffic of the machine in order to get hold of additional credentials. Sniffing tools like dumpcap, WinDump and NMCap can unfortunately not be used since no WinPcap or NDIS driver is installed. RawCap does, however, not need any special driver installed since it makes use of the Raw Sockets functionality built into Windows. Pen-testers can therefore run RawCap.exe to sniff traffic without installing any drivers.
  2. After getting admin on a box the pen-tester wanna sniff the network traffic, but box uses a WiFi network so traditional sniffing tools won't work. This is when RawCap comes in handy, since it can sniff the WiFi traffic of the owned machine just as easily as if it had been an Ethernet NIC.

Download RawCap

RawCap is provided for free and can be downloaded from here:
http://www.netresec.com/?page=RawCap

More... Share  |  Facebook   Twitter   Reddit Short URL: http://netresec.com/?b=11412E9

Posted by Erik Hjelmvik on Sunday, 10 April 2011 08:32:00 (UTC/GMT)

twitter

NETRESEC on Twitter

Follow @netresec on twitter:
» twitter.com/netresec


book

Recommended Books

» The Practice of Network Security Monitoring, Richard Bejtlich (2013)

» Applied Network Security Monitoring, Chris Sanders and Jason Smith (2013)

» Network Forensics, Sherri Davidoff and Jonathan Ham (2012)

» The Tao of Network Security Monitoring, Richard Bejtlich (2004)

» Practical Packet Analysis, Chris Sanders (2011)

» Windows Forensic Analysis, Harlan Carvey (2009)

» TCP/IP Illustrated, Volume 1, Kevin Fall and Richard Stevens (2011)


Recommended Mags

eForensics Mag