Dig pcap File For Fun and Productivity
Having worked with networking gear for many years, I thought it was about time to jump in and post something to our blog, and why not start by talking about pcap files. As most of you already know, when testing and supporting networking products it is common to receive a big pcap file. Often the file is so big that opening it in Wireshark is at best slow and at worst impossible. Make no mistake, I am a big fan of Wireshark and cannot remember a day on the job where I didn't use this wonderful tool. But the question is: how do you complete a task such as grabbing the TCP sessions where there is no data from the server, if opening a 200MB pcap file crashes Wireshark every time? No worries, programming to the rescue.

To solve the problem I used Perl (feel free to use your favorite language) to open a pcap file and do some analysis. Let us look at finding sessions where the client sent data but the server didn't send any data in response. To make it easy I've included all the steps I took and, where appropriate, the code. Since the point is to illustrate how to use a scripting language like Perl to do the job, the code is greatly simplified. For the convenience of the reader, the complete code is listed at the end.

Step 1. Open the pcap file and put it in binary mode

    $inputFile = $ARGV[0];   # the first command line parameter is the name of the pcap file
    open(FD, "<", $inputFile) or die "cannot open $inputFile: $!";
    binmode(FD);             # pcap is a binary format; no newline translation

The script's output lists the matching sessions:

    1.2.167.89 80
    1.1.172.218 7840 -- 1.2.26.37 80
    1.1.121.19 7698 -- 1.2.122.238 80
    1.1.127.196 7652 -- 1.2.129.100 80
    1.1.172.131 7532 -- 1.2.174.40 80

You can then grab a TCP session using tcpdump or windump, as in

    windump -r bigPcap.pcap -w output.pcap host 1.1.17.167 and tcp port 7697

and then output.pcap will contain just that TCP session, small enough to be opened by Wireshark. Since the code is arranged to make it easy to read, you may want to format it in your favorite coding style and add more error checks if you see fit. Whatever you do, let me know in the comments section.
You may also be wondering about the speed of using Perl to process a big pcap file. Yes, a program written in C is faster, but Perl is also fast. On my Windows XP 3.1 GHz dual-core machine, I ran this Perl program on a 234MB pcap file with 13655 TCP sessions and it took about 2 seconds. With this method we can also do the following:
- Find which TCP session has retransmissions in a big pcap file.
- Open two big pcap files and find out which packets are present in the first pcap file but not in the second one. This is useful in determining which packets are dropped by a device under test.
- Determine the average latency between HTTP request and HTTP response.
Honestly, using this method the options are limitless. One of the better side benefits of completing this task is hearing compliments from your colleagues in the form of the question, "How did you find the needle in the haystack?"

For the sake of completeness, here is the entire Perl script:

    my $pktHdrFormat;       # depending on the endianness of the file header, the 16-byte packet header should be read accordingly
    my %tcpSessionState;    # this is used to keep track of all the TCP sessions
    $inputFile = $ARGV[0];  # the first command line parameter is the name of the pcap file
    open(FD, "<", $inputFile) or die "cannot open $inputFile: $!";
    binmode(FD);

    # print one matching session per line: client ip/port -- server ip/port
    printf("%d.%d.%d.%d %d -- %d.%d.%d.%d %d\n",
           $B[0], $B[1], $B[2], $B[3], $B[4] * 256 + $B[5],
           $B[6], $B[7], $B[8], $B[9], $B[10] * 256 + $B[11]);
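As an added example, not code from the article or from BreakingPoint, here is the same analysis in Python, which the author invites ("feel free to use your favorite language"). It reads the pcap global header to pick the byte order for the 16-byte packet headers (the article's $pktHdrFormat), walks Ethernet/IPv4/TCP frames, keeps per-session byte counts keyed by which side sent the bare SYN (the article's %tcpSessionState), and reports sessions where the client sent payload and the server sent none, printed in the article's "client -- server" layout. It also covers the second follow-up idea above, listing packets present in one capture but absent from another. The capture is constructed in memory: the pair 1.1.172.218:7840 -> 1.2.26.37:80 is reused from the article's output, every other address, port and function name (pcap_packets, tcp_fields, silent_server_sessions, packets_missing, build_pcap) is my own.

```python
import struct

def pcap_packets(data):
    """Yield (ts_sec, ts_usec, frame) from the bytes of a pcap file.
    The magic number fixes the byte order of the 24-byte global header and
    of each 16-byte per-packet header."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic == 0xa1b2c3d4:      # bytes d4 c3 b2 a1 on disk: little-endian writer
        endian = '<'
    elif magic == 0xd4c3b2a1:    # bytes a1 b2 c3 d4 on disk: big-endian writer
        endian = '>'
    else:
        raise ValueError('not a pcap file, magic %#x' % magic)
    linktype = struct.unpack(endian + 'I', data[20:24])[0]
    if linktype != 1:            # DLT_EN10MB only; other link layers are out of scope here
        raise ValueError('only Ethernet captures are handled')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def tcp_fields(frame):
    """(src, sport, dst, dport, flags, seq, payload_len) for an IPv4/TCP frame, else None.
    Frames cut short by the snaplen are tolerated: payload length is clamped at 0."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0f) * 4
    total_len = struct.unpack('!H', frame[16:18])[0]
    ip = frame[14:14 + total_len]
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src = '.'.join(str(b) for b in ip[12:16])
    dst = '.'.join(str(b) for b in ip[16:20])
    sport, dport, seq, _ack, off_flags = struct.unpack('!HHIIH', tcp[:14])
    data_off = (off_flags >> 12) * 4
    return src, sport, dst, dport, off_flags & 0x1ff, seq, max(0, len(tcp) - data_off)

SYN, ACK, PSH = 0x02, 0x10, 0x08

def silent_server_sessions(data):
    """Sessions (client, cport, server, sport) where the client sent payload and the server none.
    The side that sent the bare SYN is the client; packets of unseen sessions are ignored."""
    sessions = {}   # key -> [client_bytes, server_bytes]
    for _sec, _usec, frame in pcap_packets(data):
        f = tcp_fields(frame)
        if f is None:
            continue
        src, sport, dst, dport, flags, _seq, plen = f
        if (flags & (SYN | ACK)) == SYN:
            sessions.setdefault((src, sport, dst, dport), [0, 0])
        elif (src, sport, dst, dport) in sessions:
            sessions[(src, sport, dst, dport)][0] += plen
        elif (dst, dport, src, sport) in sessions:
            sessions[(dst, dport, src, sport)][1] += plen
    return [k for k, (c, s) in sessions.items() if c > 0 and s == 0]

def format_session(key):
    """Same layout as the article's printf: client ip/port -- server ip/port."""
    return '%s %d -- %s %d' % key

def _tcp_records(data):
    return [f for f in (tcp_fields(fr) for _, _, fr in pcap_packets(data)) if f is not None]

def packets_missing(data_a, data_b):
    """TCP packets (addresses, flags, seq, payload length) seen in capture A but not in B,
    i.e. what a device under test between the two capture points dropped."""
    seen_b = set(_tcp_records(data_b))
    return [f for f in _tcp_records(data_a) if f not in seen_b]

def _frame(src, sport, dst, dport, flags, seq, payload=b''):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data; checksums left at zero."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split('.')), bytes(int(x) for x in dst.split('.')))
    tcp = struct.pack('!HHIIHHHH', sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp + payload

def build_pcap(frames, endian='<'):
    """Write a pcap 2.4 file (Ethernet) in the given byte order."""
    out = struct.pack(endian + 'IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack(endian + 'IIII', 1000 + i, 0, len(fr), len(fr)) + fr
    return out

# Constructed sample: session A gets no reply, session B is a normal exchange,
# session C is a handshake where the client never sends data.
SAMPLE_FRAMES = [
    _frame('1.1.172.218', 7840, '1.2.26.37', 80, SYN, 100),
    _frame('1.1.172.218', 7840, '1.2.26.37', 80, PSH | ACK, 101, b'GET / HTTP/1.0\r\n\r\n'),
    _frame('1.1.10.5', 5000, '1.2.26.37', 80, SYN, 200),
    _frame('1.2.26.37', 80, '1.1.10.5', 5000, SYN | ACK, 300),
    _frame('1.1.10.5', 5000, '1.2.26.37', 80, PSH | ACK, 201, b'GET /x HTTP/1.0\r\n\r\n'),
    _frame('1.2.26.37', 80, '1.1.10.5', 5000, PSH | ACK, 301, b'HTTP/1.0 200 OK\r\n\r\n'),
    _frame('1.1.10.6', 5001, '1.2.26.37', 80, SYN, 400),
    _frame('1.1.10.6', 5001, '1.2.26.37', 80, ACK, 401),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)
SAMPLE_PCAP_AFTER_DUT = build_pcap(SAMPLE_FRAMES[:5] + SAMPLE_FRAMES[6:])  # server reply dropped

if __name__ == '__main__':
    for key in silent_server_sessions(SAMPLE_PCAP):
        print(format_session(key))
    for f in packets_missing(SAMPLE_PCAP, SAMPLE_PCAP_AFTER_DUT):
        print('dropped:', f)
```

To run it on a real file, replace SAMPLE_PCAP with `open(path, 'rb').read()`; the whole file is held in memory, which is fine for the few hundred megabytes the article talks about. The session key deliberately uses only addresses and ports, so a port reused after a FIN would be folded into the earlier session; a production version would also close sessions on FIN/RST.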
Latest articles from the "BreakingPoint Labs Blog" site:
- Data Sheets Lie and How To Truly Measure the Performance and Security of a Network Device
- Webcast and Research Paper Mobile Network Traffic Optimization
- IPv6 Everywhere You Turn
- Dig pcap File For Fun and Productivity
- Resiliency. Don't Leave Home Without It
- From the Floor at RSA 2010 Real-World Mobile Network Traffic Validation
- Replace Vendor Assurances With Measurable Answers
- Testing and Validation of Network Security Devices
- Application Protocol Fuzzing
- Proxies