Click here to close now.

Welcome!

MICROSERVICES Authors: Michael Kanasoot, Liz McMillan, Elizabeth White, Pat Romanski, Carmen Gonzalez

Related Topics: Security, XML, MICROSERVICES, Adobe Flex, Web 2.0

Security: Article

Capture File Filtering with Wireshark

Needle in a Haystack

Intrusion detection tools that use the libpcap C/ C++ library [1] for network traffic capture (such as Snort [2] and Tcpdump [1]) can output packet capture information to a file for later reference. The format of this capture file is known as pcap. By capturing packet data to a file, an investigator can return later to study the history of an intrusion attempt – or to turn up other important clues about clandestine activity on the network.

Of course, the traffic history data stored in a pcap file is much too vast to study by just viewing the file manually. Security experts use specialized filtering tools to search through the file for pertinent information. One way to look for clues in a pcap file is to use the Wireshark protocol analysis tool [3] and its accompanying command-line utility tshark.

Wireshark is included by default on many Linux distros, and if not, it is available through the leading package repositories. You can also download Wireshark through the project website [4]. In this article, I describe how to use Wireshark and tshark to search a pcap file for information on network activity. I will assume you already have a pcap file ready for investigation. For more on how to capture a pcap file with Tcp-dump, see my article “Intruder Detection with Tcpdump,” which is available online at the ADMIN magazine website [5].

tshark at the Command Line
The tshark utility is a simple tool included with the Wireshark package that lets you filter the contents of a pcap file from the command line. To get a view of the most significant activity, I use the following command:

$ tshark ‑nr dumpfile1.gz ‑qz "io,phs" > details.txt

The ‑n switch disables network object name resolution, ‑r indicates that packet data is to be read from the input file, in this case dumpfile1.gz. The ‑z allows for statistics to display after it finishes reading the capture file, the ‑q flag specifies that only the statistics are printed, and the > redirection
sends the output to the file called details.txt. See Figure 1 for the output of this information. To view a list of help commands used with tshark, type:

$ tshark ‑h

And for a list of ‑z arguments type:

$ tshark ‑z help

Figure 1

Say you would like to know whether a particular IP address appeared in a packet dump and what port it was connecting on. The following command line checks the dump file for the IP address 98.139.126.21:

$ tshark ‑V ‑nr dumpfile.gz ip.src == 98.139.126.21 | grep "Source port" | awk {'print $3'} | sort ‑n | uniq 80

The resulting output on the line following the command shows that the packet dump file recorded IP address 98.139.126.21 having connections on port 80.

If you were given a packet dump file and asked to find possible IRC traffic on your network, how would you do it? First, you would need to know what port numbers were associated with IRC traffic, and that could be accomplished with Google or by issuing the following command:

$ grep irc /usr/share/nmap/nmap‑services | grep tcp

Figure 2 shows the results of the preceding command.

Figure 2

Now I can search the packet dump and look for evidence of IRC traffic using the following commands:

$ tshark ‑nr dumpfile1.gz 'ip.addr==172.16.134.191 and tcp.port >=  6667 and tcp.port <= 6670 and irc' |  awk {'print $3,$4,$5,$6'} | sort ‑n | uniq ‑c

Figure 1: tshark statistics output.
Figure 2: Locating IRC port numbers with grep.
Figure 3: IRC connections found in the packet dump.
Figure 4: The Wireshark startup window.

The breakdown of this command is shown in Table 1, and the output is in Figure 3.

Figure 3

In the GUI
The Wireshark GUI application is easier on the eyes, and it provides some options that aren’t available at the command line. You can start Wireshark from the Application menu or from the terminal.  To load a capture file, select Open in the startup window (Figure 4) or select File | Open from the menubar.  Once you have a packet capture file loaded, you can start searching packet dumps within the Wireshark interface.

Figure 4

The Filter box below the Wireshark toolbar lets you enter criteria for the search. For instance, to search for all the Canonical Name records within the capture file, type in the following filter: dns.resp.type == CNAME (see Figure 5).  After you enter a filter, remember to clear the filter text to see the full file before starting a new search.

Figure 5

Table 1: Parts of a tshark Command

Option Description
‘ip.addr==172.16.134.191         This is my network
and tcp.port >= 6667                   Start of the port range
and tcp.port <= 6670                   End of the port range
and irc’                                           Searches for IRC traffic only
awk {‘print $3,$4,$5,$6’}             Prints the third through sixth patterns from each matching line
sort ‑n                                            Sorts according to string numerical value
uniq ‑c                                            Only prints the number of matches that are unique

Digging deeper, if I want to know how long a client resolver cached the IP address associated with the name cookex.amp.gapx.yahoodns.net (Figure 6), I would enter the following filter:

dns.resp.name == "cookex.amp.gapx. yahoodns.net"

Figure 6

The filter ip.addr == 10.37.32.97 gives information on all communications that involve 10.37.32.97 in the packet dump. If needed, use && to isolate to a specific protocol. The filter ip.dst == 10.37.32.97 or ip.src == 10.37.32.97 looks for a source or destination IP address.

How could I find the password used over Telnet between two IP addresses? For example, if a user at 172.21.12.5 is using Telnet to access a device at 10. 37. 140.160, I can enter:

ip.dst == 10.37.140.160 && ip.src == 172.21.12.5 && telnet.data contains "Password"

The preceding command will list the connections that meet the search requirement, and you can right-click on the packet and click Follow TCP Stream to view the password. (See Figures 7 and 8.)

Figure 7

Figure 8

Note: A much easier way to get the password on the network, if you were sniffing the traffic instead of reading from a capture file, would be to use ettercap, as follows:

$ ettercap ‑Tzq //23

To discover whether someone was viewing a suspicious web page, I can perform a filter search to find out what picture the person at IP address 10.225.5.107 was viewing at Yahoo (216.115.97.236) with the following filter:

ip.dst == 10.225.5.107 && ip.src == 216.115.97.236 && (image‑jfif || image‑gif)

Figure 9

Figure 9 shows the results. If you then right-click on a line in the output and select Follow TCP Stream for the results shown in Figure 10.
The second line in the Follow TCP Stream output specifies that wynn‑ rovepolitico.jpg is the image this person was viewing on the site.

Figure 10

Conclusion
Wireshark can do more than just watch the wires in real time. If you save a snapshot of network activity in a capture file in the pcap format, you can use Wireshark to search through the file to look for clues about nefarious activity.

In this article, I described how to search for information in a capture file using Wireshark and the tshark command-line tool.

Info

[1] Tcpdump and Libpcap: http://www.tcpdump.org/
[2] Snort: http://www..snort.org
[3] Wireshark: http://www.wireshark.org/
[4] Wireshark Download: http://www.wireshark.org/download.html
[5] “Intruder Detection with Tcpdump” by David J. Dodd: http://www.admin‑magazine.com/Articles/Intruder‑Detection‑with‑tcpdump/

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

@MicroservicesExpo Stories
Cloud computing is changing the way we look at IT costs, according to industry experts on a recent Cloud Luminary Fireside Chat panel discussion. Enterprise IT, traditionally viewed as a cost center, now plays a central role in the delivery of software-driven goods and services. Therefore, companies need to understand their cloud utilization and resulting costs in order to ensure profitability on their business offerings. Led by Bernard Golden, this fireside chat offers valuable insights on ho...
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborat...
OmniTI has expanded its services to help customers automate their processes to deliver high quality applications to market faster. Consistent with its focus on IT agility and quality, OmniTI operates under DevOps principles, exploring the flow of value through the IT delivery process, identifying opportunities to eliminate waste, realign misaligned incentives, and open bottlenecks. OmniTI takes a unique, value-centric approach by plotting each opportunity in an effort-payoff quadrant, then work...
Modern Systems announced completion of a successful project with its new Rapid Program Modernization (eavRPMa"c) software. The eavRPMa"c technology architecturally transforms legacy applications, enabling faster feature development and reducing time-to-market for critical software updates. Working with Modern Systems, the University of California at Santa Barbara (UCSB) leveraged eavRPMa"c to transform its Student Information System from Software AG's Natural syntax to a modern application lev...
Hosted PaaS providers have given independent developers and startups huge advantages in efficiency and reduced time-to-market over their more process-bound counterparts in enterprises. Software frameworks are now available that allow enterprise IT departments to provide these same advantages for developers in their own organization. In his workshop session at DevOps Summit, Troy Topnik, ActiveState’s Technical Product Manager, will show how on-prem or cloud-hosted Private PaaS can enable organ...
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
SYS-CON Events announced today that Akana, formerly SOA Software, has been named “Bronze Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Akana’s comprehensive suite of API Management, API Security, Integrated SOA Governance, and Cloud Integration solutions helps businesses accelerate digital transformation by securely extending their reach across multiple channels – mobile, cloud and Internet of Thi...
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides private all-in-one social intranets allowing workers to securely collaborate from anywhere in the world and from any device. Social, mobile, and eas...
SYS-CON Events announced today that Solgenia will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Solgenia is the global market leader in Cloud Collaboration and Cloud Infrastructure software solutions. Designed to “Bridge the Gap” between Personal and Professional S...
SYS-CON Events announced today Sematext Group, Inc., a Brooklyn-based Performance Monitoring and Log Management solution provider, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Sematext is a globally distributed organization that builds innovative Cloud and On Premises solutions for performance monitoring, alerting and anomaly detection (SPM), log management and analytics (Logsene), search analytics (S...
In the midst of the widespread popularity and adoption of cloud computing, it seems like everything is being offered “as a Service” these days: Infrastructure? Check. Platform? You bet. Software? Absolutely. Toaster? It’s only a matter of time. With service providers positioning vastly differing offerings under a generic “cloud” umbrella, it’s all too easy to get confused about what’s actually being offered. In his session at 16th Cloud Expo, Kevin Hazard, Director of Digital Content for SoftL...
When it comes to microservices there are myths and uncertainty about the journey ahead. Deploying a “Hello World” app on Docker is a long way from making microservices work in real enterprises with large applications, complex environments and existing organizational structures. February 19, 2015 10:00am PT / 1:00pm ET → 45 Minutes Join our four experts: Special host Gene Kim, Gary Gruver, Randy Shoup and XebiaLabs’ Andrew Phillips as they explore the realities of microservices in today’s IT worl...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on T...
SYS-CON Events announced today that Site24x7, the cloud infrastructure monitoring service, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Site24x7 is a cloud infrastructure monitoring service that helps monitor the uptime and performance of websites, online applications, servers, mobile websites and custom APIs. The monitoring is done from 50+ locations across the world and from various wireless carr...
Even though it’s now Microservices Journal, long-time fans of SOA World Magazine can take comfort in the fact that the URL – soa.sys-con.com – remains unchanged. And that’s no mistake, as microservices are really nothing more than a new and improved take on the Service-Oriented Architecture (SOA) best practices we struggled to hammer out over the last decade. Skeptics, however, might say that this change is nothing more than an exercise in buzzword-hopping. SOA is passé, and now that people are ...
For those of us that have been practicing SOA for over a decade, it's surprising that there's so much interest in microservices. In fairness microservices don't look like the vendor play that was early SOA in the early noughties. But experienced SOA practitioners everywhere will be wondering if microservices is actually a good thing. You see microservices is basically an SOA pattern that inherits all the well-known SOA principles and adds characteristics that address the use of SOA for distribut...
Microservice architectures are the new hotness, even though they aren't really all that different (in principle) from the paradigm described by SOA (which is dead, or not dead, depending on whom you ask). One of the things this decompositional approach to application architecture does is encourage developers and operations (some might even say DevOps) to re-evaluate scaling strategies. In particular, the notion is forwarded that an application should be built to scale and then infrastructure sho...
Microservices are the result of decomposing applications. That may sound a lot like SOA, but SOA was based on an object-oriented (noun) premise; that is, services were built around an object - like a customer - with all the necessary operations (functions) that go along with it. SOA was also founded on a variety of standards (most of them coming out of OASIS) like SOAP, WSDL, XML and UDDI. Microservices have no standards (at least none deriving from a standards body or organization) and can be b...
Our guest on the podcast this week is Jason Bloomberg, President at Intellyx. When we build services we want them to be lightweight, stateless and scalable while doing one thing really well. In today's cloud world, we're revisiting what to takes to make a good service in the first place. Listen in to learn why following "the book" doesn't necessarily mean that you're solving key business problems.
Exelon Corporation employs technology and process improvements to optimize their IT operations, manage a merger and acquisition transition, and to bring outsourced IT operations back in-house. To learn more about how this leading energy provider in the US, with a family of companies having $23.5 billion in annual revenue, accomplishes these goals we're joined by Jason Thomas, Manager of Service, Asset and Release Management at Exelon. The discussion is moderated by me, Dana Gardner, Principal A...