Technical Notes

Everything about Computer Science

Extract files from captured network traffic pcap (2)

Table of Contents: Tcpxtract, Tcpextract.

Tcpxtract: Supports 26 file formats and is extensible (/etc/tcpxtract.conf); however, it requires clear start and end markers. It supports only TCP packets, not UDP. Live capture from an interface and extract:

$ mkdir -p /tmp/enp0s3-tcpxtract-output
$ sudo tcpxtract -d enp0s3 -o /tmp/enp0s3-tcpxtract-output

Extract from the pcap file:

Tcpextract: Similar to both tcpflow and tcpxtract, tcpextract extracts all files it recognizes from a pcap file or interface.

Extract files from captured network traffic pcap (1)

Table of Contents: Introduction, Wireshark, HTTP objects and files, Binary files, Tcpflow & Foremost.

Introduction: The process of carving data out of network packets is mostly the same across tools, and consists of:

1. Gain access and collect the raw bytes
2. Strip the protocol information
3. Extract and write the data to file

The tools differ in their capabilities, i.e., the supported protocols and file formats.

Wireshark: Changing the Default Column Display

Background: The following setup is intended to streamline the column display for effective analysis of HTTP and HTTPS traffic. The default columns are: ‘No (Packet number)’, ‘Time’, ‘Source’, ‘Destination’, ‘Protocol’, ‘Length’, and ‘Info’.

Table of Contents: Background, Changing the column display, Changing the Time Display Format, Adding HTTP Server Names, Adding HTTPS Server Names.

Changing the column display: To change the default column display, navigate to ‘Preferences’:

Encrypting DNS Traffic

Table of Contents: DNSCrypt, Install, Select a resolver, Modify resolv.conf, Start systemd service, Verify the DNS traffic is encrypted.

DNSCrypt can be used to increase web browsing privacy and thwart DNS traffic sniffing. It enables encryption and authentication of DNS traffic between the local computer and the remote DNS resolver. It helps to mask the domain resolution (otherwise sent in clear text) to the DNS server before the HTTPS connection to the target website is initiated.

DNS resolution benchmark

Table of Contents: dig & grep, namebench.

dig & grep: A straightforward way is to use the dig util from the dnsutils package and grep the results. This works well for quick debugging on the go:

# apt-get install dnsutils
$ dig @202.188.0.132 archive.org | grep "Query time:"
;; Query time: 356 msec
$ dig @8.8.8.8 archive.org | grep "Query time:"
;; Query time: 48 msec

Note: 202.

Killing TCP connections

Table of Contents: Tcpkill, GDB.

Tcpkill enables a privileged user to kill TCP connections; it takes a tcpdump expression. It’s part of the dsniff package. The default degree of brute force used in killing a connection is 3; fast connections may require a higher number in order to land a RST in the moving receive window.

tcpkill [-i interface] [-1...9] expression

For example, to kill the established and also to prevent any connections from 192.

Tracing Malicious Network Traffic

Table of Contents: Nettop, Google Transparency Report: Safe Browsing Tool, Netstat, Flowtop.

Nettop: Assume an unknown or suspicious entry (i.e., no chat client is being used, but a random chat domain appeared: vmp.boldchat.com) is spotted during DNS monitoring such as that in the previous post, Sniff DNS queries. Under macOS, the nettop util provides a detailed list of sockets and routes that helps to trace the process that established the connection to the unknown domain:

Sniff DNS Queries

Table of Contents: Dnstop, Tcpdump, Wireshark / Tshark.

Dnstop is a console libpcap application that displays various tables of DNS traffic on a network, including source IP addresses, destination IP addresses, query types, top level domains, and second level domains.

# dnstop enp0s3 -l 3

Use ctrl-r to reset the counter and refresh the history to get the latest queries.

Tcpdump: Capture packets from port 53 (DNS):

Capture Network Traffic on WLAN (macOS)

Table of Contents: MacOS’s Airport, Wireshark.

MacOS’s Airport is a built-in wireless utility that comes preinstalled in MacOS.

$ ll /usr/local/bin/airport
lrwxr-xr-x 1 root wheel 89 Jun 22 2016 /usr/local/bin/airport@ -> /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

Perform a wireless broadcast scan to get the list of access points in the neighborhood:

Sniff 802.11 frames on channel 1; the output is in pcap format and can be opened with tcpdump/wireshark:

$ airport en0 sniff 1
Capturing 802.

Dynamic Traceroute

mtr: Oftentimes, troublesome networks won’t show up in the results of a few packets. mtr combines the functionality of the traceroute and ping utils and enables the user to constantly poll a remote server to see latency and performance changes over time. It’s not installed by default on most Linux systems; simply get it from the distribution and package manager of choice:

$ sudo apt-get install mtr

To debug remotely over ssh where no GUI is available, use the --curses or -t option: