PCAP files ========== When packets are captured off of a network, they are typically written to PCAP (Packet CAPture) files. These files contain some information about the device used to do the capture, and a list of packets that were captured along with what precise time they were captured. PCAP files are invaluable in network reverse engineering. Without packet capture, all you can usually do is speculate. It's like the difference between looking at clues at the scene of the crime, and having a videotape from cameras providing video at every angle. With full packet capture (capture of all inbound and outbound traffic to a network), it is sometimes even possible to write *protocol decoders*, which can be used to show exactly what information went back and forth, at what times. This ability is of extremely high value in any sort of forensic investigation. Wireshark --------- Wireshark is a graphical PCAP viewing tool for Unix, Windows, or MacOS. It features built-in protocol decoders for many standard protocols, powerful filters for examining captures, statistical tools, and much more. It is capable of capturing packets on its own, and reading and writing PCAP files. Let’s load up Wireshark. ![Wireshark’s Startup](ws-start.png) We can now open [an example pcap file](example1.pcap) with “File -> Open”. After loading, we will see Wireshark’s 3-panel display: ![Loaded file](ws-opened.png) The top panel shows a list of frames (packets). The middle panel shows information about the currently-selected frame, and the bottom panel shows a hex dump of the frame. We can click on one of the white triangles to expand information about an aspect of the frame, and by highlighting any line in the second panel, the third panel will highlight that part of the hex dump: ![Examining a frame](ws-examine.png) We can also right-click on a frame in the top panel for a drop-down menu of options. We will focus on the “follow TCP stream” option. ![Follow a stream](ws-follow.png) This opens up a new window in which both sides of the TCP stream are reassembled from the individual frames: ![Followed stream](ws-stream.png) This text can be copied and pasted into a text editor or a binary editor as a means to quickly extract payloads like attachments or transferred files. Wireshark’s weakness, and `tcpflow` ----------------------------------- Wireshark’s TCP reassembly routines have bugs. Sometimes, stream reassembly is incomplete, even though all the frames are present. Under Unix (or Cygwin in Windows), a program called `tcpflow` can do much more reliable--not to mention quick--reassembly of TCP sessions: $ ls example1.pcap $ tcpflow -r example1.pcap $ ls 106.086.094.175.06063-239.201.176.004.65167 239.201.176.004.65167-106.086.094.175.06063 example1.pcap $ `tcpflow` reassembles each side of a connection, which is usually all you want anyway. This has reassembled into the “106.86.94.175 side” and the “239.201.176.4 side”; each file contains what the left IP sent to the right IP. Question ======== Use Wireshark or `tcpflow` to extract the TCP stream from [this packet capture](key.pcap). Then, using techniques from previous sections, decode the payload. View it to find the key for this page.