dnslosa.blogg.se

Sample pcap files for analysis

Motivation: I wanted to combine 2 or more packet capture, or pcap, files in order to create an example:

  • One that contains just malicious (or simulated malicious) network traffic.
  • Another that contains legitimate, non-malicious network traffic.

Many example packet capture files focus either specifically on malware, exploits, C2 traffic, etc. (like Security Onion’s list of PCAPs for Testing) or on examples of legitimate traffic (like Wireshark’s Sample Captures). I wanted to create an example that would interweave such sources and intersperse malicious and legitimate traffic, as they would typically occur concurrently.

In addition to tcpdump, there are three CLI tools provided by Wireshark that I used to help accomplish this:

  • capinfos – provides high-level data about a packet capture file.
  • mergecap – combines 2 or more packet capture files.
  • editcap – modifies packet details, such as timestamps, in a packet capture file.

At first I thought mergecap alone would be sufficient, but I wanted the packets from the various source pcaps to overlap so that malicious and legitimate network traffic would be intermingled. However, the mergecap documentation indicates that the timestamps will be preserved:

    Packets from the input files are merged in chronological order based on each frame’s timestamp, unless the -a flag is specified. Mergecap assumes that frames within a single capture file are already stored in chronological order. When the -a flag is specified, packets are copied directly from each input file to the output file, independent of each frame’s timestamp.

To accomplish what I wanted, I needed to edit the timestamps in the pcap files. As a proof-of-concept, I created 2 simple pcap files using tcpdump:

In one terminal:

    sudo tcpdump -i eth0 -nn -w https.pcap host 216.154.220.53

In another terminal:

    sudo tcpdump -i eth0 -nn -w dns.pcap host 8.8.8.8

I examined the details of the 2 files using capinfos:

    $ capinfos -ace https.pcap dns.pcap
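As an added example (not the post's own code, and not Wireshark's), here is a pure-Python reproduction of the three steps the post describes: shift one capture's timestamps the way `editcap -t <offset>` does, interleave the two captures by timestamp the way `mergecap` does without `-a`, and report a capinfos-style start/end/duration. The two captures are constructed in the code rather than captured, and the reader/writer handles only the classic little-endian pcap format that `tcpdump -w` produces, not pcapng.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4                 # classic libpcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def write_pcap(packets):
    """Serialize [(timestamp, frame_bytes), ...] into a classic little-endian pcap blob."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(REC_HDR.pack(sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def read_pcap(blob):
    """Parse a classic little-endian pcap blob back into [(timestamp, frame_bytes), ...]."""
    magic = GLOBAL_HDR.unpack_from(blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here (not pcapng)")
    pos, packets = GLOBAL_HDR.size, []
    while pos < len(blob):
        sec, usec, incl, _orig = REC_HDR.unpack_from(blob, pos)
        pos += REC_HDR.size
        packets.append((sec + usec / 1_000_000, blob[pos:pos + incl]))
        pos += incl
    return packets

def shift_timestamps(packets, offset_seconds):
    """What `editcap -t <offset>` does: add a constant to every frame's timestamp."""
    return [(ts + offset_seconds, data) for ts, data in packets]

def merge_chronologically(*captures):
    """What `mergecap` does without -a: interleave all frames by timestamp (stable on ties)."""
    return sorted((pkt for cap in captures for pkt in cap), key=lambda p: p[0])

def span(packets):
    """capinfos-style summary: (first timestamp, last timestamp, duration in seconds)."""
    first, last = packets[0][0], packets[-1][0]
    return first, last, last - first

# Constructed sample captures (not real traffic): "dns" frames at t=1000..1002, "https" at t=5000..5002.
DNS = [(1000.0 + i, b"DNS%d" % i) for i in range(3)]
HTTPS = [(5000.0 + i, b"TLS%d" % i) for i in range(3)]

def overlap_and_merge(cap_a, cap_b):
    """Shift cap_b so it starts with cap_a, merge, and round-trip through the pcap format."""
    offset = span(cap_a)[0] - span(cap_b)[0]
    merged = merge_chronologically(cap_a, shift_timestamps(cap_b, offset))
    return read_pcap(write_pcap(merged))
```

`overlap_and_merge(DNS, HTTPS)` returns six frames alternating DNS and TLS inside a two-second window, which is the intermingled result the post is after; without the shift the same merge would simply place all DNS frames before all TLS frames.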