Hunting through pcap can be a daunting task even with the plethora of tools available to analyze network traffic.  Digging through pcap on the Linux command line using tcpdump, Bash, and BPF filters can be an effective way to get an understanding of various protocols.  This blog post will demonstrate some CLI Kung Fu with network forensics.

First we can get an idea of the packet count by reading the file into tcpdump and piping the output into the Linux utility “wc” with the “-l” switch to count the lines of output:

[Screenshot: packet_count]

SYNs

Additionally, you can use a BPF filter to count the SYNs in the pcap sample with “tcp[13]=2”. This filters on the TCP flags byte, which is at offset 13 (counting from zero) in the TCP header, for a value of 2 (the SYN flag).

[Screenshot: syn_count]

We can apply additional Linux utilities to get more information from the pcap.  In the example below we pipe the output into the grep utility to search for the value ‘ IP ’:

[Screenshot: IP_1]

Now if we are only interested in the destination IP address for the SYNs, we can use the Linux awk utility to print the 6th element in the line based on a space delimiter:

[Screenshot: ip_2]

Next you can pipe the output through awk again, changing the delimiter to “.” to drop the port:

[Screenshot: ip_3]

Next you can summarize the data by piping the output through the Linux utilities sort and uniq with switch “-c”, then sort again with switch “-nr”.

If you want a summary of the ports associated with the SYNs in the pcap, we can chain a series of Linux utilities to pull just the port out of the SYN traffic and summarize the data:

[Screenshot: port_summ]


DNS

DNS can be another very interesting protocol to analyze when performing network forensics.  By using the simple BPF syntax “udp and port 53” we can focus on DNS traffic.  The screenshot below pipes that output through the grep utility searching for ‘ A? ’ to look for A record (host address) queries:

[Screenshot: dns_1]

To summarize the queries in the pcap we can grab just the requested domain using the awk utility.  Since the domain is the second to last element in the line, we can use the “NF-1” variable to print the second to last element based on a space delimiter.  Then we pipe the output through the sort/uniq combo to summarize the data, and we use the Linux utility “head -n 10” to show only the first 10 entries:

[Screenshot: dns_2]

To filter the data further we can use the Linux utility “egrep -v” to remove any lines that match the specified regular expression.  In the screenshot below we are removing domains based on their top level domain:

[Screenshot: dns_3]
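As an added example, not from the original post: the SYN and DNS summaries described above, applied to constructed tcpdump output lines so it runs without a pcap. It assumes the lines came from “tcpdump -nn -tttt”, whose two-field timestamp puts the destination in the 6th space-separated field; with the default one-field timestamp the destination would be the 5th field instead.

```shell
#!/bin/sh
# Added example: the post's awk/sort/uniq pipelines run over constructed
# tcpdump lines (format of 'tcpdump -nn -tttt', so the destination is $6).

# Constructed output of: tcpdump -nn -tttt -r sample.pcap 'tcp[13]=2'
syn_lines() {
cat <<'EOF'
2024-01-01 10:00:01.000001 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
2024-01-01 10:00:02.000002 IP 10.0.0.5.51235 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0
2024-01-01 10:00:03.000003 IP 10.0.0.7.40000 > 198.51.100.9.22: Flags [S], seq 3, win 64240, length 0
2024-01-01 10:00:04.000004 IP 10.0.0.7.40001 > 198.51.100.9.80: Flags [S], seq 4, win 64240, length 0
2024-01-01 10:00:05.000005 IP 10.0.0.9.40002 > 93.184.216.34.80: Flags [S], seq 5, win 64240, length 0
EOF
}

# Constructed output of: tcpdump -nn -tttt -r sample.pcap 'udp and port 53'
dns_lines() {
cat <<'EOF'
2024-01-01 10:00:01.000001 IP 10.0.0.5.53001 > 10.0.0.2.53: 1001+ A? www.example.com. (33)
2024-01-01 10:00:01.000002 IP 10.0.0.2.53 > 10.0.0.5.53001: 1001 1/0/0 A 93.184.216.34 (49)
2024-01-01 10:00:02.000003 IP 10.0.0.7.53002 > 10.0.0.2.53: 1002+ A? updates.example.org. (37)
2024-01-01 10:00:03.000004 IP 10.0.0.9.53003 > 10.0.0.2.53: 1003+ A? www.example.com. (33)
2024-01-01 10:00:04.000005 IP 10.0.0.9.53004 > 10.0.0.2.53: 1004+ A? host.dyn.example.net. (38)
EOF
}

# SYN destinations: $6 is "dst.ip.port:", so splitting on "." keeps the four octets.
syn_dst_summary() {
  grep ' IP ' | awk '{print $6}' | awk -F. '{print $1"."$2"."$3"."$4}' \
    | sort | uniq -c | sort -nr
}

# SYN destination ports: the fifth dot-separated piece, with the trailing colon removed.
syn_port_summary() {
  grep ' IP ' | awk '{print $6}' | awk -F. '{print $5}' | tr -d ':' \
    | sort | uniq -c | sort -nr
}

# DNS A queries: the name is second to last, so $(NF-1); grep -E -v (egrep -v)
# drops names matching the TLD pattern passed as the first argument.
dns_query_summary() {
  grep ' A? ' | awk '{print $(NF-1)}' | grep -E -v "$1" | sort | uniq -c | sort -nr
}

syn_lines | syn_dst_summary
syn_lines | syn_port_summary
dns_lines | dns_query_summary '\.(com|org)\.$'
```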


HTTP

HTTP can be a very interesting protocol to investigate when analyzing network traffic.  You can leverage more advanced BPF syntax to filter for certain packet data within the HTTP protocol.  HTTP GET and POST requests will be at the same place in the packet each time.  They start at byte offset 20 (counting from zero) in the TCP header, so we can craft a BPF filter to search for either a GET or a POST and match any request regardless of the port.  Below is an example of filtering for HTTP GET requests by checking whether the four bytes at offset 20 of the TCP header are ‘0x47455420’, which is ‘GET ’ in ASCII:

[Screenshot: http1]

The last command in the screenshot above uses BPF filtering logic to remove certain network ranges from the output with the “and not net” expression.  Here you can begin to remove legitimate network communication and focus on the “unknown” activity.  This type of logic can be placed in a BPF filter file and built up to several hundred lines to profile the network activity for a given protocol:

[Screenshot: httppro]

You can create these types of BPF files for SYNs, HTTP, DNS, etc. to remove legitimate network ranges and focus on unexplained activity.  Below are some additional examples for SYNs and DNS:

[Screenshot: synpro]

Focusing on name servers of interest (dynamic DNS services):

[Screenshot: dnspro]

FTP

You can focus on FTP by using the BPF expression “tcp and port 21”, then use the grep utility to look for some of the commands in the network traffic, namely RETR and STOR.  After grep we pipe the output through the “sed” utility to clean up the line and remove the trailing junk so the output is easier to read:

[Screenshot: ftp]

This post explored the power of tcpdump, Linux utilities, and BPF expressions.  As a CLI ninja you aren’t held back by the limitations of tools and can work directly from the raw pcap to perform your analysis.  In addition, these utilities can go through gigabytes of pcap quickly, which is often a limitation of GUI tools like Wireshark.