Archive for the ‘Packet Capture’ category

  1. DDoS Tracefile for SharkFest Europe 2021

    SharkFest Europe has opened its doors for the pre-conference classes. Presentations will start on June 17th. I am honored to give a presentation on DDoS attacks. The trace files for the presentation are available for download at http://www.packet-foo.com/blog/SF21EU/DDoS_Tracefiles.zip. The Zip file contains five traces: FreakOut_Flooding.pcapng: shows the UDP Flood, TCP Flood, SYN Flood and Slowloris attacks […]

  2. Analyzing a failed TLS connection

    Summary: This post demonstrates how to correlate two or more trace files to analyze a broken connection. We identify the root cause and gather information about the network topology. Tracefiles are available at http://www.packet-foo.com/blog/TLS/Skype.zip. We assume that the reader is familiar with TCP basics like session setup, retransmissions, window size, etc.

  3. Wireless Capture on Windows

    Capturing Wireless on Windows was always problematic, because unlike on Linux or Mac it wasn’t possible to activate Monitor mode on the WiFi cards to capture the radio layer. All you could do was capture packets on your WiFi card from the Ethernet layer and up. That’s unless you spent money on the now […]

  4. Installing Moloch on Debian 9 Stretch

    Moloch is a tool that builds on Elasticsearch to process large numbers of network packets, either from a live network or from imported PCAP files. This is how I installed it on a Debian 9 server.

  5. Attacking Wireshark

    Every once in a while there is some news about Wireshark being vulnerable to being attacked/exploited/pwned, meaning that there is a way to craft frames/packets in a pcap/pcapng file to make Wireshark crash and (if done right) execute malicious code. So let’s take a look at what that means and what can be done about […]

  6. Wireshark Column Setup Deepdive

    Every once in a while I check the blog statistics for the searches that have brought visitors here. Most of them are more or less concealed versions of “how can I grab the password of others/my ex partner/my children/friends”, which comes as no surprise. Today I saw one search expression that I used as inspiration […]

  7. PCAP Split and Merge

    Sometimes it also happens during network troubleshooting engagements, but it is also common for analysis jobs regarding network forensics: dealing with a huge number of packets, sometimes millions or more. Two typical situations may have you scratch your head: either you have one huge file containing all packets at once, or you have a ton of […]

  8. SMB System Error 384

    This blog post highlights a very specific detail of Microsoft’s implementation of SMB. It might help those who try to get rid of SMB version 1, and support staff dealing with inaccessible file shares.

  9. Wireshark GeoIP resolution setup V2.0

    I already wrote a blog post about setting up GeoIP resolution for Wireshark in 2013. Now, almost exactly five years later, I had to decide whether to replace that one with an updated version or to write a second, updated post instead. I chose the second option.

  10. System Error 58 – Wireshark to the rescue

    The other day I was called to investigate a problem where a user could no longer mount a share. The client was running Windows 7. The user got the somewhat obscure message “System error 58 occurred”.