Packet Foo | Analyzing network packets since 2003

Sharkfest 2018 EU

I’m back from Sharkfest EU 2018 and once again it was a great conference. This time, many core developers and instructors brought their families along, so it felt even more like a family gathering than ever before.

Installing Moloch on Debian 9 Stretch

Moloch is a tool that builds on Elasticsearch to process large numbers of network packets, either from a live network or from imported PCAP files. This is how I installed it on a Debian 9 server.

Attacking Wireshark

Jasper
03/9/2018
Coding, Network Forensics, Protocols, Security, Wireshark
4 Comments

Every once in a while there is some news about Wireshark being vulnerable to being attacked/exploited/pwned, meaning that there is a way to craft frames/packets in a pcap/pcapng file to make Wireshark crash and (if done right) execute malicious code. So let’s take a look at what that means and what can be done about it.

Wireshark Column Setup Deepdive

Every once in a while I check the blog statistics for the searches that have brought visitors here. Most of them are more or less concealed versions of “how can I grab the password of others/my ex partner/my children/friends”, which comes as no surprise. Today I saw one search expression that I used as inspiration for this post: “Good Wireshark columns to have”. So let’s talk about them.

PCAP Split and Merge

Sometimes it also happens during network troubleshooting engagements, but it is also common for analysis jobs regarding network forensics: dealing with huge number of packets, sometimes millions or more. Two typical situations may have you scratch your head: either you have one huge file containing all packets at once, or you have a ton of small files that you need to look at. So let’s see how we can still tackle both.

SMB System Error 384

This blog post highlights a very specific detail of Microsoft’s implementation of SMB. It might help those, who try to get rid of SMB version 1 and support staff dealing with inaccessible file shares.

Wireshark GeoIP resolution setup V2.0

I already wrote a blog post about setting up GeoIP resolution for Wireshark in 2013. Now, almost exactly five years later I had to decide if I replace that one with an updated version, or to write a second, updated post instead. I choose the second option.

System Error 58 – Wireshark to the rescue

The other day I was called to investigate a problem where a user could no longer mount a share. The client was running Windows 7. The user got the somewhat obscure message “System error 58 occurred”.

A look at Cisco Tetration

Once again I was invited to join the group of delegates for Tech Field Day Extra at Cisco Live 2018 in Barcelona, with various presentations covering a number of new and improved Cisco technologies. One of them I had seen already last year at the same event in Berlin, but hadn’t had the time to cover it in a blog post: Cisco Tetration.

The Network Capture Playbook Part 6 – Planning Network Troubleshooting

In the previous posts of the Capture Playbook series we discussed various approaches about how to record packets, but before going into more elaborate techniques of doing that we should talk about how a network troubleshooting project works, and especially how to plan a capture setup. In my experience this aspect of a troubleshooting is often neglected, which can be lead to problems during analysis. In the worst case scenario, a botched capture setup can make it impossible to find root cause in the packets that were collected.

12 3 4 5

Sharkfest 2018 EU

Installing Moloch on Debian 9 Stretch

Attacking Wireshark

Wireshark Column Setup Deepdive

PCAP Split and Merge

SMB System Error 384

Wireshark GeoIP resolution setup V2.0

System Error 58 – Wireshark to the rescue

A look at Cisco Tetration

The Network Capture Playbook Part 6 – Planning Network Troubleshooting

Downloads

Recent Comments

Recent Posts

Archives

Meta

Rechtliches