The drawbacks of local packet captures

Probably the most common way of capturing network data is not a decision between SPAN or TAP – it is Wireshark simply being installed on one of the computers that need to be analyzed. While this an easy way to capture network packets it is also an easy way to get “wrong” results, because there are a lot of side effects when capturing packets directly on a computer. I discussed a lot of these side effects in my Sharkfest 2013 talk “PA-14: Top 5 False Positives” already, but let’s go check them out again.

IPv6 DHCP flood

A few days ago I took a capture for some reason and saw something unexpected that had nothing to do with what I wanted to check: there were tons and tons of DHCPv6 packets trying to renew an IPv6 address in a never ending stream of packets, and really fast, too.

A creative way of refusing connections

A few days ago, Olli, one of our team members, sent me a funny trace that he’d taken while configuring the security settings on a Netoptics Bypass kit. This device has an SNMP and HTTP management service, and when he disabled the HTTP service he verified if the setting was accepted (like you should). Usually, there would either be a Reset packet coming back when a SYN is sent, or no answer at all. To his surprise, the device behaved a little different than expected.

Installing Tomahawk IPS test tool on Debian 7

For a current IPS/IDS project I was looking for a test system to benchmark various IDS/IPS engines. The idea was to record network captures carrying malware samples in HTTP, SMTP or other protocols, and replaying them against the various detection engines. Problem with that is that tools like tcpreplay, bittwist or Ostinato all replay the trace on a single network card, which means that both “client” and “server” side of the communication are injected into the same NIC of the detection engine.

It’s been a while…

…before I found some time to post something on this blog. Mostly because of the summer break, but also because I was attending DefCon 2013 in Las Vegas, after a break of 3 years. I used to be at DefCon every year while it was held at the Riviera, working for the hotel as a network security expert (“We need protection! Evil hackers everywhere!”) with my buddies Eddi and Landi. Funniest thing the Riv guys did back then was to disconnect all public network ports accessible to the public (“the hackers”) like we told them too – well, all except one. That one, they put a small padlock in front of it. Our question to them was “uhm… did you know they have lock picking contests? What do you think will happen when they see this?” ;)

PCAP and PCAPng sanitization tool for network analysts

Trace file anonymization, trace file sanitization… it seems like I can’t decide whether to call it “Sanitization” or “Anonymization” – even in my code base it is sometimes called the first, sometimes the latter. Of course there is a small difference between the two – one is removing sensitive data by cutting it away, while the other replaces it with something generic.