Packet Capture (PCAP) Analysis Tools

What is a PCAP tool?

In computer networking, a packet capture is a term for intercepting a data packet that is crossing a target network. This is done with packet capture and analysis software, which captures network packet traffic and lets one save frame details and analyze them in different ways.

Who is using packet capturing software?

An organization may use software like Wireshark or RSA’s NetWitness Investigator to inspect packets to help diagnose and solve network problems or to determine whether security policies are being followed by their end-users. It can also be used to analyze the data captured from a network in order to identify internal or external security threats. A critical function of NetWitness Investigator is that it converts each protocol into common language so that network engineers and non-engineers alike can perform effective analysis.

Hackers can also use packet capturing software to sniff network traffic, looking to steal data that is being transmitted over a network. For a malicious actor like this, a particularly juicy target would be unencrypted passwords. It is important to be aware of this in order to protect ourselves when using insecure or public networks. Never visit sensitive websites where you may be exposing your credentials (e.g. doing online banking over a coffee shop’s free WiFi) and try to always employ some form of tunneling and data encryption with something like a VPN service.

RSA’s NetWitness Investigator is one of the more sophisticated diagnostic tools on the market. NetWitness provides a high level overview of all the traffic in a PCAP file. While Wireshark looks at each packet, NetWitness categorizes and organizes traffic so that anomalous patterns become very apparent. It creates an extensive log of all network activities and interprets them into a user-friendly format that virtually anyone can interpret.

Packet capture analyzer tools like NetWitness Investigator simplify interpreting packets being transferred over a network. The many functions within it provide optimal viewing options for quick packet analysis. All of this drives home how imperative it is for us to use secure methods when transferring sensitive data!

Wireshark

Wireshark is likely the most widely used packet capture and analysis software in the world. Although it lacks some of the more sophisticated diagnostic tools and prettier interface options (like those in NetWitness), Wireshark remains free for anyone to use. This software enables the capture of network packet traffic and allows one to save frame details in multiple formats that can then be imported into the more sophisticated, expensive software.

Wireshark capture environment

Wireshark can be used by security analysts to find anomalies in network traffic indicative of malicious activity, viruses, or exfiltration of data. At the same time, it is effective in troubleshooting application performance issues or benchmarking service latencies.

Wireshark capture files (otherwise known as packet capture files, or PCAP files) have a “.pcapng” extension, which stands for packet capture, next generation.

Promiscuous mode enables Wireshark to capture packets destined to any host on the same subnet or VLAN. Without this selected, Wireshark would only capture packets to and from the host machine running it.

The top pane of Wireshark is referred to as the frame summary or packet list pane, where all of the packets that Wireshark has captured are shown in time order. This pane provides a summary of the contents of each packet in a format that is relatively human readable.

The middle pane is referred to as the frame details or packet details pane, and is where the packet structure and contents of the fields within a packet are displayed.

The bottom pane, which displays the hex data, is referred to as the hex data or packet bytes pane. All of the information in the packet is displayed in hexadecimal on the left and in decimal on the right. This can be especially useful if passwords are passed unencrypted.

By running the Wireshark software on the same computer that generates the packets, the capture is specific to that machine. However, using a network probe or hub device, or the capture port (SPAN port, Switched Port Analyzer) of a LAN switch, can provide more accurate timing information.

The timestamp used by Wireshark is the current system time on the machine on which Wireshark runs. Attempting to sync Wireshark captures made on two different machines requires a few considerations (namely time differences such as time zones). Using Network Time Protocol (NTP) may alleviate some of these problems, but some issues may still remain. For example, if there is a propagation delay for the timing packets, this could introduce small discrepancies that build up over time and matter a great deal, especially when capturing packets from high-speed interfaces. Therefore, to overcome time zone mismatches altogether, the common best practice is to use the UTC (Coordinated Universal Time) time zone.

A difference between bytes on the wire and bytes captured (seen in the middle pane at the top of the frame header) can indicate that not everything is being captured or that partial or malformed packets have been captured. This could lead to problematic analysis. If this is a regular occurrence, chances are there is a problem with the computer on which Wireshark is running.

Wireshark takes the first 6 hexadecimal characters of the MAC address (the OUI, Organizationally Unique Identifier) and interprets the IEEE-assigned manufacturer's unique ID to determine the company that manufactured the device's network card. The company associated with each unique OUI is public and can be found online at ieee.org.

Filters are one of the most useful tools in Wireshark that can make analyzing captured data much easier. They allow for a complex set of criteria to be applied to the captured packets to filter out any unnecessary data.
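The checks described in the preceding paragraphs (rendering record timestamps in UTC, comparing captured length with on-the-wire length, looking up the source OUI, and filtering frames on field values) in one added Python example. This is not Wireshark's code or any library's API; it is a minimal parser for the legacy libpcap file format written for this page, run over a sample capture that the code constructs itself. The vendor table, the addresses and the frame contents are constructed for the example (only the 00:50:56 VMware assignment is a real registry entry). The .pcapng format the text mentions has a different block structure and is not handled here.

```python
import struct
from datetime import datetime, timezone

# Constructed two-entry vendor table; the authoritative OUI registry is the
# IEEE list the text refers to. "001122" is a made-up entry for the example.
OUI_VENDORS = {"005056": "VMware, Inc.", "001122": "ExampleCorp (constructed entry)"}

# libpcap magic numbers as read little-endian -> (struct byte order, ticks per second)
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian file, nanosecond timestamps
}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_ethernet_ipv4(raw):
    """Pull the fields a packet-list summary line would show from a raw Ethernet frame."""
    dst, src, etype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    oui = src[:3].hex().upper()                      # first 6 hex characters of the source MAC
    d = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "ethertype": etype,
         "src_oui": oui, "src_vendor": OUI_VENDORS.get(oui, "unknown")}
    if etype == 0x0800 and len(raw) >= 34:           # IPv4
        ihl = (raw[14] & 0x0F) * 4
        d["proto"] = raw[23]
        d["src_ip"] = ".".join(map(str, raw[26:30]))
        d["dst_ip"] = ".".join(map(str, raw[30:34]))
        l4 = 14 + ihl
        if d["proto"] in (6, 17) and len(raw) >= l4 + 4:  # TCP/UDP port pair
            d["sport"], d["dport"] = struct.unpack("!HH", raw[l4:l4 + 4])
    return d

def parse_pcap(data):
    """Parse a legacy libpcap file into a list of per-frame dicts."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a libpcap file (pcapng needs a different parser)")
    endian, ticks = MAGICS[magic]
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    frames, off = [], 24
    while off + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        raw = data[off:off + caplen]
        off += caplen
        if len(raw) < caplen:
            raise ValueError("file ends inside a packet record")
        # Timestamps are seconds since the Unix epoch, so rendering them in UTC
        # avoids the time-zone mismatch between capture machines.
        rec = {"time_utc": datetime.fromtimestamp(sec + frac / ticks, tz=timezone.utc).isoformat(),
               "caplen": caplen, "len": origlen, "truncated": caplen < origlen}
        if linktype == 1 and caplen >= 14:           # LINKTYPE_ETHERNET
            rec.update(decode_ethernet_ipv4(raw))
        frames.append(rec)
    return frames

def filter_frames(frames, **criteria):
    """Display-filter analogue: keep only frames whose fields equal every criterion."""
    return [f for f in frames if all(f.get(k) == v for k, v in criteria.items())]

def build_sample_pcap(snaplen=64):
    """Constructed sample: one DNS query frame, captured with a snaplen that truncates it."""
    dns = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, flags (RD), 1 question
           b"\x07example\x03com\x00\x00\x01\x00\x01")             # example.com, type A, class IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)        # UDP checksum 0 = omitted
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 1, 0x4000,
                               64, 17, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])))
    s = sum(struct.unpack("!10H", ip)); s = (s >> 16) + (s & 0xFFFF); s += s >> 16
    ip[10:12] = struct.pack("!H", (~s) & 0xFFFF)                  # IPv4 header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("005056aabbcc") + b"\x08\x00"
    frame = eth + bytes(ip) + udp + dns                           # 71 bytes on the wire
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    cap = frame[:snaplen]
    record = struct.pack("<IIII", 1_700_000_000, 500_000, len(cap), len(frame)) + cap
    return header + record

if __name__ == "__main__":
    for f in filter_frames(parse_pcap(build_sample_pcap()), dport=53):
        print(f)
```

The sample frame is 71 bytes but the capture was written with a 64-byte snaplen, so the parser reports caplen 64 against len 71 and flags the record as truncated; that is the same bytes-on-the-wire versus bytes-captured discrepancy the text says to watch for in the frame header.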

Capturing Wireless Data

The detailed information that Wireshark can provide about antennae, signal strengths, and other aspects of wireless communications is useful for installation, antenna placement, and of course, troubleshooting. In the IEEE 802.11 Quality of Service data and Flags field, Wireshark displays information about the transmitters and receivers of the data, which enables network admins to determine which MAC addresses match each of them.

While it is possible for adversaries to spoof receiver and transmitter addresses, it is unlikely. It is much more common to spoof the MAC address itself, but matching them to their appropriate transmitter and receiver addresses can provide the needed forensic evidence of which devices are involved in a particular communication.

It is common for Wireshark to be installed with a packet capture library called WinPcap. Depending on the wireless interfaces and how the capture is set up, Wireshark will display all of the fields it can capture. That being said, there are some cases where wireless information cannot be captured by Wireshark. Because of this, packet capture add-ons, like AirPcap, are frequently installed. AirPcap is almost certainly required for capturing wireless traffic between multiple devices or between wireless access points and other devices.

An example of using PCAP information in an investigation: the ultimate payload, whether sent through the air or on a wire, is a DNS query. An investigator might use information in a packet capture by linking the Layer 2 MAC address and/or the Layer 3 IP address to specific wireless information.
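The investigation step just described, decoding the DNS query payload and tying it to the Layer 2 and Layer 3 source addresses recorded for the frame, as an added Python example that is not part of the original article or any tool it names. It is a small DNS question parser that rejects truncated labels, over-long labels and self-referential compression pointers rather than misreading them; the sample payload and the MAC and IP addresses are constructed for the example.

```python
import struct

QTYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}

def read_name(msg, off):
    """Walk DNS labels starting at msg[off], following compression pointers only
    backwards so a crafted message cannot loop the parser.
    Returns (dotted name, offset just past the name at its original position)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:                                   # root label terminates the name
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                         # 2-byte pointer, 14-bit offset
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("pointer does not point to an earlier name")
            tail, _ = read_name(msg, ptr)
            return (".".join(labels + [tail]) if labels else tail), off + 2
        if n > 63:
            raise ValueError("label longer than 63 octets")
        off += 1
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n

def parse_dns_query(payload):
    """Decode the header and single question of a DNS query carried in a UDP payload."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qd != 1:
        raise ValueError(f"expected exactly one question, got {qd}")
    qname, off = read_name(payload, 12)
    if off + 4 > len(payload):
        raise ValueError("question truncated before type/class")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": QTYPES.get(qtype, str(qtype)),
            "qclass": "IN" if qclass == 1 else str(qclass),
            "recursion_desired": bool(flags & 0x0100)}

def attribute_query(src_mac, src_ip, payload):
    """Link a decoded query to the Layer 2 and Layer 3 source addresses from the capture."""
    return {"src_mac": src_mac, "src_ip": src_ip, **parse_dns_query(payload)}

# Constructed sample: UDP payload of an A query for example.com, plus the
# addresses a capture would have shown for the frame that carried it.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_SRC_MAC, SAMPLE_SRC_IP = "00:50:56:aa:bb:cc", "192.168.1.10"

if __name__ == "__main__":
    print(attribute_query(SAMPLE_SRC_MAC, SAMPLE_SRC_IP, SAMPLE_QUERY))
```

The resulting record (source MAC, source IP, queried name, type) is the unit an investigator would pivot on; the parser's refusal to follow forward or self-referential pointers is what keeps a malformed packet from stalling the analysis rather than simply being reported as malformed.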