Network Traffic Analysis


Network Traffic Analysis may involve capturing traffic and investigating it to find useful information such as:

  • 📚 Interesting files to reverse
  • 🗝️ Cleartext passwords
  • 🗺️ Lists of hosts/IP and protocols
  • ...

We may not have a GUI and may have to use TUI or CLI applications.

You may use tshark -r xxx.pcap -w yyy.pcap -F libpcap to convert a capture to a standard libpcap file if Python tools complain.

Common applications are:


Additional Uncommon Tools

net-creds — Simple Packet Analyzer

net-creds (1.6k ⭐, 2019 🪦) is a network packet sniffer which superseded creds.py (0.2k ⭐, 2015 🪦). It's written in Python 2.

$ wget "https://raw.githubusercontent.com/DanMcInerney/net-creds/master/net-creds.py"
$ wget "https://raw.githubusercontent.com//quentinra/blog.quentinra.dev/cybersecurity/red-team/_knowledge/topics/_files/py3_and_fixes.patch"
$ patch -u < py3_and_fixes.patch
$ python3 net-creds.py -p xxx.pcap

NetworkMiner — Paid Packet Analyzer

NetworkMiner is a paid packet analyzer for Windows. It groups network traffic in tabs and per host. There is a free version 💸.

apackets — Online Packet Analyzer

Refer to apackets. All free analyses are public.


tcpflow — Dump TCP Flows

You can use tcpflow (1.6k ⭐), which is similar to Wireshark's 'Follow TCP Stream' feature, to dump TCP streams.

$ tcpflow -r xxx.pcap -C0

👻 To-do 👻

Stuff that I found but have never read/used yet.

  • Port scanning: look for packets matching the scan (ex: SYN=1;ACK=0)
  • tshark -Y, tshark -r xxx.pcapng -T fields -e data.txt
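As an added example (not from these notes or from any of the tools above), a small pure-Python libpcap reader that applies two of the checks listed on this page: SYN-only segments (SYN=1, ACK=0) fanning out to many ports as a port-scan indicator, and cleartext FTP USER/PASS pairs on the control channel. The capture is constructed in memory; every host, port and credential in it is made up.

```python
import socket, struct
from collections import defaultdict
SYN, ACK, PSH = 0x02, 0x10, 0x08

def tcp_frame(src, dst, sport, dport, flags, payload=b""):  # constructed Ethernet/IPv4/TCP frame; MACs, checksums zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):  # constructed little-endian libpcap file, LINKTYPE_ETHERNET (1)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # 24-byte global header
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame  # 16-byte record header
    return out

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for every TCP/IPv4 record in a libpcap file."""
    end, pos = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24   # magic gives byte order; skip header
    while pos + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[pos:pos + 16])[2]         # incl_len of this record
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # EtherType IPv4, proto TCP
            continue
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]                                   # bounded by IP total length
        (sport, dport), doff = struct.unpack("!HH", tcp[:4]), (tcp[12] >> 4) * 4
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, tcp[13], tcp[doff:])

def analyze(pcap, syn_threshold=3):  # -> ({scanner_ip: pairs_probed}, [(ftp_server, user, password)])
    probes, pending, creds = defaultdict(set), {}, []
    for src, dst, sport, dport, flags, payload in iter_tcp(pcap):
        if flags & (SYN | ACK) == SYN:            # SYN=1, ACK=0: a fresh connection attempt
            probes[src].add((dst, dport))
        if dport == 21 and payload:               # client -> FTP control channel, cleartext
            for line in payload.decode("latin-1").splitlines():
                cmd, _, arg = line.partition(" ")
                if cmd.upper() == "USER":
                    pending[(src, dst)] = arg
                elif cmd.upper() == "PASS" and (src, dst) in pending:
                    creds.append((dst, pending.pop((src, dst)), arg))
    scanners = {ip: len(t) for ip, t in probes.items() if len(t) >= syn_threshold}
    return scanners, creds

def demo():  # constructed capture: a 4-port SYN sweep plus one cleartext FTP login
    frames = [tcp_frame("10.0.0.9", "10.0.0.5", 40000 + p, p, SYN) for p in (22, 80, 443, 8080)]
    frames += [tcp_frame("10.0.0.7", "10.0.0.5", 51000, 21, f, d) for f, d in
               ((SYN, b""), (PSH | ACK, b"USER alice\r\n"), (PSH | ACK, b"PASS s3cret\r\n"))]
    return analyze(build_pcap(frames))
```

Point iter_tcp at the bytes of a real file (after the tshark -F libpcap conversion above if it is pcapng) to run the same checks on an actual capture; the SYN threshold is a heuristic and should be tuned to the network.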