As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. Today's post provides more tips for analysts to better use Wireshark. It covers display filter expressions I find useful in reviewing pcaps of malicious network traffic from infected Windows hosts. To better accomplish this work, I use a customized Wireshark column display as described in my previous blog about using Wireshark. Pcaps for this tutorial are available here.

It's not straightforward to just resend HTTP interactions that have been captured by Wireshark, as the HTTP is transported over TCP, which needs to set up a new connection for each interaction, so things like the TCP sequence numbers would need to be different. One approach would be to extract the HTTP content from the packet trace and resend that over a new TCP connection; Wireshark does allow for HTTP traces to be extracted, which could be resent. If the HTTP requests are being sent from a browser, then you can take advantage of the Web Developer mode available in most modern browsers: by going to the 'Network' section and right-clicking on a particular GET/POST request, one can optionally modify and resend selected requests and/or use curl (e.g.

Otherwise, for more programmatic control of packet replay, one could use scapy as suggested in this answer, though one would need to extract the HTTP content and resend it on new connection(s). However, the latest version of the tcpreplay suite from AppNeta now provides a tool, tcpliveplay, that says it can replay TCP streams, so that seems like it could be the best option.