Packet Analysis Tools

Network analysis

There are several tools that are useful for packet analysis in addition to Ax3soft Unicorn. Here, we’ll look at a few of the ones I have found most useful.

  • tcpdump and Windump
     

Although Ax3soft Unicorn is very popular, it is probably less widely used than tcpdump. Considered the de facto packet capture and analysis utility by several crowds, tcpdump is entirely text based. Although tcpdump lacks graphical features, it is great for sifting through large amounts of data, as you can pipe its output to other commands, such as sed and awk in Linux. As you delve further into packet analysis, you will find use for both Wireshark and tcpdump. You can download tcpdump from http://www.tcpdump.org/.

Windump is simply a distribution of tcpdump that has been remade for Windows. You can download it from http://www.winpcap.org/windump/.

  • PacketsDump

Packetsdump is a free sniffer tool, it is also a general purpose network diagnostic tool for LAN administrators, security professionals, programmers and students who are interested in network traffic transmitted between PC and the whole LAN.  It is available from https://www.ids-sax2.com/PacketsDump.htm

  • Cain & Abel
     

Discussed in Chapter 2, Cain & Abel is one of the better Windows tools for ARP cache poisoning. Cain & Abel is actually a very robust suite of tools, and you will surely be able to find other uses for it as well. It is available from http://www.oxid.it/cain.html.

  • Scapy


Scapy is a very powerful Python library that allows for the creation and manipulation of packets based on command-line scripts within its environment. Simply put, Scapy is the most powerful and flexible packet-crafting application available. You can read more about Scapy, download it, and view sample Scapy scripts at http://www.secdev.org/projects/scapy/.

  • Netdude


If you don’t need something as advanced as Scapy, then Netdude is a great Linux alternative. Although Netdude is limited in its ability, it provides a GUI that is very easy to use for creating and modifying packets for research purposes. Figure A-1 shows an example of using Netdude. You can download Netdude from http://netdude.sourceforge.net/.

Figure A-1: Modifying packets within Netdude

  • Colasoft Packet Builder


If you are a Windows user and want a GUI similar to Netdude, then consider using Colasoft Packet Builder, an excellent free tool. Colasoft also provides an easy-to-use GUI for packet creation and modification. You can download
it from http://www.colasoft.com/packet_builder/.

  • CloudShark


CloudShark (developed by QA Café) is one of my favorite online resources for sharing packet captures with others. CloudShark is a website that displays network capture files inside your browser in a Wireshark-esque manner, as
shown in Figure A-2. You can upload capture files and send the links to colleagues for shared analysis.

Figure A-2: A sample capture file viewed with CloudShark

My favorite thing about CloudShark is that it doesn’t require registration and accepts direct linking via URL. This means that when I post a link to a PCAP file on my blog, someone can just click it and see the packets, without needing to download the file and open it in Ax3soft Unicorn. CloudShark is accessible at http://www.cloudshark.org/.

  • pcapr

pcapr is a very robust Web 2.0 platform for sharing PCAP files created by the folks at Mu Dynamics. As of this writing, pcapr contains nearly 3,000 PCAP files, with examples of more than 400 different protocols. Figure A-3 shows an example of a DHCP traffic capture on pcapr.

Figure A-3: Viewing a DHCP traffic capture on pcapr

When I’m looking for an example of a certain type of communication, I start by searching on pcapr. If you find yourself creating a lot of different capture files in your own experimentation, don’t hesitate to share them with the community by uploading them to pcapr, at http://www.pcapr.net/.

  • NetworkMiner


NetworkMiner is a tool primarily used for network forensics, but I’ve found it useful in a variety of other situations as well. Although it can be used to capture packets, its real strength is how it parses PCAP files. NetworkMiner will take a PCAP file and break it down into the operating systems detected and the sessions between hosts. It even allows you to extract transferred files directly from the capture. NetworkMiner is free to download from http:// networkminer.sourceforge.net/.

  • Tcpreplay


Whenever I have a set of packets that I need to retransmit over the wire to see how a device reacts to them, I use Tcpreplay to perform that. Tcpreplay is designed specifically to take a PCAP file and retransmit the packets contained
within it. Download it from http://tcpreplay.synfin.net/.

  • ngrep


If you are familiar with Linux, you’ve no doubt used grep to search through data. ngrep is very similar and allows you to perform very specific searches through PCAP data. I mostly use ngrep when capture and display filters won’t do the job or get too wildly complex. You can read more about ngrep at http:// ngrep.sourceforge.net/.

  • libpcap


If you plan to do any really advanced packet parsing or create applications that deal with packets, you become very familiar with libpcap. Simply put, libpcap is a portable C/C++ library for network traffic capture. Wireshark, tcpdump,
and most other packet analysis applications rely on the libpcap library at some level. You can read more about libpcap at http://www.tcpdump.org/.

  • hping


hping is one of the more versatile tools to have in your arsenal. hping is a command-line packet crafting and transmission tool. It supports a variety of protocols and is very quick and intuitive to use. You can download hping from http://www.hping.org/.

  • Domain Dossier


If you need to look up the registration information for a domain or IP address, then Domain Dossier is the place to do that. It’s fast, it’s simple, and it works. You can access Domain Dossier at http://www.centralops.net/co/ DomainDossier.aspx.

  • Perl and Python


Perl and Python aren’t tools but rather scripting languages that are well worth mentioning. As you become proficient in packet analysis, you will encounter cases where no automated tool exists to meet your needs. In those cases, Perl
and Python are the languages of choice for making tools that can do interesting things with packets. I typically use Python for most applications, but it’s often just a matter of personal preference.

Share this