Monday, August 26, 2013

Wireshark: Packet capture file - leave only headers

There are times when you need to send packet capture files to "some support" but you are unsure whether they contain sensitive information. If sending only the packet headers is acceptable (in some cases it is not, for example when the problem is at the application level), there is a command line tool that ships with Wireshark which can help you:

editcap -s 52  infile.cap outfile.cap

What it does: it chops everything after the first 52 bytes of each packet (packets that are already shorter are left alone). Be careful with the number, though: 52 bytes covers Ethernet (14) + IPv4 without options (20) + UDP (8), but a TCP header is 20 bytes even without options, so the plain Ethernet/IPv4/TCP stack needs 54 bytes; an 802.1Q VLAN tag adds 4, an IPv6 header is 40 bytes instead of 20, and TCP options (MSS, SACK, timestamps) add up to 40 more. Pick the snaplen for the traffic you actually have, or open the result in Wireshark and check that the transport header is complete. Also keep in mind what truncation does not do: MAC and IP addresses, ports and sequence numbers are all still in the file, so if those are sensitive you need to anonymize them as well, not just cut the payload.

After this operation the packets in the file look like this in Wireshark (screenshot):

And at the end of each packet you will see: [Packet size limited during capture]. Wireshark shows this whenever the captured length stored for a frame is smaller than its original length on the wire, which is exactly what truncation produces.

This method is useful when debugging communication problems that are not related to the application layer.
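As an added example (not part of the original post, and not a Wireshark tool), here is a small Python script that does to a classic pcap file what editcap -s does, so you can see what the operation leaves behind and check a file before handing it over. It also goes one step further than a fixed snaplen: strip_payload() cuts every packet where its own L2/L3/L4 headers end, so VLAN tags and TCP options survive and no payload does. The sample capture is constructed inline with RFC 5737 documentation addresses and made-up MAC addresses and ports; it is not a real trace. The header parser only knows Ethernet, 802.1Q, IPv4, IPv6, TCP, UDP and ICMP, and the input must be a little-endian classic pcap, not pcapng (editcap writes pcapng by default, so add -F pcap if you want to feed its output to this script).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR, VLAN_TAG = 14, 4

def header_len(frame):
    """L2/L3/L4 header bytes at the front of an Ethernet frame, or None when the
    frame is too short to read the length fields that decide it."""
    try:
        off = ETH_HDR
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype == 0x8100:                          # 802.1Q tag: 4 more bytes
            ethertype = struct.unpack_from("!H", frame, 16)[0]
            off += VLAN_TAG
        if ethertype == 0x0800:                          # IPv4: IHL in 32-bit words
            proto, off = frame[off + 9], off + (frame[off] & 0x0F) * 4
        elif ethertype == 0x86DD:                        # IPv6: fixed 40-byte header
            proto, off = frame[off + 6], off + 40
        else:
            return off                                   # non-IP: L2 header only
        if proto == 6:                                   # TCP: data offset nibble
            off += (frame[off + 12] >> 4) * 4
        elif proto in (1, 17, 58):                       # ICMP / UDP / ICMPv6
            off += 8
        return off
    except (IndexError, struct.error):
        return None

def read_pcap(data):
    """-> (linktype, snaplen, [(ts_sec, ts_usec, orig_len, captured_bytes), ...])"""
    magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        records.append((ts_sec, ts_usec, orig_len, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return linktype, snaplen, records

def write_pcap(linktype, snaplen, records):
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, orig_len, frame in records:
        # incl_len shrinks while orig_len is kept; that gap is what Wireshark
        # reports as "[Packet size limited during capture]".
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame
    return bytes(out)

def truncate_pcap(data, snaplen):
    """Same effect as `editcap -s <snaplen> in.pcap out.pcap`."""
    linktype, _, records = read_pcap(data)
    return write_pcap(linktype, snaplen, [(s, u, o, f[:snaplen]) for s, u, o, f in records])

def strip_payload(data):
    """Cut each record where its own headers end instead of at a fixed offset, so
    VLAN tags and TCP options survive and no payload does; unparsable frames are kept whole."""
    linktype, snaplen, records = read_pcap(data)
    cut = [(s, u, o, f[:header_len(f) or len(f)]) for s, u, o, f in records]
    return write_pcap(linktype, snaplen, cut)

def audit(data):
    """One verdict per record; run this on the file you are about to hand over."""
    verdicts = []
    for _s, _u, _o, f in read_pcap(data)[2]:
        h = header_len(f)
        if h is None or len(f) < h:
            verdicts.append("header cut")
        elif len(f) > h:
            verdicts.append("payload present")
        else:
            verdicts.append("headers only")
    return verdicts

# --- constructed sample traffic: RFC 5737 addresses, made-up MACs and ports ----
TS_OPT = b"\x01\x01\x08\x0a" + b"\x00" * 8      # NOP, NOP, TCP timestamps = 12 bytes

def build_frame(payload, tcp_options=b"", vlan=False):
    """Ethernet/IPv4/TCP frame with zeroed checksums; enough for header parsing."""
    eth = bytes.fromhex("020000000001020000000002")
    if vlan:
        eth += struct.pack("!HH", 0x8100, 100)
    eth += struct.pack("!H", 0x0800)
    tcp_len = 20 + len(tcp_options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 1, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (tcp_len // 4) << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + tcp_options + payload

FRAMES = [
    build_frame(b"GET /secret?token=abc HTTP/1.1\r\n"),         # headers end at 54
    build_frame(b"user=alice&pw=hunter2", tcp_options=TS_OPT),  # headers end at 66
    build_frame(b"VLAN side", vlan=True),                       # headers end at 58
]
SAMPLE_PCAP = write_pcap(LINKTYPE_ETHERNET, 65535,
                         [(1377475200 + i, 0, len(f), f) for i, f in enumerate(FRAMES)])
```

Running audit() on the four variants (SAMPLE_PCAP as captured, truncate_pcap(SAMPLE_PCAP, 52), truncate_pcap(SAMPLE_PCAP, 54) and strip_payload(SAMPLE_PCAP)) shows the trade-off: the original has payload in all three frames, a fixed 52 clips even the plain TCP header by two bytes, 54 is right for the first frame but cuts the one with TCP options and the VLAN-tagged one, and cutting per packet leaves exactly the headers in all three. The audit also counts Ethernet padding behind a short IP packet as payload, which is fair: support does not need those bytes either.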

You can check the additional options of editcap using editcap -h:



Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only output packets whose timestamp is after (or equal
                         to) the given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         only output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).

Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).

           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C <choplen>           chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end.
  -t <time adjustment>   adjust the timestamp of each packet;
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to insure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.)
                         that a particular packet byte will be randomly changed.

Output File(s):
  -c <packets per file>  split the packet output to different files
                         based on uniform packet counts
                         with a maximum of <packets per file> each.
  -i <seconds per file>  split the packet output to different files
                         based on uniform time intervals
                         with a maximum of <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng.
                         an empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type;
                         default is the same as the input file.
                         an empty "-T" option will list the encapsulation types.

Miscellaneous:
  -h                     display this help and exit.
  -v                     verbose output.
                         If -v is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-out.
