Both tcpdump and Wireshark come with powerful features for capturing and manipulating packet captures. But there are times when something more is needed. Below is a collection of supporting utilities I commonly use when working with pcaps.
tcpflow, written by Dr. Jeremy Elson, is a nifty utility that works both as a sniffer and as a static-capture processor. What is unique about it is its ability to reassemble TCP flows into files. It has not been updated in years, but it is stable. It handles out-of-order packets and faithfully reassembles them in the proper order, then writes each direction of a flow to its own file. It does not handle IP fragments very well, however. The tcpflow binary has made its way into a variety of POSIX distributions, or you can download the source and compile it yourself from http://www.circlemud.org/~jelson/software/tcpflow/.
While it would be interesting to run this against live traffic, I typically use it to extract data from a previously captured pcap file. This is useful when someone else has sent me a pcap of an event, such as a file transfer, and I need a copy of what was sent. Usage is simple:
tcpflow -r yourpcap.pcap

It uses the same switch as tcpdump for reading a file: -r. When it is done, the directory you ran it in should contain a pair of files named something like this:
192.168.001.080.00080-010.164.044.172.01355
010.164.044.172.01355-192.168.001.080.00080

Notice these two entries have the same numbers, only reversed, and that the entry for 192.168.001.080 has a five-digit number after it of 00080. That is the port number (zero-padded, like the address octets), and this was a web server. The first file has every byte of data sent from the server to the client, while the second file has everything sent from the client to the server. Taking a look at the first file shows us:
HTTP/1.1 200 OK
Date: Wed, 01 Nov 2006 14:27:49 GMT
Server: Apache/1.3.33 (Unix) DAV/1.0.3
Last-Modified: Tue, 20 Jun 2006 03:14:50 GMT
ETag: "8c89bf1-b91-4497682a"
Accept-Ranges: bytes
Content-Type: text/html; charset=utf-8
Content-Length: 3162

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<title>Security Power Tools</title>
...

With a little bit of editing to remove the initial server response headers, you can easily extract the HTML sent from the server. The same works for images and other binaries with a decent hex editor. Keep in mind that tcpflow writes the TCP payload byte for byte: if the server used Transfer-Encoding: chunked or Content-Encoding: gzip, you still have to undo those before you have the original file, and a keep-alive connection may put several request/response pairs back to back in the same flow file.
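As an added example (it is not part of the book and not part of tcpflow), here is a small Python script that does the editing described above for you: it takes the server-to-client file tcpflow writes, strips the response headers, and undoes chunked transfer encoding and gzip content encoding so you are left with the raw HTML or binary. The file name parser follows the naming shown above; the two sample flows it runs on are constructed inline so the script runs offline.

```python
import gzip
import re
import sys
from typing import Dict, Tuple

# tcpflow zero-pads each octet to three digits and the port to five, e.g.
# 192.168.001.080.00080-010.164.044.172.01355 is 192.168.1.80:80 -> 10.164.44.172:1355
FLOW_NAME = re.compile(
    r"^(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})-"
    r"(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})$"
)


def parse_flow_name(name: str) -> Tuple[str, int, str, int]:
    """Turn a tcpflow file name into (src_ip, src_port, dst_ip, dst_port)."""
    m = FLOW_NAME.match(name)
    if not m:
        raise ValueError(f"not a tcpflow file name: {name!r}")
    f = m.groups()
    src = ".".join(str(int(o)) for o in f[0:4])
    dst = ".".join(str(int(o)) for o in f[5:9])
    return src, int(f[4]), dst, int(f[9])


def split_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP response stream into (status line, headers, body).

    tcpflow writes the TCP payload byte for byte, so the response headers are
    still in front of the body and nothing has been decoded yet.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found (truncated flow?)")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked (RFC 7230 section 4.1)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out += body[eol + 2 : eol + 2 + size]
        pos = eol + 2 + size + 2                      # skip the data and its CRLF
    return bytes(out)


def extract_body(raw: bytes) -> bytes:
    """Return the decoded entity body of the first response in a server->client file."""
    _, headers, body = split_http_response(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[: int(headers["content-length"])]  # drop any following response
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


# Constructed sample flows (not real captures): the page the book shows, once sent
# plainly with a Content-Length, once gzip-compressed and chunked.
HTML = b"<html><head><title>Security Power Tools</title></head><body>...</body></html>\n"

PLAIN_FLOW = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.33 (Unix)\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(HTML) + HTML
)


def _chunk(data: bytes, size: int = 16) -> bytes:
    parts = [data[i : i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


GZ_CHUNKED_FLOW = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
    + _chunk(gzip.compress(HTML))
)

if __name__ == "__main__":
    # Usage: python extract.py 192.168.001.080.00080-010.164.044.172.01355 > page.html
    src, sport, dst, dport = parse_flow_name(sys.argv[1].rsplit("/", 1)[-1])
    print(f"{src}:{sport} -> {dst}:{dport}", file=sys.stderr)
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.buffer.write(extract_body(fh.read()))
```

Run it on the server-side file (the one whose first port is 00080) and redirect stdout to a file; the client-side file contains the request, not the page. Only the first response in the flow is returned, which is what you want when a keep-alive connection carried several.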
According to the official web site (http://netdude.sourceforge.net/), Netdude stands for NETwork DUmp data Displayer and Editor. Despite its nomenclature, it is a very useful program for cleaning up or altering pcap files captured with tcpdump, Wireshark, or any other libpcap-based capture program.
Netdude can be a challenge to install on some operating systems. For whatever reason, the dependencies on some Linux distributions are not correct, which makes it hard to get working. I successfully compiled it on Gentoo using emerge (I had to enable ~x86 for it, however), but building from source can be a challenge. Netdude is a GUI-based app, so you need to be running X. It also requires GTK 1.2.10 or higher, but not GTK2.
Once it is installed, start it, then choose File → Open and select a pcap to load. When the file is loaded, you will have a window like Figure 18-20.
One of the most frustrating things when capturing traffic is finding that the IP, TCP, and/or UDP checksums in your capture are wrong. This is usually not the capture program's fault. Most modern NICs can compute checksums in hardware (checksum offload), and when the driver advertises that capability the OS stops computing them in software to save CPU cycles. libpcap copies the packet out of the kernel before it reaches the NIC, so on the sending host the capture records whatever placeholder was in the checksum field, not the value the NIC later put on the wire. The packets the other end received were fine; only your local copy of outbound packets is affected. tcpdump -v reports these as bad cksum, and Wireshark flags them when checksum validation is enabled in the protocol preferences.
My primary use of Netdude is to fix these botched checksums. There is an easier way to do it, however, if you have scapy installed (see Python/Scapy Script Fixes Checksums). To clean a pcap with Netdude, open a pcap with known checksum problems. Then from the menu bar, choose Edit → Select All (or manually select packets with the mouse). Then choose Protocols → IPv4 → Fix Checksums, Protocols → TCP → Fix Checksums, or Protocols → UDP → Fix Checksums to fix checksums at whichever layers you need. If there are no bad checksums, nothing happens. If there were bad checksums that were fixed, the green X on the file tab bar across the top changes to a red check mark, indicating the file was changed but not saved. Save your changes by selecting File → Save or File → Save As.
"But what about the Plugins → Checksum Fixer?" you ask. I really don't know. It's never worked for me.
In another example, assume you know how a particular exploit works, but do not feel like writing client/server code to create the proper connection. Simple! Just capture valid traffic and then edit it using Netdude. By selecting a packet from the packet list, a second pane opens below, with tabs that show what layers were found in this packet (e.g., Ethernet, IP, ICMP, TCP, UDP, or HTTP). By clicking these tabs, you can select the editor view for that layer. See Figure 18-21, Figure 18-22, Figure 18-23, and Figure 18-24 for examples of different editor modes.
In each of these tabs, the content of the bottom pane is editable. For the Ethernet, IP, TCP, and UDP header values, a pop-up window lets you pick a value for each field. For the application-layer data (HTTP in the example), you can free-form edit the data in either hexadecimal or ASCII. Remember that any time you change data, you need to regenerate the checksums. Netdude does not adjust the IP total length for you, so you are better off overwriting existing bytes than adding or removing them: a change in length would also require fixing the IP total length, the pcap record lengths, and, for TCP, the sequence and acknowledgment numbers of every later segment in the flow. Once you make changes and fix the checksums, save the newly crafted pcap to disk, and the red check mark turns back into a green X to show your changes were saved.
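The two Netdude jobs above, fixing offload-mangled checksums and making a same-length edit to a packet's payload, are easy to script. The following is an added example, not the book's scapy script and not Netdude's code: a standard-library Python tool that walks a classic pcap file (Ethernet link type only, not pcapng), recomputes the IPv4 and TCP/UDP checksums of every frame, and can swap bytes inside a TCP or UDP payload and re-fix the checksums afterwards. The frames it runs on are constructed inline with zeroed checksums, which is what an offloading NIC makes a local capture look like. Fragments and truncated frames are left alone, since their transport checksum cannot be computed from one record.

```python
import struct
import sys
from typing import List, Optional, Tuple

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_layout(frame: bytes) -> Optional[Tuple[int, int, int, int]]:
    """(ip_off, header_len, proto, total_len) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None
    return 14, (frame[14] & 0x0F) * 4, frame[23], struct.unpack("!H", frame[16:18])[0]


def fix_checksums(frame: bytes) -> Tuple[bytes, List[str]]:
    """Recompute the IPv4 and TCP/UDP checksums of one frame; report what changed."""
    layout = _ipv4_layout(frame)
    if layout is None:
        return frame, []                                 # ARP, IPv6, ...: nothing to do
    ip_off, ihl, proto, total_len = layout
    buf, notes = bytearray(frame), []
    hdr = bytearray(buf[ip_off : ip_off + ihl])          # IP checksum covers the header only
    old = struct.unpack("!H", hdr[10:12])[0]
    hdr[10:12] = b"\x00\x00"
    new = inet_checksum(bytes(hdr))
    if old != new:
        notes.append(f"ip csum {old:#06x} -> {new:#06x}")
        buf[ip_off + 10 : ip_off + 12] = struct.pack("!H", new)
    l4_off, l4_len = ip_off + ihl, total_len - ihl
    if struct.unpack("!H", buf[ip_off + 6 : ip_off + 8])[0] & 0x3FFF:
        return bytes(buf), notes + ["fragment: L4 checksum left alone"]
    if len(buf) < l4_off + l4_len:
        return bytes(buf), notes + ["truncated by snaplen: L4 checksum left alone"]
    if proto == PROTO_TCP:
        csum_at, name = 16, "tcp"
    elif proto == PROTO_UDP:
        csum_at, name = 6, "udp"
    else:
        return bytes(buf), notes
    seg = bytearray(buf[l4_off : l4_off + l4_len])
    old = struct.unpack("!H", seg[csum_at : csum_at + 2])[0]
    seg[csum_at : csum_at + 2] = b"\x00\x00"
    pseudo = bytes(buf[ip_off + 12 : ip_off + 20]) + struct.pack("!BBH", 0, proto, l4_len)
    new = inet_checksum(pseudo + bytes(seg))
    if proto == PROTO_UDP and new == 0:
        new = 0xFFFF                                     # UDP uses 0 to mean "no checksum"
    if old != new:
        notes.append(f"{name} csum {old:#06x} -> {new:#06x}")
        buf[l4_off + csum_at : l4_off + csum_at + 2] = struct.pack("!H", new)
    return bytes(buf), notes


def checksums_ok(frame: bytes) -> bool:
    """True when every checksum in the frame already verifies."""
    return fix_checksums(frame)[1] == []


def patch_payload(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Overwrite bytes in the TCP/UDP payload without changing its length, then re-fix checksums.

    Same-length edits are all this does: growing or shrinking the payload would also
    mean rewriting the IP total length, the pcap record lengths and, for TCP, the
    sequence/ack numbers of every later segment in the flow.
    """
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    layout = _ipv4_layout(frame)
    if layout is None or layout[2] not in (PROTO_TCP, PROTO_UDP):
        raise ValueError("only IPv4 TCP/UDP frames are handled")
    ip_off, ihl, proto, _ = layout
    l4_off = ip_off + ihl
    data_off = l4_off + ((frame[l4_off + 12] >> 4) * 4 if proto == PROTO_TCP else 8)
    idx = frame.find(old, data_off)
    if idx < 0:
        raise ValueError("pattern not found in payload")
    return fix_checksums(frame[:idx] + new + frame[idx + len(old) :])[0]


def fix_pcap(data: bytes) -> Tuple[bytes, List[str]]:
    """Fix every frame of a classic pcap file; return the new file and a report."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:   # DLT_EN10MB only
        raise ValueError("not a microsecond pcap with Ethernet link type")
    out, report, pos, n = bytearray(data[:24]), [], 24, 0
    while pos + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[pos : pos + 16])[2]
        fixed, notes = fix_checksums(data[pos + 16 : pos + 16 + incl])
        n += 1
        report += [f"frame {n}: {note}" for note in notes]
        out += data[pos : pos + 16] + fixed
        pos += 16 + incl
    return bytes(out), report


def _frame(proto: int, payload: bytes) -> bytes:
    """Constructed 10.0.0.1 -> 10.0.0.2 frame with all checksums zeroed (offload style)."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_IPV4)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", 1355, 80, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", 1355, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


TCP_FRAME = _frame(PROTO_TCP, b"GET /index.html HTTP/1.0\r\n\r\n")
UDP_FRAME = _frame(PROTO_UDP, b"\x12\x34\x01\x00\x00\x01" + bytes(10))
ARP_FRAME = bytes.fromhex("ffffffffffff0011223344550806") + bytes(28)
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, i, len(f), len(f)) + f
    for i, f in enumerate([TCP_FRAME, UDP_FRAME, ARP_FRAME]))

if __name__ == "__main__":    # Usage: python fixsums.py in.pcap out.pcap
    with open(sys.argv[1], "rb") as fh:
        fixed, report = fix_pcap(fh.read())
    print("\n".join(report) or "no bad checksums")
    with open(sys.argv[2], "wb") as fh:
        fh.write(fixed)
```

The report lists exactly which frames and layers were changed, so running it twice is a quick check: the second pass should report nothing. patch_payload is the scripted equivalent of editing the HTTP tab in Netdude, with the same restriction the text gives: it only overwrites, never grows or shrinks, the payload.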