A key capability required in network forensics is the ability to search for a string in a collection of pcap files or in live traffic. You may want to search for a name with the intention of finding any relevant emails, tweets, followers, Facebook activity, etc. Naive packet-level string matching won't work, for the following reasons:
- The transport is usually TCP, so stream reassembly is needed before matching (a pattern can be split across two segments)
- The protocol is usually HTTP, so the HTTP headers must be parsed before the body can be matched
- Chunked transfer encoding must be decoded
- Gzipped content must be decompressed
- Encrypted content (pretty much a dead end unless the connection uses a non-EDH key exchange and you have access to the private key)
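To make the first four reasons concrete, here is an added Python example (not part of the original post and not Unsniff code) that builds a constructed HTTP/1.1 response with a gzipped, chunked JSON body, splits it into fixed-size pieces standing in for TCP segments, and shows that a per-segment byte search for the pattern fails while the same search after reassembly, header parsing, dechunking and gunzip succeeds. The response, the JSON body and the segment size are all constructed for the demonstration.

```python
import gzip
import zlib


def build_sample_response(body_text: str) -> bytes:
    """Constructed HTTP/1.1 response: gzip-compressed body sent with chunked encoding."""
    gz = gzip.compress(body_text.encode("utf-8"))
    mid = len(gz) // 2                      # split the compressed body into two chunks
    chunks = [gz[:mid], gz[mid:]]
    chunked = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/json\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + chunked


def segment(stream: bytes, size: int) -> list:
    """Cut a byte stream into fixed-size pieces, standing in for TCP segments."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def naive_segment_search(segments, pattern: bytes) -> bool:
    """Packet-level matching: look for the pattern inside each segment on its own."""
    return any(pattern in seg for seg in segments)


def parse_http_response(stream: bytes):
    """Split a reassembled response into status line, lower-cased header map and raw body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a chunked transfer-encoded body (hex size line, data, CRLF, ..., 0 chunk)."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                              # skip chunk data and its trailing CRLF
    return bytes(out)


def decode_body(headers, body: bytes) -> bytes:
    """Undo transfer and content encodings so the body is searchable as plaintext."""
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    encoding = headers.get(b"content-encoding", b"").lower()
    if encoding == b"gzip":
        body = gzip.decompress(body)
    elif encoding == b"deflate":
        body = zlib.decompress(body)
    return body


def reassembled_search(segments, pattern: bytes) -> bool:
    """Stream-level matching: reassemble, parse HTTP, decode, then search."""
    stream = b"".join(segments)
    _, headers, body = parse_http_response(stream)
    return pattern in decode_body(headers, body)


if __name__ == "__main__":
    sample = ('{"followers":[{"screen_name":"alice","id":1},'
              '{"screen_name":"mickey","id":2},{"screen_name":"bob","id":3}]}')
    segs = segment(build_sample_response(sample), 64)
    print("per-segment search:", naive_segment_search(segs, b"mickey"))
    print("reassembled search:", reassembled_search(segs, b"mickey"))
```

The per-segment search fails here for two independent reasons: the body is compressed, so the plaintext never appears on the wire, and even an uncompressed body could have the pattern straddling a segment boundary. Only the reassembled, decoded stream is a reliable search target.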
Unsniff Network Analyzer lets you search inside user objects with all of the above already taken care of. To use the UI, switch to the User Objects sheet, press Ctrl+F and enter your pattern. The UI works well in many cases, but often you want to do this automatically.
These days JavaScript-heavy websites like Twitter use JSON as the dominant interchange format. Instead of sending back full HTML pages, they send chunks of JSON that are used to build the final user interface. So in order to present results (such as a Twitter followers list) you need to wrap the results in your own application. This post tells you how to use the Scripting Interface to accomplish that.
- Download and install the latest Unsniff from http://www.unleashnetworks.com/downloads.html
Assume you want to search for the pattern "mickey" in all content.
Step 1: Have your program dump your packets into a libpcap file, say mypackets.pcap
Step 2: Copy the following script into a file named searchuo.vbs in a directory of your choice
Step 3: Run the script like this
```
cscript searchuo.vbs mypackets.pcap mickey .\outputdir
```
Step 4: All user objects that contain the pattern (mails, attachments, contacts and any HTTP exchanges, gzipped or chunked) are reassembled and written as separate files into that directory
Step 5: Your code should read these files and integrate them into your UI. For example, Yahoo mails come as JSON, so you might parse the JSON, or display the raw text with the pattern highlighted, etc. It's your call.
In this mode, Unsniff will be the engine for content extraction. You can then integrate the files into your own application.
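Step 5 leaves the consumer side to your own code. The following is an added Python example, not from the original post and not Unsniff code, of a minimal consumer for the output directory: it reads every extracted file, parses it as JSON where possible and walks the string leaves, and otherwise falls back to line-oriented text, reporting each hit with the pattern highlighted. The two sample files it writes to a temporary directory (one JSON mail object, one plain-text message) are constructed for the demonstration; matching here is case-insensitive, which is an assumption about what a UI wants, not a statement about how Unsniff's HasPattern matches.

```python
import json
import os
import re
import tempfile


def walk_json(obj, path=""):
    """Yield (json_path, string_value) for every string leaf in a decoded JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_json(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk_json(value, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def highlight(text: str, pattern: str) -> str:
    """Wrap every case-insensitive occurrence of pattern in [[ ]] markers for display."""
    return re.sub(re.escape(pattern), lambda m: f"[[{m.group(0)}]]", text, flags=re.IGNORECASE)


def scan_file(path: str, pattern: str) -> list:
    """Return hit records for one extracted user-object file (JSON if it parses, else text)."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    name = os.path.basename(path)
    needle = pattern.lower()
    hits = []
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, (dict, list)):
        for jpath, value in walk_json(doc):
            if needle in value.lower():
                hits.append({"file": name, "kind": "json", "where": jpath,
                             "text": highlight(value, pattern)})
    else:
        for lineno, line in enumerate(text.splitlines(), 1):
            if needle in line.lower():
                hits.append({"file": name, "kind": "text", "where": f"line {lineno}",
                             "text": highlight(line, pattern)})
    return hits


def scan_outputdir(dirname: str, pattern: str) -> list:
    """Scan every file the extraction script wrote into the output directory."""
    hits = []
    for entry in sorted(os.listdir(dirname)):
        full = os.path.join(dirname, entry)
        if os.path.isfile(full):
            hits.extend(scan_file(full, pattern))
    return hits


def make_sample_outputdir() -> str:
    """Constructed stand-in for the script's output directory: one JSON object, one text mail."""
    dirname = tempfile.mkdtemp(prefix="searchuo_")
    with open(os.path.join(dirname, "U_0_Match_UserObject.data"), "w", encoding="utf-8") as fh:
        json.dump({"messages": [{"from": "mickey@example.com", "subject": "Hi"},
                                {"from": "minnie@example.com", "subject": "Re: mickey"}]}, fh)
    with open(os.path.join(dirname, "U_1_Match_UserObject.data"), "w", encoding="utf-8") as fh:
        fh.write("Subject: lunch\r\nFrom: Mickey <mickey@example.com>\r\n\r\nSee you at noon.\r\n")
    return dirname


if __name__ == "__main__":
    for hit in scan_outputdir(make_sample_outputdir(), "mickey"):
        print(f"{hit['file']} [{hit['kind']}] {hit['where']}: {hit['text']}")
```

Each hit record carries the file name and a location (a JSON path or a line number), which is what a UI needs to show context and let the analyst jump to the original object.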
```vbscript
'
' searchuo - Search all user objects for a string match and dump contents
' of matched user objects to file
'
' -----------------------
' Check usage & arguments
' -----------------------
Set Sout = WScript.StdOut
If WScript.Arguments.Count <> 3 Then
    Sout.WriteLine "Usage: cscript searchuo.vbs input-tcpdump-file pattern output-dir"
    WScript.Quit
End If

InputTCPD = WScript.Arguments.Item(0)
Pattern   = WScript.Arguments.Item(1)
DirName   = WScript.Arguments.Item(2)

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

' Remove a stale temporary Unsniff database left over from an earlier run
If fso.FileExists("temp_cap.usnf") Then
    fso.DeleteFile "temp_cap.usnf"
End If

'
' Check if Directory Exists (Create if it doesn't)
'
If Not fso.FolderExists(DirName) Then
    fso.CreateFolder DirName
    Sout.WriteLine "Created Output Folder " & DirName
End If

' Import from tcpdump (libpcap) format into a temporary Unsniff database
Set UnsniffDB = CreateObject("Unsniff.Database")
UnsniffDB.New("temp_cap.usnf")
UnsniffDB.Import "libpcap", InputTCPD
Sout.WriteLine "Imported tcpdump file " & InputTCPD

Dim UOIndex
Dim DupFileCount
Set UOIndex = UnsniffDB.UserObjectsIndex
DupFileCount = 0

' Walk every reassembled user object (mails, attachments, HTTP bodies, ...)
For Each UO In UOIndex
    With UO
        If .HasPattern(Pattern) Then
            ' Files are saved as U1_xx.data, U2_xx.data etc (the name Unsniff prefers);
            ' fall back to a fixed name if no preferred name is available
            PrefName = .PreferredFileName
            If Len("" & PrefName) = 0 Then
                PrefName = "Match_UserObject.data"
            End If
            ExpFilePath = fso.BuildPath(DirName, PrefName)
            ' Do not overwrite an earlier match that produced the same file name
            If fso.FileExists(ExpFilePath) Then
                PrefName = "U_" & DupFileCount & "_" & PrefName
                ExpFilePath = fso.BuildPath(DirName, PrefName)
                DupFileCount = DupFileCount + 1
            End If
            .SaveToFile(ExpFilePath)
            Sout.WriteLine "Found pattern - Saved contents to " & ExpFilePath
        End If
    End With
Next

UnsniffDB.Close()
fso.DeleteFile "temp_cap.usnf"
```