Notes that help when analysing pcap files. Some of the exercises referred to here are from http://www.malware-traffic-analysis.net/.
To find hostnames and MAC addresses, look at the DHCP exchange: the client's MAC is in the chaddr field and the hostname in option 12 (-v makes tcpdump decode the options). Filter on the DHCP ports rather than on a source host, because a client that has no lease yet sends Discover/Request from 0.0.0.0:
tcpdump -nnvA -s0 -r exercise.pcap 'udp port 67 or udp port 68'
ARP gives the MAC-to-IP mapping (but no hostname); the host primitive also matches the addresses inside ARP packets:
tcpdump -nnA -s0 -r exercise.pcap 'src host 192.168.10.10 && arp'
Finding the User-Agent and OS
Dump the plaintext HTTP requests sent by the host and pull out the User-Agent headers (sort | uniq -c lists each distinct agent once with a count):
tcpdump -nnA -s0 -r exercise.pcap 'src host 192.168.10.10 && dst port 80' | grep -i 'User-Agent' | sort | uniq -c
User-Agent - Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
OS - Windows NT 6.1 = Windows 7 (Trident/7.0 with rv:11.0 is Internet Explorer 11). The User-Agent is client-supplied and can be spoofed, so treat it as a hint and confirm with other evidence (DHCP hostname, NetBIOS/SMB traffic, TLS fingerprints).
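Automating the two lookups above (DHCP hostname/MAC and HTTP User-Agent/OS) without tcpdump: the following is an added example, not code from the original post. It walks a classic pcap file with only the standard library, pulls the client MAC (chaddr) and hostname (option 12) out of DHCP requests, collects User-Agent headers from port-80 requests, and maps the "Windows NT x.y" token to the marketing name the way the post does for NT 6.1. The MAC, IPs, hostname LAB-PC and the pcap bytes are constructed inline for the demo; the function names are this example's own.

```python
import re
import socket
import struct

# Windows NT kernel version -> product name (the "NT 6.1 = Windows 7" lookup generalised).
NT_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
               "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}


def windows_from_user_agent(ua):
    """Return the Windows product name named in a User-Agent string, or None."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return NT_VERSIONS.get(m.group(1), "Windows NT " + m.group(1)) if m else None


def pcap_packets(data):
    """Yield the raw frames of a classic (non-pcapng) pcap file, either byte order."""
    endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4 + UDP or TCP; return a dict or None for anything else."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    l4 = ip[ihl:]
    if proto == 17:                             # UDP: 8-byte header
        payload = l4[8:]
    elif proto == 6:                            # TCP: header length from data offset
        payload = l4[(l4[12] >> 4) * 4:]
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "proto": proto, "sport": sport, "dport": dport, "payload": payload}


def dhcp_client(payload):
    """Return (chaddr MAC, hostname from option 12) from a DHCP message, or None."""
    if len(payload) < 240 or payload[236:240] != b"\x63\x82\x53\x63":   # magic cookie
        return None
    mac = ":".join(f"{b:02x}" for b in payload[28:34])
    opts, i, hostname = payload[240:], 0, None
    while i + 1 < len(opts) and opts[i] != 255:  # TLV options until End (255)
        if opts[i] == 0:                          # Pad has no length byte
            i += 1
            continue
        length = opts[i + 1]
        if opts[i] == 12:
            hostname = opts[i + 2:i + 2 + length].decode("ascii", "replace")
        i += 2 + length
    return mac, hostname


def http_user_agent(payload):
    """Return the User-Agent header of a plaintext HTTP request, or None."""
    for line in payload.split(b"\r\n"):
        if line[:11].lower() == b"user-agent:":
            return line[11:].strip().decode("ascii", "replace")
    return None


def summarize(pcap_bytes):
    """Group what the capture reveals per source MAC: hostname, IPs, user agents."""
    hosts = {}
    for frame in pcap_packets(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        h = hosts.setdefault(pkt["src_mac"], {"hostname": None, "ips": set(), "user_agents": set()})
        if pkt["src_ip"] != "0.0.0.0":           # unleased DHCP clients send from 0.0.0.0
            h["ips"].add(pkt["src_ip"])
        if pkt["proto"] == 17 and pkt["dport"] == 67:
            found = dhcp_client(pkt["payload"])
            if found and found[1]:
                hosts.setdefault(found[0], h)["hostname"] = found[1]
        elif pkt["proto"] == 6 and pkt["dport"] == 80:
            ua = http_user_agent(pkt["payload"])
            if ua:
                h["user_agents"].add(ua)
    return hosts


# --- constructed sample capture (not a real pcap): one DHCP Request and one HTTP GET ---
def _frame(src_mac, src_ip, dst_ip, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + l4     # checksums left at 0

def _dhcp_request(mac, hostname):
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x1234, 0, 0x8000, *([b"\0" * 4] * 4))
    fixed += mac + b"\0" * 10 + b"\0" * 64 + b"\0" * 128     # chaddr, sname, file
    opts = bytes([53, 1, 3, 12, len(hostname)]) + hostname.encode() + b"\xff"
    return fixed + b"\x63\x82\x53\x63" + opts

MAC = bytes.fromhex("001122334455")
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for _f in (
    _frame(MAC, "0.0.0.0", "255.255.255.255", 17,
           struct.pack("!HHHH", 68, 67, 8 + 243, 0) + _dhcp_request(MAC, "LAB-PC")),
    _frame(MAC, "192.168.10.10", "93.184.216.34", 6,
           struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
           + b"GET / HTTP/1.1\r\nHost: example.com\r\n"
             b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n\r\n"),
):
    SAMPLE_PCAP += struct.pack("<IIII", 0, 0, len(_f), len(_f)) + _f

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_PCAP).items():
        print(mac, info["hostname"], sorted(info["ips"]),
              [(ua, windows_from_user_agent(ua)) for ua in info["user_agents"]])
```

Replace SAMPLE_PCAP with open("exercise.pcap", "rb").read() to run it on a real capture; pcapng files (Wireshark's default) need converting first (editcap -F pcap). TCP segments are taken one at a time, so a request split across segments would be missed by http_user_agent.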
Using Wireshark: display filters to show all HTTP requests
http.request
and only the requests sent to a destination IP highlighted in a Snort alert (ip.dst restricts to that direction; ip.addr would also match replies coming back from it):
http.request && ip.dst==10.10.10.10