
Tuesday, March 6, 2012

Network Forensics

driftnet

Driftnet is a network utility that sniffs traffic for images and other media and displays them in an X window. It is useful in investigations where users' Internet habits are being monitored: rather than sniffing all traffic with a tool such as Wireshark and picking through it by hand, Driftnet automatically extracts the images and media it sees and shows them to the user. It can only recover content sent in the clear, and on a wireless network it only sees the traffic the interface actually receives. In the example below, we capture on the wireless interface wlan0 (driftnet puts the interface into promiscuous mode by default) and instruct driftnet to be verbose in its output.

Example Usage: driftnet -i wlan0 -v

p0f

p0f is a passive host identifier. It uses a fingerprinting technique that looks at the structure of TCP/IP packets from a host (initial TTL, window size, the order of TCP options, and similar details) in order to guess the operating system and other properties of the host. What sets p0f apart from active scanners is that it is completely passive: it sends no packets of its own. All the host has to do is connect to the same network or be contacted by another host on the network; the packets generated by those transactions give p0f enough data to guess the system. Note that you need a file containing fingerprints in order to identify hosts. In this example, we read fingerprints from /etc/p0f/p0f.fp and listen on wlan0 via libpcap.

Example Usage: p0f -f /etc/p0f/p0f.fp -i wlan0
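To make concrete what "looking at the structure of TCP/IP packets" means, here is an added example, not p0f's own code, that parses a raw TCP SYN frame and pulls out the fields a p0f-style signature is built from. The two frames, the build_syn helper and the two-entry signature table are constructed for this illustration; real p0f.fp entries record more fields and quirks, and a real deployment would feed frames from libpcap rather than build them by hand.

```python
"""Passive TCP SYN fingerprinting in the spirit of p0f.

Added illustration, not p0f's own code.  It parses raw Ethernet/IPv4/TCP
frames and derives the kinds of fields a p0f signature is built from
(initial TTL, DF bit, window size, MSS, window scale, option order).
The frames and the two-entry signature table are constructed for this
example; real p0f.fp entries carry more fields and quirks.
"""
import struct

# TCP option kinds -> the short names p0f uses in its option-layout field.
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}

# Constructed toy signature table keyed on (initial TTL, option layout, DF bit).
SIGNATURES = {
    (64, "mss,sok,ts,nop,ws", True): "Linux-like stack (illustrative)",
    (128, "mss,nop,ws,nop,nop,sok", True): "Windows-like stack (illustrative)",
}


def build_syn(src_ip, ttl, window, options, df=True, flags=0x02):
    """Build an Ethernet/IPv4/TCP frame as test input (checksums left at zero)."""
    opts = options + b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (tcp_len // 4) << 4, flags, window, 0, 0) + opts
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, src, bytes([10, 0, 0, 1]))
    eth = b"\x00" * 11 + b"\x02" + b"\x08\x00"                 # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def tcp_options(raw):
    """Walk the TCP option list; return (layout names, MSS, window scale)."""
    layout, mss, wscale, i = [], None, None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                       # end of option list
            layout.append("eol")
            break
        if kind == 1:                                       # NOP carries no length byte
            layout.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                                           # truncated or malformed option
        length = raw[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", raw[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            wscale = raw[i + 2]
        layout.append(OPTION_NAMES.get(kind, "?%d" % kind))
        i += length
    return layout, mss, wscale


def guess_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def syn_signature(frame):
    """Return (source IP, signature dict) for a TCP SYN frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # need Ethernet + IPv4 + TCP headers
        return None
    ip = frame[14:]
    if (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!HBB", ip[6:10])
    tcp = ip[ihl:]
    if proto != 6 or len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:                            # SYN set, ACK clear: a client's first packet
        return None
    layout, mss, wscale = tcp_options(tcp[20:data_offset])
    sig = {
        "ittl": guess_initial_ttl(ttl),
        "df": bool(flags_frag & 0x4000),
        "wsize": struct.unpack("!H", tcp[14:16])[0],
        "mss": mss,
        "wscale": wscale,
        "olayout": ",".join(layout),
    }
    return ".".join(str(b) for b in ip[12:16]), sig


def fingerprint(frame):
    """Match a SYN against the toy table; return 'ip: label [fields]' or None."""
    parsed = syn_signature(frame)
    if parsed is None:
        return None
    src, sig = parsed
    label = SIGNATURES.get((sig["ittl"], sig["olayout"], sig["df"]), "unknown")
    return "%s: %s [ittl=%d df=%s win=%d mss=%s ws=%s %s]" % (
        src, label, sig["ittl"], sig["df"], sig["wsize"], sig["mss"], sig["wscale"], sig["olayout"])


# Constructed SYN frames: option layouts typical of Linux and Windows clients, a few hops away.
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"
LINUX_SYN = build_syn("10.0.0.5", ttl=57, window=29200, options=LINUX_OPTS)
WINDOWS_SYN = build_syn("10.0.0.9", ttl=121, window=8192, options=WINDOWS_OPTS)

if __name__ == "__main__":
    for frame in (LINUX_SYN, WINDOWS_SYN):
        print(fingerprint(frame))
```

The observed TTL of 57 is rounded up to an initial value of 64 because each router hop decrements it by one, which is why a passive tool can only infer the initial TTL rather than read it. Only the SYN (SYN set, ACK clear) is fingerprinted here, since that is the packet whose option layout the client chose on its own; SYN-ACKs and data packets are rejected.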

tcpreplay

tcpreplay is a suite of network utilities that can take previously sniffed traffic (a pcap file) and replay the packets onto the live network. This is often used to test devices on the network, such as firewalls or Intrusion Prevention/Detection Systems (IPS/IDS), against real captured traffic. The suite itself consists of tcpprep, tcprewrite, tcpreplay, tcpreplay-edit, tcpbridge, and tcpcapinfo.

tcpprep: analyze packet capture files to determine which hosts are clients and which are servers, and create a cache file used by tcpreplay and tcprewrite
tcprewrite: edit the layer 2 through layer 4 headers (MAC addresses, IP addresses, ports) of packets in capture files
tcpreplay: inject packet capture files back into the live network
tcpreplay-edit: replay packet capture files while applying tcprewrite-style edits on the fly
tcpbridge: bridge two segments of a network together, rewriting packets with tcprewrite's capabilities as they pass
tcpcapinfo: decode raw packet capture files and debug them

Wireshark

Wireshark is the famous packet capture and analysis program used by thousands of professionals and amateurs alike. It lets users listen on a network interface via libpcap and logs the traffic it sniffs. In addition to capturing data, Wireshark provides an easy, graphical way to filter and analyze the traffic: following TCP streams, filtering out ARP or broadcast packets, and virtually any other filtering option you can imagine. It also opens pcap files written by other tools, so captures taken elsewhere with tcpdump can be examined in the same interface.

Xplico

Xplico is a Network Forensic Analysis Tool (NFAT) that specializes in extracting application data from packet capture files. Although it includes a live traffic capture feature, it is best suited to pcap analysis. Xplico can extract email, HTTP, VoIP, FTP, and other data directly from the pcap file and presents it to the user as the original application data. For example, it can reconstruct an image sent via FTP from the packet capture of the FTP session. In the example below, we use Xplico to decode the information from capture.pcap.

Example Usage: xplico -m pcap -f capture.pcap
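Both Driftnet's image sniffing and Xplico's reconstruction of a file from an FTP session come down to the same step once a TCP stream has been reassembled (the step Wireshark's "Follow TCP Stream" performs): finding file boundaries in the byte stream. The following is an added example, not code from Driftnet or Xplico; the HTTP responses, the stub JPEG and the 1x1 PNG are constructed test input, and carve_images and png_end are names chosen for this illustration.

```python
"""Carving images out of a reassembled TCP byte stream.

Added illustration, not code from driftnet or Xplico.  Given the bytes of
a reassembled TCP stream (an HTTP response body or an FTP data connection),
it locates complete JPEG and PNG files by their markers and chunk structure.
The HTTP responses, the stub JPEG and the 1x1 PNG are constructed test input.
"""
import struct
import zlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"        # start / end of image markers
PNG_SIG = b"\x89PNG\r\n\x1a\n"                           # 8-byte PNG signature


def png_end(stream, start):
    """Walk PNG chunks (length, type, data, CRC) from the signature at `start`
    to IEND; return the offset just past IEND, or None if truncated or corrupt."""
    i = start + len(PNG_SIG)
    while i + 8 <= len(stream):
        length = struct.unpack("!I", stream[i:i + 4])[0]
        ctype = stream[i + 4:i + 8]
        i += 8 + length + 4                               # header, data, CRC
        if i > len(stream):
            return None
        if ctype == b"IEND":
            return i
    return None


def carve_images(stream):
    """Return [(kind, bytes), ...] for every complete JPEG or PNG in the stream.

    PNG boundaries come from the chunk structure and are exact.  JPEG has no
    length field, so the first EOI marker after SOI is taken as the end; this
    is the heuristic a quick sniffer uses and it can split a JPEG that embeds
    a thumbnail.  Truncated images are skipped rather than returned."""
    found, pos = [], 0
    while pos < len(stream):
        starts = [(stream.find(sig, pos), kind)
                  for sig, kind in ((JPEG_SOI, "jpeg"), (PNG_SIG, "png"))]
        starts = [s for s in starts if s[0] != -1]
        if not starts:
            break
        start, kind = min(starts)                         # earliest header wins
        if kind == "png":
            end = png_end(stream, start)
        else:
            end = stream.find(JPEG_EOI, start + len(JPEG_SOI))
            end = None if end == -1 else end + len(JPEG_EOI)
        if end is None:                                   # truncated: look past this header
            pos = start + 1
            continue
        found.append((kind, stream[start:end]))
        pos = end
    return found


def png_chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)


def tiny_png():
    """A valid 1x1 red RGB PNG, built here as test input."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # one scanline: filter byte + one red pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


# Constructed stub carrying only SOI, an APP0/JFIF segment and EOI (not a decodable picture).
TINY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"

# Constructed stream: two HTTP responses followed by a JPEG cut off before its EOI.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + tiny_png()
    + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + TINY_JPEG
    + b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00"
)

if __name__ == "__main__":
    for n, (kind, data) in enumerate(carve_images(SAMPLE_STREAM)):
        with open("carved-%d.%s" % (n, kind), "wb") as fh:
            fh.write(data)
        print(kind, len(data), "bytes")
```

The stream is treated as opaque bytes on purpose: HTTP headers, chunked encoding and FTP control traffic are ignored, which is what lets the same carver serve an HTTP response body and an FTP data connection alike. The price is the JPEG heuristic noted in the docstring; a forensic tool that must be exact parses the protocol first and carves from the declared body.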
