Laura Chappell

Network Forensics Cheat Sheet

Updated: May 13, 2019

I guess we're all a bunch of cheaters! <grin> I'll be putting together additional cheat sheets, so make sure you are signed up for the Newsletter to get notified when they release!


The Network Forensics Cheat Sheet went over incredibly well at the RSA Conference this year. Each of the TCP Analysis architectural posters was wrapped with the Network Forensics Cheat Sheet, which contains four sections:

1. Cool Wireshark display filters

2. Discount codes for Profitap products and Chappell University training

3. Instructions for spotting suspicious traffic in trace files

4. Step-by-step instructions for embedding a private key in a trace file


Cool Display Filters

You really do want to master display filters in Wireshark. That is the ideal way to find the needle in the haystack.


The first page of the Cheat Sheet lists many of my favorite Wireshark display filters and provides examples of some cool filter techniques including regex filters and inclusion filters.


Some of my favorite display filters are:


dns.count.answers>10, which detects an unusually high number of answers in a single DNS response. Try that one out on sec-sickclient.pcapng (which is included in the .zip file).

http.request.method in {PUT POST}, which uses the inclusion operator in, a newer addition to Wireshark's display filter syntax.


http.request.uri matches "\.(exe|zip|jar)$", which detects .exe, .zip, and .jar at the end of the HTTP Request URI field. This filter uses Wireshark's regex operator, matches.


Protocol Hierarchy

How you approach a trace file depends on whether you are looking for anomalies (network forensics) or performance issues (troubleshooting). When looking for anomalies, my first step is always the Protocol Hierarchy window.


Download the .zip file set and you'll see sec-sickclient.pcapng in there. Follow the instructions on the Cheat Sheet to determine what the "Data" line in that trace file's Protocol Hierarchy actually is.
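To run the display filters above and the Protocol Hierarchy view from the command line instead of the GUI, here is an added example script (mine, not from the Cheat Sheet or the Wireshark project). It uses tshark's -r, -Y and -z io,phs options, which exist in Wireshark 3.x, and adds an offline dry run of the URI regex with grep so you can see what the trailing "$" anchor does before you trust the filter on a real trace. The script only invokes tshark when it is installed and a trace file is given as the first argument; the file name and the constructed URIs are assumptions.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): batch-apply the display filters
# listed above with tshark, print the protocol hierarchy, and dry-run the
# URI regex offline so the "$" anchor behaviour is visible.
set -u

# Count packets in a trace that match a Wireshark display filter.
# -r reads the capture file, -Y applies a display filter (Wireshark 3.x).
filter_count() {
    pcap=$1; filter=$2
    tshark -r "$pcap" -Y "$filter" 2>/dev/null | wc -l | tr -d ' '
}

# Protocol hierarchy statistics, the same data as Statistics > Protocol Hierarchy.
protocol_hierarchy() {
    tshark -r "$1" -qz io,phs
}

# Offline dry run of the cheat sheet regex using grep -E with the same pattern.
# Prints "match" or "no match" for a URI passed as $1 (constructed input).
uri_regex_check() {
    if printf '%s\n' "$1" | grep -Eq '\.(exe|zip|jar)$'; then
        echo match
    else
        echo "no match"
    fi
}

# Extended variant (my assumption, not on the cheat sheet): the "$" anchor in
# the original misses "/tool.exe?id=7", so also allow a query string or fragment.
uri_regex_check_qs() {
    if printf '%s\n' "$1" | grep -Eq '\.(exe|zip|jar)([?#].*)?$'; then
        echo match
    else
        echo "no match"
    fi
}

# Triage a trace only when one is supplied and tshark is available.
if [ "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
    pcap=$1
    protocol_hierarchy "$pcap"
    for f in 'dns.count.answers > 10' \
             'http.request.method in {PUT POST}' \
             'http.request.uri matches "\.(exe|zip|jar)$"'; do
        printf '%6s  %s\n' "$(filter_count "$pcap" "$f")" "$f"
    done
fi
```

Usage: `sh triage.sh sec-sickclient.pcapng`. Two caveats from the dry run: grep -E is case-sensitive, so check how your Wireshark version treats case in matches before assuming ".EXE" is caught, and the set syntax shown on the Cheat Sheet is the Wireshark 3.x form; Wireshark 4.0 and later expect comma-separated, quoted elements (`in {"PUT", "POST"}`).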

Embedding a Private Key

There's "cool" and then there's "COOL!" This is COOL! Added by core developer Peter Wu, this new feature in Wireshark v3 allows you to embed the private session key in your trace file so you can share an encrypted conversation with someone else without giving away the public key or having them perform extra steps to apply a private key to the trace file.

The feature was added to dear ol' Editcap with the --inject-secrets parameter. Great job, Peter!
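The step-by-step instructions are on the Cheat Sheet itself; as an added illustration of the same workflow (my script, not the Cheat Sheet's or Wireshark's own code), the following embeds a TLS key log into a trace with editcap --inject-secrets. The secrets type `tls` and the SSLKEYLOGFILE record format (LABEL, 32-byte client random, hex secret) are what editcap expects; the sample key log is constructed with placeholder hex values and is not a real secret. Before injecting, the script checks that the key log is well-formed and that the output is pcapng, because the secrets are stored in a pcapng Decryption Secrets Block. editcap is only called when it is installed and a key log plus trace are given as arguments.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: sanity-check a TLS key log,
# then embed it into a trace with editcap --inject-secrets.
set -u

# Write a constructed sample key log (placeholder hex, not a real secret)
# in the SSLKEYLOGFILE format that "--inject-secrets tls" consumes.
write_sample_keylog() {
    rnd=$(printf '%064d' 0)              # 32-byte client random as hex
    sec=$(printf '%096d' 0 | tr 0 1)     # 48-byte master secret as hex
    {
        echo '# constructed sample in SSLKEYLOGFILE format; placeholder values'
        echo "CLIENT_RANDOM $rnd $sec"
    } > "$1"
}

# Number of well-formed records: LABEL, 64 hex chars, one or more hex chars.
keylog_record_count() {
    grep -Ec '^[A-Z0-9_]+ [0-9a-fA-F]{64} [0-9a-fA-F]+$' "$1" || true
}

# Valid when there is at least one record and every other line is a comment
# or blank; editcap will otherwise embed junk that Wireshark cannot use.
keylog_is_valid() {
    [ "$(keylog_record_count "$1")" -gt 0 ] || return 1
    if grep -Ev '^(#|[[:space:]]*$|[A-Z0-9_]+ [0-9a-fA-F]{64} [0-9a-fA-F]+$)' "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Embed the key log into a copy of the trace. The output must be pcapng,
# since the secrets live in a pcapng Decryption Secrets Block (DSB).
inject_secrets() {
    keylog=$1; in=$2; out=$3
    keylog_is_valid "$keylog" || {
        echo "refusing: $keylog is not a well-formed key log" >&2; return 1; }
    case $out in
        *.pcapng) ;;
        *) echo "refusing: output $out must be a .pcapng file" >&2; return 1 ;;
    esac
    editcap --inject-secrets tls,"$keylog" "$in" "$out"
}

# Usage: sh inject.sh keylog.txt trace.pcapng  -> trace-with-secrets.pcapng
if [ $# -eq 2 ] && command -v editcap >/dev/null 2>&1; then
    inject_secrets "$1" "$2" "${2%.*}-with-secrets.pcapng"
fi
```

Once the output file opens in Wireshark 3.x, the TLS streams decrypt without anyone configuring a key log file or RSA key in the protocol preferences, which is what makes the embedded trace shareable. Keep in mind that whoever receives it holds the session secrets for those conversations, so treat the file with the same care as the key log itself.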


Cheers!
