Showing blog posts from November 2015
CapLoader comes with support for Berkeley Packet Filter (BPF), which makes it possible to filter network traffic based on IP addresses, protocols and port numbers without using external tools. Being able to filter captured network traffic is crucial when analyzing large sets of PCAP files as well as in order to hunt down compromised hosts with Rinse Repeat Intrusion Detection.
There are two ways to apply filters with BPF in CapLoader; you can either apply an input filter before loading your PCAPs, or you can apply a display filter after the capture files have been loaded.
The fastest way to filter a large set of PCAP files with CapLoader is to enter an Input Filter before loading the capture files. Having an input filter will speed up the loading time significantly, since CapLoader will not need to analyze packets and flows that don't match the BPF syntax. The downside is that you will need to know beforehand what filter you want to use. In order to apply a changed input filter you need to reload the loaded PCAP files (pressing F5 will do this for you).
Image: CapLoader with input filter “tcp port 443”
CapLoader supports display filters in order to allow filters to be changed on the fly, without having to reload the PCAP files. As the name implies, display filters affect which flows are displayed in CapLoader. A changed display filter does not require the dataset to be reloaded, but it does require the GUI to update the visible flows. This GUI update can be slow if there are many flows in your dataset; you will notice a delay when a display filter is applied to 10,000 flows or more.
Image: CapLoader with display filter “host 126.96.36.199”
CapLoader's BPF implementation does not support the full BPF syntax. In fact, only the most central primitives are implemented, which are:
| Primitive | Matches |
|---|---|
| host <IP address> | Flows to or from the specified IPv4 or IPv6 address |
| net <CIDR> | Flows to or from the specified IP network, uses CIDR notation |
| port <port> | Flows to or from the specified port number |
| ip6 | Flows using IPv6 addresses |
| ip | Flows using IPv4 addresses |
More complex filter expressions can be built up by using the words and, or, not and parentheses to combine primitives. Here are some examples:
- host 188.8.131.52 and udp port 53
- net 184.108.40.206/22 and port 80
- (port 80 or port 443) and not host 192.168.0.1
For all boolean algebra geeks out there: we can confirm that our BPF implementation gives "and" precedence over "or", which means that the last example above would give a different result if the parentheses were removed.
Keeping it Short
Steve McCanne gave a keynote presentation at SharkFest 2011, where he talked about how he created BPF. Steve's work was guided by Van Jacobson, who challenged him to make the BPF syntax human friendly rather than requiring the user to type a clunky filtering syntax. We've adopted this thinking and therefore allow filters like these:
- 10.1.1.3
  Flows to or from IP address 10.1.1.3. Translates to “ip host 10.1.1.3”
- 220.127.116.11/16
  Flows to or from the 220.127.116.11/16 network. Translates to “ip net 18.104.22.168/16”
- port 53
  Flows to or from TCP, UDP or SCTP port 53.
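To make the filter semantics concrete, here is an added example (written for this page, not CapLoader's own code) that parses the BPF subset described above, including the and/or/not precedence rule and the shorthand forms from this section, and evaluates it against a handful of constructed flow records. It assumes a flow is a dict with src, dst, proto, sport and dport keys; the flow data and the optional transport qualifier handling ("udp port 53") follow the examples given in the post.

```python
"""Evaluator for the CapLoader-style BPF subset described above (constructed
example; this is not CapLoader's own code). A flow is assumed to be a dict
with src, dst (IP strings), proto ("tcp"/"udp"/"sctp"), sport and dport."""
import ipaddress
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
TRANSPORTS = {"tcp", "udp", "sctp"}


class Parser:
    """Recursive-descent parser; 'and' binds tighter than 'or', as the post states:
         expr   := term ('or' term)*
         term   := factor ('and' factor)*
         factor := 'not' factor | '(' expr ')' | primitive
    parse() returns a predicate: flow -> bool."""

    def __init__(self, expr):
        self.toks = TOKEN_RE.findall(expr.lower())
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            left, right = node, self.term()
            node = lambda f, l=left, r=right: l(f) or r(f)
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            left, right = node, self.factor()
            node = lambda f, l=left, r=right: l(f) and r(f)
        return node

    def factor(self):
        tok = self.take()
        if tok == "not":
            inner = self.factor()
            return lambda f: not inner(f)
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None:
            raise ValueError("unexpected end of filter")
        return self.primitive(tok)

    def primitive(self, tok):
        proto = version = None
        if tok in TRANSPORTS:                      # transport qualifier, e.g. "udp port 53"
            proto, tok = tok, self.take()
            if tok != "port":
                raise ValueError("a transport qualifier must be followed by 'port'")
        if tok in ("ip", "ip6") and self.peek() in ("host", "net"):
            version, tok = (4 if tok == "ip" else 6), self.take()   # "ip host X" / "ip net X"
        if tok == "ip":                            # bare "ip": IPv4 flows
            return lambda f: ipaddress.ip_address(f["src"]).version == 4
        if tok == "ip6":                           # bare "ip6": IPv6 flows
            return lambda f: ipaddress.ip_address(f["src"]).version == 6
        if tok in ("host", "net", "port"):         # keyword is optional (shorthand forms)
            tok = self.take()
        if tok is None:
            raise ValueError("incomplete primitive")
        if tok.isdigit():                          # port: any transport unless qualified
            port = int(tok)
            return lambda f: (proto is None or f["proto"] == proto) and port in (f["sport"], f["dport"])
        if "/" in tok:                             # net <CIDR> or bare CIDR
            target = ipaddress.ip_network(tok, strict=False)
            hit = lambda addr: addr in target
        else:                                      # host <address> or bare address
            target = ipaddress.ip_address(tok)
            hit = lambda addr: addr == target
        if version and target.version != version:
            raise ValueError(f"{tok} is not an IPv{version} value")
        return lambda f: any(hit(ipaddress.ip_address(f[k])) for k in ("src", "dst"))


# Constructed flow records standing in for CapLoader's flow table.
FLOWS = [
    {"src": "10.1.1.3", "dst": "188.8.131.52", "proto": "udp", "sport": 51000, "dport": 53},
    {"src": "10.1.1.7", "dst": "184.108.40.206", "proto": "tcp", "sport": 51001, "dport": 80},
    {"src": "192.168.0.1", "dst": "203.0.113.5", "proto": "tcp", "sport": 51002, "dport": 80},
    {"src": "10.1.1.9", "dst": "203.0.113.5", "proto": "tcp", "sport": 51003, "dport": 443},
    {"src": "2001:db8::10", "dst": "2001:db8::53", "proto": "udp", "sport": 51004, "dport": 53},
]


def apply_filter(expr, flows=FLOWS):
    """Return the indexes of the flows that match the filter expression."""
    match = Parser(expr).parse()
    return [i for i, flow in enumerate(flows) if match(flow)]


if __name__ == "__main__":
    for expr in ["host 188.8.131.52 and udp port 53",
                 "(port 80 or port 443) and not host 192.168.0.1",
                 "port 80 or port 443 and not host 192.168.0.1",   # same filter, parentheses removed
                 "10.1.1.3", "203.0.113.0/24", "port 53"]:
        print(f"{expr!r:55} -> flows {apply_filter(expr)}")
```

Running the block shows the precedence point from the post directly: with the parentheses, the third example excludes every flow involving 192.168.0.1, while without them the "not host" clause only applies to the port 443 branch, so the port 80 flow from 192.168.0.1 slips back in.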
Try it for Free!
We've made the BPF implementation available even in the free version of CapLoader. You don't need to register to get the free version; just download, extract and run. The tool is portable, so you won't even have to install it. Visit http://www.netresec.com/?page=CapLoader to grab a copy and start filtering!
Posted by Erik Hjelmvik on Monday, 30 November 2015 08:15:00 (UTC/GMT)
4SICS last month and brought back a bunch of PCAP files. Not just any PCAP files, but captured network traffic from the ICS lab that was set up in the Geek Lounge at 4SICS. These PCAP files are now made publicly available here, because captured network traffic from ICS/SCADA networks is a really scarce resource.
4SICS is the leading Industrial Control System (ICS) security conference in Europe, which brings in speakers and attendees from all around the world. I taught a one-day class on analyzing network traffic as part of the pre-conference training at 4SICS. In this class we analyzed PCAP files containing industrial protocols, such as Modbus/TCP and IEC-104. Unfortunately there aren't many capture files around that carry these protocols, so the ICS analysis part in my class wasn't as advanced as I wanted it to be.
I have been aware of this limited access to ICS traffic for some time now, which is why I decided to work with the 4SICS crew in order to set up a sniffer in the ICS lab at the 4SICS conference. This lab contained devices such as PLCs, RTUs, servers, industrial network equipment (switches, firewalls, etc), which were available for hands-on "testing" by 4SICS attendees.
4SICS ICS Lab. Image Credit: 4SICS
The network TAP vendor Garland were Technology Partners at 4SICS, so I didn't even have to bring a network TAP to the lab. I just connected my sniffer machine and let it record for three days. Chris Sistrunk also joined the sniffing party later in the conference by connecting his SEL-3355, which runs SecurityOnion, to the network TAP.
Image Credit: Patrick Nixdorf
The 350MB of network traffic that was captured during the 4SICS conference is now publicly available here:
Posted by Erik Hjelmvik on Wednesday, 04 November 2015 15:45:00 (UTC/GMT)