Tuesday, August 24, 2004

Best Way to Extract a Pcap Session from A Larger Pcap Session?

I was asked today to describe the best way to extract a session from a libpcap file into its own libpcap file. In other words, if I have a large collection of network packets, how can I extract a specific session but keep that information in libpcap format?

The answer I proposed relies on (1) identifying the session of interest and (2) telling Tcpdump what to extract. To meet the first goal, consider using a tool like Tcptrace to identify sessions in a sample.lpc file:

drury:/$ tcptrace -n sample.lpc
1 arg remaining, starting with 'sample.lpc'
Ostermann's tcptrace -- version 6.4.2 -- Sat May 3, 2003

288 packets seen, 280 TCP packets traced
elapsed wallclock time: 0:00:00.002588, 111282 pkts/sec analyzed
trace file elapsed time: 0:00:37.256768
TCP connection info:
1: 10.2.2.99:58583 - 216.239.51.107:443 (a2b) 9> 10< (complete) (reset)
2: 10.2.2.99:58584 - 207.171.163.90:80 (c2d) 54> 70< (complete)
3: 10.2.2.99:58585 - 204.152.184.73:21 (e2f) 43> 60< (complete)
4: 10.2.2.52:22 - 10.2.2.99:54385 (g2h) 1> 1<
5: 10.2.2.99:58586 - 204.152.184.73:24221 (i2j) 4> 4< (complete)
6: 10.2.2.99:58587 - 204.152.184.73:62393 (k2l) 6> 5< (complete)
7: 10.2.2.99:58588 - 204.152.184.73:62189 (m2n) 6> 7< (complete)

If we want to extract session e2f, representing an FTP control channel, we use the following Tcpdump syntax:

drury:/$ tcpdump -n -r sample.lpc -w sample.e2f.lpc \( host 10.2.2.99 and port 58585 \) or \( host 204.152.184.73 and port 21 \)

If we look at sample.e2f.lpc, we see it has the packets from both sides of the session:

drury:/$ tcpdump -n -r sample.e2f.lpc -c 4
10:57:08.044699 10.2.2.99.58585 > 204.152.184.73.21: S 3823095630:3823095630(0) win 65535 wscale 1,nop,nop,timestamp 68783950 0> (DF)
10:57:08.124141 204.152.184.73.21 > 10.2.2.99.58585: S 2610354460:2610354460(0) ack 3823095631 win 65535 (DF)
10:57:08.124221 10.2.2.99.58585 > 204.152.184.73.21: . ack 1 win 33304 (DF)
10:57:08.212221 204.152.184.73.21 > 10.2.2.99.58585: P 1:34(33) ack 1 win 65535 68783958> (DF)
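As an added example that is not part of the original post, here are the same two steps (inventory the TCP sessions, then copy one session's packets into a new libpcap file with the original global header) in stdlib-only Python, run over a constructed sample capture that mirrors the sessions above. It matches on the full bidirectional 5-tuple, which is tighter than the Tcpdump filter above: that filter's second clause also admits any other packet to or from port 21 on 204.152.184.73, as the extra client in the sample shows. All function and constant names are my own.

```python
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)

def _records(pcap):
    """Yield (16-byte record header, frame) per packet, honouring the file's byte order."""
    end = "<" if struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC else ">"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "I", pcap, off + 8)[0]
        yield pcap[off:off + 16], pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def _flow_key(frame):
    """Direction-independent TCP 5-tuple of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4 (EtherType 0x0800) or not TCP (protocol 6)
    tcp = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IHL words
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    a = (inet_ntoa(frame[26:30]), sport)
    b = (inet_ntoa(frame[30:34]), dport)
    return (a, b) if a <= b else (b, a)  # both directions share one key

def list_sessions(pcap):
    """tcptrace-style inventory: {((host, port), (host, port)): packet count}."""
    return Counter(filter(None, (_flow_key(f) for _, f in _records(pcap))))

def extract_session(pcap, host_a, port_a, host_b, port_b):
    """New pcap (same global header) holding only the packets of one bidirectional session."""
    want = tuple(sorted([(host_a, port_a), (host_b, port_b)]))
    body = b"".join(h + f for h, f in _records(pcap) if _flow_key(f) == want)
    return pcap[:24] + body

def _frame(src, sport, dst, dport, payload=b""):  # constructed test frame, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp + payload  # zero MACs, EtherType IPv4

def build_pcap(frames):
    recs = [struct.pack("<IIII", 1093300000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(recs)  # v2.4, linktype 1

SAMPLE_PCAP = build_pcap([  # constructed: the page's e2f and c2d sessions plus a second FTP client
    _frame("10.2.2.99", 58585, "204.152.184.73", 21),
    _frame("204.152.184.73", 21, "10.2.2.99", 58585, b"220 FTP server ready\r\n"),
    _frame("10.2.2.99", 58584, "207.171.163.90", 80, b"GET / HTTP/1.0\r\n\r\n"),
    _frame("10.2.2.50", 40000, "204.152.184.73", 21),
])
```

Writing `extract_session(SAMPLE_PCAP, "10.2.2.99", 58585, "204.152.184.73", 21)` to a file gives a capture Tcpdump and Ethereal read normally, since the global header and record headers are copied unchanged.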

A GUI option involves loading the pcap trace into Ethereal, selecting a packet from the session of interest, rebuilding the stream, and then saving the packets associated with that stream (not the packet contents, however). You could also pass a filter to see only the packets you want and then save them without doing session reconstruction.

If we simply wanted the contents of the session of interest (like application data), not in pcap format, we could use Tcpflow.
