Manipulating Packet Captures

While capturing traffic at Hack or Halo I realized the timestamps on the packets were off by one hour. Apparently I didn't patch this infrequently used Hacom box for the recent DST change.

I captured traffic using Sguil's log_packets.sh script, which uses Snort to write a new full content trace every hour. For the first round of the contest, the script produced two traces. I combined them using Mergecap, bundled with Wireshark.

richard@neely:/var/tmp/shmoocon2007$ mergecap -w shmoocon_hack_rd1.pcap
snort.log.1174770982 snort.log.1174773600

The Capinfos program accompanying Wireshark summarizes the new trace:

richard@neely:/var/tmp/shmoocon2007$ capinfos shmoocon_hack_rd1.pcap
File name: shmoocon_hack_rd1.pcap
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 719534
File size: 155340234 bytes
Data size: 143827666 bytes
Capture duration: 4587.056482 seconds
Start time: Sat Mar 24 17:17:41 2007
End time: Sat Mar 24 18:34:08 2007
Data rate: 31355.11 bytes/s
Data rate: 250840.89 bits/s
Average packet size: 199.89 bytes

I decided to alter the timestamps using Editcap, also packaged with Wireshark.

richard@neely:/var/tmp/shmoocon2007$ editcap -t 3600 shmoocon_hack_rd1.pcap
shmoocon_hack_rd1_timeadj.pcap

Now the timestamps are correct.

richard@neely:/var/tmp/shmoocon2007$ capinfos shmoocon_hack_rd1_timeadj.pcap
File name: shmoocon_hack_rd1_timeadj.pcap
File type: Wireshark/tcpdump/... - libpcap
Number of packets: 719534
File size: 155340234 bytes
Data size: 143827666 bytes
Capture duration: 4587.056482 seconds
Start time: Sat Mar 24 18:17:41 2007
End time: Sat Mar 24 19:34:08 2007
Data rate: 31355.11 bytes/s
Data rate: 250840.89 bits/s
Average packet size: 199.89 bytes

I'm getting these traces to Shmoo now so they can be shared.

Comments

Anonymous said…
Of course these captures cannot be used as evidence anymore since they've been modified.

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4