Time Issues in Libpcap Traces
Time is an important aspect of Network Security Monitoring. If you don't pay close attention to the time shown in your evidence, and recognize what it means, you could misinterpret the values you see. My students and I encountered this issue in TCP/IP Weapons School at Black Hat this week.

Let's look at the first ICMP packet in one of our labs. I'm going to show the output using the Hd tool and then identify and decode the field that depicts time. In the following output, 2d 0c 65 49 occupies the part of the packet where Libpcap has added a timestamp.

Hd output:

$ hd icmp.sample.pcap
00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  ea 05 00 00 01 00 00 00  2d 0c 65 49 5f bf 0c 00  |........-.eI_...|
00000020  4a 00 00 00 4a 00 00 00  00 0c 29 82 11 33 00 50  |J...J.....)..3.P|
00000030  56 c0 00 01 08 00 45 00  00 3c 02 77 00 00 80 01  |V.....E..<.w....|
00000040  ea f1 c0 a8 e6 01 c0 a8  e6 05 08 00 43 5c 07 0
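The following is an added example, not code from the original post: it parses the libpcap global header and the first record header from the bytes in the hd dump above, uses the magic number to pick the byte order, and decodes ts_sec and ts_usec into a UTC time. The bytes are copied from the dump (packet body omitted), the UTC-5 zone used for the "local" rendering is an assumed analyst workstation zone, and the misread_as_big_endian function exists only to show how far off the timestamp lands if the byte order is ignored.

```python
"""Decode the libpcap timestamp of the first record in a capture.

Added example, not from the original post. SAMPLE is the first 40 bytes
(24-byte global header + 16-byte record header) of the hd dump quoted
above; the packet body is omitted. The UTC-5 zone below is an assumed
analyst-workstation zone, used only to show how a tool's local rendering
differs from the raw epoch value stored in the file.
"""
import struct
from datetime import datetime, timedelta, timezone

SAMPLE = bytes.fromhex(
    "d4c3b2a1" "02000400" "00000000" "00000000"   # magic, version 2.4, thiszone, sigfigs
    "ea050000" "01000000"                          # snaplen 1514, linktype 1 (Ethernet)
    "2d0c6549" "5fbf0c00" "4a000000" "4a000000"    # ts_sec, ts_usec, incl_len, orig_len
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ASSUMED_LOCAL_ZONE = timezone(timedelta(hours=-5))  # assumption: analyst box at UTC-5


def byte_order(magic_bytes):
    """Return (struct byte-order prefix, ticks per second) from the 4-byte magic.

    0xA1B2C3D4 marks microsecond timestamps, 0xA1B23C4D nanosecond ones.
    The order in which the magic is stored tells us how the writer stored
    every other integer field, including the timestamp.
    """
    for prefix in ("<", ">"):
        magic = struct.unpack(prefix + "I", magic_bytes)[0]
        if magic == 0xA1B2C3D4:
            return prefix, 1_000_000
        if magic == 0xA1B23C4D:
            return prefix, 1_000_000_000
    raise ValueError("not a libpcap file, magic=%s" % magic_bytes.hex())


def parse_first_record(buf):
    """Parse the global header and the first record header of a pcap buffer."""
    prefix, ticks = byte_order(buf[:4])
    (_magic, vmaj, vmin, thiszone, _sigfigs, snaplen,
     linktype) = struct.unpack(prefix + "IHHiIII", buf[:24])
    ts_sec, ts_frac, incl_len, orig_len = struct.unpack(prefix + "IIII", buf[24:40])

    # ts_sec is seconds since the Unix epoch, in UTC; ts_frac is the sub-second
    # part in microseconds or nanoseconds depending on the magic. Integer
    # arithmetic avoids the precision loss of building a float timestamp.
    utc = EPOCH + timedelta(seconds=ts_sec, microseconds=ts_frac * 1_000_000 // ticks)
    local = utc.astimezone(ASSUMED_LOCAL_ZONE)
    return {
        "version": (vmaj, vmin),
        "thiszone": thiszone,        # 0 here: libpcap writers leave this unused
        "snaplen": snaplen,
        "linktype": linktype,
        "ts_sec": ts_sec,
        "ts_frac": ts_frac,
        "incl_len": incl_len,
        "orig_len": orig_len,
        "utc": utc.strftime("%Y-%m-%d %H:%M:%S.%f UTC"),
        "local_utc_minus_5": local.strftime("%Y-%m-%d %H:%M:%S.%f %z"),
    }


def misread_as_big_endian(buf):
    """Read ts_sec with the wrong byte order; shows why the magic check matters."""
    return struct.unpack(">I", buf[24:28])[0]


if __name__ == "__main__":
    for key, value in parse_first_record(SAMPLE).items():
        print("%-18s %s" % (key, value))
    print("%-18s %d" % ("misread ts_sec", misread_as_big_endian(SAMPLE)))
```

The decoded ts_sec is 1231359021, which is 2009-01-07 20:10:21 UTC; a tool on a UTC-5 workstation would display 15:10:21 for the same packet. Reading the same four bytes in the wrong order gives 755787081, a date in 1993, so always let the magic number decide the byte order before trusting a timestamp.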