Automated searching in gzip/chunk/encrypted content with Unsniff

A key capability in network forensics is searching for a string across a collection of pcap files or in live traffic. You may want to search for a name with the intention of finding any relevant emails, tweets, followers, Facebook posts, etc. Naive packet-level string matching won't work, for the following reasons.

  1. The transport is usually TCP, so the stream must be reassembled (segments reordered, retransmissions dropped) before matching; a string can straddle a segment boundary
  2. The protocol is usually HTTP, so the headers must be parsed to learn how the body is encoded
  3. Chunked transfer encoding splits the body into length-prefixed pieces with hex size lines between them
  4. GZIPped content: the bytes on the wire are compressed, so the plaintext never appears in any single packet
  5. Encrypted content (pretty much a dead end unless the connection used a non-ephemeral cipher suite, i.e. RSA key exchange rather than DHE/ECDHE, and you have the server's private key)
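To see concretely what each of those steps has to do before a pattern can match, here is an added example in Python that is not part of Unsniff or of this post. It constructs a gzipped, chunked HTTP/1.1 response carrying a JSON followers list, cuts it into out-of-order TCP segments, shows that a per-packet grep for "mickey" finds nothing, then reassembles, de-chunks and gunzips the stream and finds the name. The response, the JSON body and the segment sizes are all constructed for the example; real captures also need gap and overlap handling in the reassembly step, which is left out here.

```python
"""Added example (not Unsniff code): why naive packet-level matching misses a
string in an HTTP body, and the minimum pipeline that finds it.  The
"capture" is constructed in memory: a gzipped, chunked HTTP/1.1 response
carrying a JSON followers list, cut into TCP segments that arrive out of order.
"""
import gzip
import re
from typing import Dict, List, Tuple

PATTERN = b"mickey"

# Constructed JSON body: a followers list with repeated keys so deflate has
# something to compress.
SAMPLE_BODY = (
    b'{"users":[{"screen_name":"minnie","id":1},{"screen_name":"mickey","id":2},'
    b'{"screen_name":"donald","id":3},{"screen_name":"goofy","id":4}]}'
)


def build_response(body: bytes, chunk_size: int = 7) -> bytes:
    """Constructed HTTP/1.1 response: body gzipped, then chunked."""
    gz = gzip.compress(body)
    chunks = b"".join(
        b"%x\r\n%s\r\n" % (len(gz[i:i + chunk_size]), gz[i:i + chunk_size])
        for i in range(0, len(gz), chunk_size)
    ) + b"0\r\n\r\n"
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/json\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + chunks


def segment(stream: bytes, mss: int = 40) -> List[Tuple[int, bytes]]:
    """Cut the stream into (relative seq, payload) TCP segments and deliver
    them in reverse order, as a sniffer may well see them."""
    segs = [(i, stream[i:i + mss]) for i in range(0, len(stream), mss)]
    segs.reverse()
    return segs


def naive_packet_match(segs: List[Tuple[int, bytes]], pattern: bytes) -> bool:
    """What a packet-level grep does: test each payload on its own."""
    return any(pattern in payload for _, payload in segs)


def reassemble(segs: List[Tuple[int, bytes]]) -> bytes:
    """Step 1: put segments back in sequence order (gaps/overlaps not handled)."""
    out = bytearray()
    for seq, payload in sorted(segs):
        if seq != len(out):
            raise ValueError("gap or overlap at seq %d" % seq)
        out += payload
    return bytes(out)


def split_headers(stream: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Step 2: separate the header block from the body; names lower-cased."""
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Step 3: undo chunked transfer encoding (hex size line, data, CRLF, ..., 0)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break                                      # last chunk; trailers ignored
        out += body[pos:pos + size]
        pos += size + 2                                # skip the data and its CRLF
    return bytes(out)


def extract_user_object(segs: List[Tuple[int, bytes]]) -> bytes:
    """Run the whole pipeline; the result is what Unsniff calls the user object."""
    headers, body = split_headers(reassemble(segs))
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":   # step 4
        body = gzip.decompress(body)
    return body


def find_matches(data: bytes, pattern: bytes, context: int = 12) -> List[Tuple[int, bytes]]:
    """Offsets of every match plus a little surrounding text for display."""
    return [(m.start(), data[max(0, m.start() - context):m.end() + context])
            for m in re.finditer(re.escape(pattern), data)]


if __name__ == "__main__":
    segs = segment(build_response(SAMPLE_BODY))
    print("packet-level match:", naive_packet_match(segs, PATTERN))
    obj = extract_user_object(segs)
    for off, ctx in find_matches(obj, PATTERN):
        print("match at offset %d: %r" % (off, ctx))
```

The per-packet test fails for two independent reasons: the body is compressed, so the literal bytes of the name are not on the wire at all, and even an uncompressed body could have the name split across a segment boundary. Only the fully decoded object can be searched reliably, which is exactly what Unsniff's user objects give you.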

Unsniff Network Analyzer lets you search inside user objects after all of the above has been handled. To use the UI, switch to the User Objects sheet, press Ctrl+F and enter your patterns. The UI works well in many cases, but often you want to do this automatically.

These days JavaScript-heavy websites like Twitter use JSON as the dominant interchange format. Instead of sending back full HTML pages, chunks of JSON are used to build the final user interface. So in order to present results (such as a Twitter followers list) you need to wrap the results in your own application. This post shows how to use the Scripting Interface to accomplish that.

First, download and install the latest Unsniff from http://www.unleashnetworks.com/downloads.html

Assume you want to search for the pattern "mickey" in all content.

Step 1: Have your program dump your packets into a libpcap file, say mypackets.pcap

Step 2: Copy the following script into a directory in a file named searchuo.vbs

Step 3: Run the script like this

cscript searchuo.vbs mypackets.pcap mickey .\outputdir

Step 4: Every user object (mails, attachments, contacts and any HTTP exchange, gzipped or chunked) is reassembled during import; each one whose decoded content contains the pattern is written as a separate file into that directory

Step 5: Your code should read these files and integrate them into your UI. For example, Yahoo mails come as JSON, so maybe you can parse the JSON, or display the raw text with the pattern highlighted, etc. It's your call.

In this mode, Unsniff will be the engine for content extraction.  You can then integrate the files into your own application.


'
' searchuo - Search all user objects for a string match and dump the contents
'            of each matched user object to a file
'
Option Explicit

Dim Sout, fso, InputTCPD, Pattern, DirName, TempDB
Dim UnsniffDB, UOIndex, UO, PrefName, ExpFilePath, DupFileCount, MatchCount

' -----------------------
' Check usage & arguments
' -----------------------
Set Sout = WScript.StdOut

If WScript.Arguments.Count <> 3 Then
	Sout.WriteLine "Usage: cscript searchuo.vbs input-tcpdump-file pattern output-dir"
	WScript.Quit 1
End If

InputTCPD = WScript.Arguments.Item(0)
Pattern   = WScript.Arguments.Item(1)
DirName   = WScript.Arguments.Item(2)
TempDB    = "temp_cap.usnf"

Set fso = CreateObject("Scripting.FileSystemObject")

If Not fso.FileExists(InputTCPD) Then
	Sout.WriteLine "Input file not found: " & InputTCPD
	WScript.Quit 1
End If

' Remove a stale scratch database left behind by an earlier aborted run
If fso.FileExists(TempDB) Then
	fso.DeleteFile TempDB
End If

'
' Check if the output directory exists (create it if it doesn't)
'
If Not fso.FolderExists(DirName) Then
	fso.CreateFolder DirName
	Sout.WriteLine "Created Output Folder " & DirName
End If

' Import from tcpdump (libpcap) format into a scratch Unsniff database.
' TCP reassembly, HTTP parsing, de-chunking and gunzipping happen during
' import, so the user objects below hold the decoded content.
Set UnsniffDB = CreateObject("Unsniff.Database")
UnsniffDB.New TempDB
UnsniffDB.Import "libpcap", InputTCPD
Sout.WriteLine "Imported tcpdump file " & InputTCPD

' Walk every user object (mail, attachment, contact, HTTP exchange, ...)
' and save the ones whose decoded content contains the pattern
Set UOIndex = UnsniffDB.UserObjectsIndex
DupFileCount = 0
MatchCount = 0
For Each UO In UOIndex
	With UO
		If .HasPattern(Pattern) Then
			' The first match is saved as Match_UserObject.data; later matches
			' get a U_<n>_ prefix so they do not overwrite earlier ones
			PrefName = "Match_UserObject.data"
			ExpFilePath = fso.BuildPath(DirName, PrefName)

			If fso.FileExists(ExpFilePath) Then
				PrefName = "U_" & DupFileCount & "_" & PrefName
				ExpFilePath = fso.BuildPath(DirName, PrefName)
				DupFileCount = DupFileCount + 1
			End If

			.SaveToFile ExpFilePath
			MatchCount = MatchCount + 1
			Sout.WriteLine "Found pattern in " & .PreferredFileName & " - saved contents to " & ExpFilePath
		End If
	End With
Next

Sout.WriteLine "Matched " & MatchCount & " user object(s)"

UnsniffDB.Close

' The scratch database is only needed for the search; remove it
fso.DeleteFile TempDB
