This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

analysing packets in a cap file

0

Im quite new to wireshark, in fact ive hardly used it.

Basically, we have been set the task to analyse sniffer data in a cap file we have been given. We are also expected to turn all the network packets back into files, web pages emails etc

Does anyone have any idea how i can do this? as im completely confused. I would really appreciate the help

asked 11 May '12, 09:59

algyptalian's gravatar image

algyptalian
1111
accept rate: 0%

One Answer:

0

well, some of that can be done with this options:

  • File -> Export -> Objects -> HTTP
  • by applying the Display filter "http.request". Then right-click on one entry and choose "Follow TCP Stream".
  • by applying the display filter "smtp and tcp.flags eq 0x02". Then again: right-click -> Follow TCP Stream

HOWEVER, what you get is the raw communication for that protocol on the network. Maybe not what your client expected to get, ALTHOUGH you can re-construct downloads and e-mails with that.

There are other tools as well, e.g. tcpflow, tcptrace. Please check the wiki:

http://wiki.wireshark.org/Tools

Wireshark was mainly developed as a network troubleshooting tool, whereas your request sounds like spying on users or finding evidence for whatever ;-)

In that case, you better use a tool suited for that purpose, e.g. NetworkMiner (free version available)

http://www.netresec.com/?page=NetworkMiner

For OpenSource lovers:

http://www.xplico.org/
http://www.xplico.org/screenshot

Regards
Kurt

answered 11 May '12, 10:33

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 11 May '12, 12:55

Thnaks a lot for the reply. I tried your suggestion in wireshark. I got a whole lot of files, some jpeg, some png, and other css files, but theres supposed to be an excel document which contains some information, however i didnt really manage to find that. How would i analyse the packet in network miner? as it wasnt really clear to me.

(11 May '12, 15:50) algyptalian

ok so ive been messing around with network miner, specifically the keyword search facility. Ive pulled up words like "confidential" and a few interesting things came up. What i want to know is, is it possible to download all frame content, or perhaps, all things sent by a particular source/destination host? I mean, the posibilities of what i could find seem to be endless, but i could be wrong (its because i am very new to this software...)

(11 May '12, 16:24) algyptalian

O.K. could you please specify in more detail what you are looking for?

  • Is it an excel in a HTTP up-/download OR an e-mail (or both)?
  • Do you know the name of the Excel sheet?
  • Do you know some content of the execel sheet (confidential?)?
  • Is there a certain IP address you can concentrate your investigation on?
(12 May '12, 01:20) Kurt Knochner ♦

ive been doing further looking around, conversations are taking place on myspace, and also on aussiemail.com.au...but this may not be all there is...the conversations/ transactions are taking place between 2 hosts, 192.168.143.13 & 161.74.26.25...when i use the keyword search in networkminer, i saw parts of messages, some about confidential information, & attachments being sent. This is going on between the 2 above ip addresses mentioned. so is there some sort of way i can view all the messages that they have sent to and from eachother, as well as attachments they may have sent?

(12 May '12, 02:16) algyptalian