{{ SECURITY Network packet Forensic }} 


Chapter 7 : Analysis HTTP Contents


Wireshark supports exporting HTTP objects from the following menu.




Alternatively, you can use the following tool to extract data from HTTP packets.

- https://sourceforge.net/projects/networkminer/







Chapter 6 : File Magic Number


If a conversation contains only session establishment and termination, with no data exchanged, it may be a port scan.
In the following example, 192.168.1.2 appears to be scanning port 80 of 192.18.1.157.



From the Conversations popup, you can view the data stream with the [Follow Stream...] button.



The output of [Follow TCP Stream] can be displayed in several different data formats.



In the above example, the stream begins with the characters OFT2, which are used by "AOL Instant Messenger" (file transfer). In the middle of some packets there is a magic number containing the 'PK' string (zip file format). Well-known file signatures are listed here:




- http://garykessler.net/library/file_sigs.html
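As an added example (not code from the original post), the following Python scanner searches a raw stream saved from Wireshark for the signatures the chapter points out (OFT2 and PK) plus a few other well-known ones, and carves the bytes between hits for closer inspection. The sample stream is constructed for the demonstration, not taken from a real capture.

```python
"""Scan a raw 'Follow TCP Stream' dump for file signatures (magic numbers)."""
import sys
from typing import List, Optional, Tuple

# Leading bytes -> description. OFT2 and PK are the two the chapter points out;
# the rest are well-known signatures from Gary Kessler's file signature table.
SIGNATURES = {
    b"OFT2": "AOL Instant Messenger (OSCAR) file transfer header",
    b"PK\x03\x04": "ZIP archive, local file header",
    b"%PDF": "PDF document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF8": "GIF image",
}

# Constructed sample (not a real capture): an OFT2-style header followed by a
# ZIP local-file header, mimicking the AIM file-transfer stream in the chapter.
SAMPLE_STREAM = (
    b"OFT2" + b"\x01\x00" + b"\x01\x01" + b"\x00" * 20       # 28 bytes of OFT2-style header
    + b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 16    # ZIP local header fields
    + b"\x09\x00\x00\x00notes.txt" + b"x" * 12               # file name + compressed data
)

def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve(data: bytes, hits: List[Tuple[int, str]], index: int) -> bytes:
    """Bytes from hit `index` up to the next hit or the end of the stream.

    A signature only marks where a file starts; the real length comes from the
    format's own headers, so this is a first cut for manual inspection.
    """
    start = hits[index][0]
    end = hits[index + 1][0] if index + 1 < len(hits) else len(data)
    return data[start:end]

def main(path: Optional[str] = None) -> None:
    data = open(path, "rb").read() if path else SAMPLE_STREAM
    hits = find_signatures(data)
    for i, (off, name) in enumerate(hits):
        print(f"offset 0x{off:06x}: {name} ({len(carve(data, hits, i))} bytes to next hit)")

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the path of a stream saved in Raw format to list every signature offset in that file.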



After changing 'Show data as' to Raw, you can save the 'Follow TCP Stream' output to a file.



Reference 

  • http://www.parkjonghyuk.net/lecture/2014-1st-lecture/networksecurity/chap06.pdf

  • https://wiki.wireshark.org/Development/LibpcapFileFormat

  • https://mh-nexus.de/en/hxd/



 

Chapter 5. Telnet (Telecommunication Network Protocol) packet analysis

 

Before looking at the telnet PCAP log, let's see what a [TCP Keep-Alive] packet is.
This packet is normally used to check for dead peers or to prevent disconnection due to network inactivity.

Normally a null (zero-length) packet with the ACK flag is sent to the peer. But in our example, it carries duplicated data from the previously sent [PSH, ACK] packet.

 

 

The following is an example of a TCP connection [using the Follow TCP Stream menu].

Step 1 is the negotiation of sub-options for the telnet connection. After that there is a login prompt, as in Step 2. The login name is echoed back as it is typed, but the password is not echoed. Step 3 is the exit from the telnet connection.

 

 

 

At the start, there is a 3-way handshake, as before, to establish the TCP session to port 23 of the destination.

  • SYN > SYN,ACK > ACK

 

 

And for disconnection, there is a FIN,ACK procedure as shown below.

 

 


 

Chapter 4 : FTP packet analysis

  • Ports: TCP 21 (user authentication, sending commands), TCP 20 (sending the response data)
  • Ethernet II frame (also Ethernet Version 2 or DIX frame) is the most common frame type in use today, as it is used directly by the Internet Protocol.


  • TCP Flags
    • ACK (Acknowledge) : acknowledgment number = the sender's sequence number + length of the data at the TCP layer
    • SYN (Synchronize) : used during session setup to agree on initial sequence numbers (random)
    • FIN (Finish) : graceful session close (no more data)
    • RST (Reset) : abnormal session disconnection
    • PSH (Push) : forces data delivery without waiting for buffers to fill
    • URG (Urgent) : marks the segment as carrying urgent data


  • Analyze > Follow TCP Stream

  • Statistics > Flow Graph

 

 

References

  • https://support.microsoft.com/en-us/kb/169292

  • http://www.tamos.net/~rhay/overhead/ip-packet-overhead.htm

  • FTP (TCP/IP version) : RFC 765 (June 1980) and RFC 959 (October 1985)

  • RFC 2228 (June 1997) proposes security extensions

  • FTPS : RFC 4217

 
