{{ SECURITY Network packet Forensic }}
Chapter 6 : File Magic Number
If there are only session establishment and termination, this could be an port scan procedure.
From following example 192.168.1.2 seems to try the port scan for port 80 of 192.18.1.157.
From Conversation popup, you can see the data stream with [Following Stream...] button.
The result of [Follow TCP Stream] can be changeable to the different data format.
From above example, the stream has OFT2 character in the head of the contents which is using for "AOL Instant messenger". In the middle of some packets, there is a magic number with 'PK' string. (zip file format)
- http://garykessler.net/library/file_sigs.html
After changing 'Show data as' to RAW format, you can save the 'Follow TCP Stream' as a file.
Reference
http://www.parkjonghyuk.net/lecture/2014-1st-lecture/networksecurity/chap06.pdf
https://wiki.wireshark.org/Development/LibpcapFileFormat
https://mh-nexus.de/en/hxd/
'Security&Encryption > Network Packet Forensic' 카테고리의 다른 글
| TCP Port Scan (0) | 2016.03.06 |
|---|---|
| Analysis for SMTP (0) | 2016.03.06 |
| Analysis HTTP Contents (0) | 2016.03.03 |
| Telnet packet analysis (0) | 2016.03.01 |
| FTP packet analysis (0) | 2016.02.29 |