There are several command-line tools that can be utilized during the analysis of network packet captures. During more in-depth or lengthy incident response engagements, analysts may gather several packet capture files. It may be beneficial to combine these multiple packet captures into one single file to make analysis easier. The application Mergecap does just that by combining several packet capture files. Mergecap is offered as part of the CAINE OS and can be executed utilizing the following command:

caine@caine:~$ mergecap -w mergedpacketcapture.pcap packetcapture1.pcap packetcapture2.pcap

Another command-line tool that is useful in analyzing packet captures is the tool Editcap. Editcap allows analysts to manipulate the packet capture files into smaller segments for easier review. For example, an analyst may only want to look at captures that are broken up into 50,000 packet segments. This would be helpful if an analyst has a large packet capture and dividing would make searching easier. To do this, the analyst would type the following into the command line:

caine@caine:~$ editcap -F pcap -c evidence.pcap split.pcap

In the preceding command, Editcap took the evidence.pcap evidence file and divided it out into 50,000 packet segments. Another technique that Editcap can be leveraged for is to divide a larger packet capture into time segments. For example, if analysts want to divide a packet capture into 10-minute segments, they type in the following:

caine@caine:~$ editcap -F pcap-t+600 evidence.pcap split.pcap

Analysts may also find that, in some circumstances, they may want to isolate domain name registration traffic. This is due in large part to a variety of adversarial actions such as C2 traffic, data exfiltration, and the possible redirection to compromised websites, often leveraging vulnerabilities in the DNS system. The application dnstop parses packet capture files and ascertains the sources and count of DNS queries from internal hosts. To install on a Linux system, the following command is used:

dfir@ubuntu:~$ sudo apt-get install dnstop

This command will download and install dnstop. In the following example, the following packet capture was taken from the Malware Traffic Analysis site located at https://www.malware-traffic-analysis.net/2019/03/13/index.html. If an incident response analyst wants to determine whether any IP addresses were sending outbound DNS queries for packet capture, they simply execute the following command:

dfir@ubuntu:~/Documents/Packet Captures$ dnstop 2019-03-13-Emotet-with-Trickbot.pcap

The output of the preceding command is as follows:

The output indicates that only one host in the packet capture is the source of DNS queries, having made a total of 10. While this was a simple example, incident response analysts can utilize the preceding technique of combining multiple packet capture files and then utilizing dnstop in order to gain a better sense of what DNS traffic is leaving the internal network, and if that is something that warrants further investigation.