There are several command-line tools that can be utilized during the analysis of network packet captures. During more in-depth or lengthy incident response engagements, analysts may gather several packet captures files. It may be beneficial to combine these multiple packet captures into one single file to make analysis easier. The application mergecap does just that by combining several packet capture files. Mergecap is made as part of the CAINE OS and can be executed utilizing the following command:
caine@caine:~$ mergecap -w mergedpacketcapture.pcap packetcapture1.pcap packetcapture2.pcap
Another command-line tool that is useful in analyzing packet captures is the tool editcap. Editcap allows analysts to manipulate the packet capture files into smaller segments for easier review. For example, an analyst may only want to look at captures that are broken up into 50,000 packet segments. This would be helpful if an analysts has a large packet capture and dividing makes searching easier. To do this, the analyst would type the following into the command line:
caine@caine:~$ editcap -F pcap -c evidence.pcap split.pcap
In the preceding command, editcap took the evidence file evidence.pcap and divided it out into 50,000 packet segments. Another technique that editcap can be leveraged for is to divide a larger packet capture into time segments. For example, if analysts want to divide a packet capture into 10-minute segments, they type in the following:
caine@caine:~$ editcap -F pcap-t+600 evidence.pcap split.pcap
Analysts may also find that, in some circumstances, they may want to isolate Domain Name Registration traffic. This is due in large to a variety of C2 traffic, data exfiltration, and the possible redirection to compromised websites, often leveraging vulnerabilities in the DNS system. The application DNS top parses packet capture files and ascertains the sources and count of DNS queries from internal hosts. For example, if an incident response analyst wants to determine whether any IP addresses were sending outbound DNS queries of the packet capture taken from http://www.malware-traffic-analysis.net/2017/02/21/index.html. The command entered would be:
forensics@ubuntu:~/Documents/Packet Captures$ dnstop -l 3 2017-02-21-Hancitor-malspam-traffic.pcap
The preceding command produces the following output:
The output indicates that only one host in the packet capture is the source of DNS queries, having made a total of 107. While this was a simple example, incident response analysts can utilize the preceding technique of combining multiple packet capture files and then utilizing DNSStop in order to gain a better sense of what DNS traffic is leaving the internal network and if that is something that warrants further investigation.