
SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center



File2pcap - A new tool for your toolkit!

Published: 2017-05-26
Last Updated: 2017-05-26 18:42:20 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)

One of our readers, Gebhard, submitted a pointer to a tool today, released by Talos, that I wasn't familiar with.  However, when I realized it could generate packets, I had to try it out.  It's called File2pcap.  The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool simulates the download and generates the traffic you would see.  You get a nice pcap in the end.  I took a relatively benign phishing PDF (it had a link in it) and used it for my test.  The tool doesn't have any documentation until you compile it and run it.  Here are your options:

 

I ran a few test scenarios with it: one for HTTP and one for SMTP.  For HTTP, I used the following command line and specified an output file name:

./file2pcap -mh -p 45678:8443 Wire_transfer_Notification.pdf -o httpout.pcap
 
It shows you whether it's working, versus just returning a command prompt:
"Writing to httpout.pcap"
 
You can see by the packets, it matches the ports I told it to use:
 
 
Here is what it looks like when you follow the TCP stream:
 
 
For the SMTP I ran the following command:
./file2pcap -ms Wire_transfer_Notification.pdf -o smptout.pcap
 
Here is the data from following the TCP stream:
 

 
 
I played with several of the options.  You can also run more than one protocol in a single command line (you can't specify an output file name when running multiple modes; the tool generates the names for you):
 
./file2pcap -msh Wire_transfer_Notification.pdf
Writing to Wire_transfer_Notification.pdf-smtp.pcap
Writing to Wire_transfer_Notification.pdf-http-get.pcap
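As an added example (not part of this diary and not Talos's file2pcap source), here is a small Python script that does the same job for the two modes shown above: it wraps a file in either a simulated HTTP GET/200 download or an SMTP DATA delivery, emits the complete TCP session (three-way handshake, MSS-sized segments with ACKs, FIN teardown) on the ports you choose, and writes a classic libpcap file. All IP addresses, MAC addresses, host names, port numbers and sample bytes are constructed placeholders, and the exact frame layout the real tool produces is not reproduced. follow_stream() gives you what Wireshark's "Follow TCP Stream" screenshots show, and extract_attachment() pulls the file back out of the SMTP side, which is the kind of check you would write detection content against.

```python
"""Constructed file2pcap-style generator (an added example, not the Talos tool).
Simulates an HTTP download or SMTP delivery of a file as a complete TCP session
and writes a classic pcap.  IPs, host names and ports are constructed values."""
import base64
import socket
import struct
import sys
import time

CLIENT_IP, SERVER_IP = "10.0.0.2", "10.0.0.1"                    # constructed
FLAG_FIN, FLAG_SYN, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x08, 0x10


def _csum(data):
    """RFC 1071 one's-complement sum, shared by the IPv4 and TCP checksums."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """One Ethernet/IPv4/TCP frame (no options) with valid checksums."""
    s_ip, d_ip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = s_ip + d_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6,
                     0, s_ip, d_ip)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    # locally administered MACs derived from the IPs, so the capture shows two hosts
    return b"\x02\x00" + d_ip + b"\x02\x00" + s_ip + b"\x08\x00" + ip + tcp


def build_session(exchange, sport, dport, mss=1460):
    """exchange is [('c'|'s', bytes), ...]; returns the frames of a full session:
    three-way handshake, each message split at the MSS and acked, then FIN/ACK."""
    client = {"ip": CLIENT_IP, "port": sport, "seq": 1000}
    server = {"ip": SERVER_IP, "port": dport, "seq": 5000}
    frames = []

    def send(frm, to, flags, payload=b""):
        ack = to["seq"] if flags & FLAG_ACK else 0
        frames.append(_frame(frm["ip"], to["ip"], frm["port"], to["port"],
                             frm["seq"], ack, flags, payload))
        frm["seq"] += len(payload) + bool(flags & (FLAG_SYN | FLAG_FIN))

    send(client, server, FLAG_SYN)
    send(server, client, FLAG_SYN | FLAG_ACK)
    send(client, server, FLAG_ACK)
    for who, data in exchange:
        src, dst = (client, server) if who == "c" else (server, client)
        for i in range(0, len(data), mss):
            send(src, dst, FLAG_PSH | FLAG_ACK, data[i:i + mss])
            send(dst, src, FLAG_ACK)
    send(client, server, FLAG_FIN | FLAG_ACK)
    send(server, client, FLAG_FIN | FLAG_ACK)
    send(client, server, FLAG_ACK)
    return frames


def http_exchange(name, data):
    """Client GET for the file, server 200 response carrying it (like -mh)."""
    req = f"GET /{name} HTTP/1.1\r\nHost: www.example.test\r\n\r\n".encode()
    resp = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            f"Content-Length: {len(data)}\r\n\r\n").encode() + data
    return [("c", req), ("s", resp)]


def smtp_exchange(name, data):
    """Minimal SMTP dialogue delivering the file as a base64 attachment (like -ms)."""
    b64 = base64.encodebytes(data).decode().replace("\n", "\r\n")
    msg = (f"From: <sender@example.test>\r\nTo: <victim@example.test>\r\n"
           f"Subject: {name}\r\nMIME-Version: 1.0\r\n"
           f'Content-Type: application/octet-stream; name="{name}"\r\n'
           "Content-Transfer-Encoding: base64\r\n\r\n" + b64 + ".\r\n")
    return [("s", b"220 mail.example.test ESMTP\r\n"), ("c", b"EHLO client.example.test\r\n"),
            ("s", b"250 mail.example.test\r\n"), ("c", b"MAIL FROM:<sender@example.test>\r\n"),
            ("s", b"250 OK\r\n"), ("c", b"RCPT TO:<victim@example.test>\r\n"),
            ("s", b"250 OK\r\n"), ("c", b"DATA\r\n"),
            ("s", b"354 End data with <CR><LF>.<CR><LF>\r\n"), ("c", msg.encode()),
            ("s", b"250 OK: queued\r\n"), ("c", b"QUIT\r\n"), ("s", b"221 Bye\r\n")]


def pcap_bytes(frames):
    """Classic libpcap file: 24-byte global header, then one record per frame."""
    base, out = int(time.time()), [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, fr in enumerate(frames):            # frames spaced 1 ms apart
        out.append(struct.pack("<IIII", base + n // 1000, n % 1000 * 1000, len(fr), len(fr)) + fr)
    return b"".join(out)


def follow_stream(frames):
    """Reassemble both directions, like Wireshark's Follow TCP Stream."""
    out = {CLIENT_IP: b"", SERVER_IP: b""}
    for fr in frames:                          # src IP at offset 26, payload after 54 header bytes
        out[socket.inet_ntoa(fr[26:30])] += fr[54:]
    return out[CLIENT_IP], out[SERVER_IP]


def checksums_ok(fr):
    """True when the IPv4 and TCP checksums of a frame both verify to zero."""
    pseudo = fr[26:34] + struct.pack("!BBH", 0, 6, len(fr) - 34)
    return _csum(fr[14:34]) == 0 and _csum(pseudo + fr[34:]) == 0


def extract_attachment(client_stream):
    """Recover the base64 attachment from the reassembled SMTP client side."""
    blob = client_stream.split(b"base64\r\n\r\n", 1)[1].split(b"\r\n.\r\n", 1)[0]
    return base64.b64decode(blob)


if __name__ == "__main__":   # python file2pcap_demo.py <file>  -> <file>-http.pcap, <file>-smtp.pcap
    name = sys.argv[1]
    with open(name, "rb") as fh:
        data = fh.read()
    for mode, exch, ports in (("http", http_exchange, (45678, 8443)), ("smtp", smtp_exchange, (40000, 25))):
        with open(f"{name}-{mode}.pcap", "wb") as fh:
            fh.write(pcap_bytes(build_session(exch(name, data), *ports)))
        print(f"Writing to {name}-{mode}.pcap")
```

Running it as `python file2pcap_demo.py Wire_transfer_Notification.pdf` writes one pcap per mode and prints a "Writing to ..." line for each, mirroring the multi-mode output above. Because the IP and TCP checksums are computed properly, Wireshark will not flag the frames, and the sequence/ack numbers line up so the stream reassembles cleanly; that matters when the pcap is fed to an IDS to test file-transfer signatures, since many engines skip segments that fail checksum or reassembly checks.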
 
 
This is a very handy tool to have when you need to generate packets quickly to write content for file transfer detection.  It's definitely one I'll add to my toolkit!
 

 

Keywords: file2pcap pcap tool