Packet analysis

Display Filter Favorites: Using bookmarks to save and apply filters

4 min read

Tom was looking at a few different malware captures from his honeypot recently and found that he was repeatedly typing the same display filter over and over again on each new file.

We constantly use saved links to share our analysis work, but is there any way we can bookmark a link to just the filter portion of the URL in order to use it on different files? Tom found out there is, and it gives us a new way to save our favorite display filters for CloudShark.

Keep reading

Packet analysis

Using a Raspberry Pi to proxy, capture, and decrypt data from mobile and IoT devices

5 min read

Have you ever wondered what your “smart toaster” was sending back to the internet about you? Or how your WiFi dog food dispenser knows your schedule? Our engineer Tom did, but he didn’t have a great way to capture the network traffic sent by mobile and IoT devices. So he turned a Raspberry Pi into an access point/network proxy capable of capturing packets and decrypting SSL within CloudShark, and now you can too. Keep reading

Capture challenges

How we made the 2018 Halloween capture challenge

7 min read

In depth on creating a capture challenge using custom-built captures. Every so often we like to come up with a special capture challenge where people can use CloudShark to dive into some packet analysis and find the solution. But often the interesting story is about the methods we use to make the captures themselves - generating and capturing very specific packets to make the challenge interesting. Being packet geeks, it’s also really fun. Keep reading

Packet analysis

How to Identify and Analyze BitTorrent Alerts in Your Network

8 min read

Tracking down BitTorrent activity with packet captures. We love the exercises at malware-traffic-analysis.net, and occasionally we’ll pick some that we try to solve using CloudShark and its tools. This time, however, we’re going through one armed with tools that we learned from Brad (the author of malware-traffic-analysis) at Sharkfest US 2018, where he gave an in-depth class on using packet captures for malware analysis, as well as a presentation on analyzing Windows malware traffic. Keep reading

Packet analysis

A Fast Analysis of TCP Fast Open

7 min read

Part 3 of our series exploring TCP examines the TCP “Fast Open” option and what to look for when troubleshooting. TCP Fast Open (TFO) is an optional mechanism within TCP that lets endpoints that have established a full TCP connection in the past eliminate a round-trip of the handshake and send data right away. This speeds things up for endpoints that are going to keep talking to each other in the future and is especially beneficial on high-latency networks where time-to-first-byte is critical. Keep reading
TCP

Packet analysis

The TCP Timestamp Option

8 min read

We’re on a mission to tackle TCP, take it apart, and learn more about how it makes the internet work. Sample Captures Ahead! As always, we've gathered up the captures mentioned in this article into this collection over on CloudShark. Did you know you can make collections just like this with CloudShark too? Keep reading
TCP

Packet analysis

TCP Window Scaling

8 min read

How Window Scaling keeps TCP moving at top speed. Protocol choices made in older internet standards don’t scale to today’s network speeds. TCP (Transmission Control Protocol) has been making networks go for a very, very long time. As with many of the early internet protocols, limitations that seemed reasonable then can have a negative effect on performance now. Protocol designers allowed for future options to augment existing fields in order to keep them working effectively into the future. Keep reading
TCP

Packet analysis

Getting started with packet analysis

4 min read

There are three questions we get asked the most here at CloudShark: How do I capture packets and get them into CloudShark? Where can I find example packet captures? Where do I start with packet capture analysis? That last question is very important to us, because one of the things we always want to promote is demystifying the use of packet captures to troubleshoot network and security problems. They really are the best way, and with the right tools and knowledge they can be your first go-to. Keep reading

Packet analysis

What is new with TLS 1.3 - some capture examples

5 min read

In August of 2018, the Internet Engineering Task Force (IETF) moved Transport Layer Security (TLS) Version 1.3 to RFC 8446. In the world of networking standards, this means it has been properly vetted by the community and is officially ready for showtime on clients and servers. About these captures: we're able to look at TLS 1.3 handshakes thanks to support for the protocol in tshark 2.6. CloudShark 3.5 and later versions have support for TLS 1. Keep reading

Packet analysis

Packet capture on VMware virtual machines using vmnet-sniffer

5 min read

One of the most powerful tools we use when testing CloudShark is a combination of VMware Workstation and the Vagrant API interface. With Vagrant, we can test every permutation of CloudShark via a barrage of automated testing. Along the way, we had to learn some of the lower level interfaces of these tools. We became aware of a vmnet-sniffer command that comes with VMware Workstation and VMware Fusion, which we use on our OS X workstations for development, and realized that it’s a great tool for capturing on virtual machines or in a cloud environment when used with CloudShark for analysis. Keep reading

Packet analysis

What are some easy to use packet capture tools?

5 min read

A common question we get, other than where to find example packet captures, is which packet capture tools exist that are either free, work in a command line, work directly with CloudShark, or all of the above. Here’s a list of our go-to capture tools (other than Wireshark, of course) and the different scenarios in which they can be used. tshark. About ring buffers: CloudShark is made to work with capture files directly. Keep reading

Packet analysis

The effects of traffic bursts on network hardware

5 min read

We’ve written extensively about the phenomenon of network microbursts and how to use the iPerf network performance tool to create them in order to test their effects on your network. Our interest in them grew out of our work with Velocimetrics, since microbursts can have pretty significant effects in financial/trade markets. Our journey down the rabbit-hole got us interested in seeing the effects of microbursts on switches and interfaces in a test network. Keep reading

Packet analysis

Finding slow http responses

4 min read

One of the more practical, and yet fundamental, uses of packet capture analysis in today's networks is examining HTTP flows to isolate problems with the protocol or underlying network interactions. If you’re writing a web application or trying to debug why a particular service is slow, filtering for and graphing HTTP response times can give you an instant picture of overall performance and outliers. About HTTP response times: the HTTP response time is the delta between when an HTTP request is transmitted and when the HTTP response is transmitted. Keep reading

Packet analysis

Exploring the memcached DDoS attack

5 min read

During the last week of February in 2018, several big internet sites started seeing a huge increase in a particular style of DDoS attack, taking advantage of the memcached protocol. Being the packet geeks we are, we wanted to explore the attack on one of our own internal servers and get a capture of what’s happening at the packet level so you can see it in action. What is memcached? Keep reading

Packet analysis

Malware Analysis Exercise - When Your Users Run Email Attachments

7 min read

CloudShark developer and packet guru Tom Peterson gives us another example from malware-traffic-analysis.net to learn how to best use CloudShark and our Threat Assessment add-on to get to the root of malicious activity. Let’s join him now for his latest exercise. The exercise: Two Malicious E-mails, Two PCAPs to Analyze. In this exercise, we need to find out what happened when some users downloaded some suspicious attachments and executed the files contained therein. Keep reading

Packet analysis

Examining Network Delay with Wireless Retries

2 min read

Sometimes using tools such as ping when troubleshooting your WiFi network can show you that a problem exists, but not why it exists. If we look at a WiFi packet capture using CloudShark, the number of 802.11 retry frames can shed some light on the reasons behind poor application or network performance. Keep reading

Packet analysis

Learning how to Troubleshoot WiFi

3 min read

Now that we have our new Aerohive APs in our office, we’ve been excited to learn more about wireless troubleshooting and debugging. The built-in packet capture feature in HiveManager NG makes getting traces into CloudShark for analysis really easy. Now that we have the traces, what do we do with them? We wanted to put together a list of some of the resources that have helped us get started learning about the 802. Keep reading

Packet analysis

Five Reasons to Move to the Pcapng Capture Format

5 min read

The pcap capture file format has been the universal packet capture format since the early days of computer networking. Almost all capture tools support the pcap format. And while vendors have created new formats over the years, most tools support conversion into the pcap format. While pcap continues to be used today, it does have some limitations that make other formats more attractive. A new format called “pcapng” has been under development for a number of years. Keep reading

Packet analysis

Packet Capture of Heartbleed in Action

2 min read

As many are aware (as it’s now become national news), a vulnerability was recently discovered in OpenSSL dubbed Heartbleed. The attack centers around the implementation of the Heartbeat extension in OpenSSL which causes a server to return the contents of memory that should be protected. This blogpost by Troy Hunt describes the vulnerability in detail: Everything you need to know about the Heartbleed SSL bug. Being packet geeks, naturally we wanted to get a capture of the Heartbleed attack in action. Keep reading

Packet analysis

Intel "Packet of Death" Capture

1 min read

Note: Here is Intel’s official statement - it is important to note that this had little to do with Intel and only a specific manufacturer. In 2013, the creator of AstLinux, Kristian Kielhofner, discovered a bug in certain models and versions of Intel-based Gigabit Ethernet implementations that can result in a “packet of death” that will bring down the network interface, requiring a power cycle of the interface in order to restore functionality. Keep reading

Packet analysis

MITM Attack Capture Shared Through CloudShark

1 min read

Years ago, an apparent Man-In-The-Middle (MITM) attack on the popular code sharing site github.com occurred, which seemed to originate from China for users trying to traverse the “Great Firewall”. This was strange, as there had been many news stories not even two days before about China blocking and then subsequently unblocking access to github. Whatever the reason, a subject of the attack was able to create a packet trace of it, and uploaded it to our free cloudshark. Keep reading

Packet analysis

Search for *anything* in a capture - did you know?

2 min read

The great thing about CloudShark’s capture decode is that it supports all of the standard Wireshark display filters. You may know the common ones, such as searching on IP address or TCP port, or even protocol; but did you know you can search for any ASCII or hex values in any field throughout the capture? It’s true. The “frame contains” filter will let you pick out only those packets that contain a sequence of any ASCII or hex values that you specify. Keep reading