Motivation: I wanted to combine two or more packet capture (pcap) files into a single example capture, starting from inputs such as:
- One that contains only malicious (or simulated malicious) network traffic
- Another that contains legitimate, non-malicious network traffic
Many example packet capture files focus either specifically on malware, exploits, C2 traffic, etc. (like Security Onion’s list of PCAPs for Testing) or on examples of legitimate traffic (like Wireshark’s Sample Captures). I wanted to create an example that would interweave such sources and intersperse malicious and legitimate traffic, as they would typically occur concurrently.
In addition to tcpdump, there are three CLI tools provided by Wireshark that I used to help accomplish this:
- capinfos – provides high-level data about a packet capture file
- mergecap – combines 2 or more packet capture files
- editcap – modifies packet details, such as timestamps, in a packet capture file
At first I thought mergecap alone would be sufficient, but I wanted the packets from the various source pcaps to overlap so that malicious and legitimate network traffic would be intermingled. However, the mergecap documentation indicates that the timestamps will be preserved:
Packets from the input files are merged in chronological order based on each frame’s timestamp, unless the -a flag is specified. Mergecap assumes that frames within a single capture file are already stored in chronological order. When the -a flag is specified, packets are copied directly from each input file to the output file, independent of each frame’s timestamp.
To accomplish what I wanted, I needed to edit the timestamps in the pcap files. Fortunately, editcap can do this. As a proof-of-concept, I created 2 simple pcap files using tcpdump:
First, I created https.pcap:
In one terminal:
sudo tcpdump -i eth0 -nn -w https.pcap host 216.154.220.53
In another terminal:
curl https://osric.com/chris/accidental-developer/
Next, I created dns.pcap:
In one terminal:
sudo tcpdump -i eth0 -nn -w dns.pcap host 8.8.8.8
In another terminal:
dig @8.8.8.8 virustotal.com
dig @8.8.8.8 hybrid-analysis.com
dig @8.8.8.8 threatpost.com
dig @8.8.8.8 sans.org
I examined the details of the 2 files using capinfos:
$ capinfos -ace https.pcap dns.pcap
File name: https.pcap
Number of packets: 66
First packet time: 2020-11-14 11:02:45.010686
Last packet time: 2020-11-14 11:02:45.657428
File name: dns.pcap
Number of packets: 8
First packet time: 2020-11-14 11:03:13.113482
Last packet time: 2020-11-14 11:03:38.526727
Using mergecap at this point worked, but since all the packets in https.pcap chronologically precede those in dns.pcap, mergecap respects the timestamps and orders them accordingly:
$ mergecap -F pcap -w merged.pcap https.pcap dns.pcap
$ capinfos -ace merged.pcap
File name: merged.pcap
Number of packets: 74
First packet time: 2020-11-14 11:02:45.010686
Last packet time: 2020-11-14 11:03:38.526727
Using the -a flag to mergecap ignores the timestamps and simply concatenates the input files in the order they are given on the command line, so with dns.pcap listed first its packets come first:
$ mergecap -F pcap -a -w merged.pcap dns.pcap https.pcap
$ capinfos -ace merged.pcap
File name: merged.pcap
Number of packets: 74
First packet time: 2020-11-14 11:02:45.010686
Last packet time: 2020-11-14 11:03:38.526727
However, this didn't change the timestamps at all. The packets from dns.pcap still had later timestamps, and the packets in the merged pcap were no longer listed in chronological order.
Since I wanted the requests in https.pcap, spanning a fraction of a second, to appear somewhere in the midst of the 25 seconds of DNS requests in dns.pcap, I needed to adjust the timestamps in https.pcap. The editcap command has a -t flag that shifts every timestamp in the file up or down by the specified number of seconds (fractional and negative values are allowed). In this case, I tried 40 seconds:
$ editcap -t 40 https.pcap https-modified.pcap
$ capinfos -ace https-modified.pcap
File name: https-modified.pcap
Number of packets: 66
First packet time: 2020-11-14 11:03:25.010686
Last packet time: 2020-11-14 11:03:25.657428
The packet times looked good: they would fall between the first packet time and the last packet time of dns.pcap. Now merging them should be simple:
$ mergecap -F pcap -w merged.pcap https-modified.pcap dns.pcap
$ capinfos -ace merged.pcap
File name: merged.pcap
Number of packets: 74
First packet time: 2020-11-14 11:03:13.113482
Last packet time: 2020-11-14 11:03:38.526727
It worked! When I examined the resulting pcap file in Wireshark, the first 2 DNS requests and replies were listed, followed by the HTTPS requests and replies, followed by the remaining 2 DNS requests and replies.
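The whole procedure above, capinfos to find each file's time span, editcap -t to shift one file and mergecap to interleave the two by timestamp, comes down to arithmetic on the 16-byte record headers of the classic pcap format. The following is an added example written for this page, not code from Wireshark or from the original post: a pure-Python re-implementation of what editcap -t and mergecap (without -a) do to a pcap file, so the timestamp mechanics are visible, and it goes beyond the hand-picked 40-second shift by computing the offset that centres one capture inside another. The two inputs are constructed stand-ins for https.pcap and dns.pcap (the same first and last timestamps, taken as UTC, a handful of packets, and label bytes in place of real Ethernet frames); every function and constant name in it is my own choice.

```python
"""What `editcap -t` and `mergecap` (without -a) do to a classic pcap file,
re-implemented in pure Python.  Example code for this page, not Wireshark's."""
import heapq
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4          # microsecond pcap, magic as read little-endian
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same file type written big-endian
LINKTYPE_ETHERNET = 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def ts_us(*ymdhmsu):
    """Wall-clock fields (taken as UTC) -> integer microseconds since the epoch."""
    return (datetime(*ymdhmsu, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1)

def fmt_ts(us):
    """Integer microseconds since the epoch -> the format capinfos prints."""
    return (EPOCH + timedelta(microseconds=us)).strftime("%Y-%m-%d %H:%M:%S.%f")

def build_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535, byteorder="<"):
    """Serialise [(ts_us, frame), ...]: 24-byte global header, then a 16-byte record
    header (ts_sec, ts_usec, incl_len, orig_len) before each frame.  Timestamps stay
    integer microseconds; a float would lose precision at epoch magnitude."""
    out = bytearray(struct.pack(byteorder + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, frame in packets:
        sec, usec = divmod(ts, 1_000_000)
        out += struct.pack(byteorder + "IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

def read_pcap(blob):
    """Parse either byte order -> (linktype, snaplen, [(ts_us, frame), ...]); refuses
    pcapng, nanosecond pcap and truncated files rather than guessing."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    bo = {PCAP_MAGIC: "<", PCAP_MAGIC_SWAPPED: ">"}.get(magic)
    if bo is None:
        raise ValueError(f"magic 0x{magic:08x} is not a microsecond pcap (pcapng? nanosecond pcap?)")
    snaplen, linktype = struct.unpack_from(bo + "II", blob, 16)
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, incl_len, _orig_len = struct.unpack_from(bo + "IIII", blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError(f"truncated frame data at offset {off}")
        packets.append((sec * 1_000_000 + usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, packets

def capinfos_ace(blob):
    """What `capinfos -ace` reports: (packet count, first ts_us, last ts_us)."""
    _, _, packets = read_pcap(blob)
    return len(packets), packets[0][0], packets[-1][0]

def shift_pcap(blob, delta_us):
    """`editcap -t` equivalent: add delta_us (negative allowed) to every timestamp."""
    linktype, snaplen, packets = read_pcap(blob)
    if packets and packets[0][0] + delta_us < 0:
        raise ValueError("shift would move the first packet before the epoch")
    return build_pcap([(ts + delta_us, f) for ts, f in packets], linktype, snaplen)

def merge_pcaps(*blobs):
    """`mergecap` (no -a) equivalent: interleave inputs by timestamp, assuming each input
    is already sorted, as mergecap does.  Classic pcap holds one link type per file."""
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"link types {sorted(linktypes)} cannot share one pcap file")
    merged = heapq.merge(*(p for _, _, p in parsed), key=lambda pkt: pkt[0])
    return build_pcap(list(merged), linktypes.pop(), max(s for _, s, _ in parsed))

def centering_delta_us(inner, outer):
    """Generalises the page's hand-picked `-t 40`: the offset that puts the midpoint
    of inner's time span on the midpoint of outer's, so inner lands inside outer."""
    _, i_first, i_last = capinfos_ace(inner)
    _, o_first, o_last = capinfos_ace(outer)
    return (o_first + o_last) // 2 - (i_first + i_last) // 2

def demo():
    """Constructed stand-ins for the page's https.pcap and dns.pcap: the same first and
    last timestamps, far fewer packets, and label bytes as placeholder frames."""
    https = build_pcap([(ts_us(2020, 11, 14, 11, 2, 45, us), lab) for us, lab in
                        [(10686, b"https-1"), (300000, b"https-2"), (657428, b"https-3")]])
    dns = build_pcap([(ts_us(2020, 11, 14, 11, 3, s, us), lab) for s, us, lab in
                      [(13, 113482, b"dns-q1"), (13, 140000, b"dns-r1"), (18, 0, b"dns-q2"),
                       (18, 30000, b"dns-r2"), (30, 0, b"dns-q3"), (30, 25000, b"dns-r3"),
                       (38, 500000, b"dns-q4"), (38, 526727, b"dns-r4")]])
    delta = centering_delta_us(https, dns)
    merged = merge_pcaps(shift_pcap(https, delta), dns)
    count, first, last = capinfos_ace(merged)
    order = [f.split(b"-")[0].decode() for _, f in read_pcap(merged)[2]]
    return delta, count, fmt_ts(first), fmt_ts(last), order

if __name__ == "__main__":
    delta, count, first, last, order = demo()
    print(f"shift {delta / 1e6:+.6f} s; {count} packets; first {first}; last {last}; order {' '.join(order)}")
```

Run stand-alone it reports a computed shift of +40.486047 s, 11 packets spanning the DNS file's first and last timestamps, and the order dns dns dns dns https https https dns dns dns dns, which is the interleaving the page reached by hand. Note that it only understands the classic microsecond pcap format that tcpdump -w writes and that the page's mergecap -F pcap forces; a pcapng file (Wireshark's default) is rejected at the magic check rather than misread.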