Combining pcap (packet capture) files

Motivation: I wanted to combine 2 or more packet capture, or pcap, files in order to create an example:

  • One that contains just malicious (or simulated malicious) network traffic
  • Another that contains legitimate, non-malicious network traffic

Many example packet capture files focus either specifically on malware, exploits, C2 traffic, etc. (like Security Onion’s list of PCAPs for Testing) or on examples of legitimate traffic (like Wireshark’s Sample Captures). I wanted to create an example that would interweave such sources and intersperse malicious and legitimate traffic, as they would typically occur concurrently.

In addition to tcpdump, there are three CLI tools provided by Wireshark that I used to help accomplish this:

  • capinfos – provides high-level data about a packet capture file
  • mergecap – combines 2 or more packet capture files
  • editcap – modifies packet details, such as timestamps, in a packet capture file

At first I thought mergecap alone would be sufficient, but I wanted the packets from the various source pcaps to overlap so that malicious and legitimate network traffic would be intermingled. However, the mergecap documentation indicates that the timestamps will be preserved:

Packets from the input files are merged in chronological order based on each frame’s timestamp, unless the -a flag is specified. Mergecap assumes that frames within a single capture file are already stored in chronological order. When the -a flag is specified, packets are copied directly from each input file to the output file, independent of each frame’s timestamp.

To accomplish what I wanted, I needed to edit the timestamps in the pcap files. Fortunately, editcap can do this. As a proof-of-concept, I created 2 simple pcap files using tcpdump:

First, I created https.pcap:

In one terminal:

sudo tcpdump -i eth0 -nn -w https.pcap host 216.154.220.53

In another terminal:

curl https://osric.com/chris/accidental-developer/

Next, I created dns.pcap:

In one terminal:

sudo tcpdump -i eth0 -nn -w dns.pcap host 8.8.8.8

In another terminal:

dig @8.8.8.8 virustotal.com
dig @8.8.8.8 hybrid-analysis.com
dig @8.8.8.8 threatpost.com
dig @8.8.8.8 sans.org

I examined the details of the 2 files using capinfos:

$ capinfos -ace https.pcap dns.pcap 
File name:           https.pcap
Number of packets:   66
First packet time:   2020-11-14 11:02:45.010686
Last packet time:    2020-11-14 11:02:45.657428

File name:           dns.pcap
Number of packets:   8
First packet time:   2020-11-14 11:03:13.113482
Last packet time:    2020-11-14 11:03:38.526727

Using mergecap at this point worked, but since all the packets in https.pcap precede chronologically those in dns.pcap, mergecap will respect the timestamps and order them accordingly:

$ mergecap -F pcap -w merged.pcap https.pcap dns.pcap
$ capinfos -ace merged.pcap 
File name:           merged.pcap
Number of packets:   74
First packet time:   2020-11-14 11:02:45.010686
Last packet time:    2020-11-14 11:03:38.526727

With the -a flag, mergecap ignores the timestamps and concatenates the files in the order given on the command line, so the packets in dns.pcap are listed first:

$ mergecap -F pcap -a -w merged.pcap dns.pcap https.pcap 
$ capinfos -ace merged.pcap 
File name:           merged.pcap
Number of packets:   74
First packet time:   2020-11-14 11:02:45.010686
Last packet time:    2020-11-14 11:03:38.526727

However, this didn’t change the timestamps at all. The packets from dns.pcap still had later timestamps, and the packets in the pcap were no longer listed in chronological order.

Since I wanted the requests in https.pcap, spanning a fraction of a second, to appear somewhere in the midst of the 25 seconds of DNS requests in dns.pcap, I needed to adjust the timestamps in https.pcap. The editcap command has a -t flag that can be used to adjust the timestamps up or down by the specified number of seconds (including fractional seconds). In this case, I tried 40 seconds:

$ editcap -t 40 https.pcap https-modified.pcap
$ capinfos -ace https-modified.pcap 
File name:           https-modified.pcap
Number of packets:   66
First packet time:   2020-11-14 11:03:25.010686
Last packet time:    2020-11-14 11:03:25.657428

The packet times looked good: they would fall between the first packet time of dns.pcap and the last packet time of dns.pcap. Now merging them should be simple:

$ mergecap -F pcap -w merged.pcap https-modified.pcap dns.pcap 
$ capinfos -ace merged.pcap 
File name:           merged.pcap
Number of packets:   74
First packet time:   2020-11-14 11:03:13.113482
Last packet time:    2020-11-14 11:03:38.526727

It worked! When I examined the resulting pcap file in Wireshark, the first 2 DNS requests and replies were listed, followed by the HTTPS requests and replies, followed by the remaining 2 DNS requests and replies.
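
The same shift-and-merge done at the file-format level, as an added example that is not part of the original post: it parses classic little-endian, microsecond-resolution pcap bytes, applies a fixed offset as editcap -t does, and interleaves by timestamp as mergecap does without -a. The function names, the constructed sample captures and the centering_offset helper (which computes the offset instead of picking 40 seconds by hand) are assumptions for illustration; both inputs are assumed to share one link type.

```python
import heapq
import struct

FILE_HDR = struct.Struct("<IHHiIII")  # magic, version, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
MAGIC = 0xA1B2C3D4                    # classic pcap, little-endian, microsecond timestamps

def read_pcap(blob):
    """Return (linktype, [(ts_usec, orig_len, frame), ...]) from classic pcap bytes."""
    magic, *_, linktype = FILE_HDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, pos = [], FILE_HDR.size
    while pos < len(blob):
        sec, usec, incl, orig = REC_HDR.unpack_from(blob, pos)
        pos += REC_HDR.size
        packets.append((sec * 1_000_000 + usec, orig, blob[pos:pos + incl]))
        pos += incl
    return linktype, packets

def write_pcap(linktype, packets, snaplen=262144):
    out = [FILE_HDR.pack(MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts, orig, frame in packets:
        out.append(REC_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(frame), orig) + frame)
    return b"".join(out)

def shift(packets, offset_usec):
    """What `editcap -t` does: move every timestamp by one fixed offset."""
    return [(ts + offset_usec, orig, frame) for ts, orig, frame in packets]

def centering_offset(inner, outer):
    """Offset in usec that moves the midpoint of `inner` onto the midpoint of `outer`."""
    mid = lambda p: (p[0][0] + p[-1][0]) // 2
    return mid(outer) - mid(inner)

def merge(a, b):
    """What mergecap does without -a: interleave sorted captures by timestamp."""
    return list(heapq.merge(a, b, key=lambda p: p[0]))

def demo():
    base = 1_600_000_000 * 1_000_000  # constructed capture start, in usec
    pkt = lambda ts, tag: (ts, len(tag), tag)
    https = write_pcap(1, [pkt(base + i * 200_000, b"H%d" % i) for i in range(4)])
    dns = write_pcap(1, [pkt(base + s * 1_000_000 + r * 50_000, b"D%d" % s)
                         for s in (28, 36, 45, 53) for r in (0, 1)])
    (linktype, h), (_, d) = read_pcap(https), read_pcap(dns)
    offset = centering_offset(h, d)
    out = write_pcap(linktype, merge(shift(h, offset), d))
    return offset, [frame[:1] for _, _, frame in read_pcap(out)[1]]
```

demo() builds a 0.6-second "HTTPS" burst and a 25-second "DNS" capture laid out like the two files above, and returns the computed offset in microseconds plus the packet order after merging.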
