styleopk.blogg.se

Carve file from pcap wireshark command line

I am currently working on the latest Malware Traffic Analysis exercise, located here, titled “ – TRAFFIC ANALYSIS EXERCISE – ALERTS ON 3 DIFFERENT HOSTS”.

In a couple of previous posts, Here and Here, I showed how we can travel back and forth between Wireshark and a hex editor using the time stamps. Using this method I was able to extract just the packets for the IP address I wanted into a new pcap file, so I could work on just that IP. I used the command line to run TShark with this command to extract just the packets with the chosen IP address. What this command does is launch tshark with (-2) two-pass analysis, (-R) a read filter of "ip.addr==192.168.122.130", lower-case (-r) for the input pcap file to read, and lower-case (-w) for the output file to write. Note: the "-2" has to be there in the current version or it throws an error telling you it needs to be there, and remember to put double quotes around your file paths.

If we take a packet in the original pcap, find the exact bytes minus the 8 bytes for the time stamp, and open them up in a hex editor, then we see this. That tells me it is still using a timestamp, but how? I could not find the timestamp in the normal Wireshark-converted form, but if you open the original pcap file and the TShark-extracted pcap file in Wireshark and set the IP filter on the original file, they still line up on the date/time stamps. The problem came in when I tried to look in the hex editor for a timestamp converted from epoch to hex, like I have in the other post.
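The tshark command described above works on the pcap file format, so the following added example (written for this page, not code from the original post or from the Wireshark project) reimplements that filter step in Python: it parses the classic pcap global header and the 16-byte per-record header, keeps only Ethernet/IPv4 frames whose source or destination is the chosen address, and writes a new pcap. Doing it by hand is also what makes the 8-byte time stamp visible: it is stored at the start of every record header as two little-endian 32-bit integers, seconds and microseconds since the epoch, and those bytes are copied unchanged into the filtered file. The three-packet capture is constructed in memory, and the function names and the in.pcap/out.pcap file names are this example's own. One practical caveat: recent tshark versions write pcapng rather than classic pcap with -w unless you add -F pcap, and pcapng records do not use this 16-byte header, so a hex search based on the classic layout will not match in such a file.

```python
"""Filter a classic pcap by IP address, the step tshark performs for
tshark -2 -R "ip.addr==192.168.122.130" -r "in.pcap" -w "out.pcap"
(file names are placeholders). Everything here is a constructed example."""
import socket
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4     # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len (16 bytes)


def build_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame_bytes) -> little-endian pcap bytes."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(RECORD_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_records(data):
    """Yield (ts_sec, ts_usec, frame) for each record of a little-endian classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng/big-endian not handled)")
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def ipv4_addrs(frame):
    """(src, dst) of an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def filter_pcap_by_ip(data, ip):
    """Equivalent of the display filter ip.addr==<ip>: keep frames where src or dst matches.
    Returns (new_pcap_bytes, kept_count); record headers (timestamps) are copied unchanged."""
    kept = []
    for ts_sec, ts_usec, frame in iter_records(data):
        addrs = ipv4_addrs(frame)
        if addrs and ip in addrs:
            kept.append((ts_sec, ts_usec, frame))
    return build_pcap(kept), len(kept)


def record_timestamp_hex(data, index):
    """Hex of the 8 timestamp bytes of record `index`, as they appear in a hex editor."""
    for i, (ts_sec, ts_usec, _frame) in enumerate(iter_records(data)):
        if i == index:
            return struct.pack("<II", ts_sec, ts_usec).hex(" ")
    raise IndexError(index)


def epoch_seconds(ts_sec, ts_usec):
    """Wireshark's absolute time column is just ts_sec + ts_usec / 1e6."""
    return ts_sec + ts_usec / 1_000_000


def make_frame(src_ip, dst_ip, payload=b"\x00" * 8):
    """Constructed Ethernet + minimal IPv4 header (UDP protocol number, checksum zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


# Constructed three-packet capture; only the first and third involve the chosen host.
SAMPLE_PCAP = build_pcap([
    (1474000000, 123456, make_frame("192.168.122.130", "10.0.0.1")),
    (1474000001, 0, make_frame("10.0.0.2", "10.0.0.3")),
    (1474000002, 500, make_frame("10.0.0.1", "192.168.122.130")),
])

if __name__ == "__main__":
    filtered, n = filter_pcap_by_ip(SAMPLE_PCAP, "192.168.122.130")
    print(f"kept {n} of 3 records; first record timestamp bytes: {record_timestamp_hex(filtered, 0)}")
    for ts_sec, ts_usec, _ in iter_records(filtered):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(epoch_seconds(ts_sec, ts_usec))))
```

To compare against a real tshark run, pass the bytes of a classic-format capture (tshark -F pcap) to filter_pcap_by_ip and write the returned bytes to a file; opening both in Wireshark should show the same packets with the same absolute times, because the record headers are preserved byte for byte.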