Menu Close

Category: Analyzers

Using tcpdump for SIP diagnostics

TCPdump is a powerful command-line packet analyzer, which may be used for a SIP message sniffing/analyzing. TCPdump is preinstalled on many linux distributions, or may be installed directly from debian repository:

apt-get install tcpdump

TCPdump allows write sniff to a file or display it realtime. Its usage for SIP message analysis may look like:

Forensic analytic tools

Forensic analytic tools

  • Author : Tomáš Mokoš

NetworkMiner

NetworkMiner is a Network forensic analysis tool (NFAT) for Windows operating systems. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. NetworkMiner’s primary purpose is collection of data regarding network hosts, rather than data regarding network traffic. In addition to direct file capture, NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. This function can be used for extraction and archiving of media files transferred through the network. Supported file extraction protocols are FTP, SMB and HTTP. Extracted user credentials (username and password) for supported protocols can be found in the Credentials tab. Other useful features include keyword search in the captured/archived data and Nmap MAC vendor lookup.

Xplico

Xplico is an open-source NFAT. The goal of Xplico is the extraction of application data contained in a capture sample of Internet traffic. For example, Xplico can export all e-mails (POP, IMAP and SMTP), HTTP contents, VoIP calls, FTP and TFTP files, etc.

Elastic Stack

Elastic Stack provides reliable and safe transfer of data of any format from any source and real-time searching analysis and visualization. Elastic Stack consists of Kibana, Elasticsearch, Beats and Logstash. Elasticsearch is a search and analytics engine. Beats is a dta gathering platform. Logstash is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch. Kibana lets users visualize data with charts and graphs in Elasticsearch.

Sguil

Sguil is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, BSD, Solaris, MacOS, and Win32).

Sources:

  • CRZP Komplexný systém pre detekciu útokov a archiváciu dát – Moloch

Moloch – Specification of system load monitoring tools

Specification of system load monitoring tools

  • Authors : Tomáš Mokoš, Marek Brodec

Nload

Version : 0.7.4

Nload is a console application which monitors network traffic and bandwidth usage in real time. The gathered statistics are displayed in two separate graphs (one for uplink and one for downlink). Nload also provides detailed information about the total amount of transferred data and average, minimum and maximum transfer rate. We used this application in its simplest mode – Nload interface. There are, however, many different display options and additional configuration options you can read about in the application’s man page – $ man nload.

Installation:

  • download the package
apt-get install nload 

Use:

  • run on interface enp0s9
nload enp0s9 

Abort: Ctrl+c or “q”

NLoad

Iftop

Version : 1.25

Iftop is an application which monitors network traffic on a specified interface or, if no interface is specified, on the first interface it manages to find. Current bandwidth usage data is displayed as a table in pairs of inbound and outbound communication. Again, it is possible to expand usage with command options found in the application’s man page – $ man iftop.

Installation:

  • download the package
apt-get install iftop 

Use:

  • run on interface enp0s9 in promiscuous mode (-p), we want to monitor an interface with mirrored traffic coming through, therefore we also want to capture packets whose destination IP address is not our own or a broadcast address.
iftop -i enp0s9 -p  

Iftop

Bigdesk

Version : 2.5.0

Bigdesk is the simplest plugin available, that can make monitoring what Elasticsearch is doing at the time, much easier.

Plugin installation consists of several steps:

  • go to elasticsearch directory
cd /data/moloch/elasticsearch-2.4.0/bin  
  • install the plug-in itself while ignoring user access rules (-b) and displaying installation progress on terminal (-v)
./plugin install https://github.com/lukas-vlcek/bigdesk/archive/master.zip -v -b 
  • access the plugin using IP address and port where, depending on configuration, the Elasticsearch cluster is running.

http://IP_adress:port_number/_plugin/bigdesk/

Graph illustration, where the allocated amount of RAM for Elasticsearch and the amount used in the past 5 minutes is displayed. This interval can be changed from the past 10 seconds up to 1 hour, the graph refresh interval can be changed from 1 second up to 30 seconds.

Bigdesk1

In the following illustration, CPU and RAM usage can be seen, in this instance, it is the overall load caused by all processes, not just the instance of Elasticsearch. Since we have turned swapping off during Moloch installation, the respective graph is empty.

Bigdesk2

The last illustration displays miscellaneous search and data indexing statistics as both numbers and time units.

Bigdesk3

Head

Version : 0.1.3

Head is a front-end API that enables browsing and interacting with the Elasticsearch cluster. It also makes Elasticsearch status available for viewing and enables work with the individual daily index batches.

There are several alternatives for plug-in installation, two of the most common are listed down below:

  • download and install plugin repository
git clone git://github.com/mobz/elasticsearch-head.git 
  • go to installation directory
cd elasticsearch-head  
  • run installation
npm install 
  • start the plug-in
npm run start  
  • access the plugin using IP address and port where, depending on configuration, the Elasticsearch cluster is running.

http://IP_address:port_number/_plugin/head/

Alternatively:

  • install the plug-in itself
sh /data/moloch/elasticsearch-2.4.0/bin/plugin install mobz/elasticsearch-head 
  • access the plug-in using IP address and port where, depending on configuration, the Elasticsearch cluster is running.

http://IP_address:port_number/_plugin/head/

Head

Bigdesk and Elasticsearch Head plugins are not working since Elasticsearch 5.x, because of change in Elasticsearch database architecture.

Sources

  • Report Projekt 1-2 – Marek Brodec