Difference between revisions of "Network Traffic Analysis Tools"
From Hack Sphere Labs Wiki
Revision as of 07:39, 2 April 2013
tcpxtract
- http://taosecurity.blogspot.com/2006/01/network-forensic-traffic.html
chaosreader
- http://www.blackbytes.info/2012/01/four-ways-to-extract-files-from-pcaps/
wireshark
- https://www.wireshark.org/docs/man-pages/dumpcap.html
- http://wiki.wireshark.org/KnownBugs/OutOfMemory?action=AttachFile&do=view&target=Using+Wireshark+to+Create+Network-Usage+Baselines.pdf
xplico
- http://www.xplico.org/download
- http://www.darknet.org.uk/2009/08/xplico-network-forensic-analysis-tool/
Install
yaourt xplico
- Configure PHP following the Arch wiki: https://wiki.archlinux.org/index.php/LAMP#PHP
sudo nano /etc/php/php.ini
- Also enable:
extension=pdo_sqlite.so
- Configure httpd
sudo nano -w /etc/httpd/conf/httpd.conf
- Add this to the end:
Include conf/extra/httpd-xplico.conf
- Start or restart Apache
sudo systemctl start httpd
or
sudo systemctl restart httpd
- Interface documentation: http://wiki.xplico.org/doku.php?id=interface
- Navigate to 127.0.0.1:9876
- Default admin user/pass: admin/xplico
- Default normal user/pass: xplico/xplico (change both defaults after the first login)
Notes
- Test the PHP config:
php -v
- If you are using a newer PHP version: in PHP 5.4, E_STRICT is part of E_ALL. In Cake 1.3, open /cake/bootstrap.php and change the error_reporting line like this:
error_reporting(E_ALL & ~E_STRICT & ~E_DEPRECATED);
- php5-sqlite
- Blank page at login: http://wiki.xplico.org/doku.php?id=faq#why_xplico_has_blank_page_at_login
- a2enmod not installed?
- Need to link these instructions: https://aur.archlinux.org/packages/xplico/
I can get the software to start and load the web interface; it seems like everything is running, but I cannot get it to accept uploaded pcap files. If you use the command-line utilities and import the data, it seems to work fine.
For starting Xplico, please choose one of these options as root:
- a) If you are using the Ubuntu/Debian package, run: "/etc/init.d/xplico start"
- b) Run: "/opt/xplico/script/sqlite_demo.sh"
dsniff
Notes
- https://isc.sans.edu/diary/Tools+for+extracting+files+from+pcaps/6961
- Split pcap files into chunks of 100000 packets each (editcap takes its options before the input and output file names; the output files are named after split.pcap with a sequence number appended):
editcap -c 100000 packetcapture.cap split.pcap
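As an added example (not from the wiki, and not editcap's own code), the following stdlib-only Python script does for classic libpcap files what `editcap -c` does: it parses the 24-byte global header and the 16-byte per-record headers, writes the global header again at the start of every chunk so each output file is a valid capture on its own, handles both byte orders and the nanosecond-timestamp magic, and refuses a truncated record rather than silently emitting a bad file. The sample capture it builds is constructed, not real traffic, and the function and file names (`split_pcap`, `split_file`, `make_sample_pcap`) are my own.

```python
"""Split a classic libpcap (.pcap) file into chunks of N packets.

Added example, not part of the wiki page: a stdlib-only equivalent of
`editcap -c N in.pcap out.pcap`. pcapng files are not handled.
"""
import struct
import sys
from pathlib import Path

# Classic pcap magic numbers: microsecond and nanosecond timestamp variants,
# in either byte order (whichever the capturing host wrote).
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, usec timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, usec timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nsec timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nsec timestamps
}

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def iter_records(data: bytes):
    """Yield (record_header, packet_bytes) for every record in a pcap blob.

    Raises ValueError on an unknown magic or a record that runs past the end
    of the data, which is what you want on a capture cut off mid-write.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file is shorter than the pcap global header")
    order = _MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        hdr = data[off:off + RECORD_HDR_LEN]
        # incl_len is the number of bytes actually saved for this packet.
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", hdr)
        start = off + RECORD_HDR_LEN
        end = start + incl_len
        if end > len(data):
            raise ValueError(f"truncated packet data at offset {start}")
        yield hdr, data[start:end]
        off = end


def split_pcap(data: bytes, per_file: int) -> list:
    """Return a list of complete pcap files, each holding at most per_file packets.

    Every chunk starts with a copy of the original global header, so the
    snaplen and link type are preserved and each chunk opens in any pcap tool.
    """
    if per_file <= 0:
        raise ValueError("per_file must be positive")
    global_hdr = data[:GLOBAL_HDR_LEN]
    chunks, current, count = [], [global_hdr], 0
    for hdr, pkt in iter_records(data):
        current += [hdr, pkt]
        count += 1
        if count == per_file:
            chunks.append(b"".join(current))
            current, count = [global_hdr], 0
    if count:
        chunks.append(b"".join(current))
    return chunks


def split_file(src: str, dst_prefix: str, per_file: int) -> list:
    """Write chunks as <dst_prefix>_00000.pcap, <dst_prefix>_00001.pcap, ..."""
    data = Path(src).read_bytes()
    paths = []
    for i, chunk in enumerate(split_pcap(data, per_file)):
        path = Path(f"{dst_prefix}_{i:05d}.pcap")
        path.write_bytes(chunk)
        paths.append(path)
    return paths


def make_sample_pcap(n_packets: int) -> bytes:
    """Constructed test input (not real traffic): little-endian, usec
    timestamps, link type 1 (Ethernet), n tiny dummy frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [hdr]
    for i in range(n_packets):
        payload = bytes([i % 256]) * (14 + i % 5)   # dummy frame, varying length
        out.append(struct.pack("<IIII", 1364888340 + i, 0, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


if __name__ == "__main__":
    # Usage: python split_pcap.py packetcapture.cap split 100000
    src, prefix, n = sys.argv[1], sys.argv[2], int(sys.argv[3])
    for p in split_file(src, prefix, n):
        print(p)
```

Run as `python split_pcap.py packetcapture.cap split 100000` to mirror the editcap command above. Reassembling the chunks is just the first chunk followed by the others with their global headers stripped, which is a quick way to verify that nothing was dropped.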