
Traffic Talk: Pcapr.net -- where Web 2.0 meets network packet analysis

Solution providers can improve customer networks with network packet analysis collaboration from Pcapr.net, a free packet collaboration site hosted by Mu Dynamics. Learn how to use Pcapr.net in this tip from Richard Bejtlich.


Solution provider takeaway: Pcapr.net is a free packet collaboration site hosted by Mu Dynamics. Solution providers can participate in the community to exchange, analyze and gather traces for testing products or processes for their customers, including network packet analysis.

Not many networking solution providers are happy with the apparently limited number of network traces available for testing their products or processes. Hardly a day goes by on a network-focused mailing list without a participant asking, "Where can I download network traffic to test X?" Fortunately for anyone who wants to take network traffic exchange to a new level, Mu Dynamics has answered the call. Its Pcapr.net site is the self-proclaimed "Web 2.0 for packets." In this edition of Traffic Talk, we'll take a tour of Pcapr.net to see what features it offers networking solution providers, including network packet analysis.

After creating an account at www.Pcapr.net and logging in, the user sees the following page.


One safe bet for finding an interesting trace is to select the "tags" link at the top of the page. As of the day this article was written, I was given the following options.


The tag "holidays" looks interesting. Selecting that small tag brings me to the following page.


Notice that Pcapr.net has the "http" and "tcp" tags applied next to the "proto" field. This means Pcapr.net has decoded the .pcap trace and found those two protocols inside. A user applied the "holidays" tag.

If we want to see the trace, we click on the "turkey-in-packets.pcap" link.


If I click the "Download" link and have my OS configured to launch Wireshark, I see the trace loaded once saved to my hard drive.


That's convenient, but it sort of misses the point of Pcapr.net. The website itself offers a great deal of interesting capability. For example, take a look at frame 4. I can hit the + button to get a header-by-header breakdown of the frame. If I click on the "GET" statement, I can now see the packet at the bottom of the screen.


Now I also have "Select," "Delete," and "Actions" drop-down boxes in two locations. I select the "Reassemble" option in either of the "Actions" drop-downs to get the following.


Now Pcapr.net is viewing the trace as a "Stream," with "request" and "response" sides of the conversation available. Because the "response" is larger (since it appears to be a reply from a GET request to a Web server), I select that. Only part of the file is shown next.


The file looks like a GIF image. Returning to the "Actions" drop-down on the same page, I select the "Content" option, yielding the following.


I chose the "view in browser" option to get the following.

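The steps above (reassemble the TCP stream, separate the HTTP request from the response, look at the response body and recognize it as a GIF) are exactly what a tool has to do under the hood. The following Python program is an added example written for this article, not code from Pcapr.net or Mu Dynamics. It constructs a small libpcap file inline (the addresses, ports, sequence numbers and the tiny GIF payload are all made up for the demonstration), reassembles each direction of the TCP conversation by sequence number while discarding a retransmitted segment, parses the HTTP response and compares the declared Content-Type against the body's magic bytes. That last comparison is the check a defender wants: a body whose real type disagrees with the header is worth a second look.

```python
"""Added example: reassemble a TCP stream from a libpcap file and extract the HTTP object it carries.
Standard library only. The capture is constructed inline; it is not a real trace."""
import struct
from collections import defaultdict

# Constructed endpoints for the sample capture (assumption, not from any real trace).
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"

def ip2b(addr):
    return bytes(int(o) for o in addr.split("."))

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II / IPv4 / TCP frame. Checksums are left zero because we only parse offline."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip2b(src), ip2b(dst))
    return eth + ip + tcp

def pcap_file(frames):
    """Wrap frames in the classic little-endian libpcap container (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_pcap(data):
    """Yield raw frames from a classic libpcap file, honouring either byte order."""
    magic, = struct.unpack("<I", data[:4])
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic libpcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return (flow_key, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    if ip[9] != 6 or total_len - ihl < 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[data_off:]

def reassemble(pcap_bytes):
    """One (bytes, holes) pair per unidirectional flow, stitched in sequence-number order.
    Retransmitted or overlapping segments are trimmed so no byte is delivered twice; a missing
    segment is counted as a hole so the caller knows the stream is incomplete.
    (Sequence-number wraparound is not handled; fine for a short demonstration capture.)"""
    segments = defaultdict(list)
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments[key].append((seq, payload))
    streams = {}
    for key, segs in segments.items():
        buf, expected, holes = bytearray(), None, 0
        for seq, payload in sorted(segs):
            if expected is None:
                expected = seq
            if seq < expected:                  # overlap or pure retransmission
                payload = payload[expected - seq:]
                seq = expected
            if seq > expected:                  # gap: a segment was never captured
                holes += 1
            buf += payload
            expected = seq + len(payload)
        streams[key] = (bytes(buf), holes)
    return streams

def parse_http_response(stream):
    """Split a server-side stream into (status line, headers, body); None if it is not a response."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return lines[0].decode("latin-1"), headers, body

# File-type signatures used to check what the body really is, regardless of what the header says.
MAGIC = [(b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"\xff\xd8\xff", "image/jpeg"), (b"%PDF-", "application/pdf"), (b"MZ", "application/x-dosexec")]

def sniff(body):
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return "application/octet-stream"

def extract_http_objects(pcap_bytes):
    """Every HTTP response in the capture, with declared vs. sniffed content type."""
    results = []
    for key, (data, holes) in reassemble(pcap_bytes).items():
        resp = parse_http_response(data)
        if resp is None:
            continue
        status, headers, body = resp
        results.append({"server": ".".join(map(str, key[0])), "status": status,
                        "declared": headers.get("content-type", ""), "sniffed": sniff(body),
                        "body": body, "holes": holes})
    return results

def sample_capture():
    """Constructed capture: one GET, then the reply delivered out of order with one retransmission."""
    gif = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x2c" + b"\x00" * 9 + b"\x02\x02D\x01\x00;"
    response = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: %d\r\n\r\n" % len(gif) + gif
    request = b"GET /turkey.gif HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    cseq, sseq, ack = 1000, 5000, 1000 + len(request)
    a, b, c = response[:20], response[20:40], response[40:]
    frames = [tcp_frame(CLIENT, SERVER, 40000, 80, cseq, sseq, 0x18, request),   # PSH|ACK
              tcp_frame(SERVER, CLIENT, 80, 40000, sseq + 20, ack, 0x18, b),      # arrives first
              tcp_frame(SERVER, CLIENT, 80, 40000, sseq, ack, 0x18, a),
              tcp_frame(SERVER, CLIENT, 80, 40000, sseq, ack, 0x18, a),           # retransmission
              tcp_frame(SERVER, CLIENT, 80, 40000, sseq + 40, ack, 0x18, c)]
    return pcap_file(frames)

if __name__ == "__main__":
    for obj in extract_http_objects(sample_capture()):
        flag = "" if obj["declared"] == obj["sniffed"] else "  <-- type mismatch"
        print(obj["server"], obj["status"], obj["declared"], obj["sniffed"], len(obj["body"]), flag)
```

To run it against a real capture, replace `sample_capture()` with the contents of a .pcap file read in binary mode; the parser understands only the classic libpcap container with Ethernet framing (no pcapng, no VLAN tags), which is what Wireshark's "Save As... libpcap" produces.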

That's cool -- we can extract content from .pcap files using a Web app. Let me show one other aspect of Pcapr.net. Recently, I wrote a rule for a Snort user and posted it to Sourcefire's Snort forum at http://forums.snort.org/forums/rules/topics/incoming-connection-to-windows-workstation#post_56654. The post mentioned looking for "smb.nt_status." That is a reference to a specific Wireshark field. Because Pcapr.net relies on Wireshark to parse traces and exposes those fields to users, we can take advantage of this to find traces of interest.

For example, visit http://www.Pcapr.net/browse/fields. We know "smb.nt_status" is in the SMB protocol filter, so we select "S" and then "SMB" to see the following webpage.


Personally, I think this screen alone is very helpful. Instead of working through Wireshark's GTK-rendered, unsorted protocol listing, we can scroll through a webpage with an alphabetical listing of SMB fields. Scrolling down and selecting smb.nt_status brings us to the following page. I reproduced it below with the URL bar to show that, if you know the Wireshark field of interest, you can visit it directly via URL.


Every trace in this list is certain to contain the smb.nt_status field. I can download them or simply inspect them in Pcapr.net, according to my needs.

I've only scratched the surface of Pcapr.net. Beyond browsing and reading traces, users are strongly encouraged to contribute what they can. For more information on Pcapr.net, keep an eye on the Mu Dynamics blog (http://labs.mudynamics.com/category/Pcapr/) and its Google Group (http://groups.google.com/group/Pcapr-forum).

Richard Bejtlich is director of incident response for General Electric and author of the TaoSecurity blog.


This was last published in March 2010
