
Traffic Talk: -- where Web 2.0 meets network packet analysis

Solution providers can improve customer networks with network packet analysis collaboration from , a free packet collaboration site hosted by Mu Dynamics. Learn how to use it in this tip from Richard Bejtlich.


Solution provider takeaway: is a free packet collaboration site hosted by Mu Dynamics. Solution providers can participate in the community to exchange, analyze and gather traces for testing products or processes for their customers, including network packet analysis.

Not many networking solution providers are happy with the apparently limited number of network traces available for testing their products or processes. Hardly a day goes by on a network-focused mailing list without a participant asking, "Where can I download network traffic to test X?" Fortunately for anyone who wants to take network traffic exchange to a new level, Mu Dynamics has answered the call. Its site is the self-proclaimed "Web 2.0 for packets." In this edition of Traffic Talk, we'll take a tour of to see what features it offers networking solution providers, including network packet analysis.

After creating an account at and logging in, the user sees the following page.


One safe bet for finding an interesting trace is to select the "tags" link at the top of the page. As of the day this article was written, I was given the following options.


The tag "holidays" looks interesting. Selecting that small tag brings me to the following page.


Notice that has the "http" and "tcp" tags applied next to the "proto" field. This means has decoded the .pcap trace and found those two protocols inside. A user applied the "holidays" tag.

If we want to see the trace, we click on the "turkey-in-packets.pcap" link.


If I click the "Download" link and have my OS configured to launch Wireshark, I see the trace loaded once saved to my hard drive.


That's convenient, but it sort of misses the point of The website itself offers a great deal of interesting capability. For example, take a look at frame 4. I can hit the + button to get a header-by-header breakdown of the frame. If I click on the "GET" statement, I can now see the packet at the bottom of the screen.


Now I also have "Select," "Delete," and "Actions" drop-down boxes in two locations. I select the "Reassemble" option in either of the "Actions" drop-downs to get the following.


Now is viewing the trace as a "Stream," with "request" and "response" sides of the conversation available. Because the "response" is larger (since it appears to be a reply from a GET request to a Web server), I select that. Only part of the file is shown next.


The file looks like a GIF image. Returning to the "Actions" drop-down on the same page, I select the "Content" option, yielding the following.


I chose the "view in browser" option to get the following.

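The same two steps the web app performed above, "Reassemble" and then "Content", can be reproduced against a raw .pcap. The Python below is an added example, not code from this article or from Mu Dynamics: with the standard library only it walks a libpcap file, puts each direction's TCP segments back in sequence-number order (including a segment captured out of order), splits the HTTP response into status line and body, and labels the body by its GIF magic bytes. The capture it parses is constructed inline; the addresses, the host example.test and the path /turkey.gif are made up.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero) for the sample capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Constructed libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def tcp_streams(pcap):
    """Walk the records, keep IPv4/TCP payloads per direction, and order them by sequence number."""
    segments, off = defaultdict(dict), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4/TCP
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:  # first copy of a sequence number wins, so retransmissions are ignored
            segments[(ip[12:16], sport, ip[16:20], dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segments.items()}

def http_response_body(stream):
    """Split the status line and headers from the body, and label the body by its magic bytes."""
    head, _, body = stream.partition(b"\r\n\r\n")
    kind = "gif" if body.startswith(b"GIF8") else "unknown"
    return head.split(b"\r\n")[0].decode(), kind, body

def demo():
    """Constructed exchange: a GET, then a GIF response whose two segments are captured out of order."""
    client, server = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + b"GIF89a" + b"\x01\x00\x01\x00\x00" * 2
    frames = [
        build_frame(client, server, 40000, 80, 1, b"GET /turkey.gif HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame(server, client, 80, 40000, 31, resp[30:]),  # tail of the response arrives first
        build_frame(server, client, 80, 40000, 1, resp[:30]),
    ]
    streams = tcp_streams(build_pcap(frames))
    return http_response_body(streams[(server, 80, client, 40000)])
```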

That's cool -- we can extract content in .pcap files using a Web app. Let me show one other aspect of Recently, I wrote a rule for a Snort user and posted it to Sourcefire's Snort forum at The post mentioned looking for "smb.nt_status." That is a reference to a specific Wireshark field. Because relies on Wireshark to parse traces and exposes those fields to users, we can take advantage of this to find traces of interest.

For example, visit We know "smb.nt_status" is in the SMB protocol filter, so we select "S" and then "SMB" to see the following webpage.


Personally, I think this screen alone is very helpful. Instead of working through Wireshark's GTK-rendered, unsorted protocol listing, we can scroll through a webpage with an alphabetical listing of SMB fields. Scrolling down and selecting smb.nt_status brings us to the following page. I reproduced it below with the URL bar to show that, if you know the Wireshark field of interest, you can visit it directly via URL.


With these traces to choose from, I'm sure they have the smb.nt_status field present. I can download them or just inspect them in, according to my needs.

I've only scratched the surface of Beyond browsing and reading traces, users are strongly recommended to contribute what they can. For more information on, keep an eye on the Mu Dynamics blog ( and its Google Group (
Richard Bejtlich is director of incident response for General Electric and author of the TaoSecurity blog.
