Solution provider takeaway: Pcapr.net is a free packet collaboration site hosted by Mu Dynamics. Solution providers can participate in the community to exchange, analyze and gather traces for testing products or processes for their customers, including network packet analysis.
Few networking solution providers are happy with the limited number of network traces publicly available for testing their products or processes. Hardly a day goes by on a network-focused mailing list without a participant asking, "Where can I download network traffic to test X?" Fortunately for anyone who wants to take network traffic exchange to a new level, Mu Dynamics has answered the call. Its Pcapr.net site is the self-proclaimed "Web 2.0 for packets." In this edition of Traffic Talk, we'll take a tour of Pcapr.net to see what features it offers networking solution providers, including network packet analysis.
After creating an account at www.Pcapr.net and logging in, the user sees the following page.
One safe bet for finding an interesting trace is to select the "tags" link at the top of the page. As of the day this article was written, I was given the following options.
The tag "holidays" looks interesting. Selecting that small tag brings me to the following page.
Notice that Pcapr.net has the "http" and "tcp" tags applied next to the "proto" field. This means Pcapr.net has decoded the .pcap trace and found those two protocols inside. A user applied the "holidays" tag.
If we want to see the trace, we click on the "turkey-in-packets.pcap" link.
If I click the "Download" link, the .pcap is saved to my hard drive; with my OS configured to open .pcap files in Wireshark, the trace loads there as shown.
That's convenient, but it sort of misses the point of Pcapr.net. The website itself offers a great deal of interesting capability. For example, take a look at frame 4. I can hit the + button to get a header-by-header breakdown of the frame. If I click on the "GET" statement, I can now see the packet at the bottom of the screen.
Now I also have "Select," "Delete," and "Actions" drop-down boxes in two locations. I select the "Reassemble" option in either of the "Actions" drop-downs to get the following.
Now Pcapr.net is viewing the trace as a "Stream," with the "request" and "response" sides of the conversation available. Because the "response" side is larger (it appears to be a Web server's reply to the GET request), I select it. Only part of the file is shown next.
The file looks like a GIF image. Returning to the "Actions" drop-down on the same page, I select the "Content" option, yielding the following.
I chose the "view in browser" option to get the following.
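To make concrete what Pcapr.net did in the last few screens (decode the trace to tag its protocols, put the TCP segments back into a stream, carve the response body out and identify it), here is an added Python example, written for this article rather than taken from Pcapr.net or Mu Dynamics. It constructs a small Ethernet/IPv4/TCP capture in memory as a stand-in for turkey-in-packets.pcap, with one response segment captured out of order and one retransmitted, and parses it with nothing beyond the standard library. The names analyse, reassemble, sniff_type and the sample addresses are this example's own.

```python
"""Decode a libpcap file, tag its protocols, reassemble a TCP stream and extract the
HTTP response body, standard library only. The capture is constructed in memory as a
stand-in for turkey-in-packets.pcap (not the real trace)."""
import struct

GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"  # 1x1 GIF
       + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00\x3b")
REQUEST = b"GET /turkey.gif HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(GIF) + GIF)
CLIENT, SERVER = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses

def tcp_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums left zero, which the parser ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """libpcap 2.4 file: little-endian magic, LINKTYPE_ETHERNET (1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_200_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    tcp_frame(CLIENT, 40000, SERVER, 80, 1000, REQUEST),
    tcp_frame(SERVER, 80, CLIENT, 40000, 5040, RESPONSE[40:]),  # captured out of order
    tcp_frame(SERVER, 80, CLIENT, 40000, 5000, RESPONSE[:40]),
    tcp_frame(SERVER, 80, CLIENT, 40000, 5000, RESPONSE[:40]),  # retransmission
])

def parse_pcap(data):
    """Return (src, sport, dst, dport, seq, payload) for every TCP segment (Ethernet assumed)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic libpcap file (pcapng/nanosecond not handled)")
    segments, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        segments.append((frame[26:30], sport, frame[30:34], dport, seq,
                         tcp[(tcp[12] >> 4) * 4:]))
    return segments

def proto_tags(segments):
    """The 'proto' tags a decoder derives: tcp, plus http if an HTTP start line is seen."""
    tags = {"tcp"} if segments else set()
    if any(p.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")) for *_, p in segments):
        tags.add("http")
    return sorted(tags)

def reassemble(segments):
    """Per-direction byte streams in sequence order (32-bit seq wrap not handled)."""
    flows = {}
    for src, sport, dst, dport, seq, payload in segments:
        flows.setdefault((src, sport, dst, dport), []).append((seq, payload))
    streams = {}
    for flow, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            buf += b"\x00" * max(0, seq - expected)  # zero-fill a lost segment
            expected = max(expected, seq)
            payload = payload[expected - seq:]       # drop bytes already delivered
            buf += payload
            expected += len(payload)
        streams[flow] = bytes(buf)
    return streams

def http_response(stream):
    """(status line, headers, body) of one HTTP/1.x response, or None."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    body = rest[:int(headers["content-length"])] if "content-length" in headers else rest
    return lines[0], headers, body

def sniff_type(body):
    """Identify content by magic bytes rather than trusting Content-Type."""
    magic = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
             b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf"}
    return next((n for m, n in magic.items() if body.startswith(m)), "unknown")

def analyse(pcap_bytes):
    segments = parse_pcap(pcap_bytes)
    result = {"tags": proto_tags(segments), "responses": []}
    for status, headers, body in filter(None, map(http_response, reassemble(segments).values())):
        result["responses"].append({"status": status, "sniffed": sniff_type(body),
                                    "declared": headers.get("content-type"), "body": body})
    return result
```

Calling analyse(SAMPLE_PCAP) yields the tags ['http', 'tcp'] (what Pcapr.net showed in the "proto" field), the reassembled server stream with its out-of-order and retransmitted segments put right, and one response whose status line is "HTTP/1.1 200 OK", declared type image/gif, sniffed type gif and 35-byte body. The sniffed type is taken from the body's magic bytes rather than the Content-Type header, because a server (or an attacker) can declare whatever it likes; honouring Content-Length the same way keeps any following response on the connection out of the carved file.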
That's cool -- we can extract content from .pcap files using a Web app. Let me show one other aspect of Pcapr.net. Recently, I wrote a rule for a Snort user and posted it to Sourcefire's Snort forum at http://forums.snort.org/forums/rules/topics/incoming-connection-to-windows-workstation#post_56654. The post mentioned looking for "smb.nt_status." That is the name of a specific Wireshark display-filter field. Because Pcapr.net relies on Wireshark to parse traces and exposes those fields to users, we can use the field name to find traces of interest.
For example, visit http://www.Pcapr.net/browse/fields. We know "smb.nt_status" is in the SMB protocol filter, so we select "S" and then "SMB" to see the following webpage.
Personally, I think this screen alone is very helpful. Instead of working through Wireshark's GTK-rendered, unsorted protocol listing, we can scroll through a webpage with an alphabetical listing of SMB fields. Scrolling down and selecting smb.nt_status brings us to the following page. I reproduced it below with the URL bar to show that, if you know the Wireshark field of interest, you can visit it directly via URL.
Every trace listed here contains the smb.nt_status field. I can download them or inspect them in Pcapr.net, according to my needs.
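For readers who want to know what smb.nt_status actually is on the wire, here is an added Python example, not part of the original article and not code from Pcapr.net or Wireshark. It parses the 32-byte SMB1 header out of a raw TCP payload (the 4-byte NetBIOS session header that precedes SMB on ports 139 and 445 included) and reports the status field only when Flags2 says it is an NTSTATUS, which is the condition under which Wireshark presents smb.nt_status rather than the legacy DOS error class and code. The sample messages are constructed; the status constants are the documented values.

```python
"""Pull the SMB1 header field Wireshark calls smb.nt_status out of a raw TCP payload
(ports 139/445 carry a 4-byte NetBIOS session header first). Samples are constructed."""
import struct

FLAGS_REPLY = 0x80         # SMB_FLAGS_REPLY: message is a server response
FLAGS2_NT_STATUS = 0x4000  # SMB_FLAGS2_NT_STATUS: Status is an NTSTATUS, not a DOS error
NT_STATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED",
                   0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND", 0xC000006D: "STATUS_LOGON_FAILURE"}

def smb1_header(tcp_payload):
    """Decode the 32-byte SMB1 header of one session message; None if not SMB1
    (SMB2/3 begin with \\xfeSMB and carry their status elsewhere)."""
    if len(tcp_payload) < 36 or tcp_payload[0] != 0x00:   # 0x00 = NBSS session message
        return None
    smb = tcp_payload[4:4 + int.from_bytes(tcp_payload[1:4], "big")]
    if len(smb) < 32 or smb[:4] != b"\xffSMB":
        return None
    command, status, flags, flags2 = struct.unpack("<BIBH", smb[4:12])
    tid, pid_low, uid, mid = struct.unpack("<HHHH", smb[24:32])
    hdr = {"command": command, "is_reply": bool(flags & FLAGS_REPLY),
           "tid": tid, "pid": pid_low, "uid": uid, "mid": mid}
    if flags2 & FLAGS2_NT_STATUS:
        hdr["nt_status"] = status                    # this is Wireshark's smb.nt_status
        hdr["nt_status_name"] = NT_STATUS_NAMES.get(status, "0x%08X" % status)
    else:                                            # legacy layout of the same 4 bytes
        hdr["error_class"], hdr["error_code"] = smb[5], struct.unpack("<H", smb[7:9])[0]
    return hdr

def make_smb1(command, status, flags, flags2):
    """Constructed SMB1 message (header + empty body) behind a NetBIOS session header."""
    smb = (b"\xffSMB" + struct.pack("<BIBH", command, status, flags, flags2)
           + b"\x00" * 12                                     # PIDHigh, SecurityFeatures, Reserved
           + struct.pack("<HHHH", 1, 0xFEFF, 0x0800, 0x0040)  # TID, PIDLow, UID, MID
           + b"\x00\x00\x00")                                 # WordCount = 0, ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

SAMPLES = {                                                   # constructed, not from any capture
    "logon_failure": make_smb1(0x73, 0xC000006D, 0x88, 0xC801),  # Session Setup AndX reply
    "success":       make_smb1(0x73, 0x00000000, 0x88, 0xC801),
    "dos_error":     make_smb1(0x73, 0x00050001, 0x88, 0x8801),  # ERRDOS (1) / ERRnoaccess (5)
    "smb2":          b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60,
}

def traces_with_nt_status(payloads):
    """Names of the payloads in which the field smb.nt_status would be present."""
    hits = []
    for name, payload in payloads.items():
        hdr = smb1_header(payload)
        if hdr and "nt_status" in hdr:
            hits.append(name)
    return hits
```

Run over SAMPLES, traces_with_nt_status returns only "logon_failure" and "success": the third message carries the same four status bytes but without the NT_STATUS bit in Flags2, so a Wireshark filter on smb.nt_status would not match it, and the SMB2 message is not SMB1 at all. That distinction is worth remembering when a Snort rule or a Pcapr.net field search is built around smb.nt_status.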
I've only scratched the surface of Pcapr.net. Beyond browsing and reading traces, users are strongly encouraged to contribute what they can. For more information on Pcapr.net, keep an eye on the Mu Dynamics blog (http://labs.mudynamics.com/category/Pcapr/) and its Google Group (http://groups.google.com/group/Pcapr-forum).
Richard Bejtlich is director of incident response for General Electric and author of the TaoSecurity blog.