I'm trying to get some sort of script made so I can input a PCAP and have it
pull out specific fields. The intent is to make identifying the user and
hostname of an infected machine much faster.
I usually do a String Search for Packet Details in Wireshark for the
following, and it works great, but I'd like to make it automated, if
possible, and have it all output in a single txt file.
===============================
To find the host name:
Workstation
Host Name:
Host=
NetBIOSName
NetBIOS Host
HostAddress
To find the username:
Client Name (Principal)
User name:
COOKIE_last_login=
CN=
Filename:
===============================
Unfortunately most of the fields are listed as "Text" and do not have a
specific name like dns.resp.name or dns.qry.name.
I've tried using tshark, but the output gives the empty fields, as well as
the ones I want. If I output it to a txt file it is usually about 25KB
because of all the new lines.
For tshark I tried to extract dns.srv.name. In Wireshark it shows the field
name with the host name of the computer, but the packet bytes show it in
hex. I tried to have the output converted from hex to ascii but couldn't get
that to work either. All I would get for the output was a txt file full of
new lines and "tcp.local_"
I thought I could use ngrep but I can't seen to figure out how to get it to
output the contents of the named field (ex: dns.qry.name)
Another idea I thought would work would be to use tshark and byte-offsets,
but I can't figure out how to get the proper field name, then the bytes
after that for the "text" field holding the info I want.
I know this is probably a tall order. Any help is greatly appreciated. Let
me know if you need more details.
