
pcapFS Mounting Network Data for On-the-Fly Analysis

Fraunhofer Institute for Communication, Information Processing and Ergonomics

OSDFCon 2018 October 17th

Jan-Niclas Hilgert* [email protected]
Martin Lambertz [email protected]

1-5 © Fraunhofer FKIE State-of-the-art network forensics

- Wireshark is great, but
  1. Usability
  2. Performance
  3. Resources
- How else can you access a pcap?

[Screenshot: Wireshark opening a capture with 791615 packets (wiki.wireshark.org); load time 0:19.210]

6-8 Idea

- File systems organize unstructured data and make them available to the user
  ▶ Create a file system for pcaps
- Create a structure which can be reused when accessing the same network capture again
  ▶ Create an index file keeping track of the files in the file system
- Extracting data in order to process it creates unnecessary overhead
  ▶ Point directly into the data in the pcap

9-13 Concept

[Diagram: virtual files layered on top of the pcap]

    HTTP file   HTTP file      DNS file
         \        /               |
          SSL file                |
             \                    |
            TCP file           UDP file        Index
                 \               /
                       pcap

- TCP and UDP files point directly into the pcap
- Application protocol files (HTTP, DNS) can then point into the TCP and UDP files
- Other protocols (e.g. SSL) add new virtual layers in between
- An index file is stored together with each pcap

14 pcapFS

- pcapFS is a FUSE module mounting captured network data as a virtual file system
- Filesystem in Userspace (FUSE) is part of the Linux kernel and available for multiple operating systems including FreeBSD, OpenBSD and macOS
- Another "pcapFS" was already released as part of the PyFlag framework by Michael Cohen
  - Unfortunately deprecated and not maintained ☹
- Index files can be stored in memory or on disk for future mounts
- Protocols are implemented by virtual file classes

15-16 Demo: pcapFS vs. Wireshark

- Usability
  - Data is presented using the virtual file system
  - Its hierarchy can be specified using multiple sorting options
- Performance
  - The first mount of a pcap creates an index file
  - Browsing through the mounted data takes almost no time
  - Mounting with an existing index is significantly faster than Wireshark
- Resources
  - Files in pcapFS point directly into the pcap or into other virtual files
  - They are only extracted on demand

17-18 Demo: Beyond Wireshark

- pcapFS supports mounting of split pcap files
- File system level tools can be used on the mounted data without any extraction
- Metadata can be preprocessed and displayed as a file of its own, for example:
  - HTTP headers
  - DNS requests and responses (e.g. as JSON)
- Missing data in streams can easily be padded for reconstruction
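The concept slides and the points above (TCP files pointing straight into the pcap, an index that is reused on later mounts, split captures, and padding of missing stream data) in one compact Python model. This is an added example, not pcapFS code: the fragment and index layout, the 10.0.0.x addresses, the ports and the payloads are all constructed for the demonstration, and the real pcapFS index format is not shown on these slides.

```python
"""Added example (not pcapFS code): a pcapFS-style index whose fragments point
into the pcap(s) instead of copying payloads out.  Constructed captures, a
split capture and a gap in one stream are all built inline."""
import json
import struct
from collections import defaultdict

def _tcp_packet(src_port, dst_port, seq, payload):
    """Ethernet + IPv4 + TCP frame (10.0.0.1 -> 10.0.0.2) carrying payload (constructed)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(records):
    """Serialize (src_port, dst_port, seq, payload) tuples into a libpcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, (sp, dp, seq, payload) in enumerate(records):
        frame = _tcp_packet(sp, dp, seq, payload)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def scan_pcap(pcap_id, data, segments):
    """Single pass over one pcap: record where every TCP payload lives, copy nothing."""
    pos = 24                                            # skip the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, pos + 8)[0]
        ip = pos + 16 + 14                              # record header + Ethernet header
        ihl = (data[ip] & 0x0F) * 4
        total_len = struct.unpack_from("!H", data, ip + 2)[0]
        src = ".".join(map(str, data[ip + 12:ip + 16]))
        dst = ".".join(map(str, data[ip + 16:ip + 20]))
        tcp = ip + ihl
        sport, dport, seq = struct.unpack_from("!HHI", data, tcp)
        payload = tcp + (data[tcp + 12] >> 4) * 4        # TCP data offset
        length = ip + total_len - payload
        if length > 0:
            segments[f"{src}:{sport}-{dst}:{dport}"].append((seq, pcap_id, payload, length))
        pos += 16 + incl_len

def build_index(pcaps):
    """Index several (split) pcaps into one fragment list per TCP stream.
    Sequence-number gaps become explicit padding fragments instead of errors."""
    segments = defaultdict(list)
    for pcap_id, data in enumerate(pcaps):
        scan_pcap(pcap_id, data, segments)
    index = {}
    for key, segs in segments.items():
        segs.sort()
        frags, expected = [], segs[0][0]
        for seq, pcap_id, off, length in segs:
            if seq < expected:                          # retransmitted / overlapping bytes
                off, length, seq = off + (expected - seq), length - (expected - seq), expected
                if length <= 0:
                    continue
            if seq > expected:                          # missing segment: pad, do not fail
                frags.append({"pad": seq - expected})
            frags.append({"pcap": pcap_id, "offset": off, "length": length})
            expected = seq + length
        index[key] = frags
    return index

def frag_len(frag):
    return frag["pad"] if "pad" in frag else frag["length"]

class VirtualFile:
    """A stream file whose bytes are fetched from the pcaps only when read."""
    def __init__(self, fragments, pcaps):
        self.fragments, self.pcaps = fragments, pcaps
        self.size = sum(frag_len(f) for f in fragments)

    def read(self, offset, size):
        out, pos = bytearray(), 0
        for frag in self.fragments:
            n = frag_len(frag)
            lo, hi = max(offset, pos), min(offset + size, pos + n)
            if lo < hi:
                if "pad" in frag:
                    out += b"\x00" * (hi - lo)          # padded gap
                else:
                    start = frag["offset"] + (lo - pos)
                    out += self.pcaps[frag["pcap"]][start:start + (hi - lo)]
            pos += n
        return bytes(out)

# Constructed split capture: two files; the segment covering seq 1026..1029 is missing.
PCAPS = [build_pcap([(40000, 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
                     (40000, 80, 1030, b"Host: example.test\r\n")]),
         build_pcap([(40000, 80, 1050, b"\r\n")])]
STREAM = "10.0.0.1:40000-10.0.0.2:80"

def mount_demo():
    """Build the index once, persist it as JSON, reopen it and read the stream file."""
    saved = json.dumps(build_index(PCAPS))              # what would be kept for later mounts
    vfile = VirtualFile(json.loads(saved)[STREAM], PCAPS)
    return vfile.size, vfile.read(0, vfile.size), vfile.read(24, 8)

if __name__ == "__main__":
    print(mount_demo())
```

The index is the only thing that has to be computed up front; every `read` afterwards is a slice into the original capture, which is why a second mount with a saved index costs almost nothing and why no extracted copy of the stream ever has to exist on disk. The gap at sequence 1026 shows up as four zero bytes in the reconstructed stream rather than as a truncated file.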

19-20 Demo: Working with pcapFS

- Decryption of data by providing the corresponding key files
  - More cipher suites for SSL will be added in the future
  - Key files can be implemented for multiple protocols
- Configuration files force a protocol decoding on files with specified properties:
  - e.g. XOR dstPort 31489 protocol http
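A worked illustration of the configuration rule above ("XOR, destination port 31489, decode as HTTP") together with the HTTP-header metadata file mentioned on the previous slides. This is an added example, not pcapFS code; the INI-style rule syntax, the XOR key, the port numbers and the sample request are assumptions constructed for the demonstration, and the real pcapFS configuration format is not shown on these slides.

```python
"""Added example (not pcapFS code): configuration rules that force a decoding
chain on virtual files with given properties, here "XOR, then HTTP" for one
destination port.  The INI-style syntax is an assumption."""
import configparser
import json

# Constructed configuration in the spirit of "XOR dstPort 31489 protocol http".
CONFIG_TEXT = """
[xor-http-31489]
dstPort = 31489
decode = xor
key = 0x5a
protocol = http
"""

RULE_KEYWORDS = {"decode", "key", "protocol"}      # every other key is a match property

def parse_rules(text):
    """Return rules as dicts: properties to match, decode step, key and protocol."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                           # keep 'dstPort' case-sensitive
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        sec = cp[name]
        match = {k: int(v) if v.isdigit() else v
                 for k, v in sec.items() if k not in RULE_KEYWORDS}
        rules.append({"name": name, "match": match, "decode": sec.get("decode"),
                      "key": int(sec.get("key", "0"), 0), "protocol": sec.get("protocol")})
    return rules

def xor_layer(data, key):
    """Virtual XOR layer: the decoded bytes are derived from the layer below."""
    return bytes(b ^ key for b in data)

def http_header_file(data):
    """Metadata 'file' for an HTTP request: request line and headers as a dict."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body_length": len(body)}

def apply_rules(props, data, rules):
    """Apply the first rule whose properties all match the virtual file; None if none does."""
    for rule in rules:
        if all(props.get(k) == v for k, v in rule["match"].items()):
            layers = {"rule": rule["name"]}
            if rule["decode"] == "xor":
                data = xor_layer(data, rule["key"])
                layers["xor"] = data               # the new virtual layer in between
            if rule["protocol"] == "http":
                layers["http"] = http_header_file(data)
            return layers
    return None

# Constructed sample: a plain HTTP request as it would look after the XOR layer,
# and the XOR-obfuscated bytes as the capture would contain them.
PLAIN_REQUEST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 9\r\n\r\nuser=demo")
CAPTURED = xor_layer(PLAIN_REQUEST, 0x5A)
RULES = parse_rules(CONFIG_TEXT)

def decode_sample():
    """Properties of a constructed TCP virtual file, matched against the rules."""
    props = {"srcPort": 51000, "dstPort": 31489, "transport": "tcp"}
    return apply_rules(props, CAPTURED, RULES)

if __name__ == "__main__":
    print(json.dumps(decode_sample()["http"], indent=2))
```

Matching on file properties rather than on content is what makes the rule cheap: the XOR layer and the HTTP metadata file are only produced for streams that match, and a stream to port 80 is left untouched.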

21 Summary

- pcapFS gives investigators the possibility to
  - quickly take a look at the relevant data of a network capture
  - order the data by different criteria
  - use file system level tools for their analysis
- Keeping an index file for each pcap significantly increases the performance of analyzing pcaps
- Using virtual files eliminates the overhead of extracting data out of pcaps

22 Future Plans

- Add support for more protocols (wishes are more than welcome!)
  - Particularly add support for other cipher suites in SSL
  - BitTorrent, HTTP2, SMB
- Add support for more metadata
  - e.g. SSL certificates
- Make use of symbolic links (e.g. reverse connections)
- Add support for pcapng

23 Thanks for your attention!

https://github.com/fkie-cad/pcapfs

[email protected]
