Where To Start Capturing Packets

Whether you’re a network engineer or a security analyst, at some point you’re going to need to dive into the packets to help solve a problem. Story Time: Shortly after I earned my CCIE I was faced with a packet analysis challenge. I was on-site visiting with some team mates who managed a customer’s ne...
Published on June 05, 2022 | 10 min read

pcap Wireshark tcpdump

Modifying PCAPng File Structure using a Raw Hex Editor

tl;dr Manually changing the LinkType in the Interface Description Block (IDB) of a PCAPng file with a hex editor will convince the packet analysis software that only one type of interface was present at the time of capture. WARNING: Throughout this post I reference “PCAP” and “PCAPng” int...
Published on April 14, 2021 | 9 min read

pcap hex zeek suricata brim

Working With Linux Cooked Capture Headers Using TraceWrangler

The Problem: Sometimes when loading a PCAP into various tools you get a cryptic error: “an interface has a type 1 different from the type of the first interface”. I had one PCAP that would generate various errors in different tools. The Evidence: Brim: See this GitHub issue I raised. Zeek: [email protected]:~/ct...
Published on April 12, 2021 | 3 min read

pcap tracewrangler tcpdump
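Added example, not code from either of the two posts above: a small Python script that walks the PCAPng block chain, reports the LinkType of every Interface Description Block (so you can see which interface is the odd one out behind the “type ... different from the type of the first interface” error), and applies the same two-byte LinkType overwrite the hex-editor post describes, without touching anything else in the file. Block and field layouts follow the pcapng specification (SHB type 0x0A0D0D0A with its byte-order magic, IDB type 1 with LinkType/Reserved/SnapLen, EPB type 6); the two-interface capture it builds is constructed here for the demo and is not a real trace; the function names are my own.

```python
"""Added example: list and patch the LinkType of IDBs in a PCAPng file.

The sample capture produced by build_sample() is constructed here, not a real trace.
"""
import struct
import sys

SHB = 0x0A0D0D0A          # Section Header Block
IDB = 0x00000001          # Interface Description Block
EPB = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D

# Link types from the tcpdump LINKTYPE registry that these posts deal with.
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113


def iter_blocks(data):
    """Yield (offset, block_type, total_len, endian) for every block in the file.

    Byte order is taken from the magic of the most recent SHB, because each
    section of a PCAPng file may be written in a different byte order.
    """
    endian = None
    off = 0
    while off + 12 <= len(data):                      # 12 bytes is the smallest legal block
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type reads the same in both orders
            magic = data[off + 8:off + 12]
            if magic == b"\x4d\x3c\x2b\x1a":
                endian = "<"
            elif magic == b"\x1a\x2b\x3c\x4d":
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {off}")
        if endian is None:
            raise ValueError("file does not start with a Section Header Block")
        block_type, total_len = struct.unpack_from(endian + "II", data, off)
        if total_len < 12 or total_len % 4 or off + total_len > len(data):
            raise ValueError(f"bad block length {total_len} at offset {off}")
        (trailer,) = struct.unpack_from(endian + "I", data, off + total_len - 4)
        if trailer != total_len:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield off, block_type, total_len, endian
        off += total_len


def list_interfaces(data):
    """Return [(idb_offset, linktype, snaplen, endian), ...] in interface-ID order."""
    ifaces = []
    for off, btype, _, endian in iter_blocks(data):
        if btype == IDB:
            # IDB body: LinkType (u16), Reserved (u16), SnapLen (u32), then options.
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", data, off + 8)
            ifaces.append((off, linktype, snaplen, endian))
    return ifaces


def set_linktype(data, interface_id, new_linktype):
    """Return a copy of `data` with one interface's LinkType overwritten.

    This is the same two-byte edit the hex-editor approach makes; the packet
    bytes recorded on that interface are left exactly as they were.
    """
    ifaces = list_interfaces(data)
    if interface_id >= len(ifaces):
        raise IndexError(f"no interface {interface_id} in file")
    off, _, _, endian = ifaces[interface_id]
    patched = bytearray(data)
    struct.pack_into(endian + "H", patched, off + 8, new_linktype)
    return bytes(patched)


def _block(endian, btype, body):
    """Frame an already 4-byte-aligned body with the two Block Total Length fields."""
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def build_sample(endian="<"):
    """Constructed capture: interface 0 is Ethernet, interface 1 is Linux cooked (SLL)."""
    shb = _block(endian, SHB, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb0 = _block(endian, IDB, struct.pack(endian + "HHI", LINKTYPE_ETHERNET, 0, 65535))
    idb1 = _block(endian, IDB, struct.pack(endian + "HHI", LINKTYPE_LINUX_SLL, 0, 65535))
    # One EPB on interface 1: iface id, ts high, ts low, captured len, original len, 4 dummy bytes.
    epb = _block(endian, EPB, struct.pack(endian + "IIIII", 1, 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
    return shb + idb0 + idb1 + epb


if __name__ == "__main__":
    # Usage: python pcapng_linktype.py [capture.pcapng]; with no path the constructed sample is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for n, (off, lt, snap, _) in enumerate(list_interfaces(raw)):
        print(f"interface {n}: IDB at offset {off:#x}, LinkType {lt}, SnapLen {snap}")
```

Relabelling is all the hex-editor trick does: after `set_linktype(data, 1, LINKTYPE_ETHERNET)` the tool stops complaining about mixed interface types, but the frames recorded on interface 1 still start with a 16-byte Linux cooked header rather than a 14-byte Ethernet header, so the Ethernet dissector will decode them wrongly. If you need those packets to parse correctly rather than just load, rewrite the frames themselves (the TraceWrangler route in the post above) instead of only patching the IDB.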

My First 2 Zeek Scripts

tl;dr This blog post was for documentation purposes. Nothing to see here. Problem Statement: I need to have Zeek log every UDP packet instead of only once per UDP session/conversation. Because of Zeek’s session tracking it will only log one connection “uid” at the start of a session, and for all subseque...
Published on April 09, 2021 | 4 min read

zeek scripts pcap

What I Learned From Sharkfest '20

I learned a ton of great things that will help me become a better network engineer and analyst. This will be a recap of a couple of important takeaways that everyone can use any time they are looking at PCAPs. If you find any of this interesting, go subscribe to the Sharkfest YouTube channel and start ...
Published on October 25, 2020 | 6 min read

sharkfest wireshark pcap