Export packet data

One of the recent challenges I completed consisted of identifying specific data exchanged over the network in a Wireshark capture file. I noticed that one IP address was sending small packets of data to another IP address using the ICMP protocol.

The first packet contained the PNG header bytes, so I figured the sender was trying to pass an image to the recipient without being detected. Because the data was split into small packets, Wireshark did not recognise the image as an object transferred over the network, so I had to combine the packets into a single file. Around 2000 packets were sent, so this is definitely not manual work.

For this task I used tshark, the command-line counterpart of Wireshark. With -T fields -e data it prints the payload of each matching packet as one hex string per line, so that text has to be converted back into raw bytes before it is a usable file (tr strips the colon separators that older tshark versions print, and xxd -r -p turns the hex into binary). After running the command in the terminal:

tshark -r capture.pcap -Y 'icmp and ip.dst == 10.0.0.41' -T fields -e data | tr -d ':' | xxd -r -p > output.png

the exported file contained a full PNG built from the data carried in all the ping requests. Indeed, the user had sent an encrypted password as a screenshot.
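The same reassembly the tshark pipeline performs, as an added Python example that is not code from the original post: it walks a classic Ethernet pcap, keeps only ICMP echo requests addressed to the target, orders the chunks by ICMP sequence number (so out-of-order or retransmitted packets do not corrupt the file), and checks the result for the PNG signature. The capture and the 10.0.0.x addresses are constructed test data, not taken from the challenge.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"          # first 8 bytes of every PNG file

def icmp_frame(payload, src, dst, seq, icmp_type=8):
    """Ethernet/IPv4/ICMP frame; checksums are left zero, which is fine for offline parsing."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + icmp
    return b"\x00" * 12 + b"\x08\x00" + ip

def pcap_bytes(frames):
    """Classic little-endian pcap with linktype 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def extract_icmp_payloads(pcap, dst_ip):
    """Concatenate ICMP echo-request payloads sent to dst_ip, ordered by ICMP sequence number."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1" or struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    chunks, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                    # not IPv4
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 1 or ".".join(map(str, ip[16:20])) != dst_ip:
            continue                                    # not ICMP, or wrong destination
        icmp = ip[ihl:total]
        if len(icmp) < 8 or icmp[0] != 8:
            continue                                    # echo requests only; replies would duplicate data
        seq = struct.unpack("!H", icmp[6:8])[0]
        chunks.setdefault(seq, icmp[8:])                # keep the first copy of a retransmitted chunk
    return b"".join(chunks[s] for s in sorted(chunks))

def demo():
    """Constructed capture: a 56-byte fake PNG split into 16-byte pings, plus noise and a reply."""
    image = PNG_SIG + b"\x00\x00\x00\rIHDR" + bytes(range(40))
    parts = [image[i:i + 16] for i in range(0, len(image), 16)]
    frames = [icmp_frame(p, "10.0.0.13", "10.0.0.41", n) for n, p in enumerate(parts, 1)]
    frames.insert(0, frames.pop(2))                     # one chunk captured out of order
    frames.append(icmp_frame(b"noise", "10.0.0.13", "10.0.0.99", 7))                 # other destination
    frames.append(icmp_frame(b"reply", "10.0.0.99", "10.0.0.41", 9, icmp_type=0))    # echo reply, type 0
    rebuilt = extract_icmp_payloads(pcap_bytes(frames), "10.0.0.41")
    return rebuilt, rebuilt == image and rebuilt.startswith(PNG_SIG)
```

On a real capture, read the file with open(path, "rb").read() and write the returned bytes to output.png; the PNG_SIG check on the first 8 bytes is the quickest confirmation that the chunks were joined in the right order.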
