When you are investigating a security incident, a key element is to take notes and to document as much as possible. There is no "best" way to take notes: some people use electronic solutions while others use good old paper and pencil. Just keep in mind that it must be done properly if your notes are to be used as evidence later...

During investigations, there is also a good chance that you will have to deal with packet captures. Many security tools can record samples of network traffic, or you may need a full-packet capture. Some tools, like Moloch, allow you to "tag" some conversations. Tags are helpful to assign some flows to a case being investigated or to categorize them ("suspicious", "exfiltration", "exploitation", etc). Later, you can search for them to find interesting traffic again.

I'm a big fan of Moloch but, with this kind of tool, added tags are stored in the ElasticSearch database. If you export the data in PCAP format, you will lose your tags. How to add them to the PCAP itself? To achieve this, let's have a look at the PCAP-ng format. It extends the simple PCAP format with more options, for example to store more capture-related information. The last one is definitely a nice feature.

While reviewing traffic, it's easy to add a comment: select the packet, right click and select "Packet Comment". You can now enter your comment in a small editor window.

To display the existing comments when you open an existing PCAP-ng file (or to see yours), you can add an extra column to the main Wireshark window.

And of course, you can search for comments. A display filter on the comment field shows all packets that belong to the incident "1234".

If you need to save the PCAP to share it with other handlers or colleagues, Wireshark will automatically select the PCAP-ng format (because extra metadata have been added, comments in this case).

What's nice, you can also search/display comments with command line tools:

16 177.563553 Cisco_5a:fa:30 CDP/VTP/DTP/PAgP/UDLD CDP 370 This is Cisco CDP packet.
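As an added example (not code from the original post), the following Python script does on the file itself what the comment column and the display filter do in the Wireshark GUI: it builds a constructed PCAP-ng capture with per-packet comments, walks the Enhanced Packet Blocks to pull out the opt_comment options, and returns the packet numbers whose comment mentions incident "1234". It assumes a little-endian section and uses placeholder packet bytes and comments, all constructed here.

```python
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006     # block types (pcapng specification)
OPT_ENDOFOPT, OPT_COMMENT, BYTE_ORDER_MAGIC = 0, 1, 0x1A2B3C4D

def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)      # option values and packet data are padded to 32 bits

def _options(comments):
    """Encode comment strings as opt_comment options; an empty list yields no option area at all."""
    opts = b"".join(struct.pack("<HH", OPT_COMMENT, len(c)) + _pad4(c) for c in map(str.encode, comments))
    return opts + struct.pack("<HH", OPT_ENDOFOPT, 0) if comments else b""

def _block(btype, body):
    total = 12 + len(body)                   # type + length + body + trailing length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_pcapng(packets):
    """Constructed minimal capture: one SHB, one Ethernet IDB, one EPB per (bytes, [comments]) tuple."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))   # version 1.0, unknown length
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))                    # linktype 1 = Ethernet
    epbs = b""
    for n, (data, comments) in enumerate(packets, 1):   # interface 0, ts high 0, ts low n (constructed)
        body = struct.pack("<IIIII", 0, 0, n, len(data), len(data)) + _pad4(data) + _options(comments)
        epbs += _block(EPB, body)
    return shb + idb + epbs

def packet_comments(blob):
    """Yield (packet_number, [comments]) for every EPB; only little-endian sections are handled here."""
    off, pkt = 0, 0
    while off + 12 <= len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        if btype == SHB and struct.unpack_from("<I", blob, off + 8)[0] != BYTE_ORDER_MAGIC:
            raise ValueError("big-endian section is not supported by this example")
        if btype == EPB:
            pkt += 1
            caplen = struct.unpack_from("<I", blob, off + 20)[0]
            o, end, comments = off + 28 + (caplen + 3) // 4 * 4, off + total - 4, []
            while o + 4 <= end:              # walk the options until opt_endofopt
                code, length = struct.unpack_from("<HH", blob, o)
                if code == OPT_ENDOFOPT: break
                if code == OPT_COMMENT:
                    comments.append(blob[o + 4:o + 4 + length].decode("utf-8", "replace"))
                o += 4 + (length + 3) // 4 * 4
            yield pkt, comments
        off += total

def find_incident(blob, tag):   # like a Wireshark display filter on the comment field
    return [n for n, cs in packet_comments(blob) if any(tag in c for c in cs)]
SAMPLE = build_pcapng([(b"\x00" * 15, ["incident 1234: suspicious beacon"]), (b"\x01" * 60, []),
                       (b"\x02" * 20, ["benign", "incident 1234, follow-up"])])  # constructed placeholder frames
```

The same walk over Enhanced Packet Blocks can be pointed at a real capture saved by Wireshark, as long as the section is little-endian.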