
Sample pcap files for analysis

UPDATE: My book, Security with Go, is now published. If you found this page helpful you should check out the book. It contains 14 chapters with various red and blue team topics covered.

The gopacket package provides a Go wrapper for libpcap written in C. It is more than just a simple wrapper though. It provides additional functionality and takes advantage of Go things like interfaces, which makes it incredibly powerful.

UPDATE: Since writing this article, I had the privilege of speaking at GopherCon 2016 in Denver, CO. Here is a recording of that presentation.

You will need go, libpcap and the gopacket package. Since gopacket is built on top of libpcap, I highly recommend you understand how that library works. You can learn how to use libpcap in C for a deeper understanding.

These examples should work in Linux/Mac using libpcap and on Windows with WinPcap. You may need to set GOARCH=386 if you get an error like cc1.exe: sorry, unimplemented: 64-bit mode not compiled in. You might also want to check out the gopacket project on GitHub and documentation on GoDoc gopacket.

Find devices

    package main

    import (
        "fmt"
        "log"

        "github.com/google/gopacket/pcap"
    )

    func main() {
        // Find all devices that libpcap can capture on
        devices, err := pcap.FindAllDevs()
        if err != nil {
            log.Fatal(err)
        }

        // Print the name, description and addresses of each device
        for _, device := range devices {
            fmt.Println("Name: ", device.Name)
            fmt.Println("Description: ", device.Description)
            fmt.Println("Devices addresses: ")
            for _, address := range device.Addresses {
                fmt.Println("- IP address: ", address.IP)
                fmt.Println("- Subnet mask: ", address.Netmask)
            }
        }
    }

Open Device for Live Capture

    package main

    import (
        "fmt"
        "log"
        "time"

        "github.com/google/gopacket"
        "github.com/google/gopacket/pcap"
    )

    var (
        device       string = "eth0" // example interface name; pick one printed by the Find devices program
        snapshot_len int32  = 1024   // bytes captured per packet
        promiscuous  bool   = false
        err          error
        timeout      time.Duration = 30 * time.Second
        handle       *pcap.Handle
    )

    func main() {
        // Open the device for live capture
        handle, err = pcap.OpenLive(device, snapshot_len, promiscuous, timeout)
        if err != nil {
            log.Fatal(err)
        }
        defer handle.Close()

        // Use the handle as a packet source to process all packets
        packetSource := gopacket.NewPacketSource(handle, handle.LinkType())
        for packet := range packetSource.Packets() {
            // Process packet here
            fmt.Println(packet)
        }
    }

PCAPs can greatly aid an investigation after an incident has occurred. However, PCAPs contain massive amounts of data that is difficult to parse and time is valuable, especially during live investigations. How do we then swiftly perform a PCAP analysis that covers maximum ground? This post provides a quick summary of analysis that can be done by Wireshark and its accompanying CLI tool, tshark. We will be using sample pcaps in this post.

Grab a sample PCAP file

Capinfos is a CLI tool that ships with Wireshark and can be useful to derive quick insights about the PCAP. It resides in the Wireshark directory, same as tshark and reordercap – the other CLI tools that ship with Wireshark. In my case (MacOS), capinfos was found here:

We therefore immediately see that this packet capture ran for a few minutes, with the first and last packet seen 5 minutes apart. Data byte rate suggests that the network was not under heavy load during the time.