Ask Your Question
0

Excercise for school regarding pcap

asked 2018-06-08 16:03:02 +0000

frankenstein gravatar image

Hi,

i need to do an excercise for my school.

The excercise is as followed:

I need to create a pcap file that contains a certain ascii string in either the header or the payload. My wireshark knowledge is very limited so it would be helpful if someone could point me in the right direction.

edit retag flag offensive close merge delete

Comments

Do you need to include some given ascii strings? Or do you just need to include some ascii strings in general in your pcap?

If the second is answered with yes, than you just need to capture a normal http session for example...

Christian_R gravatar imageChristian_R ( 2018-06-09 09:48:31 +0000 )edit

Yeah i made it work with HTTP aswell as with nping. I just had a slight misunderstanding but it clicked for me now. Thanks for the answer.

frankenstein gravatar imagefrankenstein ( 2018-06-09 14:03:44 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2018-06-08 18:57:39 +0000

grahamb gravatar image

The -p option for ping to set the packet contents is only valid on Linux and BSD (and possibly others), but not on Windows.

You can include any arbitrary string in a URL in your browser that will transmit it, so simply append it as a value to a URL, e.g. https://ask.wireshark.org/my-arbitrar...

edit flag offensive delete link more

Comments

Thanks so much for the answer. Like I said in the other answer I forgot to mention that the packet has to use TCP. So when I do your tip with the URL it only comes up on HTTP unfortunately.

frankenstein gravatar imagefrankenstein ( 2018-06-09 01:42:34 +0000 )edit

Which is the application protocol, transported by..... TCP. So the TCP packet has a payload, which contains the HTTP message (Protocol Data Unit, or PDU for short) Wireshark tends to dissect as far up as it can, in this case it can see it's HTTP over TCP over IP over Ethernet, so it dissects up to the HTTP layer. Don't want that? Disable the HTTP dissector, it will stop at the TCP payload, where your string is.

Jaap gravatar imageJaap ( 2018-06-09 07:14:33 +0000 )edit

Thanks for explaining that to me. That makes things a lot clearer. I managed to do it by downloading nping. It has an option --tcp and an option --data <hex value>. I can then easily capture that with frame contains "MY_ASCII_STRING".

frankenstein gravatar imagefrankenstein ( 2018-06-09 10:52:09 +0000 )edit

I think you got it, awesome. Now try it with a webbrowser in the HTTP request URL.

Jaap gravatar imageJaap ( 2018-06-09 13:24:11 +0000 )edit

Done. It works of course, it just confused me that it said protocol HTTP but it makes sense now since the HTTP part is in the TCP Payload. If I search the string value with frame contains "MY_ASCII_STRING" the frame shows up with this method too. I mean it makes total sense because when I filtered for frame contains "MY_ASCII_STRING" && tcp, the frame naturally showed up aswell. Thank you very much for your answers it helped a ton.

frankenstein gravatar imagefrankenstein ( 2018-06-09 13:57:54 +0000 )edit
0

answered 2018-06-08 18:14:28 +0000

Jaap gravatar image

You can start here finding out how you can do a capture. That's one.

Sending a packet with the defined payload can be done via various means, e.g. using the command line tool ping. By using the option -p you can define the payload in the packet.

edit flag offensive delete link more

Comments

Using netcat is another easy way. Or you could create a file that text2pcap could read and convert to a pcap file. See also some of the Traffic generators listed on the Wireshark Tools wiki page.

cmaynard gravatar imagecmaynard ( 2018-06-08 18:58:02 +0000 )edit

Thanks so much for the answer.

I should have added that the packet has to use TCP. Since ping uses ICMP its not suited for that or am I missing something?

frankenstein gravatar imagefrankenstein ( 2018-06-09 01:39:04 +0000 )edit

You left out a lot of details, so we're guessing here. But you are right, ping uses ICMP (echo), which is a different protocol than TCP.

Jaap gravatar imageJaap ( 2018-06-09 07:11:38 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2018-06-08 16:03:02 +0000

Seen: 447 times

Last updated: Jun 08 '18