 Wireshark File Import 

Wireshark File Import
First off I want to say great work, and finally something that is close to Cain for Linux.

I am not sure if I am not doing something right, but it seems like I cannot parse a saved file from Wireshark. The reason I am using Wireshark for the captures is I am having problems with doing a live capture with WiFi with Xplico, but that does not matter since I mostly want to use Xplico as a decoder. Once I get some traffic going in Wireshark I save the file as a "wireshark/Tcpdump - Libcap" file.

During my "test" I know there was lots of HTTP traffic and such, but when I import the file and Xplico has decoded it, it shows nothing.

My WiFi network is open so no WEP/WPA or anything to decrypt. To start Xplico, I open FF after I start Apache, and go to the address 127.0.0.1:9876 and everything fires up. Now what I am not sure of, and what may be the problem, is that I am not running the sqlite_demo.sh script as I have seen in a few examples, because I cannot find it.

I installed Xplico on BT4 using "apt-get install xplico"; could this be the problem and I need to do it the "long" way?

Thanks,
Mongoose


Sat Sep 18, 2010 12:22 pm

Re: Wireshark File Import
Hello,

For diagnostics, first follow these tips:

1) Are you using the latest version of Xplico?
2) With your Xplico installation, have you been able to decode a sample capture? (download them from wiki.xplico.org)
3) Have you activated the "No checksum mode"? (wiki.xplico.org)

Probably your installation is not working (you must have a process called "dema" running); go for the long method or use a VirtualBox machine sample (downloadable from Xplico's web).

Carlos.


Sat Sep 18, 2010 5:06 pm

Re: Wireshark File Import
Thanks Carlos, I will follow your steps and do the long install and see what is going on. If I do not have any luck I will post the cap file.

I have been looking for something like this for Linux for a long time, and I am very happy to come across you and your team's work =).

Mongoose


Sat Sep 18, 2010 5:14 pm

Re: Wireshark File Import
I did some digging and it looks like Wireshark is not creating the proper cap file. I DL'd the samples and they decode like a charm, so I opened the samples in a text reader and then opened the Wireshark cap in another and took a look at them. They look totally different: the Wireshark cap format seems to be "encrypted" or in a raw format, whereas the samples are in somewhat plain text.

I tried all of the cap formats that Wireshark had to offer and none of them look like your samples. I am using the latest versions of Xplico (5.8) and Wireshark (1.4), I also did an update / upgrade for BT4.

Is there one more step for decoding a Wireshark cap file? My WiFi network is completely open, no WEP or WPA or other protection.

I know from reading on the BT4 forum that there were some issues with BT4 and Xplico. I am more than happy to use Deft, but I cannot find any support on installing Deft to the HD, and I need to do that because Deft is lacking a couple of tools I use, such as Airmon.

It just came to me: could it be that Airmon is causing the difference in the cap? I can only see full traffic in monitor mode, and only half to none on the Wlan adapter.

Thanks,

Mongoose


Mon Sep 20, 2010 6:34 pm

Re: Wireshark File Import
Hi Mongoose,
it is probably only a problem of protocols (dissectors), not of the pcap file format.
Can you send us (post it in this forum or to bug[@]xplico.org) an example of your pcap (a capture from your network)?

Ciao.
Gianluca


Tue Sep 21, 2010 8:12 am
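As an added diagnostic for the two posts above (this is not code from the thread or from the Xplico project): both the wiki samples and a Wireshark save are pcap files, and the first 24 bytes carry the byte order and, more usefully, the link-layer type, which is the field a decoder picks its first dissector from and which differs between an Ethernet capture and a monitor-mode (802.11/radiotap) one. The two headers at the bottom are constructed for the example, not taken from any real capture.

```python
import struct

# pcap global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PCAP_HDR_LEN = 24
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
PCAPNG_SHB_TYPE = 0x0A0D0D0A   # pcapng Section Header Block (same bytes in either byte order)

# Link-layer types a decoder selects its first dissector from (values from the tcpdump DLT list)
LINKTYPES = {
    1: "EN10MB (Ethernet)",
    105: "IEEE802_11 (raw 802.11 frames, e.g. monitor mode)",
    113: "LINUX_SLL (Linux cooked capture, 'any' interface)",
    119: "PRISM_HEADER (802.11 with Prism header)",
    127: "IEEE802_11_RADIO (802.11 with radiotap header, e.g. airmon-ng monitor mode)",
    192: "PPI (802.11 with PPI header)",
}

def inspect_pcap_header(data):
    """Return format, byte order, snaplen and link type from the first 24 bytes of a capture."""
    if len(data) < 4:
        raise ValueError("too short to be a capture file")
    if struct.unpack("<I", data[:4])[0] == PCAPNG_SHB_TYPE:
        return {"format": "pcapng", "note": "link type lives in the Interface Description Block"}
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            if len(data) < PCAP_HDR_LEN:
                raise ValueError("truncated pcap global header")
            _, major, minor, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:PCAP_HDR_LEN])
            return {
                "format": "pcap",
                "byte_order": "little" if order == "<" else "big",
                "nanosecond": magic == PCAP_MAGIC_NSEC,
                "version": (major, minor),
                "snaplen": snaplen,
                "linktype": linktype,
                "linktype_name": LINKTYPES.get(linktype, "unknown DLT %d" % linktype),
            }
    raise ValueError("not a pcap or pcapng file (magic %s)" % data[:4].hex())

def inspect_pcap_file(path):
    """Read only the global header of a capture on disk and report it."""
    with open(path, "rb") as f:
        return inspect_pcap_header(f.read(PCAP_HDR_LEN))

# Constructed headers (not real captures): an Ethernet capture and a monitor-mode radiotap one.
ETHERNET_HDR = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
RADIOTAP_HDR = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 127)

if __name__ == "__main__":
    for name, hdr in (("ethernet", ETHERNET_HDR), ("monitor-mode", RADIOTAP_HDR)):
        print(name, inspect_pcap_header(hdr))
```

Running `inspect_pcap_file()` on a wiki sample and on the Wireshark save side by side shows whether the two differ only in link type, which is what the dissector question hinges on.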

Re: Wireshark File Import
Here is just a quick cap for an example.

Thanks,

Mongoose


Tue Sep 21, 2010 10:35 pm

Re: Wireshark File Import
It looks like it will not let me upload. I attached the file but it is not showing. Does it need to be zipped or something?

Thanks,

Mongoose


Tue Sep 21, 2010 10:39 pm

Re: Wireshark File Import
Hi Mongoose,
the procedure to attach a file is this:
  • click the "Browse..." button (and select a file)
  • click "Add the file"
  • and (it is not necessary) click "Place inline" (this link/button appears if and only if the two previous steps were successful)
I think the maximum file size is 2M, but I'm not sure.

Ciao.
Gianluca


Wed Sep 22, 2010 5:14 am

Re: Wireshark File Import
Wireshark Upload sample

Attachment: Wireshark Sample.zip


Wed Sep 22, 2010 2:43 pm

Re: Wireshark File Import
I think the file limit is 1M; before the zip I was at 1.2M and it would not take it.

Sorry for all the problems, I am having one of those weeks where I should not be touching anything, LOL.

Thanks,

Mongoose


Wed Sep 22, 2010 2:44 pm