SharkFest 2022: Logray and scavenger hunts in PCAP files


At SharkFest, the conference that serves as the stage for the Wireshark network analysis tool, the organizers announced that the Wireshark universe is about to double in size.

For SharkFest 2022, the organizers chose a hybrid format for the first time. In July, roughly half of the participants met in Kansas City, Missouri, while the rest joined online. Unlike last time, the conference was sponsored not by Riverbed but by Sysdig, a change with far greater consequences than a mere switch of funding source would suggest.

Sysdig is closely linked to Wireshark, the main tool used by network analysts: the company's founder, Loris Degioanni, developed the WinPcap library, with whose help Ethereal, Wireshark's ancestor, gained a foothold on Windows. WinPcap gave way to the modern Npcap library long ago, but Degioanni stayed connected to Wireshark. After working separately for a few years, Gerald Combs, the creator of Ethereal/Wireshark, and Loris Degioanni are now back on a joint project: Logray. The tool (its name is a play on Wireshark's: a ray instead of a shark) looks very much like Wireshark, but instead of analyzing network packets, it analyzes log data.

In their joint keynote, Combs and Degioanni showed an early version in which they analyzed AWS CloudTrail logs and looked for hacked EC2 instances infected with a bitcoin miner. They could use the same filter engine, coloring rules and context menus they are used to from Wireshark. The tool can currently read PCAPNG files containing log data and load plug-ins. On the roadmap are "live capture", i.e. a live view of incoming log data, and a sensible use of the "third pane", which in Wireshark is the hex view. The big vision on the horizon is the unification of network packets, system calls and log data in a common recording format, giving analysts a combined overall view of the events relevant to them. Many are likely already eagerly awaiting this welcome, even overdue, synthesis.


The conference program consisted of presentations for beginners, advanced users and experts, as well as a security track with Wireshark topics. These were recorded but, unlike in the past, were initially made accessible only to participants. The release for everyone else on YouTube should follow in September or October.

Also this year there was an “esPCAPe Challenge”, i.e. a kind of scavenger hunt in which participants have to trawl through network data (PCAP files) for clues to solving puzzles. For example, a recorded VoIP telephone call had to be reconstructed and played back in order to find a piece of the puzzle.

In general, the name of the recording format “PCAP” was omnipresent, because in addition to the corresponding T-shirts, there were also many baseball caps with the inscription “PCAP or it didn’t happen!” – i.e. the humorous announcement “Show me the network recording, otherwise I won’t believe you and it never happened”, which should be the unofficial motto of all network analysts.

Sake Blok, who is part of Wireshark's core development team, took on one of the most significant security vulnerabilities of recent times in his presentation on Log4Shell. Attackers can exploit it with crafted inputs to make the widely used Java-based logging library Log4j load malicious code from a URL under their control. Sake carried out the attack himself in a closed environment and recorded the traffic.

However, Wireshark initially gets in the way of such an analysis because it does not automatically decode the LDAP traffic via port 389 correctly. Instead, you can set the LDAP dissector manually using the "Decode As" function from the context menu of the packet list. If you want to investigate the attack yourself, you can download the recording from the CloudShark platform.


Sake went a step further and set up a honeypot to test how often it was attacked and saw some amusing attempted break-ins. You could watch live how attacks failed due to incorrectly configured parameters. One attempt led to a conversation with an attacker from Brazil, to whom Blok kindly explained that his attempts were unsuccessful.

As every year, the presentation by the "Packet Doctors" attracted a great deal of interest. At this panel event, several experienced analysts have to diagnose network problems based on network packets submitted by participants. Starting from the error description, they try to identify the cause of the problem. This shows the audience different approaches, because, unlike in the usual troubleshooting presentations, none of the speakers knows in advance how they will get there, which is what makes the format so appealing.

This year, among other things, a problem in a NAT implementation was analyzed that caused a connection to fail during the TCP handshake: instead of sending its own public IP address in the SYN/ACK packet, the router reported the public address of the computer behind its NAT. One would actually have expected a private IP address for the computer; the solution would then have been easier to find.

But the router and machine addresses came from two very similar subnets, which is very unusual. Why it was configured that way remained open; it may have been an unclean application design, or a computer that had been moved was supposed to remain reachable at its previous address. In any case, the other side could not match the computer's address to any connection. And although the cause was almost obvious, the first Doc didn't find it within his analysis time because he initially looked at other aspects.
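The Packet Doctors' NAT case, as an added example that is not from the article: a minimal pure-Python libpcap reader that flags every SYN/ACK whose source address is not the address the client sent its SYN to. The capture is constructed inline (documentation address ranges, not values from the page) and only the standard library is used.

```python
import struct

def _ipv4_tcp(frame):
    """(src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]          # skip Ethernet + IPv4 header
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
            sport, dport, tcp[13])

def find_bad_synacks(pcap_bytes):
    """Return (client, address the SYN went to, address the SYN/ACK came from) per mismatch."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, pending, bad = 24, {}, []                     # 24 = libpcap global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        p = _ipv4_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags = p
        if (flags & 0x12) == 0x02:                     # SYN: remember whom the client asked
            pending[(src, sport, dport)] = dst
        elif (flags & 0x12) == 0x12:                   # SYN/ACK: must come from that address
            expected = pending.get((dst, dport, sport))
            if expected is not None and expected != src:
                bad.append((dst, expected, src))
    return bad

def _frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; not needed here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed capture: client SYNs to the router's public address, but the SYN/ACK
# comes back from the public address of the host behind the NAT (the fault above).
SAMPLE = _pcap([_frame("203.0.113.5", "198.51.100.1", 40000, 443, 0x02),
                _frame("198.51.100.77", "203.0.113.5", 443, 40000, 0x12)])
```

Calling `find_bad_synacks(SAMPLE)` returns the client, the address it asked for and the address that actually answered, which is exactly the mismatch the Docs had to spot in the packet list.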


Looking ahead to Wireshark 4.0 (version 3.6.x is current at the moment), the network analyst community is looking forward to the European edition of SharkFest in Portugal in early November. This is also to be a hybrid event, in order to give as many interested parties as possible the opportunity to participate.

In c’t 18/2022 we bring Windows and Linux together and explain how you can use both systems hand in hand on one computer. We also focus on used hardware, because it’s as easy on the wallet as it is on the environment – at least a little. You can find these and many other topics in the current issue of c’t.

  • Windows or Linux? Both!
  • Second-hand hardware: benefits, dealers, risks
  • Mobile phone contracts with a short term in comparison
  • Test: Radar rear light for bicycles
  • Test: Discount drone quadrocopter Maginon QC-90 GPS
  • Test: Four vacuum robots with self-cleaning
  • Security made easy: Threat modeling with a deck of cards
  • Folding@Home: Two years of Heise Falter
  • Calculate bridge days with Microsoft Excel
  • FAQ: In-App Purchases on Android
  • c’t 18/2022 in the Heise shop