Want to See What Port Is Most Commonly Used in a Packet Capture File? – Video Blog

Video – See What Port Is Most Commonly Used in a Packet Capture File



Commands Used

ls -alh sample-packets.pcap

tcpdump -qtnp -r sample-packets.pcap 2>/dev/null | wc -l

tcpdump -qtnp -r sample-packets.pcap 2>/dev/null | egrep -v '(^ARP|ICMP6)' | sed -e 's/UDP,/udp/' | awk '{print $2 " " $5 "\n" $4 " " $5}' | sed -e 's/: / /' -e 's/^.*\.//' | sort | uniq -c | sort -nr | head -20

tcpdump -qtnp -r sample-packets.pcap 'tcp port 443' 2>/dev/null | head -1


Video Transcript

Good afternoon everybody. This is Bill from Active Countermeasures. In today’s screencast I want to take a look at how we can quickly analyze large packet capture files to get a sense of what’s in them. What I want to be able to do is take a look at these files and get a sense of what particular ports are being used very heavily inside a particular P cap. Or if you’re capturing this live off of a network, what’s happening on your network very commonly. So we’re going to count the packets according to their port and protocol. We start off with a P cap file that has just under 10 million packets in it. I certainly don’t want to be looking down through that by hand to see what type of traffic is most common. So we’re going to let the computer do the work for us. What I’m going to do is pull up a command and I’m going to start it up here and then I’ll explain what it’s going to do.

We’re going to use tcpdump, which is available on Mac, Linux and Windows. They’re available on all three. It may even be pre-installed for you. I’m going to pull out all of the packets and create a one line summary of each packet and then send that along to the rest of the commands in this pipeline. The egrep command throws away both ARP and ICMP6 packets. We want to do that because the format of those lines is slightly different and since those are generally pretty uncommon and not likely to be taking up huge amounts for our traffic, we’re just going to ignore them for the purpose of this sample. We’re going to slightly clean up the output so that if it says capital “UDP,” we’re going to change that to a “udp“.

Now what we’re left with is aligned somewhat like this. IP, source and then the source IP of the packet and source port, going to the destination IP of the packet and the destination port with a protocol over here. And then there’ll be some more things to the right that we can basically ignore. With this, I now want to pull out the interesting parts to me. As far as I’m concerned the first part that I care about is the source port, which is part of field number two. I care about the destination port, which is part of field number four. Remember that the greater then is its own field. And I care about the protocol which is field number five. So what I’m going to do is use the awk command to take this text and create two lines, one with the source port and protocol, and one with the destination port and protocol. And then I’ll do a little bit more cleanup on that.

Pull all of the identical ports and protocols together, count them with uniq-C and then ask for the most common ones to sort up to the top of the list. And finally ask for the top 20 of those. And while I was doing that explanation, we got our results. Out of that 9.7 million packet capture file, seven and half million of them are port 5353 udp. That’s multicast DNS. It seems rather high. I might want to go and figure out why this is doing huge amounts of DNS lookups, or receiving huge amounts of DNS and multicast DNS packets.

The second most common type of traffic is port 8333 tcp, and some of you may recognize that as the port most commonly used by Bitcoin miners. So in just a couple of seconds, we’ve quickly summarized what is the most common type of traffic on this particular system. And it looks like in terms of packet counts, it’s multicast DNS. But these tend to be very small packets. So in terms of total number of bites coming in and out of this system, the most common type of traffic is likely to be Bitcoin mining. Thanks so much, if you have questions, feel free to get in touch. Cheers.



Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!

Share this:
AC-Hunter Datasheet
AC-Hunter Personal Demo
What We’re up To