Getting Started in Packet Decoding w/ Chris Brenton Day One!
Like all the classes, workshops, webcasts and in-person events that are hosted by Antisyphon, the class kicked off with banter and friendly back and forth. The social aspect of taking these classes live, even though you can grab past recordings and slides, is phenomenal. The community is supportive and welcoming. Chris is not only deeply knowledgeable and experienced, but the guy is so personable, funny, and warm. Loving this class so far.
The day started with some basic networking: what a frame is, what a packet is, how a packet gets from A to B, basic switching and routing, etc. We also talked about how firewalls use offsets to work their way through a packet (Ethernet header, then IP header, then the transport header) to determine the protocol, ports, etc. Then we moved into packet capturing and the different tools for doing so.
- tcpdump – Good for dumping traffic, but it is a bit limited.
- tshark – Great for big data sets.
- Wireshark – Great for analyzing one specific traffic pattern. The drawback is that you need to load the full pcap to review it (and those files can be rather large); the whole thing has to load into RAM, whereas with tshark you can kick off a job and go do other things while it runs.
- zeek – An Open Source Network Security Monitoring Tool
- ngrep – ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
- RITA – Real Intelligence Threat Analytics (R-I-T-A) is an open-source framework for detecting command and control communication through network traffic analysis. The RITA framework ingests Zeek logs or PCAPs converted to Zeek logs for analysis.
NOTE: ETHERNET FRAME CHECK SEQUENCE INCORRECT – If you see this error, it is usually not a real bad frame. The Ethernet CRC (the frame check sequence, FCS) is calculated by the network card, not by the CPU, so when you sniff on the system originating the packet you capture it too early: no CRC value has been assigned yet and the field is all zeros. If you were to sniff that same packet out on the wire it would be valid. This usually happens in dev (capturing on your own box), not in prod (capturing from a tap or span port). You can usually tell the tool you are using to turn off CRC validation to avoid the noise (in Wireshark it is the Ethernet protocol preference "Validate the Ethernet checksum if possible"); the network card will compute the real value on the way out anyway.
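To tie the two technical points of the day together (walking a packet by header offsets, and the all-zeros FCS you see when sniffing on the sending host), here is an added example in Python. It is my own illustration, not code from the class, from Chris, or from any of the tools above. It builds a constructed Ethernet II / IPv4 / TCP SYN frame (the MACs, IPs and ports are made up), decodes it purely by offsets the way a firewall or tcpdump works through it, and validates the FCS with zlib.crc32 (Ethernet uses the same CRC-32 as zlib, appended least-significant byte first). A second copy of the frame carries four zero bytes in the FCS slot, which is the assumed shape of the "sniffed too early" frame from the note; a third carries an 802.1Q tag to show why a fixed offset of 14 is not safe.

```python
import struct
import zlib
from typing import Optional

# Constructed sample addresses (not taken from any class capture).
ETH_DST = bytes.fromhex("001122334455")
ETH_SRC = bytes.fromhex("66778899aabb")
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([93, 184, 216, 34])


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 and TCP headers.
    Run over a header that already contains its checksum, it returns 0 when valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(with_fcs: bool, vlan: Optional[int] = None) -> bytes:
    """Ethernet II / IPv4 / TCP SYN frame. with_fcs=False mimics a frame sniffed on
    the sending host before the NIC filled in the CRC: the FCS slot is four zero bytes
    (an assumption for illustration; real host captures often carry no FCS at all)."""
    # TCP: sport 40000, dport 80, seq 1, ack 0, data offset 5 words, flags SYN, win 65535
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0))
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp[16:18] = struct.pack("!H", inet_checksum(pseudo + bytes(tcp)))
    # IPv4: version 4 / IHL 5, total length, id, DF flag, TTL 64, protocol 6 (TCP)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                               0x4000, 64, 6, 0, SRC_IP, DST_IP))
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""  # optional 802.1Q tag
    body = ETH_DST + ETH_SRC + tag + struct.pack("!H", 0x0800) + bytes(ip) + bytes(tcp)
    fcs = zlib.crc32(body) & 0xFFFFFFFF if with_fcs else 0
    return body + struct.pack("<I", fcs)  # FCS goes on the wire least-significant byte first


def decode_frame(frame: bytes) -> dict:
    """Walk the frame by offsets: Ethernet (14 B, +4 per 802.1Q tag) -> IPv4 (IHL*4 B) -> TCP."""
    body, fcs_field = frame[:-4], frame[-4:]
    out = {
        "fcs_ok": struct.unpack("<I", fcs_field)[0] == (zlib.crc32(body) & 0xFFFFFFFF),
        "fcs_zero": fcs_field == b"\x00" * 4,  # the "sniffed too early" signature
        "vlans": [],
    }
    offset = 12  # skip dst MAC (bytes 0-5) and src MAC (bytes 6-11)
    ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    while ethertype == 0x8100:  # each 802.1Q tag pushes the payload 4 bytes further out
        out["vlans"].append(struct.unpack("!H", body[offset + 2:offset + 4])[0] & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    offset += 2
    out["ethertype"] = ethertype
    if ethertype != 0x0800:
        return out  # not IPv4; stop walking
    ip = body[offset:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes; options make it more than 20
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]  # drop any Ethernet padding that follows the datagram
    out.update(proto=ip[9], src=".".join(map(str, ip[12:16])),
               dst=".".join(map(str, ip[16:20])), ip_checksum_ok=inet_checksum(ip[:ihl]) == 0)
    if ip[9] != 6:
        return out  # not TCP
    tcp = ip[ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    out.update(sport=sport, dport=dport, syn=bool(tcp[13] & 0x02), ack=bool(tcp[13] & 0x10),
               tcp_checksum_ok=inet_checksum(pseudo + tcp) == 0, payload_len=len(tcp) - data_off)
    return out


if __name__ == "__main__":
    for label, frame in (("on the wire", build_frame(True)),
                         ("sniffed on the sender", build_frame(False)),
                         ("802.1Q tagged", build_frame(True, vlan=100))):
        print(label, decode_frame(frame))
```

The point of the second frame is that every header checksum still validates; only the FCS is wrong, and it is wrong in the very specific way the note describes (all zeros), which is how you tell a capture artifact from a genuinely corrupted frame. The tagged frame is a reminder that "the IP header starts at offset 14" is only true until someone hands you a capture from a trunk port.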
There are walk-through labs and labs we do on our own and then come back together to discuss, which is a brilliant way to lead a class and to learn. When you sign up for the class you are told through email that you will be getting some emails closer to the start of the class. Basically, these give you access to the Zoom call and to specific channels in Discord. Along with this information is a link to download the VM we use in class for the labs.
In the chat today there were lots of great jokes, memes and insightful comments. We learned about PROMPT# zine, which I subscribed to (can't wait for the hard copy!), and we also learned about Wicked Dolphin. I am not a big drinker, but apparently this is pretty good rum. A video worth catching, which is scheduled to be refreshed soon, was also mentioned. I also had a cool TIL with this OUI Lookup Tool.
I am looking forward to tomorrow’s class. I am thankful to work for a company that allows us unlimited time off, I usually use it for my kids and life/family balance, but it’s really great to be using it to continue learning. Currently taking 1/2 days off because there are some 1:1 meetings this week that are pretty important, but I can fit training around those meetings.
Stay tuned for Day II!
