diff --git a/.gitbook/assets/image (567).png b/.gitbook/assets/image (567).png new file mode 100644 index 00000000..c98c8042 Binary files /dev/null and b/.gitbook/assets/image (567).png differ diff --git a/.gitbook/assets/image (570).png b/.gitbook/assets/image (570).png new file mode 100644 index 00000000..c98c8042 Binary files /dev/null and b/.gitbook/assets/image (570).png differ diff --git a/.gitbook/assets/image (571).png b/.gitbook/assets/image (571).png new file mode 100644 index 00000000..c9c778b2 Binary files /dev/null and b/.gitbook/assets/image (571).png differ diff --git a/.gitbook/assets/image (572).png b/.gitbook/assets/image (572).png new file mode 100644 index 00000000..07d2d492 Binary files /dev/null and b/.gitbook/assets/image (572).png differ diff --git a/.gitbook/assets/image (573).png b/.gitbook/assets/image (573).png new file mode 100644 index 00000000..e73c8449 Binary files /dev/null and b/.gitbook/assets/image (573).png differ diff --git a/.gitbook/assets/image (574).png b/.gitbook/assets/image (574).png new file mode 100644 index 00000000..4d6681de Binary files /dev/null and b/.gitbook/assets/image (574).png differ diff --git a/.gitbook/assets/image (575).png b/.gitbook/assets/image (575).png new file mode 100644 index 00000000..da99a7c6 Binary files /dev/null and b/.gitbook/assets/image (575).png differ diff --git a/.gitbook/assets/image (576).png b/.gitbook/assets/image (576).png new file mode 100644 index 00000000..5d656008 Binary files /dev/null and b/.gitbook/assets/image (576).png differ diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md index e0290266..dfe34fc8 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/README.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/README.md 
@@ -50,7 +50,15 @@ Then create a **new case**, create a **new session** inside the case and **uploa ### NetworkMiner -Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download [here](https://www.netresec.com/?page=NetworkMiner). +Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). +This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening there in a **quick** way. + +### NetWitness Investigator + +You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware). +This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**. + +![](../../../.gitbook/assets/image%20%28570%29.png) ### [BruteShark](https://github.com/odedshimon/BruteShark) diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md index d25019d7..69fe1288 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md 
@@ -11,6 +11,45 @@ The following tutorials are amazing to learn some cool basic tricks: * [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/) * [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/) +### Wireshark analysed Information + +#### Expert Information + +Clicking on _**Analyze** --> **Expert Information**_ you will have an **overview** of what is happening in the packets **analised**: + +![](../../../.gitbook/assets/image%20%28571%29.png) + +#### Resolved Addresses + +Under _**Statistics --> Resolved Addresses**_ you can find several **information** that was "**resolved**" by wireshark like port/transport to protocol, mac to manufacturer... +This is interesting to know what is implicated in the communication. + +![](../../../.gitbook/assets/image%20%28574%29.png) + +#### Protocol Hierarchy + +Under _**Statistics --> Protocol Hierarchy**_ you can find the **protocols** **involved** in the communication and data about them. + +![](../../../.gitbook/assets/image%20%28576%29.png) + +#### Conversations + +Under _**Statistics --> Conversations**_ you can find a **summary of the conversations** in the communication and data about them. + +![](../../../.gitbook/assets/image%20%28572%29.png) + +#### **Endpoints** + +Under _**Statistics --> Endpoints**_ you can find a **summary of the endpoints** in the communication and data about each of them. + +![](../../../.gitbook/assets/image%20%28575%29.png) + +#### I/O Graph + +Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication.** + +![](../../../.gitbook/assets/image%20%28573%29.png) + ### Filters Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)
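Review bot: the new `### NetWitness Investigator` paragraph in the README hunk tells the reader nothing beyond "analyse the packets and sort the information in a useful way", which is the same claim the NetworkMiner paragraph above it already makes; say what this tool adds (what the screenshot `image%20%28570%29.png` actually shows) or drop the sentence. Spelling in the same hunk is inconsistent with the file: `+This tool is also useful to get **other information analysed** from the packets` and `+This is another useful tool that **analyse the packets**` use British "analyse"/"analysed" while the existing NetworkMiner line uses "analyze"; pick one. That "other information analysed" sentence is also attached to the NetworkMiner section, not NetWitness, and should name which information it means instead of "other information". Separately, the binary additions at the top of the patch add both `.gitbook/assets/image (567).png` and `.gitbook/assets/image (570).png` with the same blob (`index 00000000..c98c8042`), and only the (570) copy is referenced anywhere in the patch; the (567) file looks like an accidental duplicate upload and should be removed.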
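Review bot: `+### Wireshark analysed Information` and the Expert Information line (`**overview** of what is happening in the packets **analised**:`) misspell the word and disagree with each other; use one spelling consistently (the README hunk in this same patch uses "analyze"). The sibling heading `+#### **Endpoints**` carries bold markers inside a `####` heading while the other five subsections do not; drop the stray `**`. The Expert Information description is also misleading: that dialog is not an overview of the traffic but the list of conditions Wireshark flagged, grouped by severity (Error, Warning, Note, Chat), so state that and the reader knows why to open it. The Resolved Addresses line ("port/transport to protocol, mac to manufacturer...") should name the tables the dialog has (hosts: IP to name, ports: number to service name, Ethernet: MAC to vendor) rather than trail off, and the I/O Graph line should say what is plotted (packets or bytes per time interval, optionally split per display filter) instead of "a graph of the communication". Every subsection is one sentence plus a screenshot; consider adding for each what to look for (e.g. sort Conversations by bytes to spot the bulk transfer, check Endpoints for the most-contacted hosts), since the screenshots alone do not carry that.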