Although Wireshark is a powerful, versatile tool, there are times when you may need to involve your team in a packet analysis exercise. One site that makes it easy to share your packet captures with co-workers is CloudShark (CS). CS does not have as many features as Wireshark; however, you can still complete a number of functional tasks during an analysis. In this chapter, we'll discover CS, a browser-based solution that offers several of the same benefits as Wireshark.
You'll learn that, in addition to the basic tasks, you can create an account and perform more advanced functions such as uploading and sharing captures. So that you can get the full benefit of CS, we'll step through basic packet capture analysis, such as applying filters to narrow the scope. In addition, we'll learn how to create graphs that provide a visual representation of the data. We'll also explore some of the built-in analysis tools. CS has several tools, which allow us to dissect a Voice over Internet Protocol (VoIP) call, complete a Hypertext Transfer Protocol (HTTP) analysis, and monitor for possible threats. Finally, so that you continue to improve your packet analysis skills, we will take a look at the many online repositories where you can obtain sample captures.
This chapter will address all of this by covering the following topics:
Most of us would agree that Wireshark is a great tool for troubleshooting, along with identifying malware and other anomalies on a network. However, Wireshark has some limitations in that it must be installed on a local machine to gather traffic, and it can be resource-intensive. In addition, Wireshark is not designed to be used concurrently by multiple people, such as in a team.
CS is a browser-based Software as a Service (SaaS) that provides a way to upload packet captures and share them with co-workers or even the world. You can also do an analysis on the fly, or simply use it as a browser-based solution to learn about protocol behavior.
CS offers the following features:
You can find CS at https://www.qacafe.com/analysis-tools/cloudshark/qa-cloudshark-personal-saas/. On the main page, you can either log in or set up a free trial. To get the most out of CS, create a trial account. Once your account is active, you will begin on the welcome page, as shown in the following screenshot:
From the welcome page, you can upload files from your PC or laptop or import them from a Uniform Resource Locator (URL), as shown on the left-hand side of Figure 20.1.
After you have uploaded your files, they will be listed on the right-hand side of the screen. Once you become familiar with the CS interface, you can adjust many aspects of your account, as we'll see next.
In CS, there are several areas that you can customize and fine-tune, such as account information, upload management, collections, and quotas. To get to the Preferences menu, go to the top right-hand side of the screen, where a drop-down menu allows you to modify the following variables:
When you are done with your selections, select Save, and CS will rearrange the columns according to your preferences.
Once the files are loaded, you can further restrict what group members can do with the files, by selecting either Read-Only or Read/Write. In addition, CS can provide guest access to your uploaded files.
After modifying your preferences, you're ready to upload your captures, to share with your team or the world, as discussed next.
To upload and share your captures, go to the left-hand side of the CS welcome page, as shown in Figure 20.1. You can either drag them from your file manager and drop them in the Upload Files area, or you can click and browse to a file location. Once a file is uploaded, CS will display a summary, as shown here:
After uploading your files, click Done to return to the Capture Index main menu, which will display a list of the files in your repository. Once there, select the check mark to the left of a file and the menu choices along the top will become active, as shown in the following screenshot:
The menu choices will allow you to complete several tasks with each file. Let's explore this concept next.
CS has several menu choices. For example, you can conduct a DeepSearch, which allows you to search specific fields within a capture. In addition, you can also search using an Index Filter, found on the lower left-hand side of the Capture Index feature, as shown here:
To launch a search, click on the drop-down menu and select an option, as shown in the following screenshot:
Once you have selected an option, CS will generate a form below where you can fill in the requested variables.
You can improve the searching process by applying the Add Tags feature to a file, to help identify its contents. For example, if you have a capture obtained from Building 4: East Hall, you can add a tag, as follows:
Over time, there may be many files in your repository. Adding tags helps you narrow your search.
When you are done with a file, you can select the Delete menu choice, which will permanently remove the file(s).
Next, we'll explore other tasks that you can do with your captures, including setting sharing permissions and adding to your collections.
CS provides a way to securely share your captures and allow packet analysis from a wide array of devices. When you want to share a file, select Sharing, which will open a window as shown here:
You can share with one of your groups and define what they can do once they access the file using either View Only or Modify & Delete. You can also set Share with Guests to one of the following options: No Change, Not shared, or Public.
In addition to sharing, you can also create capture collections to group and organize similar captures together.
Collections are like folders and provide a handy way to organize similar types of files. To add a file to a collection, select the Collections button. If you do not have any collections, you can create a new collection from the drop-down menu, as shown here:
To begin, open the drop-down menu, select Create a new collection…, and then select Save. This will then open a form where you can enter a name for your collection. In my example, I used the name Basic Analysis. After the name, you can provide a brief description, as shown in the following screenshot:
Below the form is where you can set the access privileges to either Private or Public. In addition, you can select individual file permissions, as shown in the following screenshot:
When done, select Save to return to Capture Index. Once at Capture Index, you can select a file and either double-click or select the Open Tab menu choice to open the file in the analysis window.
After you create an account, CS provides a way to customize the interface for you and your team. In the next section, we'll discover how to create a custom profile to personalize your workflow.
Once in CS, you'll find an interface that looks similar to the Wireshark interface. CS is flexible in that you can make some modifications. To show you some of the features, we'll use the HTTP.cap file, located at https://www.cloudshark.org/captures/0012f52602a3.
After you open the file, you can adjust the interface. For example, to give you more room, you can move the packet bytes window to the right so that you can expand the protocol trees, as shown in this screenshot:
In addition, you can make modifications to customize your workflow by creating a unique profile. Select the Profiles drop-down menu choice, and then select New Profile, which will launch the following window:
Within the interface, you can select one of the tabs that include Columns, Filters, and Protocol Preferences to create your custom profile.
Now that your capture is open and you have modified and customized the interface, you are ready for your analysis. In the next section, we'll evaluate the choices for filtering and graphing traffic.
Within CS, there are several ways to view your captures. Filters narrow a capture to display only the traffic you want to see, and graphs provide a visual representation of the data.
One common task is to apply a display filter. CS's easy-to-use interface provides a way to narrow your scope. Let's learn more about this in the next section.
Display filters in CS are comparable to the way Wireshark filters data. Filters can be applied to identify packets with specific ports, IP addresses, or protocols by entering a filter in the upper left-hand side of the interface. After you enter a filter, select Apply to run the filter.
In the following screenshot, I used the http filter, which narrowed the capture to show only HTTP traffic:
When using display filters, the syntax must be correct, or you will see an error. For example, the filter TCP (in capital letters) is not valid syntax and will generate an error, as shown here:
To run this filter successfully, you must enter tcp (in lowercase letters), just as Wireshark requires.
In addition to the standard filters, you can also create a search by string or hexadecimal (hex) values, as outlined in the following examples:
CS will then search and present the results, if any.
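As an added example that is not part of the chapter or CloudShark's own code, the following Python script reproduces the kind of byte-level string and hex search described above, run over a small two-frame pcap constructed in memory so it works offline. It assumes hex search terms are written as colon-separated bytes (such as 47:45:54 for GET); the match is case-sensitive, just like the display filter syntax discussed earlier.

```python
"""Search pcap frames for a string or a hex byte sequence (added example)."""
import struct


def build_pcap(frames):
    """Build a minimal little-endian pcap (link type 1, Ethernet) from raw frames."""
    # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, link type.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate(frames):
        # Record header: ts_sec, ts_usec, incl_len, orig_len (constructed timestamps).
        body += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return hdr + body


def iter_frames(pcap):
    """Yield (frame_number, raw_bytes) for every record in a pcap blob."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order from the magic number
    offset, number = 24, 1
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield number, pcap[offset:offset + incl_len]
        offset += incl_len
        number += 1


def search_frames(pcap, needle, hex_mode=False):
    """Return the frame numbers whose raw bytes contain the search term.

    needle is either a literal string (matched case-sensitively, like a
    display filter) or, with hex_mode=True, colon-separated hex bytes.
    """
    if hex_mode:
        pattern = bytes.fromhex(needle.replace(":", "").replace(" ", ""))
    else:
        pattern = needle.encode()
    return [num for num, frame in iter_frames(pcap) if pattern in frame]


# Constructed sample: zeroed MAC addresses + EtherType 0x0800 (IPv4) in front of
# an HTTP request line and, in the second frame, an unrelated binary payload.
ETH = bytes(12) + b"\x08\x00"
SAMPLE = build_pcap([ETH + b"GET /index.html HTTP/1.1\r\n", ETH + b"\x01\x02hello"])

if __name__ == "__main__":
    print("frames containing GET:", search_frames(SAMPLE, "GET"))
    print("frames containing 47:45:54:", search_frames(SAMPLE, "47:45:54", hex_mode=True))
```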
Filters help to narrow the scope. Now, let's take a look at the various graphs you can quickly apply while in CS to help visually represent the data.
Once in your capture, you may want to create a graph of either all traffic or of the filtered capture. In the upper right-hand corner, there is a drop-down Graphs menu, as shown here:
After you select the type of graph you would like, CS will display the graph. If you would like more interactivity, select Open in new window and then select Open in Editor, found in the upper right-hand corner, as shown in the following screenshot:
This will open a window that displays the graph, as shown:
Along the bottom right-hand side of the graph, select Edit this Graph, which will open a new window, as shown here:
Once there, you can add or modify the following options:
Once you have completed the graph, you can either print the graph or export it as an image in one of the following formats:
In addition to graphs and filters, there are times when you need to perform more advanced analysis. The next section provides an overview of a variety of tools for quickly examining data.
Beyond sharing captures with your team and graphing them, CS provides many other built-in analysis tools through its web interface. The drop-down menu for the Analysis Tools is located in the upper right-hand part of the screen, where you will find various menu choices, as shown here:
If any of the options are dimmed, such as Follow SSL and Follow HTTP, as shown in Figure 20.22, that means the tool is not applicable to the current capture.
From the top of the list, you will find many tools to use in your analysis. Let's begin with viewing conversations, ladder diagrams, and filtering the stream.
Within Wireshark, we have many tools under the Statistics menu that help us make sense of a packet capture. While CS doesn't have as many features, you'll see that you can do a preliminary evaluation on the fly with the built-in analysis tools.
The following list outlines the first few selections in the Analysis Tools menu choice:
CS is populated with many tools that you can use to analyze data. The next section shows how we can take a look at the details of a VoIP call, graph packet lengths, and Domain Name System (DNS) activity.
Some of the analysis tools may not seem useful at first glance; however, they do provide value while troubleshooting, so it's worth running a few of the graphs to see the results.
The next grouping of analysis tools includes the following options:
Another grouping of tools can dissect HTTP traffic and help identify wireless network issues.
When troubleshooting either HTTP or wireless networks, CS analysis tools include the following options:
CS has many tools that are similar to those found in Wireshark. However, this last grouping offers the unique ability to quickly assess a packet capture for potential malicious activity.
CS has two tools that allow you to determine if there is any suspicious activity within the capture, as follows:
These tools will aid the analyst when assessing threats on the network. To see an example of a capture that contains malicious activity, go to https://www.cloudshark.org/captures/f35aa6fcd160. Select Analysis Tools | Threat Assessment, and CS will display the following output:
By running a quick report, you can immediately see that there is a High Severity threat assessment level. Select View Advanced Threat Analysis, found in the middle of the screen, which will open another window, as shown here:
In addition, you can run a report on Zeek Logs found within the capture. Select Analysis Tools | Zeek Logs, and CS will bring up a summary of the log information found in the file, as shown here:
Once in the summary, you can select Explore All Logs, as shown in the lower right-hand corner of Figure 20.30, to discover more details.
Now that you have seen the many ways in which you can analyze data using CS, let's take a look at where you can get packet captures to strengthen your analysis skills.
While learning about packet analysis, it's important to study a variety of captures until you are proficient at knowing what to look for in a file. This may take a while, but it will be well worth the effort.
First, let's see how PacketLife.net provides a handy way to open and examine a packet capture, right in CS.
When working with packet captures, you may want to learn about an unfamiliar protocol with your team. Today there are many places to obtain packet captures; one site I visit often is https://packetlife.net/.
Once at PacketLife.net, navigate to http://packetlife.net/captures/, where you can search for captures. For example, I found snmp-ipv4.pcap, as shown in the following screenshot:
After you have found a packet capture, you can open it directly in CS, as shown here:
While in CS, you can use a variety of built-in tools to study the capture, or you can download the file and open it in Wireshark, for better visualization or a more advanced analysis of the data.
To continue with building your skills in packet analysis, I have listed a few more sites where you can find a variety of captures.
Here are a few websites that can give you a variety of real network traffic:
This is only a partial list of where you can get samples to hone your skills. As you become more involved in analyzing traffic, you will most likely find many more online repositories with sample captures. Visit them, download the captures, and continue to improve your packet analysis skills.
In this chapter, we took a look at CS, a tool that allows you to view and analyze packet captures in a browser. We learned some of the ways CS provides the ability to examine captures, many of which are similar to Wireshark. We started by discovering CS and learned ways to modify the preferences, work with captures, and create customized profiles. We then evaluated ways to filter a capture to show only a specific type of traffic, as well as creating a variety of graphs.
In addition, we learned that CS has a rich variety of analysis tools. Tools include Follow Stream, Network Endpoints, GeoIP World Map, Packet Lengths, DNS Activity, VoIP Calls, and Wireless Networks, with methods to assess threats. We discovered that, in general, there are many resources for packet captures that you can visit and download a capture file to study and improve your packet analysis skills. We then took a look at PacketLife.net, which has an online repository of capture files for download, or an option to open them and analyze them in CS. Finally, we reviewed a few of the locations you can search for packet captures, to further your skills in packet analysis with Wireshark.
Now, it's time to check your knowledge. Select the best response to the following questions and then check your answers, which can be found in the Assessment appendix:
Refer to the following links for more information: