Disclaimer: I'm not the best at scripting, I'm old and literally started on DOS before Windows, can sometimes pull things off in PowerShell but sometimes still avoid it. I apologize in advance for any mistakes here and will attempt to edit/correct if needed. These are re-written samples and not exactly what I use, so hopefully there aren't any mistakes. If anyone wants to contribute or convert anything into PowerShell here, that's fine.
On one of the networks I manage I use a few simple, free things to keep packet storage going. This is super handy, and when it's 24/7 you can always watch it live without referring to stored PCAP files too.
Here's what's needed:
- Dedicated (Windows) workstation for captures
- Wireshark (tshark is what actually does the capturing)
- RouterOS mangle rules with the sniff TZSP action
- 7-Zip
- Batch file scripts
The mangle rule (IP > Firewall > Mangle; in the CLI the action is called sniff-tzsp):
chain: prerouting
action: sniff TZSP
sniff target: 192.168.x.x (IP of the dedicated workstation)
sniff target port: 37008
This is the simplest way to get started, but in some cases you will want to avoid capturing certain traffic, and then it gets a little trickier.
Take anticipated large file transfers on a Windows network, for example: you could restrict the rule to protocol tcp with dst-port !445 (everything except SMB), but then you also need a separate prerouting sniff rule for UDP, and so on. As soon as the rule is anything more specific than a plain sniff TZSP prerouting rule, think ahead about what will end up missing from the capture. Two other things to keep in mind: the prerouting chain only sees packets arriving at the router, so traffic the router itself originates is not captured unless you add a sniff rule in the output chain as well; and TZSP is plain UDP with no authentication or encryption, so every sniffed packet is readable to anything on the path to the workstation, and anything that can reach UDP 37008 on the workstation can inject frames into the capture. Keep the workstation on a dedicated router port or management VLAN, let its firewall accept UDP 37008 only from the router's address, and remember that the copy of every packet travels over that link, so it needs the headroom.
Wireshark:
You need to figure out which Windows network interface to listen on. Windows sometimes renumbers the interfaces when there are multiple NICs (not often), so check the number again after inserting or removing a NIC or after a full Windows version upgrade.
Identify which NIC interface to listen on (the path contains a space, so it has to be quoted):
"C:\Program Files\Wireshark\tshark.exe" -D
Once you have the correct interface, you can start working on the .bat files:
- WSHARK.BAT
"C:\Program Files\Wireshark\tshark.exe" -i 4 -b filesize:250000 -w C:\PCAP\TZSP.PCAP
- Listening on interface #4 (the number tshark -D printed for the capture NIC).
- -b filesize:250000 switches to a new file every 250000 kB, roughly 250 MB per file (no space after the colon, or tshark rejects the option).
- tshark names each new file automatically from the base name plus a sequence number and timestamp, e.g. TZSP_00001_20240101120000.PCAP. The files are written in pcapng format regardless of the .PCAP extension; add -F pcap if another tool needs classic pcap.
- Optionally add a capture filter such as -f "udp port 37008 or udp port 37009" so only the TZSP stream and the remote syslog described further down are stored, not the workstation's own traffic.
- Using Task Scheduler, you could launch this at system startup, but I recommend adding a 3min+ delay.
I've found 250MB is about the right size to keep files snappy enough to open up, take a peek and do searches. I probably wouldn't recommend more than 500MB - but if you're running a fast CPU/SSD maybe.
Next, 7zip
Disk space can be valuable, and with small .7z files (i.e. 250 MB PCAPs) scheduling a compression script daily seems to work out for me:
- COMPRESS.BAT
SET PATH02=C:\Progra~1\7-Zip\7z.exe
REM /d -1 = only files last modified a day or more ago, so the file tshark is still writing is skipped
REM -sdel deletes the .PCAP only after the .7z was written successfully
forfiles /p "C:\PCAP" /m *.PCAP /d -1 /c ^"cmd /c ^
ECHO Compressing: @path^
&%PATH02% a -bb2 -t7z -mx9 -sdel @path.7z @path^" >>C:\PCAP\SEVEN.TXT
Now, eventually even with 7zip's great compression you're going to be running out of disk space.
- DELETER.BAT
REM /d -29 = files last modified 29 or more days ago; && means only files that were actually deleted get logged
forfiles /p "C:\PCAP" /m *.7z /d -29 /c "cmd /c Del @path && echo Removing: @path >>C:\PCAP\SEVEN.TXT"
Run daily from Task Scheduler, this deletes any *.7z files older than 29 days. Bear in mind that these archives hold full packet payloads (credentials, file contents, anything that crossed the router in clear text), so restrict C:\PCAP with NTFS permissions to the capture account and administrators, and treat the 29 days as a data-retention decision, not just a disk-space one.
Now, let's say you've really got your .7z/.PCAP storage system figured out and you're thinking of something crazy like, what else could I stuff in those PCAP files?
Well, how about syslogs?
Using a logging action in RouterOS (System > Logging > Actions):
Name: WSHARK
type: remote
Remote Address: 192.168.x.x (IP of dedicated workstation)
Remote Port: 37009
Src Address: 0.0.0.0
[x] BSD Syslog
Syslog Facility: 3 (daemon)
Wait, 37009, is that a mistake? No, it's not. Syslog normally goes to UDP 514, but pointing it at a port right next to the TZSP one makes it land in the same capture, and a display filter of udp.port==37009 pulls out just those logs, and it's kinda magical. Wireshark only decodes syslog on port 514 by default, so use Decode As (UDP port 37009 as Syslog) if you want the lines parsed rather than shown as raw data. Like TZSP, this is plain UDP, so the log lines are readable to anything on the path and should stay on the same protected link.
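What actually lands on the workstation's NIC, as an added example that is not part of the original post: a small Python decoder for the two datagram types this setup produces, the TZSP-wrapped frames the sniff TZSP mangle rule above sends to UDP 37008 and the BSD syslog text the logging action sends to UDP 37009. Both sample datagrams are constructed by hand for the example (they are not captures); the port numbers and the facility value are the ones used in this post, and the TZSP tag 0x29 is just an arbitrary tagged field included to show how the tag list is walked.

```python
"""Decode what the dedicated workstation receives on UDP 37008 and 37009.

Added example for this post (not the author's code).  The router's sniff-tzsp
mangle rule wraps each sniffed frame in a TZSP header and sends it to UDP 37008;
the remote logging action sends BSD syslog text to UDP 37009.  The two sample
datagrams at the bottom are constructed by hand.
"""
import struct

TZSP_PORT = 37008
SYSLOG_PORT = 37009

# TZSP: version(1)=1, type(1), encapsulation(2), then tagged fields until END.
TAG_PADDING = 0x00   # single byte, no length
TAG_END = 0x01       # single byte, no length; the inner frame follows it
ENCAP_ETHERNET = 1   # what a MikroTik sniff-tzsp rule emits


def parse_tzsp(data):
    """Return (encapsulation, {tag: value}, inner_frame) or raise ValueError."""
    if len(data) < 4:
        raise ValueError("short TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", data[:4])
    if version != 1:
        raise ValueError("unsupported TZSP version %d" % version)
    tags, i = {}, 4
    while True:
        if i >= len(data):
            raise ValueError("TZSP tag list not terminated")  # never trust the sender
        tag = data[i]
        i += 1
        if tag == TAG_END:
            return encap, tags, data[i:]
        if tag == TAG_PADDING:
            continue
        if i >= len(data) or i + 1 + data[i] > len(data):
            raise ValueError("truncated TZSP tag 0x%02x" % tag)
        length = data[i]
        tags[tag] = data[i + 1:i + 1 + length]
        i += 1 + length


def parse_ethernet_ipv4_udp(frame):
    """Extract the fields the post's display filters use (ip.addr, udp.port)."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800 or len(frame) < 34:
        return info  # not IPv4 (ARP, IPv6, ...) or truncated: no IP fields
    ihl = (frame[14] & 0x0F) * 4
    info["ip_src"] = ".".join(str(b) for b in frame[26:30])
    info["ip_dst"] = ".".join(str(b) for b in frame[30:34])
    info["ip_proto"] = frame[23]
    l4 = 14 + ihl
    if info["ip_proto"] == 17 and len(frame) >= l4 + 8:
        info["udp_sport"], info["udp_dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def parse_bsd_syslog(payload):
    """RFC 3164 message '<PRI>...' where PRI = facility * 8 + severity."""
    text = payload.decode("ascii", errors="replace")
    end = text.find(">", 1, 5)  # PRI is one to three digits
    if not text.startswith("<") or end < 0 or not text[1:end].isdigit():
        raise ValueError("malformed PRI")
    pri = int(text[1:end])
    return {"facility": pri // 8, "severity": pri % 8, "message": text[end + 1:]}


def demux(dst_port, payload):
    """Dispatch one UDP datagram the way the post's udp.port== filters do."""
    if dst_port == TZSP_PORT:
        encap, tags, frame = parse_tzsp(payload)
        inner = parse_ethernet_ipv4_udp(frame) if encap == ENCAP_ETHERNET else {}
        return {"kind": "tzsp", "encap": encap, "tags": tags, "inner": inner}
    if dst_port == SYSLOG_PORT:
        return dict(kind="syslog", **parse_bsd_syslog(payload))
    return {"kind": "other"}


# --- constructed samples, not real captures ----------------------------------
def _ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP with zero checksums; enough for header parsing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp

ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
# header, one 2-byte tag (0x29), a padding byte, END, then a client DNS query
SAMPLE_TZSP = (b"\x01\x00\x00\x01" + b"\x29\x02\x00\x40" + b"\x00" + b"\x01"
               + ETH_HDR + _ipv4_udp("192.168.1.50", "8.8.8.8", 51000, 53, b"\x00" * 12))
# facility 3 (daemon) * 8 + severity 6 (info) = 30, as configured in the post
SAMPLE_SYSLOG = b"<30>Jan  1 12:00:00 router daemon: constructed sample line"

if __name__ == "__main__":
    print(demux(TZSP_PORT, SAMPLE_TZSP))
    print(demux(SYSLOG_PORT, SAMPLE_SYSLOG))
```

Feed it the raw UDP payloads from a capture and you get the same inner fields the display filters operate on. The point to notice is that parse_tzsp refuses truncated or unterminated tag lists instead of guessing: anyone who can reach UDP 37008 on the workstation can send arbitrary bytes there, and a decoder that trusts the length bytes is the first thing that breaks.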
Okay enough of that nonsense, back to PCAP files.
Because I rarely have to do this I'm a little rusty, but you can automate decompressing and searching the PCAPs within the .7z files.
On a mechanical drive that kinda becomes a nightmare though, so tread lightly if you're going to take a stab at this.
- DECOMP.BAT
SET PATH02=C:\Progra~1\7-Zip\7z.exe
REM -o sets the output folder; the archives hold just the file name, so each .PCAP lands back in C:\PCAP
forfiles /p "C:\PCAP" /m *.7z /c ^"cmd /c ^
ECHO Decompressing: @path^
&%PATH02% x @path -oC:\PCAP^" >>C:\PCAP\SEVEN.TXT
Here is an example of a search:
- FINDER.BAT
SET PATH01=C:\Progra~1\Wireshark\tshark.exe
REM forfiles turns 0x22 into a double quote, which is how the display filter gets quoted inside /c
forfiles /p "C:\PCAP" /m *.PCAP /c ^"cmd /c ^
ECHO Searching File: @path^
&%PATH01% -r @path -Y 0x22ip.addr==8.8.8.0/240x22^" >>C:\PCAP\SEVEN.TXT
This searches every .PCAP in C:\PCAP for traffic to or from 8.8.8.0/24 and gives you a clue which file to open. Because Wireshark's TZSP dissector decodes the wrapped frame, ip.addr matches the inner addresses as well as the outer router-to-workstation header, which is why filtering on the workstation's own address would match every TZSP packet (hence the exclusion in the next example).
Basically, get familiar with what will and will not work within the boundaries of 0x22wiresharkfilter0x22, which is just a quoted Wireshark display filter once forfiles has replaced the 0x22 escapes.
- another example:
0x22udp.port==37009 and !ip.addr==192.168.x.x0x22
- Don't forget about the built-in "tzsp" Wireshark display filter (I only use it in the GUI); whether it's useful depends on the scenario.
Okay, well, I guess that will be it for now. I think some will laugh at this and I don't think I'll be able to provide much support, but if anything comes to mind I'll chime in.