Dripcap is a modern, graphical packet analyzer based on Electron.
We should all be deeply familiar with the venerable Wireshark , as it has long been the forerunner for packet analysts seeking a graphical interface to their PCAPs. Occasionally though, it’s interesting to explore alternatives. I’ve long lovedNetworkMiner, and the likes of Microsoft Message Analyzer andXplico each have unique benefits.
For basic users comfortabel with Wireshark, you’ll likely find Dripcap somewhat rudimentary at this stage, but it does give you opportunities to explore packet captures at fundamental levels and learn without some of the feature crutches more robust tools offer.
I built Dripcap from source on Windows as follows, using Chocolatey .
From a administrator PowerShell prompt (ensure Get-ExecutionPolicy is not Restricted), execute the following (restart your admin PS prompt after #2):
- iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex
- choco install git make jq nodejs
- git clone https://github.com/dripcap/dripcap.git
- cd dripcap
- npm install -g gulp node-gyp babel-cli
- npm install
Step 1 installs Chocolatey, step 2 uses Chocolatey to install tools, step 3 clones Dripcap, steps 5 & 6 install packages, and step 7 builds it all.
Execute dripcap , and you should be up and running.
You can also use npm, part of Node.js’ package ecosystem to install Dripcap CLI with npm install -g dripcap , or just download dripcap-windows-amd64.exe from Dripcap Releases .
I’ll walk you through packet carving of sorts with Dripcap. One of Dripcap’s strongest features is its filtering capabilities. I used an old PCAP with an Operation Aurora Internet Explorer exploit ( CVE-2010-0249 ) payload for this tool test.
Ctrl+O will Import Pcap File for you.
Click Developer , then Toggle Log Panel for full logging.
|Figure 1: Dripcap|
You’ll note four packets with lengths of 1514, as seen in Figure 1 . Exploring the first of these packets indicates just what we’d expect: an Ethernet MTU (maximum transmission unit) of 1500 bytes, and a TCP payload of 1460 bytes, leaving 40 bytes for our header (20 byte IP and 20 byte TCP).
|Figure 2: First large packet|
Hovering your mouse over the TCP details in the UI will highlight all the TCP specific data, but you can take such actions a step further. First, let’s filter down to just the large packets with tcp.payload.length == 1460 .
|Figure 3: Filtered packets|
With our view reduced we can do some down and dirty carving pretty easily with Dripcap. In each of the four filtered packets I hovered over Payload 1460 bytes as seen in Figure 4 , which highlighted the payload-specific hex. I then used the mouse to capture the highlighted content and, using Dripcap’s Edit and Copy, grabbed only that payload-specific hex and pasted it to a text file.
|Figure 4: Hex payload|
|Figure 5: ASCII results|
You can just as easily use online converters as well. I saved the ASCII results to a text file in a directory which I had excluded from my anti-malware protection. After uploading the file to VirusTotal as payload.txt, my expectations were confirmed: 32 of 56 AV providers detected the file as the likes of Exploit:JS/Elecom.D or, more to the point, Exploit.JS.Aurora.a.
Perhaps not the most elegant method, but it worked quickly and easily with Dripcap’s filtering and editing functions. I hope to see this tool, and its community, continue to grow. Build dissector packages, create themes, become part of the process, it’s always good to see alternatives in available to security practitioners.
Cheers…until next time.