I'm using Wireshark to capture network information for a little network analysis project. One of the things I would like to do is look at which files have been accessed on shared drives (that is, using the SMB protocol).
Is it possible to recover the full path name (e.g. \server\path\to\file.txt) from only the captured packet? Based on this resource, the fourth packet should contain the UNC path name, but I'm not finding it anywhere in the captured session.
If it's not possible to recover the full path from the packet alone, is there some other way using the information in the packet? I know, for example, that the packet contains the source IP and a file ID generated by the source. Are those helpful?
Thanks
You're digging in the wrong place.
You should gather and log that information within the Samba server.
If you insist on doing that analysis with sniffing software, then you have to reconstruct the SMB session.
P.S. To be more specific, you need to recover all the previous requests to the subdirectory tree. If you need to recover \server\path\to\asdf1\file.txt, then you have to find the requests to directory "to" first, and to directory "asdf1" too. A directory is a file itself, with attribute D.
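As an added illustration of the session reconstruction the answer talks about (this is not from the original post, and it uses the SMB2 layout from MS-SMB2 rather than whatever dialect the asker captured): the share path only travels once, in the TREE_CONNECT request; the server's TREE_CONNECT response hands back a TreeId; every later CREATE on that tree carries just the name relative to the share root, so the full UNC path is the remembered share plus that name. A directory open is an ordinary CREATE with FILE_DIRECTORY_FILE set, which is the "directory is a file itself" point. The packets below are constructed by the script itself (server name, share names, session and message IDs are all made up), and the NetBIOS length prefix is assumed already stripped.

```python
import struct
from typing import Dict, List, Tuple

# Constructed SMB2 messages, NetBIOS 4-byte length prefix already stripped. Layout per
# MS-SMB2: a 64-byte header, then the command body; string offsets in the body are
# relative to the start of the header.
SMB2_MAGIC = b"\xfeSMB"
SMB2_TREE_CONNECT = 0x0003
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses
FILE_DIRECTORY_FILE = 0x00000001          # CreateOptions bit: caller wants a directory
STATUS_ACCESS_DENIED = 0xC0000022
HEADER = "<HHIHHIIQIIQ"  # header fields after the 4-byte ProtocolId, before the 16-byte Signature


def parse_smb2_header(msg: bytes) -> dict:
    if len(msg) < 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_size, _cc, status, command, _cr, flags, _next, message_id,
     _reserved, tree_id, session_id) = struct.unpack_from(HEADER, msg, 4)
    return {"status": status, "command": command, "flags": flags,
            "message_id": message_id, "tree_id": tree_id, "session_id": session_id}


class SmbPathTracker:
    """Rebuilds full UNC paths by joining TREE_CONNECT share paths to CREATE names."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, int], str] = {}   # (session, message_id) -> share asked for
        self.shares: Dict[Tuple[int, int], str] = {}    # (session, tree_id) -> \\server\share
        self.opened: List[Tuple[str, bool]] = []        # (full path, is_directory)

    def feed(self, msg: bytes) -> None:
        h = parse_smb2_header(msg)
        is_response = bool(h["flags"] & SMB2_FLAGS_SERVER_TO_REDIR)
        key = (h["session_id"], h["message_id"])
        if h["command"] == SMB2_TREE_CONNECT and not is_response:
            off, length = struct.unpack_from("<HH", msg, 68)     # PathOffset, PathLength
            self.pending[key] = msg[off:off + length].decode("utf-16-le")
        elif h["command"] == SMB2_TREE_CONNECT and is_response:
            share = self.pending.pop(key, None)
            if share is not None and h["status"] == 0:         # TreeId is only meaningful on success
                self.shares[(h["session_id"], h["tree_id"])] = share
        elif h["command"] == SMB2_CREATE and not is_response:
            options, = struct.unpack_from("<I", msg, 104)       # CreateOptions
            off, length = struct.unpack_from("<HH", msg, 108)    # NameOffset, NameLength
            name = msg[off:off + length].decode("utf-16-le")     # relative to the share root
            share = self.shares.get((h["session_id"], h["tree_id"]),
                                    f"<tree {h['tree_id']} not seen in capture>")
            full = share + "\\" + name if name else share
            self.opened.append((full, bool(options & FILE_DIRECTORY_FILE)))


# Builders for the constructed sample session (same layouts, so the parser round-trips).
def _header(command, flags, message_id, tree_id, session_id, status=0) -> bytes:
    return SMB2_MAGIC + struct.pack(HEADER, 64, 0, status, command, 0, flags, 0,
                                    message_id, 0, tree_id, session_id) + b"\x00" * 16


def tree_connect_req(share: str, message_id: int, session_id: int) -> bytes:
    path = share.encode("utf-16-le")
    return _header(SMB2_TREE_CONNECT, 0, message_id, 0, session_id) + \
        struct.pack("<HHHH", 9, 0, 72, len(path)) + path


def tree_connect_resp(message_id: int, session_id: int, tree_id: int, status: int = 0) -> bytes:
    body = struct.pack("<HBBIII", 16, 1, 0, 0, 0, 0x001F01FF)
    return _header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR, message_id, tree_id,
                   session_id, status) + body


def create_req(name: str, message_id: int, session_id: int, tree_id: int,
               directory: bool = False) -> bytes:
    n = name.encode("utf-16-le")
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x00120089, 0, 7, 1,
                       FILE_DIRECTORY_FILE if directory else 0x40, 120, len(n), 0, 0)
    return _header(SMB2_CREATE, 0, message_id, tree_id, session_id) + body + (n or b"\x00")


def demo() -> List[Tuple[str, bool]]:
    sess = 0x1122334455667788                       # made-up session id
    t = SmbPathTracker()
    for m in (
        tree_connect_req(r"\\fileserver\projects", 5, sess),
        tree_connect_resp(5, sess, tree_id=1),
        create_req(r"to\asdf1", 6, sess, 1, directory=True),   # the directory is opened like a file
        create_req(r"to\asdf1\file.txt", 7, sess, 1),
        tree_connect_req(r"\\fileserver\admin$", 8, sess),
        tree_connect_resp(8, sess, tree_id=0, status=STATUS_ACCESS_DENIED),
        create_req("secret.txt", 9, sess, 0),                  # tree the capture never saw connect
    ):
        t.feed(m)
    return t.opened


if __name__ == "__main__":
    for path, is_dir in demo():
        print(("DIR  " if is_dir else "FILE ") + path)
```

The last CREATE shows the practical limit: if the capture started after the client connected to the share, the TreeId cannot be resolved and only the share-relative name survives, which is why a capture that is not from the start of the session cannot give you full paths on its own.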
I have more than 900 receive locations associated with the same host.
All receive locations are enabled but sometimes some of them are not working (and are still enabled).
When I disable and re-enable it, the receive location works, but another one goes into trouble.
Are there any known limitations of the number of receive locations that can be associated with the same host in BizTalk 2016?
I don't know if there is a limit on the number, but if you associate all the receive locations with the same Host, your problems are probably due to the Throttling mechanism.
While there are no hard limits to Receive Locations or Send Ports, there are still practical limits based on available resources.
900 is a lot for a single Host. Even if everything was running perfectly, I would still break that up across ~3 Hosts.
If these are File Receive Locations, there are other techniques to reduce the amount even more. Some options:
Use a Windows Scheduler task to move files from various locations to fewer, or maybe one location. If 'source' information is necessary, you can add a tag to the file name which can be extracted in a custom Pipeline Component.
Modify the sample File Adapter in the SDK to scan sub-folders as well. You can combine this with option 1 if you cannot modify the filename for some reason.
Similar to option 1, the script can write a meta-data file before moving the file with any data you need to preserve. The meta-data can then be read in a Pipeline Component.
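As an added example (not from the answer and not from the BizTalk SDK), here is a Python version of options 1 and 3 above: a script a scheduled task could run to sweep several pickup folders into the one folder a single File Receive Location polls, encode the source in the file name, write a JSON side-car with the metadata to preserve, plus the parse a custom Pipeline Component would do on the other side. The `<tag>__<name>__<uuid>` naming convention, the folder names and the sample files are all assumptions made for the demo.

```python
import json
import os
import re
import shutil
import tempfile
import uuid
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Naming convention ASSUMED for this example (not a BizTalk one):
#   <source-tag>__<original-name>__<32 hex uuid><ext>
# The tag says which pickup folder the file came from; the uuid stops two sources that
# both have an "order1.txt" from overwriting each other in the shared drop folder.
TAG_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")   # no underscores, so "__" is an unambiguous separator
TAGGED_RE = re.compile(
    r"^(?P<tag>[A-Za-z0-9-]+)__(?P<stem>.+)__(?P<uid>[0-9a-f]{32})(?P<ext>\.[^.]*)?$")


def tag_filename(tag: str, original: str) -> str:
    if not TAG_RE.fullmatch(tag):
        raise ValueError(f"bad source tag: {tag!r}")
    stem, ext = os.path.splitext(Path(original).name)   # .name: never carry a directory part along
    if not stem or "/" in stem or "\\" in stem:
        raise ValueError(f"bad file name: {original!r}")
    return f"{tag}__{stem}__{uuid.uuid4().hex}{ext}"


def parse_tagged_filename(name: str) -> Optional[Tuple[str, str]]:
    """The pipeline-component side: recover (source tag, original file name), or None."""
    m = TAGGED_RE.fullmatch(name)
    if not m:
        return None
    return m.group("tag"), m.group("stem") + (m.group("ext") or "")


def consolidate(sources: Dict[str, Path], drop: Path) -> List[Path]:
    """Sweep every file out of each tagged pickup folder into the one folder BizTalk polls.
    Each file lands under a temporary name and is renamed into place, so a receive
    location with a *.txt mask never picks up a half-copied file; a JSON side-car keeps
    whatever metadata must survive the move (option 3 in the answer)."""
    drop.mkdir(parents=True, exist_ok=True)
    moved: List[Path] = []
    for tag, folder in sources.items():
        for src in sorted(p for p in folder.iterdir() if p.is_file()):
            final = drop / tag_filename(tag, src.name)
            partial = final.with_name(final.name + ".part")
            meta = {"source_tag": tag, "source_path": str(src), "size": src.stat().st_size}
            shutil.move(str(src), str(partial))            # may copy across volumes: not atomic
            final.with_name(final.name + ".json").write_text(json.dumps(meta))
            os.replace(partial, final)                      # same volume: atomic rename
            moved.append(final)
    return moved


def demo() -> List[Optional[Tuple[str, str]]]:
    root = Path(tempfile.mkdtemp())                         # constructed pickup folders
    sources: Dict[str, Path] = {}
    for tag, names in {"plant-a": ["order1.txt", "order2.txt"], "plant-b": ["order1.txt"]}.items():
        (root / tag).mkdir()
        for n in names:
            (root / tag / n).write_text(f"{tag} {n}\n")
        sources[tag] = root / tag
    moved = consolidate(sources, root / "drop")
    result = [parse_tagged_filename(p.name) for p in moved]
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The two details worth keeping if you port this to PowerShell for the scheduled task are the temporary name followed by a rename (so the receive location's file mask never matches a partially written file) and taking only the base name of the source file, so that nothing from the source path can end up in the drop folder's name.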
I have a question that I can't seem to find a complete answer for. This may not be something that is possible, but I am hoping someone will have a solution.
At my work, we process wireless sniffs in Wireshark. We have a shell script to merge and filter the files into the forms that we want, but we still have to manually generate a PSK and add it in the Wireshark preferences to decrypt each file for analysis. I would like to add a line to decrypt the main file before filtering and save it in a decrypted format.
Here is the problem:
I know I can use the -o flag when running tshark to add the PSK to the computer's decryption keys, but the processing is done on one computer and then the files are distributed among many employees for analysis, so I need the files themselves decrypted.
I know I can use aircrack-ng to decrypt pcap files, but we use pcapng files and aircrack does not recognize those.
Is there any solution? It would even help if I could somehow generate a psk from ssid and password and save that as a text file, but there does not even seem to be a clean way to do that.
We use Ubuntu 16.04 as our OS. Wireshark version 2.0.2.
You could possibly just append the psk information directly to the 80211_keys file located in your Wireshark personal configuration folder then distribute that file along with the capture file. If you don't want (or if users don't want) to overwrite the existing 80211_keys file, they could set the WIRESHARK_DATA_DIR environment variable so the distributed file is used instead when they run Wireshark for this type of analysis.
Refer to the Wireshark man page for more information on the various Wireshark environment variables.
If aircrack-ng only supports pcap files, then I suppose another possible solution might be to simply convert the pcapng files to pcap using something like editcap, or just change the default capture file format to pcap if you're not making use of any of pcapng's features anyway, e.g., you're not capturing on multiple interfaces simultaneously, you don't use packet comments, etc.
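The asker also wanted a clean way to turn SSID and passphrase into a PSK and save it as a text file, and the answer's first suggestion is to ship an 80211_keys file. As an added example (not from the answer or from the Wireshark project), the Python below does both: the WPA/WPA2-Personal PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes, and the script appends the result to an 80211_keys file without duplicating existing records. The record shape `"wpa-psk","<hex>"` is an assumption based on files written by Wireshark's own preferences dialog, so compare it with one your Wireshark 2.0.2 wrote before relying on it; the SSID/passphrase pair is the published IEEE 802.11 test vector and the output directory is a throwaway one.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, List

HEX = set("0123456789abcdef")


def derive_wpa_psk(ssid: str, passphrase: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), as hex.
    This is the WPA/WPA2-Personal derivation; nothing has to go over the air for it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def wireshark_key_record(psk_hex: str) -> str:
    """One 80211_keys record for a raw PSK. ASSUMPTION: the quoted-CSV record shape
    '"wpa-psk","<64 hex>"' as written by Wireshark's preferences dialog; check it
    against a file your own Wireshark wrote before trusting it."""
    psk_hex = psk_hex.lower()
    if len(psk_hex) != 64 or set(psk_hex) - HEX:
        raise ValueError("a WPA PSK is 64 hex characters")
    return f'"wpa-psk","{psk_hex}"'


def add_keys(keys_file: Path, psks: Iterable[str]) -> List[str]:
    """Append records for the given PSKs, skipping ones already present.
    Returns the file's key records; comment lines are preserved in the file but not returned."""
    lines = keys_file.read_text().splitlines() if keys_file.exists() else []
    for psk in psks:
        rec = wireshark_key_record(psk)
        if rec not in lines:
            lines.append(rec)
    keys_file.parent.mkdir(parents=True, exist_ok=True)
    keys_file.write_text("\n".join(lines) + "\n")
    return [line for line in lines if not line.startswith("#")]


def demo() -> List[str]:
    # Constructed inputs: the IEEE 802.11 test-vector SSID/passphrase, added twice to
    # show the de-duplication, into a throwaway directory standing in for the
    # Wireshark configuration folder you would distribute.
    psk = derive_wpa_psk("IEEE", "password")
    config_dir = Path(tempfile.mkdtemp())
    add_keys(config_dir / "80211_keys", [psk])
    return add_keys(config_dir / "80211_keys", [psk])


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two caveats for the distributed workflow: the analysts' Wireshark still needs the wlan.enable_decryption preference on (for tshark, `-o wlan.enable_decryption:TRUE`), and Wireshark can only decrypt a client's traffic if the capture still contains that client's EAPOL 4-way handshake, so the merge-and-filter step must not drop those frames before the file is handed out.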
Is there any way, commonly known or purely theoretical, to have a single link to a single file -- say, a typical download file on your regular browser -- but split the transfer itself into multiple parts from the client side?
Essentially, I want to know if it's possible for a computer to split a single network file transfer into two (or more) so that if the computer has multiple network cards (assuming that the ISP isn't causing a bottleneck), they can effectively download the file at twice the rate. Assume that the download source isn't doing anything to monitor this probably-angering behavior.
FTP supports this via the REST command: http://www.ipswitch.com/support/ws_ftp-server/guide/v5/a_ftpref3.html#10694
Clients usually do feature detection on the FTP server to see if it supports this by issuing the FEAT command.
HTTP also supports this via the Range request header: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35
My favourite client that can do the above is aria2: http://aria2.sourceforge.net/
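As an added example of the HTTP side of the answer (this is not from the answer and is not aria2's code), a small Python ranged downloader: it plans inclusive byte ranges, fetches them in parallel with one connection per part, and refuses anything that is not exactly the part it asked for. The last point is the one that matters in practice: a server that ignores Range answers 200 with the whole object, and a naive client would then stitch N full copies together. The transport is pluggable; the real one uses `http.client` and can bind each connection to a local address, which is how you would spread parts across several interfaces. The in-memory server, its 10240-byte object and the URL handling are constructed for the demo so it runs offline.

```python
import hashlib
import http.client
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A transport takes an inclusive byte range and returns (status, headers, body).
Fetch = Callable[[int, int], Tuple[int, Dict[str, str], bytes]]
CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+|\*)")


def plan_ranges(size: int, parts: int) -> List[Tuple[int, int]]:
    """Split [0, size) into at most `parts` inclusive ranges, as Range: bytes=a-b expects."""
    if size <= 0 or parts <= 0:
        raise ValueError("size and parts must be positive")
    chunk = -(-size // min(parts, size))            # ceiling division
    return [(s, min(s + chunk, size) - 1) for s in range(0, size, chunk)]


def fetch_part(fetch: Fetch, start: int, end: int) -> bytes:
    """Fetch one range and refuse anything that is not exactly the range asked for."""
    status, headers, body = fetch(start, end)
    if status == 200:
        # The server ignored Range and is streaming the whole object; every worker
        # would get the same, so this must be detected rather than stitched together.
        raise RuntimeError("server does not honour Range (200 instead of 206)")
    if status != 206:
        raise RuntimeError(f"unexpected status {status}")
    m = CONTENT_RANGE.fullmatch(headers.get("Content-Range", ""))
    if not m or (int(m.group(1)), int(m.group(2))) != (start, end):
        raise RuntimeError("Content-Range does not match the requested range")
    if len(body) != end - start + 1:
        raise RuntimeError("part body length does not match Content-Range")
    return body


def download_ranged(fetch: Fetch, size: int, parts: int, workers: int = 4) -> bytes:
    ranges = plan_ranges(size, parts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return b"".join(pool.map(lambda r: fetch_part(fetch, *r), ranges))


def http_range_fetch(url: str, source_address: Optional[str] = None) -> Fetch:
    """Real transport: a fresh connection per part, optionally bound to one local
    address so that different workers can leave through different interfaces."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection

    def fetch(start: int, end: int):
        conn = cls(u.hostname, u.port, timeout=30,
                   source_address=(source_address, 0) if source_address else None)
        try:
            conn.request("GET", u.path or "/", headers={"Range": f"bytes={start}-{end}"})
            resp = conn.getresponse()
            return resp.status, {"Content-Range": resp.getheader("Content-Range", "")}, resp.read()
        finally:
            conn.close()
    return fetch


# Constructed in-memory "server" so the example runs offline.
SAMPLE = bytes(range(256)) * 40                     # 10240-byte object, made up for the demo


def fake_server(data: bytes, honours_range: bool = True) -> Fetch:
    def fetch(start: int, end: int):
        if not honours_range:
            return 200, {}, data                    # a server that ignores Range
        end = min(end, len(data) - 1)
        return 206, {"Content-Range": f"bytes {start}-{end}/{len(data)}"}, data[start:end + 1]
    return fetch


def demo_parallel() -> bool:
    got = download_ranged(fake_server(SAMPLE), len(SAMPLE), parts=4)
    return hashlib.sha256(got).hexdigest() == hashlib.sha256(SAMPLE).hexdigest()


def demo_server_ignores_range() -> bool:
    try:
        download_ranged(fake_server(SAMPLE, honours_range=False), len(SAMPLE), parts=4)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("parallel download intact:", demo_parallel())
    print("Range-ignoring server detected:", demo_server_ignores_range())
```

Against a real server you would get `size` from a HEAD request's Content-Length first, create one `http_range_fetch` per local address (one per network card) and hand a different one to each worker; the content hash you compare at the end should come from somewhere other than the download itself, since a server or middlebox that tampers with one part would otherwise go unnoticed.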
If I have a TrueCrypt file on a shared drive and I mount it using the shared path, does my password data get sent in plain text across the network? Basically my question is: is it safe to mount a TrueCrypt file across a network without copying the file to your local machine first?
Your password data is not sent across the network, because the cryptographic operations take place on your computer, in the TrueCrypt driver. The password is used to derive a key that is used on your computer to decrypt the encrypted sectors sent across the network.
The TrueCrypt FAQ has a section on this. I believe item 2 is what you want to achieve. Their warning is that someone looking at the encrypted traffic could get some side-channel information, like the amount of data read and written, and the offset in the encrypted file.
Unless you want protection from your government or another well-funded attacker, I believe you should be OK, password-wise. You might test what happens when a network failure occurs while writing a large file. It might corrupt the file system you mounted.
What I did:
mounted the TrueCrypt drive and a TrueCrypt container with VeraCrypt (which is newer)
created Windows (Samba) and Mac (AFP) shares of the drive and the container, with a password in the share settings (whatever software you use)
Mounting the container prevented it from being overwritten by someone else opening the container directly.
I need to be able to read and write .txt files to a folder that is on a server. If it is possible, do you have any advice as to how to get started?
Scanner can work with a number of sources, including a File, a String, and an InputStream.
If the remote computer's filesystem was mounted via SMB ("Windows Shares") or NFS or similar, then it could be transparently accessed "as a normal file".
If the remote file is accessible as the response content of an HTTP GET request, then getInputStream of HttpURLConnection might be appropriate. (Or just read the entire response into a String and use that...)
Otherwise, find out how the remote file/resource can be accessed and use that: break down the problem and requirements, come up with a set of solutions, pick the least painful approach, and get to work :-)
Happy coding.