

When reviewing packet captures (pcaps) of suspicious activity, security professionals may need to export objects from the pcaps for a closer examination. This tutorial offers tips on how to export different types of objects from a pcap. The instructions assume you understand network traffic fundamentals.

We will use these pcaps of network traffic to practice extracting objects using Wireshark. The instructions also assume you have customized your Wireshark column display as previously demonstrated in this tutorial.

Warning: Most of these pcaps contain Windows malware, and this tutorial involves examining these malicious files. Since these files are Windows malware, I recommend doing this tutorial in a non-Windows environment, like a MacBook or Linux host. You could also use a virtual machine (VM) running Linux.

We can export these objects from the HTTP object list by using the menu path: File -> Export Objects -> HTTP. Figure 2 shows this menu path in Wireshark.

This menu path results in an Export HTTP object list window as shown in Figure 3. Select the first line with smart-faxcom as the hostname and save it as shown in Figure 3. Select the second line with smart-faxcom as the hostname and save it as shown in Figure 4.

Figure 3. Saving the suspected Word document from the HTTP object list.

Figure 4. Saving the suspected Windows executable file from the HTTP object list.

Of note, the Content Type from the HTTP object list shows how the server identified the file in its HTTP response headers. In some cases, Windows executables are intentionally labeled as a different type of file in an effort to avoid detection. Fortunately, the first pcap in this tutorial is a very straightforward example. Still, we should confirm these files are what we think they are.
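One way to confirm that an exported object matches the Content Type the server declared, shown as an added example that is not part of the original tutorial: it compares each object's leading magic bytes with the declared type and computes the SHA-256 hash. The function names, the set of Content Type values treated as consistent, and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (.doc) container

# Assumed mapping: Content Type values treated as consistent with each detected type.
CONSISTENT_TYPES = {
    "pe-executable": {"application/x-msdownload", "application/x-dosexec",
                      "application/octet-stream"},
    "ole2-document": {"application/msword", "application/octet-stream"},
}


def detect_type(data: bytes) -> str:
    """Classify an exported object by its leading bytes, not its name or header."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # e_lfanew (offset 0x3c) points at the "PE\0\0" signature in a real PE file.
        pe_offset = int.from_bytes(data[0x3C:0x40], "little")
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "pe-executable"
    return "unknown"


def check_object(data: bytes, declared: str) -> dict:
    """Compare the detected type with the Content Type from the HTTP object list."""
    declared = declared.split(";", 1)[0].strip().lower()  # drop "; charset=..." etc.
    detected = detect_type(data)
    mismatch = detected != "unknown" and declared not in CONSISTENT_TYPES[detected]
    return {"detected": detected, "declared": declared, "mismatch": mismatch,
            "sha256": hashlib.sha256(data).hexdigest()}


def check_file(path: str, declared: str) -> dict:
    """Same check for an object saved to disk via File -> Export Objects -> HTTP."""
    with open(path, "rb") as fh:
        return check_object(fh.read(), declared)


# Constructed samples (header bytes only, not real files from the pcap).
SAMPLE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 56

if __name__ == "__main__":
    # A PE file served as an image is flagged; a .doc served as msword is not.
    for data, ctype in [(SAMPLE_PE, "image/png"), (SAMPLE_DOC, "application/msword")]:
        print(check_object(data, ctype))
```

An object reported as `unknown` is not flagged, because the script has no signature to compare against; the hash is still returned so the file can be looked up elsewhere.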
