Analysing PCAPNG files from Wireshark traffic captured with Zeek or Spicy

Hi all,
I have installed Zeek successfully using a container. I am having some challenges.
I want Zeek to be able to analyze the protocols and elements of exchanged messages in a saved pcapng file.
The pcapng files are traffic generated from Wireshark.
I have executed zeek -r commands with bash, from home, with no success so far with my Zeek.
I need help in using Zeek to analyse these pcapng files.
I have also tried cd spicy and tried to use Spicy with no success.

Can someone help me please.

Hello @b1152669 - if you’re able to provide a copy of the commands you ran and the output produced, your expectations and your discoveries, it might help us to provide a bit of guidance.

I presume you’ve started here?

https://docs.zeek.org/en/master/quickstart.html#zeek-as-a-command-line-utility

Thank you Awelzel,

Below is the execution command and output I received.

docker exec -it 7d879e048a4f bash
root@7d879e048a4f:/# zeek -r ~/Downloads/23032023SSLTLSHTTP.pcapng
fatal error: problem with trace file /root/Downloads/23032023SSLTLSHTTP.pcapng (/root/Downloads/23032023SSLTLSHTTP.pcapng: No such file or directory)
root@7d879e048a4f:/# zeek -r 23032023SSLTLSHTTP.pcapng
fatal error: problem with trace file 23032023SSLTLSHTTP.pcapng (23032023SSLTLSHTTP.pcapng: No such file or directory)

My expectation is to get an output analysis of the pcapng file.

That will tell me the protocols used and elements of messages in the application run.

I am an MSc student doing a project on Deep Packet Analysis of security protocols using Wireshark and Spicy/Zeek.

My details are b1152669@live.tees.ac.uk

adejokefemi@gmail.com

Regards

docker exec -it 7d879e048a4f bash
root@7d879e048a4f:/# zeek -r ~/Downloads/23032023SSLTLSHTTP.pcapng
fatal error: problem with trace file /root/Downloads/23032023SSLTLSHTTP.pcapng (/root/Downloads/23032023SSLTLSHTTP.pcapng: No such file or directory)

Okay - I suspect you’ll need to learn a bit about Docker containers and volume mounts. The error message says pretty concretely that Zeek was unable to open file /root/Downloads/23032023SSLTLSHTTP.pcapng. It says “No such file or directory”.

When you enter a docker container with exec -it, it has no access to the files on your host system. You can easily verify this by first running ls /root/Downloads within the container.

You’ll need to start the container with a volume mount to make the pcap available, like maybe so:

docker run -it -v $(realpath ~/Downloads):/Downloads zeek/zeek

At this point, running zeek -r /Downloads/23032023SSLTLSHTTP.pcapng in the container might do what you expect and you can find conn.log or ssl.log files produced by Zeek. You may need to add -C depending on where you got the trace file from.

This all isn’t very Zeek related yet. You may want to consult an introduction to Docker, namespaces and containers and how they run in isolation from the rest of the system. Read the documentation about the -v parameter, too 🙂

Good luck!

Thank you for your reply.
I have read through the documentation very well. Let me update you please.
I ran tcpdump -r after I copied the pcapng into the Docker container and it returned results as below:

root@7d879e048a4f:/# tcpdump -r /tmp/27032023Fresh_From_A.pcapng
reading from file /tmp/27032023Fresh_From_A.pcapng, link-type NULL (BSD loopback), snapshot length 262144
08:41:04.406256 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [S], seq 2081152554, win 65535, options [mss 65495,nop,wscale 8,nop,nop,sackOK], length 0
08:41:04.406286 IP 192.168.1.133.6666 > 192.168.1.133.52120: Flags [R.], seq 0, ack 2081152555, win 0, length 0
08:41:05.024588 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [S], seq 2081152554, win 65535, options [mss 65495,nop,wscale 8,nop,nop,sackOK], length 0
08:41:05.024728 IP 192.168.1.133.6666 > 192.168.1.133.52120: Flags [S.], seq 3717634052, ack 2081152555, win 65535, options [mss 65495,nop,wscale 8,nop,nop,sackOK], length 0
08:41:05.024776 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [.], ack 1, win 1279, length 0
08:41:05.028152 IP 192.168.1.133.6666 > 192.168.1.133.52120: Flags [P.], seq 1:5, ack 1, win 8442, length 4
08:41:05.028186 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [.], ack 5, win 1279, length 0
08:41:05.028396 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [P.], seq 1:5, ack 5, win 1279, length 4
08:41:05.028421 IP 192.168.1.133.6666 > 192.168.1.133.52120: Flags [.], ack 5, win 8442, length 0
08:41:05.190002 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [P.], seq 5:90, ack 5, win 1279, length 85
08:41:05.190052 IP 192.168.1.133.6666 > 192.168.1.133.52120: Flags [.], ack 90, win 8442, length 0
08:41:05.194631 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [P.], seq 90:157, ack 5, win 1279, length 67
08:41:05.194676 IP 192.168.1.133.6666 > 192.168.1.133.52120: Flags [.], ack 157, win 8442, length 0
08:41:05.194981 IP 192.168.1.133.52120 > 192.168.1.133.6666: Flags [P.], seq 157:159, ack 5, win 1279, length 2

I decided to run zeek -r or -c; it returned the below:

root@7d879e048a4f:/# zeek -r /tmp/27032023Fresh_From_A.pcapng
root@7d879e048a4f:/# zeek -cc -r /tmp/27032023Fresh_From_A.pcapng
root@7d879e048a4f:/# zeek -c -r /tmp/27032023Fresh_From_A.pcapng
error in /tmp/27032023Fresh_From_A.pcapng, line 2: unrecognized character: ‘\x0d’
error in /tmp/27032023Fresh_From_A.pcapng, line 3: unrecognized character: ‘\xc0’
error in /tmp/27032023Fresh_From_A.pcapng, line 3: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcapng, line 3: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcapng, line 3: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcapng, line 3: unknown identifier M, at or near “M”
root@7d879e048a4f:/# editcap -F pcap /tmp/27032023Fresh_From_A.pcapng /tmp/27032023Fresh_From_A.pcap
root@7d879e048a4f:/# zeek -c -r /tmp/27032023Fresh_From_A.pcap
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\xd4’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\xc3’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\xb2’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\xa1’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\x02’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\x04’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\x04’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unrecognized character: ‘\xa0’
error in /tmp/27032023Fresh_From_A.pcap, line 1: unknown identifier V, at or near “V”

zeek -r is not returning an output error, but I cannot find the log, while zeek -c -r is returning an error.
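The errors from zeek -c -r have a mechanical explanation that the following added Python example makes visible (it is not code from Zeek or from anyone in this thread). With lower-case -c the trace path ended up as a positional argument, and Zeek treats positional arguments as scripts to load, so its script parser read the binary capture as source text. The bytes it complained about for the converted .pcap (\xd4 \xc3 \xb2 \xa1) are exactly the little-endian pcap magic number, and the \x0a / \x0d pattern in the pcapng errors matches the pcapng Section Header Block type. The code identifies a capture by its header, reports its link type (the tcpdump output above shows NULL, the BSD loopback link type) and prints the leading bytes the way a text parser would see them. The sample headers are constructed inline; sniff_file reads a real file when given a path.

```python
# Identify a capture file (pcap or pcapng) from its header and explain what a
# text parser sees when handed the same bytes. Added example, not Zeek code.
import struct

# pcap global-header magic numbers (first 4 bytes) -> (struct byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"   # Section Header Block type; palindromic, so byte-order independent
PCAPNG_BOM = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}  # byte-order magic 0x1A2B3C4D
LINKTYPES = {0: "NULL (BSD loopback)", 1: "ETHERNET", 101: "RAW", 113: "LINUX_SLL"}


def sniff_trace(data: bytes) -> dict:
    """Return format, version, snaplen and link type parsed from a pcap/pcapng file header."""
    magic = data[:4]
    if magic in PCAP_MAGICS:
        endian, resolution = PCAP_MAGICS[magic]
        # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
        _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
        return {"format": "pcap", "version": f"{major}.{minor}", "resolution": resolution,
                "snaplen": snaplen, "linktype": linktype,
                "linktype_name": LINKTYPES.get(linktype, "unknown")}
    if magic == PCAPNG_SHB_TYPE:
        endian = PCAPNG_BOM.get(data[8:12])
        if endian is None:
            raise ValueError("pcapng Section Header Block with unknown byte-order magic")
        shb_len = struct.unpack(endian + "I", data[4:8])[0]
        major, minor = struct.unpack(endian + "HH", data[12:16])
        # The first Interface Description Block (type 1) follows the SHB and carries the link type.
        btype, _ = struct.unpack(endian + "II", data[shb_len:shb_len + 8])
        if btype != 1:
            raise ValueError("expected an Interface Description Block after the SHB")
        linktype, _, snaplen = struct.unpack(endian + "HHI", data[shb_len + 8:shb_len + 16])
        return {"format": "pcapng", "version": f"{major}.{minor}", "resolution": "per-interface",
                "snaplen": snaplen, "linktype": linktype,
                "linktype_name": LINKTYPES.get(linktype, "unknown")}
    raise ValueError(f"not a pcap/pcapng file (first bytes {magic.hex()})")


def sniff_file(path: str) -> dict:
    """Read enough of a real capture file to parse its SHB/IDB or pcap global header."""
    with open(path, "rb") as fh:
        return sniff_trace(fh.read(4096))


def bytes_as_script_errors(data: bytes, n: int = 4) -> list:
    """Render the leading bytes the way a source-text parser reports them (cf. the -c errors above)."""
    return [f"\\x{b:02x}" for b in data[:n]]


def build_pcap_header(linktype: int, snaplen: int = 262144) -> bytes:
    """Constructed little-endian pcap global header (no packets) for the demonstration."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def build_pcapng_header(linktype: int, snaplen: int = 262144) -> bytes:
    """Constructed little-endian pcapng SHB (28 bytes) + IDB (20 bytes), no packets."""
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", 1, 20, linktype, 0, snaplen, 20)
    return shb + idb


if __name__ == "__main__":
    for sample in (build_pcap_header(1), build_pcapng_header(0)):
        print(sniff_trace(sample), "seen as text:", bytes_as_script_errors(sample))
```

The practical check is therefore two-fold: confirm with sniff_file that the file really is a capture (Zeek reads both pcap and pcapng through libpcap, so the editcap conversion was not needed), and make sure the trace path is only ever given to -r, with checksum handling controlled by upper-case -C.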

Great, this looks like progress.

After running this command, is there a file conn.log in the directory?

Run cat conn.log or ls conn.log or zeek-cut < conn.log.

The -c should be an upper-case -C. You can run zeek --help to see what each of the options means. -C and -c do different things.

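Once zeek -C -r has produced logs in the working directory, the question of which protocols were used is answered by the service column of conn.log (and by the protocol-specific logs such as ssl.log or http.log that appear alongside it). The following added Python example (not Zeek's code and not from any poster here) reads Zeek's tab-separated ASCII log format by honouring its #separator, #fields and #unset_field header lines, selects columns the way zeek-cut does, and counts connections per detected service. The conn.log text is constructed for illustration: it mirrors the loopback flows in the tcpdump output above with invented uids and timestamps, plus one TLS connection so that a recognised service appears. A service of "-" means Zeek did not confirm any application protocol on that connection, which is the usual result for traffic on non-standard ports such as 6666.

```python
# Minimal reader for Zeek ASCII logs plus a zeek-cut style selector and a per-service
# summary. Added example, not Zeek code. SAMPLE_CONN_LOG is constructed, not real output.
import codecs
from collections import Counter

SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1679906464.406256\tCdemo1\t192.168.1.133\t52120\t192.168.1.133\t6666\ttcp\t-\tREJ\tSr
1679906465.024588\tCdemo2\t192.168.1.133\t52120\t192.168.1.133\t6666\ttcp\t-\tSF\tShADadF
1679906470.000000\tCdemo3\t192.168.1.133\t52130\t192.168.1.133\t443\ttcp\tssl\tSF\tShADadFf
#close\t2023-03-27-08-42-00
"""


def parse_zeek_log(text: str) -> list:
    """Parse a Zeek ASCII log into a list of dicts; unset fields ('-') become None."""
    sep = "\t"
    unset = "-"
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Zeek writes the separator as an escape sequence such as \x09.
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
            continue
        if line.startswith("#"):
            directive, _, value = line[1:].partition(sep)
            if directive == "fields":
                fields = value.split(sep)
            elif directive == "unset_field":
                unset = value
            # #path, #types, #open, #close and the rest are not needed here.
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def zeek_cut(records: list, *columns: str) -> list:
    """Like `zeek-cut id.orig_h id.resp_p service < conn.log`: selected columns, '-' for unset."""
    return [["-" if r[c] is None else r[c] for c in columns] for r in records]


def service_summary(records: list) -> Counter:
    """Connections per confirmed service; '-' collects connections with no recognised protocol."""
    return Counter(r["service"] or "-" for r in records)


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_CONN_LOG)
    for row in zeek_cut(recs, "id.orig_h", "id.orig_p", "id.resp_p", "service", "conn_state"):
        print("\t".join(row))
    print(dict(service_summary(recs)))
```

To run it against real output, replace SAMPLE_CONN_LOG with open("conn.log").read() from the directory in which zeek -r was executed; if no conn.log exists there at all, the trace was not read, so go back to the volume mount and the -r path before looking at the contents.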

Hello Awelzel, I have done so much with your massive input.
Just like I said earlier, I am doing this for the purpose of a school project.
But, I am already in love with DPI.
I would like to seek some professional input from this group on a research project I am presently working on at the University.
See details of what I have done, and where I am at the moment.
I am working on Deep Packet Inspection of security protocols using Zeek.
The protocols are automatically generated by the AnBx compiler through Eclipse.
When I ran the AnBx compiler, I used Wireshark to capture the traffic generated and in turn saved this pcapng file. I am using Zeek to analyse the pcapng file with zeek -r.
I do not have any error returned, but I don’t find the analysis in the Zeek logs. I have tried to move the pcapng file into my container’s tmp, yet same issue.

I want to achieve two things:

  1. either to capture the traffic of the AnBx compiler running, or
  2. to analyze the pcapng file and see the log file.

I want the analyses to show me the elements of the messages in the AnBx compiler, and show me the security protocols in the messages.

Please, I need someone to help out on this.