Open xeen3d opened 5 years ago
@xeen3d Thanks for using our tool! We are looking into it and will post an update here soon.
@xeen3d We looked into it and found out that multiple field names have changed between v2.6 and v2.9.
For example
This is causing the issue because in tor_detection and http_website_list we have used ssl.handshake.extensions_server_name. It will also cause an issue for the DHCP part. And there can be other such changes which may affect the rest of the functionality.
Quick fix: You have to replace ssl occurrences with tls and so on if you want it to work on v2.9.
Our plan: As the changes will not be compatible with the current stable version and we don't know the quantum of change yet, we won't be making changes to the main branch. However, we will create a new branch for v2.9 in a few days.
Hope it helps. Thanks!
Hi, many thanks for that fast answer. It's not a main problem missing one or two of the plugins ;-) I am not sure when the 2.9 Shark branch will go more public; I like some of the new features very well, that's why I use that dev edition, and for testing too.
If I know that the field names were the problem, it is not a real big task to do some own work with search and replace ;-) Your tools are a very good enhancement for network forensic tasks. In my normal work I do more computer forensic work, but mostly on offline copies of infected or hacked systems. But often I need information about what would be permitted from a malware or a dangerous bin file, and for such tasks your tools make my life a little bit easier ;-)
Is it maybe possible with a Lua script to find out what Shark version was used and make a block of field names for the variables? I am not a good coder; if so, I can try that myself ;-) like: if < 2.8 use x
Many thanks
Andre
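One way to do what the question above asks, and to avoid the load-time error the maintainers traced to the renamed ssl.* / bootp.* fields: probe each candidate name with pcall around Field.new and pick the one the running Wireshark knows, with a get_version() check as the alternative. This is an added example, not code from the repository; the dhcp/bootp option field names and the tap filter are assumptions.

```lua
-- Added example (not the project's plugin code): resolve field names that were
-- renamed between Wireshark 2.6 and 2.9 so a plugin loads on either version.

-- Candidates in order of preference: new name first, old name as fallback.
-- The tls/ssl pair is the one named in the thread; the dhcp/bootp option
-- field names are an assumption for illustration.
local FIELD_ALIASES = {
    sni      = { "tls.handshake.extensions_server_name", "ssl.handshake.extensions_server_name" },
    dhcp_opt = { "dhcp.option.type", "bootp.option.type" },
}

-- Field.new() raises "a field with this name must exist" for an unknown name,
-- which is exactly the error reported in the issue. Probing with pcall turns
-- that hard failure into a graceful fallback. Field.new must run at load time,
-- so this resolution happens at the top level of the script, not inside a tap.
local function resolve_field(candidates)
    for _, name in ipairs(candidates) do
        local ok, field = pcall(Field.new, name)
        if ok then return field, name end
    end
    return nil
end

-- The version-branch approach the question suggests: get_version() returns a
-- string such as "2.6.5" or "2.9.0"; compare the major.minor part numerically.
local function version_at_least(major, minor)
    local maj, min = string.match(get_version(), "^(%d+)%.(%d+)")
    maj, min = tonumber(maj), tonumber(min)
    return maj > major or (maj == major and min >= minor)
end

local fields = {}
for key, candidates in pairs(FIELD_ALIASES) do
    local f, used = resolve_field(candidates)
    if f then
        fields[key] = f
        print(string.format("[compat] %s -> %s (Wireshark %s)", key, used, get_version()))
    else
        print("[compat] no usable field for " .. key .. "; related checks disabled")
    end
end

-- Example use: log the SNI of each ClientHello, wired up only if a field resolved.
-- The display filter name is chosen by version (assumed: tls.* exists from 2.9 on).
if fields.sni then
    local filter = version_at_least(2, 9) and "tls.handshake.type == 1" or "ssl.handshake.type == 1"
    local tap = Listener.new("frame", filter)
    function tap.packet(pinfo, tvb)
        local sni = fields.sni()  -- first FieldInfo for this packet, or nil
        if sni then print(tostring(pinfo.number) .. " SNI " .. tostring(sni)) end
    end
end
```

Dropping this into the plugins directory alongside the existing scripts lets the same file load on both versions; the print lines show in the Lua console which name was picked.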
Hi, I see too late that other plugins are also affected and more field names were changed, so for now I use a second installation of Shark to use it with your tools. I do my whole forensic work in VMs; it is not a problem running different versions ;-)
best
Andre
@xeen3d You are welcome man! The team is happy to know that our tool is able to help you with your work.
We will definitely put the version checks in place, but it will require significant work and unfortunately we have our hands full as of now with attackdefense.com. But rest assured, we will roll out the next version (with v2.9 compatibility and support for more protocols) in a few days.
Hi, thanks again from here. I took a closer look at the field names that were changed (not all but some), and in my eyes many of those changes are good changes, like bootp to DHCP.
Your plugin set does a great job and is perfect for live investigation from a small forensic USB stick. In live forensics you cannot install something on the target, and many commercial network analysis systems like the Riverbed Packet Analyzer need installation.
Wireshark and tcpdump can run from a stick, and on newer Windows netsh is your friend for capturing without installing something. (Unix/Linux is never a problem for capturing without installation.)
Next week I will try my new portable WS with your tools ;-)
Don't misunderstand me, I do not need such tools every day, but sometimes they are fast and helpful and last better than installing a tap and using a second laptop for sniffing. Such a stick is more like a multi tool in the pocket than a whole set of special tools installed on a laptop. I put your tools on my watch list too, to see what you are doing ;-)
best
Andre
@xeen3d It is always good to hear about the real world experience/requirements of a practitioner. I can completely relate to the issues that one can face while working with licensed analysis solutions. Also, most analysis tools (especially for Linux) are pretty hard to install and take time. And then there is one's love towards a specific OS (Linux vs Windows vs MacOS). These were the main reasons to take this universally compatible copy-paste plugins approach.
Thanks for the feedback, and you will see a major code contribution to this repository by the end of March 2019. :)
Hi, I would like to give you some short feedback. I run your plugin set now with the Wireshark stable version; all works well. If you are planning to enhance your tool, it would be very cool if there were an LDAP plugin for extracting whole LDAP traffic in a readable format. I am not a programmer, so I cannot make it myself ;-) and if I could, I would not need such tools ;-) Why LDAP? The answer is simple: most directory servers use it, and here in Germany most companies use Microsoft software like Active Directory for authentication, and in many of my searches I must take a closer look at that. The Wireshark Follow TCP Stream gives a result but is far away from looking like the results from your tools.
And a second enhancement would also be cool: a "select the packets" button for the packets the plugin has touched to get the result; then I can export that stream (as pcap) to have evidence.
If you would ask me, the select button is for me more important than a new plugin ;-)
Many thanks for all the time you put into such a project.
Andre
Hi, first of all, very cool tool. Second, a small issue with Wireshark 2.9 dev:
Lua: Error during loading: ...uzona/.local/lib/wireshark/plugins/web/tor_detection.lua:14: bad argument #1 to 'new' (Field_new: a field with this name must exist)
All other tools are working very well; only in this script I have the small problem above. Maybe Wireshark 2.9 dev or my OS is the problem, or a simple mistake in the script itself.
If you have some idea, it would be cool; otherwise I will not use the tor_detection.
Thanks
Andre