TZWorks LLC
System Analysis and Programming
www.tzworks.com
(Version 0.40)
TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for its terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.
The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.
The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.
ALL SOFTWARE IS PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.
The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material found to infringe copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.
pic is an evaluation version of a tool that was initially prototyped while attending a forensics networking class [1]. In its current form, pic is restricted to reading packet capture (pcap) files and concentrates on the Internet Control Message Protocol (ICMP). The available options allow one to select which internal metadata to key on for filtering, or to chain (carve) the payload portions of a set of packets together.
While much of the utility in pic could be obtained by using tcpdump, tshark, ngrep, and other available tools, it was suggested during the course [1] that a custom ICMP packet trace and carving tool would be of use to the forensics community.
There are both Windows and Linux versions of pic. Whether using the 32 bit or the 64 bit version of the tool, the internal architecture is geared toward (a) minimizing memory usage and (b) reading and analyzing very large pcap files that may exceed 32 bit file size limits. As a convenience, pic allows file names to be piped in from standard input, which lets one process a number of pcap files in one run.
To use this tool, an authentication (license) file is required to be in the same directory as the binary in order for the tool to run.
One can display the menu options by typing the executable name without parameters. Below is the menu with the various options. Details of each option are given in the option table at the end of this document.
Usage
    pic64 [-ifile <pcap file> | -pipe | -help] [options]

Any combination of these options can be used for filtering
    -frame <"1 2 3 ..">                        - only process the frame numbers specified
    -srcip <src ip>                            - src ip use dotted decimal notation
    -dstip <dst ip>                            - dst ip use dotted decimal notation
    -srcipv6 <src ip>                          - src ip v6 use colon delimited hex notation
    -dstipv6 <dst ip>                          - dst ip v6 use colon delimited hex notation
    -track_replies                             - given src & dst above, process replies
    -min_size <size>                           - output those frames >= the specified size
    -start_time <"mm/dd/yy hh:mm:ss">
    -stop_time <"mm/dd/yy hh:mm:ss">
    -find_pattern <"byte sequence delimited by spaces">
    -icmp_type <"type1 type2">                 - process only these icmp types
    -icmp_code <"code1 code2">                 - process only these icmp codes
    -icmp_id <"1 2 3 ...">                     - process only these icmp ID numbers
    -filter <*partial*|*.ext>                  - filters stdin data from -pipe option

Any combination of these options can be used for output
    -dump_meta                                 - output metadata (only for non-binary output)
    -dump_hdr                                  - output packet header
    -dump_payload                              - output packet payload data
    -ofile <out file>                          - output results to specified file

Only one of these options can be used for formatting (default is hex)
    -binary                                    - output data as binary (use with -ofile option)
    -ascii                                     - output data in ascii form
    -strings                                   - output any strings (include unicode)
1. The two main modes of operation are:

   a. To process a single pcap file:
      pic -ifile <pcap file> [options]

   b. To process a number of pcap files that can be enumerated by some other tool:
      dir <pcap directory>\*.pcap /b /s | pic -pipe [options]

2. Any combination of the options below can be used to filter the desired ICMP packets (note: for options that take a combination of values, delimit each value with a space and enclose the entire set of values in double quotes).

   -frame "1 2 3"                   = only look at pcap frames 1, 2 and 3
   -srcip 192.168.1.10              = only consider those packets with the specified source IP address
   -dstip 10.0.0.5                  = only consider those packets with the specified destination IP address
   -srcipv6 1080::8:800:200C:417A   = source IPv6 address in colon-delimited hex notation (notation is per RFC 1884 [5] and the compressed form is allowed)
   -dstipv6 1080::8:800:200C:417A   = destination IPv6 address in colon-delimited hex notation (notation is per RFC 1884 [5] and the compressed form is allowed)
   -track_replies                   = special case that also matches packets whose src/dst IP addresses are the reverse of those given above (i.e., the replies)
   -min_size <size>                 = only consider those packets of at least the specified size
   -start_time "mm/dd/yy hh:mm:ss"  = only consider packets at or later than this time
   -stop_time "mm/dd/yy hh:mm:ss"   = only consider packets at or earlier than this time
   -icmp_type "8 0"                 = consider echo request (8) and echo reply (0) for ICMPv4 (note: echo request/reply are types 128/129 respectively for ICMPv6)
   -icmp_code "0 1"                 = consider codes 0 or 1 (note: does not apply to types 8 or 0 above, which only use code 0)
   -icmp_id <id nums>               = consider ICMP packets with the specified identifier(s); if more than one ID is desired, the values must be delimited with spaces and the entire set enclosed in quotes
   -find_pattern "0x90 0x90 0x90"   = look for the byte pattern 0x90 0x90 0x90 in the payload portion of the packet (the packet header metadata is not searched)

3. Any combination of these options can be used for output:

   -dump_meta        = dump the metadata of the packet
   -dump_hdr         = dump the header of the packet
   -dump_payload     = dump the payload of the packet
   -ofile <results>  = dump the results to a file (useful for binary output); otherwise one can just redirect standard output to a file

4. Only one of these options can be used for the format [default is hex]:

   -binary   = output data as binary (use with the -ofile option above)
   -ascii    = output data in ASCII format
   -strings  = output any strings found (ASCII as well as Unicode)
The '-find_pattern' option is restricted to the payload portion of the ICMP packet; the packet headers are never searched. It allows one to specify the pattern to scan for in a number of formats. The pattern string needs to be: (a) double quoted, and (b) space-delimited, one byte value per token. The pic parse engine accepts several representations for each byte. For example, if one was looking for the string 'su ', one could specify it as:

   a. -find_pattern "'s' 'u' ' '"       (the character representation of 'su ')
   b. -find_pattern "0x73 0x75 0x20"    (the hexadecimal representation of 'su ')
   c. -find_pattern "115 117 32"        (the decimal representation of 'su ')

For certain queries, it is useful to specify wildcards. pic allows limited, single-byte wildcards using the '??' token. For example, to search for the hexadecimal pattern 'aa bb, skip 2 bytes, ee ff', one would specify:

   -find_pattern "0xaa 0xbb ?? ?? 0xee 0xff"
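The following Python snippet is an added illustration and is not part of pic or its documentation. It implements the same pattern grammar described above (quoted characters, 0x-prefixed hex, decimal byte values and the single-byte '??' wildcard) and returns every offset at which the pattern occurs in a buffer. The function names and the sample payloads are this example's own; feed it only the ICMP payload bytes, since pic's option does not scan the headers.

```python
"""pic-style -find_pattern matching over a byte buffer (added example, not TZWorks code)."""
import re

WILDCARD = None  # marker for a '??' position in the parsed pattern


def parse_pattern(pattern: str) -> list:
    """Turn "'s' 'u' ' '", "0x73 0x75 0x20", "115 117 32" or "0xaa ?? 0xff" into a list
    of byte values (0..255), with None standing for each single-byte wildcard."""
    # A quoted character may itself be a space, so match 'x' before splitting on whitespace.
    tokens = re.findall(r"'.'|\S+", pattern)
    out = []
    for tok in tokens:
        if tok == "??":
            out.append(WILDCARD)
        elif len(tok) == 3 and tok[0] == tok[2] == "'":
            out.append(ord(tok[1]))
        elif tok.lower().startswith("0x"):
            out.append(int(tok, 16))
        else:
            out.append(int(tok, 10))
    if not out:
        raise ValueError("empty pattern")
    if any(b is not WILDCARD and not 0 <= b <= 255 for b in out):
        raise ValueError("byte value out of range in pattern: %r" % pattern)
    if all(b is WILDCARD for b in out):
        raise ValueError("a pattern made only of wildcards matches every packet")
    return out


def find_pattern(payload: bytes, pattern: str) -> list:
    """Return every offset in payload where the pattern matches (overlaps allowed)."""
    pat = parse_pattern(pattern)
    hits = []
    for off in range(0, len(payload) - len(pat) + 1):
        if all(p is WILDCARD or payload[off + i] == p for i, p in enumerate(pat)):
            hits.append(off)
    return hits


if __name__ == "__main__":
    # Constructed payloads: a passwd line (as carried in example c) and a NOP-sled-like blob.
    print(find_pattern(b"root:x:0:0:root:/root:/bin/bash", "'r' 'o' 'o' 't'"))
    print(find_pattern(b"\x01\xaa\xbb\x00\x00\xee\xff", "0xaa 0xbb ?? ?? 0xee 0xff"))
```

The three spellings of 'su ' parse to the same byte list, which is why pic treats them interchangeably; a pattern consisting only of wildcards is rejected here because it would select every frame.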
a. Metadata (option -dump_meta) - outputs basic frame statistics: frame number, date, time (in UTC), protocol, source IP, destination IP, TTL, packet size, payload size, the computed MD5 hash of the payload, and comments (e.g., the ICMP ID and message type). This is the default if no output type is specified; output is one line per frame processed. Because the hash covers only the payload, identical hashes across frames (for instance an echo request and its replies) make repeated or echoed payloads easy to spot.

b. Packet header (option -dump_hdr) - outputs the packet header, which includes the layer 2 (MAC addresses), layer 3 (IP addresses) and ICMP header data. The ICMP header in this tool is defined as the 8 bytes immediately following the IP header.

c. Payload data (option -dump_payload) - outputs the ICMP payload data, i.e., the data after the 8 bytes of ICMP header (see the diagram below).

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |     Code      |          Checksum             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |             Contents depend on the Type and Code              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                              ...                              |
    |                       optional payload                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
a. Dumping ICMP packets bigger than 512 bytes

   pic -ifile ..\pcap\tcpdump.log.1237921419 -min_size 512

   Processing file: ..\pcap\tcpdump.log.1237921419
   frame , date [utc] , time [utc] , proto , source ip , destination ip , ttl , Tsize , Psize , payload md5 hash , comments
   611 , 03/24/2009 , 21:24:11.240 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 09e8588434fe5aa73c1402fcb1b4dccc , id: 0x3d11, echo request
   612 , 03/24/2009 , 21:24:11.269 , icmp , 172.16.16.218 , 192.168.1.50 , 127 , 1066 , 1024 , 09e8588434fe5aa73c1402fcb1b4dccc , id: 0x3d11, echo reply
   613 , 03/24/2009 , 21:24:11.269 , icmp , 172.16.16.218 , 192.168.1.50 , 127 , 1066 , 1024 , 09e8588434fe5aa73c1402fcb1b4dccc , id: 0x3d11, echo reply
   614 , 03/24/2009 , 21:24:11.269 , icmp , 172.16.16.218 , 192.168.1.50 , 127 , 1066 , 1024 , 09e8588434fe5aa73c1402fcb1b4dccc , id: 0x3d11, echo reply
   615 , 03/24/2009 , 21:24:14.252 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 8ac99f3fe9d8bb8180e84479e64ff627 , id: 0x3d11, echo request
   616 , 03/24/2009 , 21:24:14.253 , icmp , 172.16.16.218 , 192.168.1.50 , 127 , 1066 , 1024 , 8ac99f3fe9d8bb8180e84479e64ff627 , id: 0x3d11, echo reply
   617 , 03/24/2009 , 21:24:14.253 , icmp , 172.16.16.218 , 192.168.1.50 , 127 , 1066 , 1024 , 8ac99f3fe9d8bb8180e84479e64ff627 , id: 0x3d11, echo reply
   618 , 03/24/2009 , 21:24:14.253 , icmp , 172.16.16.218 , 192.168.1.50 , 127 , 1066 , 1024 , 8ac99f3fe9d8bb8180e84479e64ff627 , id: 0x3d11, echo reply
   ....

b. Find any packets that contain the word 'root' in the ICMP payload

   pic -ifile ..\pcap\tcpdump.log.1237921419 -find_pattern "'r' 'o' 'o' 't'" -icmp_type 8

   Processing file: ..\pcap\tcpdump.log.1237921419
   frame , date [utc] , time [utc] , proto , source ip , destination ip , ttl , Tsize , Psize , payload md5 hash , comments
   611 , 03/24/2009 , 21:24:11.240 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 09e8588434fe5aa73c1402fcb1b4dccc , id: 0x3d11, echo request
   619 , 03/24/2009 , 21:24:24.594 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , de3153381a02cd94c1ea462c28ea41e4 , id: 0x4211, echo request

c. Of those that contained the word 'root', dump the strings of the payload

   pic -ifile ..\pcap\tcpdump.log.1237921419 -dump_payload -strings -frame 611

   Processing file: ..\pcap\tcpdump.log.1237921419
   root:x:0:0:root:/root:/bin/bash
   daemon:x:1:1:daemon:/usr/sbin:/bin/sh
   bin:x:2:2:bin:/bin:/bin/sh
   sys:x:3:3:sys:/dev:/bin/sh
   sync:x:4:65534:sync:/bin:/bin/sync
   games:x:5:60:games:/usr/games:/bin/sh
   man:x:6:12:man:/var/cache/man:/bin/sh
   ...

d. Find any packets that contain the word 'Sheet' in the ICMP payload (or one can search on the magic patterns used by the 'file' utility)

   pic -ifile ..\pcap\tcpdump.log.1237921419 -find_pattern "'S' 'h' 'e' 'e' 't'" -icmp_type 8

   Processing file: ..\pcap\tcpdump.log.1237921419
   frame , date [utc] , time [utc] , proto , source ip , destination ip , ttl , Tsize , Psize , payload md5 hash , comments
   639 , 03/24/2009 , 21:25:11.078 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 78d4728210d0e26417c4d96698408839 , id: 0x4411, echo request

e. Analyzing the packet above turns up keywords that suggest an Excel file. This analysis can be done in Wireshark, or with pic using the [-ascii] option to view the printable text of the packet or the [-strings] option to view the strings in the payload portion of the packet. At this point, one can pull all like packets (those with the same ICMP ID, source and destination):

   pic -ifile "..\pcap\tcpdump.log.1237921419" -srcip 192.168.1.50 -dstip 172.16.16.218 -icmp_id "0x4411" -icmp_type "8"

   Processing file: ..\pcap\tcpdump.log.1237921419
   frame , date [utc] , time [utc] , proto , source ip , destination ip , ttl , Tsize , Psize , payload md5 hash , comments
   631 , 03/24/2009 , 21:25:05.061 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 05bdb0b85fe3a525d1da2df939d72e4e , id: 0x4411, echo request
   635 , 03/24/2009 , 21:25:08.071 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 551ad51919db9ff89990c73ca7c2e06c , id: 0x4411, echo request
   639 , 03/24/2009 , 21:25:11.078 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 78d4728210d0e26417c4d96698408839 , id: 0x4411, echo request
   643 , 03/24/2009 , 21:25:14.087 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , e30571b0ab769ee99bd0abd76d857561 , id: 0x4411, echo request
   647 , 03/24/2009 , 21:25:17.091 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 8c2cb6abecdc189bb874e010aad189e3 , id: 0x4411, echo request
   651 , 03/24/2009 , 21:25:20.099 , icmp , 192.168.1.50 , 172.16.16.218 , 64 , 1066 , 1024 , 196e47cf49aebc97dbb921ff46a18f4f , id: 0x4411, echo request
   ...

f. Perform the same filter as (e) above, but reconstruct all the payload data into a binary file

   pic -ifile ..\pcap\tcpdump.log.1237921419 -srcip 192.168.1.50 -dstip 172.16.16.218 -icmp_type 8 -icmp_id 0x4411 -ofile results.bin -binary -dump_payload

   [For the above example, an Excel file was embedded in the outgoing ICMP packets. The command carved the Excel data out of the ICMP payload portion of the packets and stored the result of the carve in the file results.bin. Only the echo requests (type 8) from the one source to the one destination were selected, so the echoed copies in the replies are not appended a second time.]

IPv6 captures do not require any special parameters unless filtering on a specific IPv6 address:

   pic -ifile "..\pcap\ipv6.ping.pcap"

   Processing file: ..\pcap\ipv6.ping.pcap
   frame , date [utc] , time [utc] , proto , source ip , destination ip , ttl , Tsize , Psize , payload md5 hash , comments
   3 , 08/11/2011 , 23:10:04.295 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo request
   4 , 08/11/2011 , 23:10:04.295 , icmpv6 , fe80::2509:4e8a:7d6:3437 , ff02::1:ffaf:5426 , 255 , 86 , 24 , 3c40e5dbe965ae26d428cca572d49cbd , neighbor solicitation
   5 , 08/11/2011 , 23:10:04.297 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 255 , 86 , 24 , ffcda436655beb42bb96da498645e386 , neighbor advertisement
   6 , 08/11/2011 , 23:10:04.297 , icmpv6 , fe80::2509:4e8a:7d6:3437 , fe80::d6a:16ca:76af:5426 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo reply
   7 , 08/11/2011 , 23:10:05.297 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo request
   8 , 08/11/2011 , 23:10:05.297 , icmpv6 , fe80::2509:4e8a:7d6:3437 , fe80::d6a:16ca:76af:5426 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo reply
   ...

   pic -ifile "..\pcap\ipv6.ping.pcap" -srcipv6 "fe80::d6a:16ca:76af:5426"

   Processing file: ..\pcap\ipv6.ping.pcap
   frame , date [utc] , time [utc] , proto , source ip , destination ip , ttl , Tsize , Psize , payload md5 hash , comments
   3 , 08/11/2011 , 23:10:04.295 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo request
   5 , 08/11/2011 , 23:10:04.297 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 255 , 86 , 24 , ffcda436655beb42bb96da498645e386 , neighbor advertisement
   7 , 08/11/2011 , 23:10:05.297 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo request
   9 , 08/11/2011 , 23:10:06.297 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo request
   17 , 08/11/2011 , 23:10:07.297 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 128 , 94 , 32 , b97d6cfce32659677b4b801caa1754b8 , id: 0x0001, echo request
   19 , 08/11/2011 , 23:10:08.807 , icmpv6 , fe80::d6a:16ca:76af:5426 , fe80::2509:4e8a:7d6:3437 , 255 , 86 , 24 , 4bf7de02f21ad6e735743737b8707690 , neighbor solicitation
   ...
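The following Python example is added here and is not pic's code. It shows the dissection that the output options describe (layer 2 and layer 3 headers, the 8-byte ICMP header, then the payload) and the carve that example (f) performs. It reads a classic libpcap file, which is constructed in-line from synthetic echo frames so that it runs offline, prints a metadata line in the same column order as '-dump_meta', and concatenates the payloads selected by source, destination, ICMP type and ID. Unlike a plain concatenation it drops repeated (ID, sequence number) pairs: example (a) shows three identical echo replies for one request, which a naive carve of the replies would write three times. Only IPv4/ICMP over Ethernet in classic pcap is handled (no IPv6, no pcapng), and every function and name below is this example's own.

```python
"""Dissect IPv4/ICMP frames from a libpcap file and carve their payloads.
Added example, not TZWorks code. The capture is constructed in-line and
contains no real traffic; timestamps are chosen to match example (a)."""
import hashlib
import struct
from datetime import datetime, timezone

ETH_IPV4, IPPROTO_ICMP, ICMP_ECHO_REQ, ICMP_ECHO_REPLY = 0x0800, 1, 8, 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_frame(src, dst, icmp_type, ident, seq, payload, ttl=64) -> bytes:
    """Ethernet + IPv4 + ICMP echo frame with valid checksums (constructed test traffic)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl, IPPROTO_ICMP,
                     0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    macs = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"   # made-up dst/src MACs
    return macs + struct.pack("!H", ETH_IPV4) + ip + icmp


def build_pcap(frames, t0=1237929851) -> bytes:
    """Classic big-endian libpcap file, LINKTYPE_ETHERNET, frames one second apart from t0."""
    out = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, raw in enumerate(frames):
        out += struct.pack("!IIII", t0 + n, 0, len(raw), len(raw)) + raw
    return out


def iter_frames(pcap: bytes):
    """Yield (frame number starting at 1, UTC timestamp, raw frame) for each pcap record."""
    if pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    elif pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond pcap are not handled)")
    off, num = 24, 0
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        raw = pcap[off + 16:off + 16 + incl]
        if len(raw) < incl:
            break   # truncated capture: stop rather than parse garbage
        off, num = off + 16 + incl, num + 1
        yield num, datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc), raw


def dissect_icmp(raw: bytes):
    """Fields of an Ethernet/IPv4/ICMP frame, or None for anything else.
    The ICMP header is the 8 bytes after the IP header; everything after it is payload."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != ETH_IPV4:
        return None
    ip = raw[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_ICMP or len(ip) < total_len or total_len < ihl + 8:
        return None
    icmp = ip[ihl:total_len]   # bounded by the IP total length so Ethernet padding is never carved
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ip[8], "type": itype, "code": code, "id": ident, "seq": seq,
            "tsize": len(raw), "hdr": raw[:14 + ihl + 8], "payload": icmp[8:]}


def meta_line(frame_no, ts, p) -> str:
    """One line per frame in the column order pic prints for -dump_meta."""
    name = {ICMP_ECHO_REQ: "echo request", ICMP_ECHO_REPLY: "echo reply"}.get(p["type"], "type %d" % p["type"])
    return "%d , %s , %s , icmp , %s , %s , %d , %d , %d , %s , id: 0x%04x, %s" % (
        frame_no, ts.strftime("%m/%d/%Y"), ts.strftime("%H:%M:%S.%f")[:-3], p["src"], p["dst"],
        p["ttl"], p["tsize"], len(p["payload"]), hashlib.md5(p["payload"]).hexdigest(), p["id"], name)


def carve_payloads(pcap: bytes, srcip, dstip, icmp_type, icmp_id) -> bytes:
    """-srcip/-dstip/-icmp_type/-icmp_id with -dump_payload -binary: matching payloads
    concatenated in capture order. Repeated (id, seq) pairs are skipped so duplicated
    frames (compare the three identical echo replies in example a) do not corrupt the carve."""
    out, seen = b"", set()
    for _num, _ts, raw in iter_frames(pcap):
        p = dissect_icmp(raw)
        if p and (p["src"], p["dst"], p["type"], p["id"]) == (srcip, dstip, icmp_type, icmp_id):
            if (p["id"], p["seq"]) not in seen:
                seen.add((p["id"], p["seq"]))
                out += p["payload"]
    return out


# Constructed capture: passwd lines in echo requests with id 0x4411, one echo reply,
# one duplicated request, and an unrelated ping with a different id.
PASSWD = [b"root:x:0:0:root:/root:/bin/bash\n", b"daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"]
SAMPLE_PCAP = build_pcap([
    build_echo_frame("192.168.1.50", "172.16.16.218", ICMP_ECHO_REQ, 0x4411, 1, PASSWD[0]),
    build_echo_frame("172.16.16.218", "192.168.1.50", ICMP_ECHO_REPLY, 0x4411, 1, PASSWD[0], ttl=127),
    build_echo_frame("192.168.1.50", "172.16.16.218", ICMP_ECHO_REQ, 0x4411, 2, PASSWD[1]),
    build_echo_frame("192.168.1.50", "172.16.16.218", ICMP_ECHO_REQ, 0x4411, 2, PASSWD[1]),
    build_echo_frame("192.168.1.50", "172.16.16.218", ICMP_ECHO_REQ, 0x5511, 1, b"unrelated ping\n"),
])

if __name__ == "__main__":
    for num, ts, raw in iter_frames(SAMPLE_PCAP):
        print(meta_line(num, ts, dissect_icmp(raw)))
    print(carve_payloads(SAMPLE_PCAP, "192.168.1.50", "172.16.16.218", ICMP_ECHO_REQ, 0x4411))
```

Two details matter when carving real captures: the payload slice is bounded by the IP total length rather than the frame length, so Ethernet trailer padding on short frames is not written into the output, and the result is in capture order, so a sender that retransmitted or reordered chunks would need the carve sorted by sequence number before the file is usable.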
Option | Description |
---|---|
-frame | Only process packets with the frame number specified. The syntax is: -frame <"1 2 3 ..">. |
-srcip | Only process packets with the specified source IPv4 address. The syntax is: -srcip <src ip>. |
-dstip | Only process packets with the specified destination IPv4 address. The syntax is: -dstip <dst ip>. |
-srcipv6 | Only process packets with the specified source IPv6 address. The syntax is: -srcipv6 <src ip>. |
-dstipv6 | Only process packets with the specified destination IPv6 address. The syntax is: -dstipv6 <dst ip>. |
-pipe | Used to pipe file names into the tool via STDIN (standard input). Each file passed in is processed in sequence. |
-enumdir | Experimental. Used to process files within a folder and/or subfolders. Each file is parsed in sequence. The syntax is -enumdir <"folder"> -num_subdirs <#>. |
-filter | Filters data passed in via stdin via the -pipe option. The syntax is -filter <"*.ext | *partialname* | ...">. The wildcard character '*' is restricted to either before the name or after the name. |
-track_replies | Given a source and destination IP address (using the above syntax), also process the replies, i.e., packets whose source and destination are the reverse of those specified. |
-min_size | Only process frames whose size is at least the specified number of bytes. The syntax is: -min_size <size>. |
-start_time | Process those packets after or equal to the time specified. The syntax is: -start_time <"mm/dd/yy hh:mm:ss">. |
-stop_time | Process those packets before or equal to the time specified. The syntax is: -stop_time <"mm/dd/yy hh:mm:ss">. |
-find_pattern | Process those packets whose ICMP payload contains the pattern specified. The syntax is: -find_pattern <"byte sequence delimited by spaces">. |
-icmp_type | Process only the specified ICMP types. The syntax is: -icmp_type <"type1 type2 ...">. |
-icmp_code | Process only the specified ICMP codes. The syntax is: -icmp_code <"code1 code2 ...">. |
-icmp_id | Process only the specified ICMP identifier numbers. The syntax is: -icmp_id <"1 2 3 ...">. |
-dump_meta | Output any metadata (only for non-binary output). |
-dump_hdr | Output the packet header. |
-dump_payload | Output the packet payload data. |
-ofile | Output the results to the specified file. The syntax is: -ofile <output file>. |
-binary | Output the data as binary. Use with the -ofile option. |
-ascii | Output the data in ASCII form. |
-strings | Output any strings (ASCII and UNICODE) found. |
This tool has authentication built into the binary. The primary authentication mechanism is the X.509 code-signing certificate embedded in the binary.
The other mechanism is the runtime authentication, which ensures that the tool has a valid license. The license needs to be in the same directory as the tool for it to authenticate. Furthermore, any modification to the license, either to its name or its contents, will invalidate the license.
The tools from TZWorks output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to which version of a license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.