A little more on Wireshark and Pcap time stamps

In my last post I talked about getting a unique list of User-Agent strings, and as a bonus I discovered that you can travel back and forth between Wireshark and a hex editor using the time stamps.

In this post I will attempt to explain the conversion process and show a couple of problems that you may be faced with while converting.

Let's start with the actual conversion process.

Epoch to Hex:

An Epoch (Unix) time stamp is the number of seconds since January 1, 1970 00:00:00 GMT.

A typical timestamp in Wireshark's Frame section looks like this:

Epoch Time: 1451438186.506533000 seconds

To convert this we first split it at the decimal point, like so: 1451438186 and 506533000.

Next we take the first part, before the decimal point, 1451438186, and convert it to hex: 56 83 30 6A.

Next we reverse the byte order of 56 83 30 6A to get 6A 30 83 56; this 4-byte part holds the whole seconds, i.e. the seconds, days, month and year.

Next we take the second part, 506533000, and cut it down to 6 digits, 506533, by dropping the last three zeros; then we convert the remaining decimal value to hex: 7BAA5.

If we do not drop those three zeros it converts to 1E311488, which is wrong for the time precision used while capturing the packets. See section 7.4.2, “Capture file formats”, of the Wireshark User's Guide for more information.

The next step is to left-pad 7BAA5 with zeros to 0007BAA5, since we want 4 bytes.

Next we reverse the bytes of 00 07 BA A5 to get A5 BA 07 00; this is the sub-second part of the time stamp, or Milliseconds in our case.

Finally we end up with a hex timestamp of 6A308356 A5BA0700.

This Hex time stamp can now be used to search the Pcap file opened up in a hex editor to find the exact packet that the timestamp was pulled from in Wireshark.

Hex to Epoch:

In the hex editor we see this hex timestamp: 6A308356 A5BA0700.

The first thing we do is split it into two 4-byte sections.

Take the first one and reverse the bytes, 6A308356 to 5683306A.

Next we convert this from hex to decimal, 5683306A to 1451438186 (the built-in calculator can do this conversion too). This is the part before the decimal point.

Next we take the second half and reverse its bytes, A5BA0700 to 0007BAA5.

Next we convert 0007BAA5 to decimal: 506533.

So our final timestamp is 1451438186, then the decimal point, then 506533, i.e. “1451438186.506533”; we can now use this timestamp to search in Wireshark for the exact packet in question from the hex editor.

But say our hex timestamp was “E1 28 3D 56 AE 6E 00 00”. The first part converts normally, but the second part, AE 6E 00 00, reverses to 00006EAE, which converts to decimal 28334.

Do you see the problem here? I didn’t at first.

This part needs to be 6 digits long, so to find it in Wireshark we need to pad it with a leading “0” (zero) to get the correct value, 028334.

So our final conversion is 1446848737.028334, not 1446848737.28334 with the leading zero missing. You would most likely never find the latter in the current pcap, or if you did it would be the wrong packet.
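The conversion in both directions, as an added example in Python (it is not the author's converter tool): it packs the seconds and the six-digit fraction as the two little-endian 32-bit fields of a standard pcap record header, and the reverse direction zero-pads the fraction so the 028334 case above comes out right. It also returns the two “bytes to search for” used in the examples further down; those are the high 16 bits of the seconds field, so they roll over every 65536 seconds (about 18.2 hours) rather than at midnight.

```python
import struct

# A classic pcap record header starts with ts_sec and ts_usec, two little-endian
# 32-bit fields. Wireshark's "Epoch Time" shows ts_sec before the decimal point and
# ts_usec as the six-digit fraction, which is why the post drops the trailing zeros.

def epoch_to_pcap_hex(epoch: str) -> str:
    """'1451438186.506533000' -> '6A308356 A5BA0700', the bytes as they appear on disk."""
    sec_str, _, frac_str = epoch.strip().partition(".")
    frac_str = (frac_str + "000000")[:6]        # keep microseconds only, pad short fractions
    raw = struct.pack("<II", int(sec_str), int(frac_str))
    return raw[:4].hex().upper() + " " + raw[4:].hex().upper()

def pcap_hex_to_epoch(hexstr: str) -> str:
    """'E1 28 3D 56 AE 6E 00 00' -> '1446848737.028334' (leading zero restored by :06d)."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("expected 8 bytes (ts_sec + ts_usec)")
    sec, usec = struct.unpack("<II", raw)
    if usec >= 1_000_000:
        raise ValueError("ts_usec out of range: probably a nanosecond pcap or wrong byte order")
    return f"{sec}.{usec:06d}"

def search_bytes(epoch: str) -> str:
    """Bytes 3 and 4 of the stored timestamp: the high 16 bits of ts_sec.
    They roll over every 65536 seconds (about 18.2 hours), not at midnight."""
    sec = int(epoch.split(".")[0])
    return struct.pack("<I", sec)[2:].hex(" ").upper()
```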

Now that we know how the actual conversion works, let's go through some examples I wrote up for a couple of people that wanted a copy of the tools in the last post.

Examples:

I will use 4 pcap files downloaded from http://www.malware-traffic-analysis.net/2015/index.html

We can open any pcap file in Wireshark and read the Epoch Time timestamp.

To get it, expand the top section of the packet details, labelled “Frame” followed by the frame number.

Unless the capture crossed midnight (GMT) or the month or year changed during the capture, it should be the same 2 bytes for the whole pcap file. (I have not tested this theory in full yet.)

Next we convert the Epoch Time stamp to hex using my time stamp converter.

If you need a copy of this please email me at pcsxcetra [at] consolidated [dot] net. (As with all “free” software this is as is, without warranty of any kind. I don't have a good place to really drop them or download them from.)

The time stamp is 8 bytes; we take bytes 3 and 4 as “our bytes to search for” in that .pcap file.

I will give 4 examples to make it clearer.

2015-01-01 Nuclear EK (Operation Windigo) from 67.215.2.195 (Main page)

PCAP of the infection traffic: 2015-01-01-Windigo-group-Nuclear-EK-traffic.pcap (this is the pcap download).

Arrival Time: Dec 31, 2014 19:42:01.338041000 Central Standard Time

Epoch Time: 1420076521.338041000 seconds (paste this value into the time stamp converter).

E9 A5 A4 54 79280500 (this is the resulting conversion in hex).

Take bytes 3 and 4 of the hex timestamp as our bytes to search up for.

A4 54 (these are the 2 bytes we need to search “UP” for in this pcap file).

2015-02-13 Magnitude EK – 46.166.182.101 (Main page)

PCAP of the infection traffic: 2015-02-13-Magnitude-EK-traffic.pcap (this is the pcap download).

Arrival Time: Feb 12, 2015 18:49:12.234666000 Central Standard Time

Epoch Time: 1423788552.234666000 seconds

08 4A DD 54 AA940300 (this is the resulting conversion in hex).

Take bytes 3 and 4 of the hex timestamp as our bytes to search up for.

DD 54 (these are the 2 bytes we need to search “UP” for in this pcap file).

2015-06-17 Angler EK from 213.133.111.21 sends CryptoWall 3.0 (Main page)

PCAP of the traffic: 2015-06-17-Angler-EK-and-CryptoWall-3.0-traffic.pcap (this is the pcap download).

Arrival Time: Jun 17, 2015 11:17:03.663940000 Central Daylight Time

Epoch Time: 1434557823.663940000 seconds

7F 9D 81 55 84210A00 (this is the resulting conversion in hex).

Take bytes 3 and 4 of the hex timestamp as our bytes to search up for.

81 55 (these are the 2 bytes we need to search “UP” for in this pcap file).

2015-11-23 BizCN gate actor from 5.175.193.253 sends CryptoWall 4.0 (Main page)

PCAP of the traffic: 2015-11-23-BizCN-gate-actor-Nuclear-EK-sends-CryptoWall-4.0-traffic.pcap (this is the pcap download).

Arrival Time: Nov 22, 2015 18:39:53.898161000 Central Standard Time

Epoch Time: 1448239193.898161000 seconds

59 60 52 56 71B40D00 (this is the resulting conversion in hex).

Take bytes 3 and 4 of the hex timestamp as our bytes to search up for.

52 56 (these are the 2 bytes we need to search “UP” for in this pcap file).

Notice how, as the month changes, so do the bytes to search for.

I purposely chose files that spanned the year to better demonstrate the change.

I split the first 4 bytes and highlighted the 2 bytes in red to better see them.

More Examples:

Now let's go through the process in pictures, using this last pcap file.

Open it in Wireshark and navigate to the Frame section of a packet, which shows the timestamps. The first packet will do.

In the Frame section, select the Epoch Time line, then Copy –> Value. That copies only the value to the clipboard.

Next we paste it into the input box of the converter and click Convert.

So here is our converted timestamp: “59605256 71B40D00”.

Now that we have that, what good does it do us? These are the “bytes to search for” while viewing this .pcap file in the hex editor to find the timestamp.

From the last post we were looking at User-Agent strings in the pcap file using the hex editor. So just for a starting point I will use this example again.

Say we see something strange in the User-Agent list, and next to it is the value “0x3B8B”, which is the file offset of that string in the pcap file. In the hex editor we do a “Goto” for that hex value and land at the location where the string “User-Agent” starts.

We select “Goto” and enter the offset value “3B8B” from the other program.

Next we search “UP” for the 2 timestamp bytes (this version of the hex editor calls it “Backward”).

Once we find the timestamp for this packet we can extract it and convert it to an Epoch time stamp.

Next we search for the timestamp (1448239201.417989) in Wireshark.

We select Edit –> Find Packet, and the search box pops up.

Next we select the “String” radio button, enter our search term, the timestamp “1448239201.417989”, select the “Packet Details” radio button and, depending on where we currently are in the capture file, select the “Up” or “Down” radio button to find the packet by its timestamp. If we start at the beginning of the capture we can always search down.

Click Find, and Wireshark jumps to the matching packet.

This post has shown how we can navigate easily and confidently back and forth between Wireshark and a hex editor, with the same .pcap file open in both, using the timestamps.

Note: open the file in the hex editor in “Read only” mode, or it may block other programs from opening it at the same time; it also helps keep you from accidentally overwriting the .pcap file.

You may have noticed that in the examples I quoted the word “UP”; that is a reminder to search “UP”, because the timestamp is at the start of each packet record. Otherwise you will find the timestamp of the packet after the one you are actually looking for.
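Searching for two bytes can also match payload bytes by accident; a more reliable way to make the same hop is to walk the record chain, since each 16-byte record header (timestamp first, then the captured length) tells you where the next one starts. Added example in Python, not from the post, over a constructed two-packet pcap: it maps a hex-editor file offset (like the User-Agent hit) back to its frame and timestamp, and a Wireshark Epoch Time back to its file offset. It also handles big-endian and nanosecond pcap files, where the bytes are not reversed or the fraction has 9 digits; pcapng files use a different layout and are rejected.

```python
import struct

# Classic pcap layout: a 24-byte global header, then per packet a 16-byte record
# header (ts_sec, ts_usec, incl_len, orig_len) followed by incl_len bytes of data.
# The timestamp sits at the START of each record, which is why the post says to
# search "up" from a payload hit such as a User-Agent string.

def build_sample_pcap() -> bytes:
    """Constructed two-packet pcap (sample data, not a real capture)."""
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE, usec, Ethernet
    pkts = [(1448239193, 898161, b"\x00" * 14 + b"GET / HTTP/1.1\r\nUser-Agent: test\r\n"),
            (1448239201, 417989, b"\x00" * 14 + b"HTTP/1.1 200 OK\r\n")]
    out = glob
    for sec, usec, data in pkts:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def frames(pcap: bytes):
    """Yield (frame_no, record_offset, 'sec.frac') by walking the record chain."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        end = "<"                      # little-endian file: bytes appear reversed in a hex editor
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"                      # big-endian file: bytes are NOT reversed
    else:
        raise ValueError("not a classic pcap file (pcapng uses a different layout)")
    digits = 9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 6   # nanosecond vs microsecond pcap
    off, n = 24, 1
    while off + 16 <= len(pcap):
        sec, frac, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        yield n, off, f"{sec}.{frac:0{digits}d}"           # zero-padded like Wireshark shows it
        off += 16 + incl
        n += 1

def frame_at_offset(pcap: bytes, offset: int):
    """Map a hex-editor file offset (e.g. where a User-Agent hit was) to (frame, offset, ts)."""
    hit = None
    for n, off, ts in frames(pcap):
        if off > offset:
            break
        hit = (n, off, ts)
    return hit

def offset_of_timestamp(pcap: bytes, epoch: str):
    """Reverse direction: the record offset whose timestamp equals a Wireshark Epoch Time."""
    return next((off for _n, off, ts in frames(pcap) if ts == epoch), None)
```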

This method is not just for User-Agent strings. As a matter of fact, I used it in the SANS Holiday Hack Challenge 2015 to help find and extract the base64-encoded commands from the command and control server. Navigating back and forth between Wireshark and the hex editor helped me see what I was missing.

I hope everyone learned something from this as I did.

If you have any question please ask.

Thank you for reading.
