Monday, March 12, 2012

Identifying computers behind NAT with plotpcap

Following on from my last post, Identifying computers behind NAT with pyflag, I've made a stand-alone script, plotpcap, that can produce similar graphs without needing to install pyflag.

The results aren't as pretty and you miss out on some of pyflag's analytical tools (such as filtering streams by user agent). On the other hand, you gain the ability to filter your output with tcpdump-style filter strings, and with a little pcap preprocessing from tshark you can perform almost all of the same comparisons.

plotpcap requires the python modules dpkt, pcap (from pypcap) and matplotlib. I used the versions available from the Ubuntu 10.04 repository but other versions are probably good too.

Here's some output generated from the same example data as the last post:

Plot: IPID versus Packet Number (note that without stream highlighting it gets a bit hard to read)
Plot: IPID versus Packet Number after excluding packets with TCP timestamp options (ipid2)
Plot: TCP Timestamps versus Packet Number
If you want to do some of the tricks from the last post, you can apply Wireshark display filters to the pcap with tshark and then run the filtered capture through plotpcap. For example:

tshark -r test.pcap -w test_chrome.pcap -R "http.user_agent contains Chrome"
python plotpcap.py test_chrome.pcap number ipid

Produces something like:

Plot: IPID versus Packet Number after matching the Wireshark display filter "http.user_agent contains Chrome"
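The two series plotpcap graphs, IP ID and TCP timestamp value against packet number, are the raw material for spotting several hosts behind one NAT address: each host keeps its own IP ID counter and its own TCP timestamp clock, so its packets form a separate rising line. The script below is an added example, not the plotpcap script from this post or any of its code. It uses only the Python standard library (no dpkt, pypcap or matplotlib), builds a small constructed pcap in memory with two interleaved "hosts" and one ARP frame, parses the libpcap framing and Ethernet/IPv4/TCP headers itself, reproduces the "exclude packets with TCP timestamp options" view (the ipid2 plot), and then groups the IP ID series into monotonically increasing chains as a rough host count. The chain-grouping heuristic and the `max_gap` window are this example's own assumptions, not something the post describes.

```python
"""IP ID and TCP timestamp series from a pcap, standard library only (added example)."""
import struct

# libpcap file format and protocol constants (real values)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCPOPT_TIMESTAMP = 8


def build_packet(ip_id, tsval=None):
    """Construct one Ethernet/IPv4/TCP frame; only the fields parsed below are meaningful."""
    options = b""
    if tsval is not None:  # NOP, NOP, kind=8, len=10, TSval, TSecr (the usual layout)
        options = b"\x01\x01" + struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, tsval, 0)
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, data_offset << 4, 0x18, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([203, 0, 113, 1]), bytes([198, 51, 100, 7]))  # documentation addresses
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(packets):
    """Wrap frames in a classic little-endian pcap file (global header + per-record headers)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", i, 0, len(p), len(p)) + p
                             for i, p in enumerate(packets))


def iter_records(pcap_bytes):
    """Yield the frame bytes of each record, honouring the byte order given by the magic."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", pcap_bytes, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (ip_id, tsval) for an IPv4/TCP frame, tsval None if no timestamp option; else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl, proto = frame[14], frame[23]
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ip_id = struct.unpack_from("!H", frame, 18)[0]
    tcp_off = 14 + (ver_ihl & 0x0F) * 4
    data_offset = (frame[tcp_off + 12] >> 4) * 4
    opts = frame[tcp_off + 20:tcp_off + data_offset]
    tsval, i = None, 0
    while i < len(opts):            # walk the TCP option list: kind, [length, data...]
        kind = opts[i]
        if kind == 0:               # end of options
            break
        if kind == 1:               # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                   # truncated or malformed option: stop rather than loop forever
        length = opts[i + 1]
        if kind == TCPOPT_TIMESTAMP and length == 10 and i + 10 <= len(opts):
            tsval = struct.unpack_from("!I", opts, i + 2)[0]
        i += length
    return ip_id, tsval


def extract_series(pcap_bytes, exclude_tcp_timestamps=False):
    """(packet number, IP ID) and (packet number, TSval) series; ipid2 view when excluding."""
    ipid_series, ts_series = [], []
    for number, frame in enumerate(iter_records(pcap_bytes), start=1):
        parsed = parse_frame(frame)
        if parsed is None:
            continue                # non-IPv4 or non-TCP frames still count towards packet number
        ip_id, tsval = parsed
        if tsval is not None:
            ts_series.append((number, tsval))
            if exclude_tcp_timestamps:
                continue
        ipid_series.append((number, ip_id))
    return ipid_series, ts_series


def group_into_chains(series, max_gap=1000):
    """Greedy heuristic (assumption of this example): attach each value to the chain whose last
    value is just below it; otherwise start a new chain. One chain ~ one IP ID counter."""
    chains = []
    for number, value in series:
        candidates = [c for c in chains if 0 < value - c[-1][1] <= max_gap]
        if candidates:
            min(candidates, key=lambda c: value - c[-1][1]).append((number, value))
        else:
            chains.append([(number, value)])
    return chains


def sample_pcap():
    """Constructed capture: host A (timestamps on), host B (no timestamps), plus one ARP frame."""
    packets = []
    for k in range(6):
        packets.append(build_packet(ip_id=1000 + k, tsval=500000 + 100 * k))
        packets.append(build_packet(ip_id=40000 + k))
    packets.insert(3, b"\xff" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28)  # ARP, skipped
    return build_pcap(packets)


def count_hosts(pcap_bytes):
    """Number of distinct IP ID chains, the same thing the eye counts on the IPID plot."""
    return len(group_into_chains(extract_series(pcap_bytes)[0]))


if __name__ == "__main__":
    data = sample_pcap()
    for chain in group_into_chains(extract_series(data)[0]):
        print("chain:", chain)
    print("hosts estimated:", count_hosts(data))
```

Running it prints two chains (IP IDs 1000 to 1005 and 40000 to 40005) and an estimate of two hosts; `extract_series(data, exclude_tcp_timestamps=True)` leaves only the host without the timestamp option, which is exactly the ipid2 view. To feed a real capture, pass `open("test.pcap", "rb").read()` instead of `sample_pcap()`; a plotting front end (matplotlib or otherwise) can consume the two series directly.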

4 comments:

  1. Hello, I've been getting into STFS file structure, and I currently only have free60.net and the x360 source for information. Between the two (although I'm having a bit of trouble understanding x360) I should be able to find anything I want to know, but where did the authors find their information? Thanks!

1. A lot of their information comes from reverse engineering and experimenting with STFS files; besides that, a lot of bits and pieces are available from various forums around the net. A lot of people have done at least a little bit of looking at these formats.

      If you're trying to understand the filesystem structure on Xbox 360 I'd recommend reading up on how FAT works on PCs and then reading the Xbox 360 specific parts. As for how STFS works, I'd recommend the Free360 Wikipedia page and reading the source code for any of the tools that handle it (including py360). You can also read my mini-guide to the file format that I released when I released py360. http://www.arkem.org/xbox360-file-reference.pdf

      Sadly there aren't any definitive works on the STFS filesystem. Hope this helps send you in the right direction.

2. That's the general response I've been getting when I ask about it, but there's too much specificity in the information from free60 for it to have come from reverse engineering or from experimenting with the files. It's understandable to some extent, but how would they know that the byte at 0x366 is the disc number? And for the forums, which were you looking at? I've checked out se7ensins, xboxmb, scenex, etc., but I'm having trouble finding anything useful.

    Also, I couldn't find anything in your py60 source code about the rsa signature. I spent the last three days trying to get the RSA to work like it does in the C# for x360, and I finally did with M2Crypto, so if you were looking for something, that works.

  3. Feel free to email me: arkem@arkem.org
