capME fails to pivot to PCAP because of port 0


rex warnert

Aug 30, 2017, 2:20:55 PM8/30/17
to security-onion
We have been getting this alert, "Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active". We looked into it, and it looks like there are 4-5 machines that are misconfigured for IPv6 on the network. They keep trying to reach out to 192.88.99.1 ("the 6 to 4 relay anycast address").
So the problem is when we try to see the pcap, so we can determine what the machines were trying to communicate with when they do this.

When I pivot to capME it pulls the information, but both the src and dst ports are "0". It does not like that at all.
In ELSA it looks like this:
srcip=xxx.xxx.164.139 srcport=0 dstip=192.88.99.1 dstport=0 Tunnel_type=Tunnel::IP.

Then capME gives error: badport. These are the times: 1503952829 and 1503956429, and those are a lot of 150MB pcaps to try to combine and get the info out of.

Is there a way to allow capME to accept port 0 as a valid input so it will pull the transcript for me? I've searched through the config files but don't find anything.

Thanks

Wes

Aug 30, 2017, 2:40:38 PM8/30/17
to security-onion

Rex,

You are correct in that CapMe cannot pull transcripts when requests contain a port of "0". In this case, you may be able to get what you are looking for (the pcap) by using something like the following on the sensor that saw such traffic:

https://github.com/weslambert/misc/blob/master/packet_find

Thanks,
Wes
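The approach Wes describes, shown as an added example (this is not the packet_find script he links to, nor any Security Onion tooling): select the full-packet-capture files on the sensor that cover the ELSA time window, then filter them with tcpdump so CapMe's port check is never involved. It assumes capture files are named `snort.log.<epoch>` (daemonlogger style, as under `/nsm/sensor_data/<sensor>/dailylogs/<date>/`), each covering the span from its own epoch until the next file begins, and that `tcpdump` and `mergecap` are installed on the sensor. The BPF filter keeps only protocol 41 (IPv6-in-IPv4) packets to or from the 6to4 relay address from the thread.

```shell
#!/bin/sh
# Added example, not the packet_find script or Security Onion's own code.
# Assumptions: capture files are named snort.log.<epoch> (daemonlogger style) and each
# file covers from its own epoch up to the next file's epoch; tcpdump and mergecap exist.
set -eu

# select_pcaps START END FILE...
# Prints, oldest first, the capture files that may hold packets timestamped between
# START and END (epoch seconds). The file that began just before START is included
# too, because the first packets of the window live in it.
select_pcaps() {
    start=$1; end=$2; shift 2
    for f in "$@"; do
        ts=${f##*.}
        case $ts in ''|*[!0-9]*) continue ;; esac   # skip names without an epoch suffix
        printf '%s %s\n' "$ts" "$f"
    done | sort -n | {
        prev=""
        while read -r ts f; do
            if [ "$ts" -gt "$end" ]; then break; fi
            if [ "$ts" -ge "$start" ]; then
                [ -n "$prev" ] && printf '%s\n' "$prev"   # file that started before the window
                prev=""
                printf '%s\n' "$f"
            else
                prev=$f
            fi
        done
        # No file began inside the window: the last one that began before it holds all of it.
        [ -n "$prev" ] && printf '%s\n' "$prev"
        true
    }
}

# BPF filter for the traffic from the thread: IPv6-in-IPv4 to/from the 6to4 relay anycast
# address. Change it to look at other traffic.
FILTER='ip proto 41 and host 192.88.99.1'

# extract_window START END OUT FILE...
# Writes the matching packets from every selected capture file into the single pcap OUT.
extract_window() {
    start=$1; end=$2; out=$3; shift 3
    select_pcaps "$start" "$end" "$@" | while read -r f; do
        # one partial output per input file; tcpdump fails loudly on an unreadable file
        tcpdump -nn -r "$f" -w "$out.$(basename "$f").part" "$FILTER"
    done
    set -- "$out".*.part
    [ -e "$1" ] || { echo "no capture files matched the window" >&2; return 1; }
    mergecap -w "$out" "$@"      # mergecap ships with Wireshark/tshark
    rm -f "$@"
    echo "wrote $out"
}

# Usage as a script, with the epoch times from the ELSA query (sensor path is an assumption):
#   sh extract_6to4.sh 1503952829 1503956429 /tmp/6to4.pcap \
#       /nsm/sensor_data/*/dailylogs/2017-08-28/snort.log.*
if [ "$#" -ge 4 ]; then
    extract_window "$@"
fi
```

The resulting pcap can be opened in Wireshark to see the inner IPv6 packets the misconfigured hosts were sending; widening the window by a file on each side costs little, since the filter discards everything that is not tunnel traffic.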

rex warnert

Aug 30, 2017, 3:49:23 PM8/30/17
to security-onion
Thanks, Wes. I will try that tomorrow.