Difference between pages "Wireshark" and "GRR"

From ForensicsWiki
Left page: Wireshark

{{Infobox_Software |
  name = Wireshark |
  maintainer = The Wireshark team |
  os = {{Linux}}, {{Windows}} |
  genre = Network forensics |
  license = {{GPL}} |
  website = [http://www.wireshark.org/ www.wireshark.org] |
}}

'''Wireshark''' is a popular network protocol analyzer.

== Overview ==

Wireshark has a rich feature set which includes the following:

* Deep inspection of hundreds of protocols;
* Live capture and offline analysis;
* Standard three-pane packet browser;
* Multi-platform: runs on [[Windows]], [[Linux]], [[Mac OS X]], [[Solaris]], [[FreeBSD]], [[NetBSD]], and many others;
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility;
* Powerful display filters;
* Rich [[VoIP]] analysis;
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, [[Microsoft Network Monitor]], Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others;
* Capture files compressed with gzip can be decompressed on the fly;
* Live data can be read from [[Ethernet]], [[Wireless forensics|IEEE 802.11]], PPP/HDLC, ATM, [[Bluetooth]], [[USB]], Token Ring, Frame Relay, FDDI, and others (depending on your platform);
* Decryption support for many protocols, including [[IPsec]], ISAKMP, Kerberos, SNMPv3, [[SSL forensics|SSL/TLS]], [[Wireless forensics|WEP, and WPA/WPA2]];
* Coloring rules can be applied to the packet list for quick, intuitive analysis;
* Output can be exported to [[XML]], PostScript®, [[CSV]], or plain text.

== Network Forensics ==

Wireshark can be used in the [[network forensics]] process. There are some limitations:

* Wireshark is packet-centric (not data-centric);
* Wireshark doesn't work well with large network capture files (you can turn all packet coloring rules off to increase performance).

=== Wireless Forensics ===

Wireshark can decrypt IEEE 802.11 WLAN data with user-specified encryption keys.

== External Links ==

* [http://wiki.wireshark.org/ Wireshark Wiki]

== See Also ==

* [[tcpdump]]

[[Category:Network Forensics]]

Right page: GRR

{{Infobox_Software |
  name = Rekall |
  maintainer = [[Darren Bilby]] and others |
  os = {{Cross-platform}} |
  genre = {{Incident response}} |
  license = {{APL}} |
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
}}

GRR is an Incident Response Framework focused on Remote Live Forensics.

== See also ==

* [[rekall]]

== External Links ==

* [https://code.google.com/p/grr/ Project site]
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
* [http://grr.googlecode.com/git/docs/index.html Documentation]

== Publications ==

* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]]. Digital Investigation, 2013.

== Presentations ==

* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]

== Workshops ==

* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]
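The Wireshark page's Network Forensics section calls Wireshark packet-centric rather than data-centric, and it lists tcpdump (libpcap) among the capture formats it reads. The following added example, which is not code from either wiki page, from Wireshark, or from GRR, shows what "data-centric" means in practice: a minimal libpcap reader that walks the per-record headers, pulls the TCP payload out of each IPv4 frame, and rebuilds each unidirectional stream in sequence-number order, dropping a retransmitted segment and marking a gap where a segment was never captured. The capture it parses is constructed in memory (two hosts, a one-line HTTP request and a split response, with the reply segments arriving out of order and the request retransmitted); the IP and TCP checksums are left zero, which Wireshark would flag but which does not matter for reassembly.

```python
"""Minimal libpcap reader that reassembles TCP payload per flow.

Added example for the Wireshark "packet-centric, not data-centric" note.
All capture data below is constructed in memory; checksums are zero.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic read with the wrong byte order
LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, sport, dport, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame for test data (checksums zeroed)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, 0x18, 65535, 0, 0)             # 20-byte header, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_records(data):
    """Yield (ts_sec, frame_bytes) for every record in a libpcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (flow_key, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                                   # IP protocol field
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4                        # TCP data offset
    return (src, sport, dst, dport), seq, frame[tcp + doff:14 + total_len]


def reassemble_streams(pcap_bytes):
    """Map each unidirectional flow to its payload, ordered by sequence number."""
    segments = defaultdict(list)
    for _, frame in iter_pcap_records(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments[key].append((seq, payload))
    streams = {}
    for key, segs in segments.items():
        segs.sort()
        buf, expected = b"", segs[0][0]
        for seq, payload in segs:
            if seq < expected:                               # retransmission/overlap
                payload = payload[expected - seq:]
            elif seq > expected:                             # segment never captured
                buf += b"[%d bytes missing]" % (seq - expected)
                expected = seq
            buf += payload
            expected += len(payload)
        streams[key] = buf
    return streams


# Constructed capture: reply segments out of order, request retransmitted.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.2", "10.0.0.1", 40000, 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
    build_packet("10.0.0.1", "10.0.0.2", 80, 40000, 5000, b"<html>"),
    build_packet("10.0.0.1", "10.0.0.2", 80, 40000, 4981, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_packet("10.0.0.2", "10.0.0.1", 40000, 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    for flow, data in reassemble_streams(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d  %r" % (flow + (data,)))
```

Wireshark's own "Follow TCP Stream" does the same ordering and de-duplication for one conversation at a time; doing it in a script is what lets an analyst run over a capture that is too large to open comfortably in the GUI, or extract every stream rather than one. The reader above handles only Ethernet-framed IPv4 and ignores IP fragmentation, so real captures need those cases added before the output is trusted.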

Revision as of 19:20, 12 January 2014
