Wednesday, December 5, 2018

Comparing Packet Captures to Procmon Traces Revisited

In my previous post, Comparing Packet Captures to Procmon Traces, I demonstrated how to match Procmon to pcap data. When I looked at this again, I noticed something peculiar. When Procmon's shows a length of 3760, everything gets thrown off.

Looking at the output from Procmon and TCPdump, everything matches up until we hit a length of 3760. So what is happening here? It turns out, if you want to match the packets up, one of them needs to be split.

So it turns out there is an exception to the rule. If the length equals 3760, we have to add the length of the next entry to it. The packets in TCPdump should add up to this combined number. Looking at the example, the third packet will be split between the two Procmon entries.

No comments:

Post a Comment