Comments on: Second Network Forensics Contest http://blog.kiddaland.net/2009/11/second-network-forensics-contest/ Some useless talk mixed with hopefully interesting points every now and then Thu, 15 Jul 2010 14:48:53 +0000 hourly 1 http://wordpress.org/?v=3.0 By: kiddi http://blog.kiddaland.net/2009/11/second-network-forensics-contest/comment-page-1/#comment-1739 kiddi Mon, 21 Dec 2009 12:45:13 +0000 http://blog.kiddaland.net/?p=151#comment-1739 Thank you for this, and thanks for the point about argus, I will keep that in mind in the next contest ;) Thank you for this, and thanks for the point about argus, I will keep that in mind in the next contest ;)

]]> By: OE http://blog.kiddaland.net/2009/11/second-network-forensics-contest/comment-page-1/#comment-1687 OE Fri, 18 Dec 2009 17:44:44 +0000 http://blog.kiddaland.net/?p=151#comment-1687 Hi Kristinn, As usual, your solution is more elegant than mine :) I just wanted to point out a small improvement. Your tcpdump commands don\'t extract all the source and destination IPs. For example, 192.168.1.10 is both a source and a destination IP. Argus is a lot better in things like this. To get the source IPs: $ racluster -m saddr -s saddr -r evidence02.ra | sort -n | uniq 192.168.1.10 192.168.1.159 192.168.1.2 192.168.1.30 To get the destination IPs: $ racluster -m daddr -s daddr -r evidence02.ra | sort -n | uniq 10.1.1.20 64.12.102.142 192.168.1.10 192.168.1.159 192.168.1.255 192.168.1.30 HTH :) Hi Kristinn,

As usual, your solution is more elegant than mine :) I just wanted to point out a small improvement. Your tcpdump commands don\’t extract all the source and destination IPs. For example, 192.168.1.10 is both a source and a destination IP. Argus is a lot better in things like this. To get the source IPs:

$ racluster -m saddr -s saddr -r evidence02.ra | sort -n | uniq
192.168.1.10
192.168.1.159
192.168.1.2
192.168.1.30

To get the destination IPs:

$ racluster -m daddr -s daddr -r evidence02.ra | sort -n | uniq
10.1.1.20
64.12.102.142
192.168.1.10
192.168.1.159
192.168.1.255
192.168.1.30

HTH :)

]]> By: Franck GUENICHOT http://blog.kiddaland.net/2009/11/second-network-forensics-contest/comment-page-1/#comment-1180 Franck GUENICHOT Fri, 27 Nov 2009 13:32:12 +0000 http://blog.kiddaland.net/?p=151#comment-1180 Really nice ! Good job ! Please, don't win this one too :-) Your analysis is very detailled and really interesting. Feel free to read my own solution :http://malphx.free.fr/dotclear/index.php?post/2009/11/24/Network-forensics-contest-Puzzle2%3A-my-solution Good luck. Really nice ! Good job !
Please, don’t win this one too :-)

Your analysis is very detailled and really interesting.

Feel free to read my own solution :http://malphx.free.fr/dotclear/index.php?post/2009/11/24/Network-forensics-contest-Puzzle2%3A-my-solution

Good luck.

]]>