9. Appendix B - Capturing network packets

For malware analysis it may be interesting to have a look at the information transmitted over the Internet. That's why a packet sniffer has been added to Buster Sandbox Analyzer.

Note: From version 1.19 the packet sniffer included in BSA requires WinPcap to work.

WinPcap can be downloaded from: http://www.winpcap.org

The previous packet sniffer supported only Windows XP and Windows 7. The new packet sniffer supports all systems, both 32-bit and 64-bit.

The previous packet sniffer captured every packet being transmitted. The new packet sniffer is able to filter packets and capture only the TCP packets generated by sandboxed applications.

Note: UDP packets from both sandboxed and unsandboxed applications will be captured.

The previous packet sniffer was unable to show which program generated a packet. The new packet sniffer shows which program generated each packet.

The packet sniffer can be configured from the "Options > Packet Sniffer" menu. Available options:

Do Not Capture Packets: This option disables the packet sniffer.

Ignore UDP Packets: UDP packets will not be listed in the packet viewer or in the reports, and they will not be captured to PCAP files.

DNS queries are an exception: they will still be reported, but they will be neither captured nor shown in the packet viewer.

Select Adapter: Before using the packet sniffer you must select which network adapter you want to use to capture packets. This selection only needs to be made once.

Note: If you add or remove an adapter you must select the adapter to use again.

Save Capture To File: When this option is enabled BSA will save the packets to a .pcap-compatible file. This file can be used for network forensic analysis purposes.

Show Full Path: When this option is enabled BSA will display the full path of the application that generated the packet. When it is disabled only the file name will be displayed.

Note: In Connections.TXT the full path is always saved.

After clicking the "Finish Analysis" button, if any packets were sniffed the option "Viewer - View Packets" will be available.

Clicking on a packet will show the data transmitted at the bottom.
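The .pcap file written by "Save Capture To File" can be processed outside BSA. The following added example (not part of BSA and not the project's own code) is a small libpcap reader that decodes Ethernet/IPv4 TCP and UDP records and then applies the same triage rules described above for "Ignore UDP Packets": TCP packets are listed, UDP packets are dropped from the listing when the option is on, and DNS queries (UDP to port 53) are still reported by queried name even when they are not listed. The capture it reads is constructed in memory, so the script runs offline; packet layout, addresses and names in it are made up for the demonstration.

```python
"""Added example: minimal .pcap reader plus the TCP/UDP/DNS triage rules
described in the BSA manual. Not BSA code; sample capture is constructed."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_ipv4(proto, src, dst, payload):
    """IPv4 header without options. Checksum left at 0: constructed test data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, payload):
    # seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_dns_query(name):
    """Standard DNS query for an A record, one question, no compression."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_frame(ip_packet):
    # Ethernet II: dst MAC, src MAC (both made up), EtherType 0x0800 = IPv4
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def sample_capture():
    """Constructed capture: one HTTP request (TCP), one DNS query, one other UDP datagram."""
    return build_pcap([
        build_frame(build_ipv4(6, "10.0.0.5", "203.0.113.10",
                               build_tcp(49152, 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"))),
        build_frame(build_ipv4(17, "10.0.0.5", "10.0.0.1",
                               build_udp(53000, 53, build_dns_query("example.invalid")))),
        build_frame(build_ipv4(17, "10.0.0.5", "10.0.0.1", build_udp(123, 123, b"\x1b" + b"\x00" * 47))),
    ])


def parse_pcap(data):
    """Return one dict per IPv4 TCP/UDP packet in an Ethernet pcap (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:              # TCP: honour data offset
            sport, dport = struct.unpack_from("!HH", l4, 0)
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:            # UDP: fixed 8-byte header
            sport, dport = struct.unpack_from("!HH", l4, 0)
            payload = l4[8:]
        else:
            continue
        records.append({"ts": ts_sec + ts_usec / 1e6, "proto": "TCP" if proto == 6 else "UDP",
                        "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload})
    return records


def dns_qname(payload):
    """First question name of a DNS message (questions are never compressed)."""
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def triage(records, ignore_udp=False):
    """Mirror the manual's rules: DNS queries are always reported by name; with
    ignore_udp every UDP packet (DNS included) is left out of the listing."""
    listed, dns_reported = [], []
    for r in records:
        if r["proto"] == "UDP" and r["dport"] == 53:
            dns_reported.append(dns_qname(r["payload"]))
        if ignore_udp and r["proto"] == "UDP":
            continue
        listed.append("%s %s:%d -> %s:%d (%d bytes)" % (
            r["proto"], r["src"], r["sport"], r["dst"], r["dport"], len(r["payload"])))
    return listed, dns_reported


if __name__ == "__main__":
    recs = parse_pcap(sample_capture())
    for line in triage(recs, ignore_udp=True)[0]:
        print(line)
    print("DNS queries:", triage(recs, ignore_udp=True)[1])
```

To use it on a real BSA capture, replace `sample_capture()` with `open(path, "rb").read()`; the reader only understands the classic pcap format (not pcapng) and IPv4 over Ethernet, which is why it checks the magic number and link type before trusting any offsets.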