Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: BPF, PCAP, Binary, hex, why they matter? - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
BPF, PCAP, Binary, hex, why they matter?

*A call for more blue defenders*

In a couple weeks I will be a TA for Mr. Mike Poor  in DC at CDI (Shameless plug, if you are a reader and see me in DC say so!!!) for SANS 503. We often get asked, why does BPF matter || why should I bother with hex || why do I need to learn this???? My  APP does all the work for me!

I would like to share a ‘vet’ U.S. Navy story and shout out a thanks to, at the time QM2(SW), a talented navigator. He was telling me the “Stars never lie” and in that they always show the way. If you learn to read them, take my GPS, take my N take my Y technology, I have the star. If we know where the north star is? We can always find north! After watching him dismiss a senior inspector with core math and navigation skills and the stars? I was a believer!

At the core our minds are powerful processors. According the quad process model we can calculate at rates that far surpass computers ‘in certain circumstances, linearly we’ll get p0wn’3d’ (Conrey, Sherman, Gawronski, Hugenberg, & Groom, 2005). This is likely why there are times when a 'solution' to a problem just somehow pops into your mind.

If we understand the “Core” network communication we can build all protocols!

A couple of opinions/facts/ideas/comments/<insert favorite polarized media narrative here>;


1 – Most if not all IDS/IPS/HIDS/NIDS speak BPF [1]

2 – And another thing? RAW packets ‘usually’ cannot lie (it’s the RAW factor that counts)

3 – Most if not all sniffers/HIDS/NIDS/IPS/IDS/Firewalls speak PCAP

4 – Understanding the root language can help you understand new code built into that language

Coming to my point? For $DayJob I have been asked to prepare an Incident Management workshop, which has become a more common request. Why I highlight this is mostly even. In this I hope to shed light on the important of core skills like TCPDumpFU || HexFU || BinaryFU || ProtocolFU. Most importantly I want to emphasis that a core understanding can help in the critical thinking process in understanding new or unknown problems or challenges.

To share another quick story? I was asked to come up to speed on a core DLP technology quickly. If you understand the core science the ‘application’ or ‘technology’ is a matter of perhaps GUI/Commands and ‘admin manual.’ The same can be said about packets! Our faithful readers know the near axiomatic statement from any handler “got packets?”

Lately I have been asked to consult on more incidents than normal (for me) and in that I have noticed that although the operators are quite intelligent with fundamental problem solving skills, yet they are not effectively equipped. We need better blue defenders!!!!

It’s easier to attack than defend (Tzu, 1889). My most favorite moment is making most glorified attacker for “said G groups” unplug laptops and say “how did you do that?”…  (read active defense is not to attack but to fatigue your enemy, frustrate them, make them tired of attacking, deny them the ability to attack!)

Back to the point, we have been under attack for so long and breach after breach after breach aft……………. It has become the ‘new norm’ and I wanted to address the Pachyderm in the room! We are short of blue defenders! It’s easy, perhaps sexy to download “Kali” linux? But… How many have heard of HoneyDrive [2]? Or perhaps SecurityOnion [3]?

[4] “If I make an attacker spend an extra 9 hours attacking my website? I’ve won!” John Strand, SANSFire 2013.

Hard data, according to the Verizon DBIR [5] HIDS, NIDS, Log Review and Incident Response are responsible for between 1-4% of discovery methods (Figure, 44, p.54). The facts point to unrelated parties as a primary means of deteaction. Getting a phone call is not a good way to receive an Indicator of Compromise (IOC).

Back to the origin of the post to come full circle? Why BPF, why  PCAP, why hex? To first defend against a thing you must understand a thing (Tzu, 1899). If we form a base understanding of opponents tactics along with the battlefield we can better defend!



Conrey, F. R., Sherman, J. W., Gawronski, B., Hugenberg, K., & Groom, C. J. (2005). Separating multiple processes in implicit social cognition: the quad model of implicit task performance. J Pers Soc Psychol, 89(4), 469-487. doi:10.1037/0022-3514.89.4.469

Tzu, S. (1899). Sun Tzu's Art of  [online] Retrieved from: [Accessed: 1 Dec 2013].







Incident Management Resources:


The Practice of Network Security Monitoring: Understanding Incident Detection and Response

by Richard Bejtlich




@packetalien || rporter at isc dot sans dot edu




173 Posts
ISC Handler
Dec 1st 2013
You don't need the stars, even the sun can give you pretty good coordinates. If you timepiece is more or less precise, and you map the sun around noon (like with a sundial), then remember that the sun is south at 12:00, but, it moves 15 degrees per hour or 4 minutes per degree. So you can determine east/west coordinates down to at least 1 degree or better E/W. As for North/south, you would need to know the date. The sun moves +/- 22.5 degrees from equator or around 45 degrees per 180 days or approx 4 days per degree. Basic geometry can be used here with a stick in the ground, then measure the stick and shadow length at high noon.

Al that being said, I also meet very few people with TCP/IP skills. The network guys are one group who never looks beyong IP headers. And most Windows/Unix people don't ever look at the network traffic. I am using it regularly to localize network problems, troubleshoot stuff where the RFCs lists a human readable protocol, and sometimes binary protos as well, have even used it a few times to prove to the vendors that their crappy software was buggy. It can be used for many other things than just looking at malware. But it takes a special person being willing to go deep, or use the resources need to get something out of this. And I see fewer and fewer people in IT with that skillset, or ability to focus and drill down. The old guys retire, and the young ones are not interested in details. Just like the shift from developers to programmers to copy/paste-kings.
Povl H.

79 Posts
Many network appliances are Linux based and they have tcpdump built-in. With BPF and some Hex converting skills you can understand and solve many of root issues.
Thank you for this diary

60 Posts
ISC Handler

Thank you for the article, but what are "Blue Defenders"?
28 Posts

Sign Up for Free or Log In to start participating in the conversation!