Studying Network Activity Using the Chaosreader Tool

by Don Parker [Published on 1 Dec. 2005 / Last Updated on 1 Dec. 2005]

I have written quite a bit about investigating network activity at the packet level. This practice can yield some key information about your network. Another tool that can help you discern network activity is a program called Chaosreader. Read on to find out more about this outstanding tool, and its ability to help you.

Data investigation tool

I have written about packet analysis and data mining over the course of several articles. Those techniques give you the ability to interpret data in its rawest form: the packet. This is nothing new to those of us who regularly investigate alarms and alerts generated by security devices. What you do not easily see by looking at individual packets, though, is the application-layer content they carry, because that content is spread across a whole stream of segments. That is especially true of any binary transfer, whether it is a picture or an actual program being sent. It would be very useful to be able to recreate the data stream we are seeing.

In today's corporate networks the employee pretty much takes Internet access for granted. I have never understood this mindset, to be honest: we are at work to work, not to surf the Internet for hours. This dovetails with a problem many corporations face, the employee who spends far too much time wandering the Internet instead of doing what they are paid for. Once a manager notices such behaviour a series of events falls into place. The manager contacts the HR (human resources) department and seeks advice on how to deal with the situation, which normally takes the form of an official reprimand for the employee. What happens, though, if the employee denies the charges? After all, you have simply seen what you think is excessive Internet use. What you need is proof.

There is a tool for every job

It is far easier to deal with a problem like the one above if you have incontrovertible proof at your disposal. You can certainly say that the employee generated some number of packets during the work day, but that approach isn't very visual, and a visual representation of your data is far more powerful than arbitrary numbers. This is where Chaosreader comes in. It takes a binary packet capture (a tcpdump or windump log) and turns it into a series of neatly formatted HTML pages: a chronicle of the sessions and pages accessed, the images fetched, and other statistics. Output like that is far more effective when confronting an employee; it is rather difficult to deny what is in front of you!

Since most of us use and work in a Microsoft Windows environment, it only makes sense to leverage tools that run there, and Chaosreader does indeed work in the win32 world. If you look at the project page you will note that it is written in Perl. That is the reason it runs not only on a win32 platform but also on Linux: all you need to install on either platform is a Perl interpreter. On Windows you can get one from ActiveState; follow the series of prompts on their site and you will be able to download an MSI for installation. Now is a good time to point out, in case you have not noticed, that Chaosreader is Perl 5.6 dependent. That means you will have to download a Perl 5.6.x MSI for installation on your computer.

Let's install Chaosreader

We shall assume that you have installed a Perl 5.6.x interpreter on your computer successfully; it comes as an MSI package, so all you have to do is double-click it and follow the prompts. The second step is to download Chaosreader itself from the project page. Save the file into the root of c:\, in other words at c:\. This keeps the paths short, and the rest of this article assumes that location.

We are now ready to use it, or at least to invoke it and see what its options are. Open a cmd.exe, navigate to c:\ and enter the following command:

C:\> chaosreader0.94

Windows will pop up a dialog asking which program you want to open the file with. What happened? Chaosreader is a Perl script with no file extension, so Windows has no way to associate it with the interpreter. You can run it through the interpreter explicitly (C:\> perl chaosreader0.94 --help) or, to keep the commands short for the rest of this article, copy it to a name ending in .pl, which ActivePerl registers for you:

C:\> copy chaosreader0.94 chaosreader.pl

Once you have renamed it, or made a copy under the new name, enter the command below:

C:\> chaosreader.pl --help

You should now see the following in your cmd.exe window:

Version 0.94, 01-May-2004

USAGE: chaosreader [-aehikqrvxAHIRTUXY] [-D dir] 
                   [-b port[,...]] [-B port[,...]] 
                   [-j IPaddr[,...]] [-J IPaddr[,...]] 
                   [-l port[,...]] [-L port[,...]] [-m bytes[k]]
                   [-M bytes[k]] [-o "time"|"size"|"type"|"ip"]
                   [-p port[,...]] [-P port[,...]] 
                   infile [infile2 ...]

chaosreader -s [mins] | -S [mins[,count]]   
                       [-z] [-f 'filter']

chaosreader           # Create application session files, indexes

   -a, --application     # Create application session files (default)
   -e, --everything      # Create HTML 2-way & hex files for everything
   -h                    # Print a brief help
   --help                # Print verbose help (this) and version

Please note that this is an abbreviated version of the help text built into Chaosreader. So we now have Chaosreader up and running. What we need next is a binary packet capture to feed into it. For that I would suggest windump, the Windows port of tcpdump. Install windump to the root of the C: drive as well, and remember that it needs WinPcap installed before it will work. If the machine has more than one interface, windump -D lists them and -i followed by the interface number selects one. Now enter a command like the following, or a variant of it:

C:\> windump.exe -w traffic -s 0

This command captures every packet that reaches the NIC (no BPF filter expression is given, so nothing is excluded) and writes the packets in tcpdump's binary format to a file called "traffic". The -s 0 matters: it tells windump to record each packet in full rather than only the first 68 bytes, the default snapshot length in windump and tcpdump of that era, and Chaosreader can only rebuild sessions from complete payloads. Stop the capture with Ctrl-C once you have enough. It is this file called "traffic" that we will now feed into Chaosreader. Create an output directory first (mkdir chaos_output2) and then issue the following command to get some output from Chaosreader:

C:\>chaosreader.pl -e traffic -D chaos_output2
Chaosreader ver 0.94

Opening, traffic

Reading file contents,
 100% (2601433/2601433)
Reassembling packets,
 100% (916/3061)

Creating files...

Num  Session (host:port <=> host:port)              Service
0009  192.168.1.102:4500,63.240.93.142:80            web
0012  192.168.1.102:4506,67.18.103.137:80            web
0018  192.168.1.102:4516,67.18.103.137:80            web
0017  192.168.1.102:4514,213.86.172.147:80           web
0003  192.168.1.102:4494,68.142.228.154:80           web
0013  192.168.1.102:4508,67.18.103.137:80            web
0004  192.168.1.102:4484,72.14.207.104:80            web
0011  192.168.1.102:4504,216.109.126.26:80           web
0005  192.168.1.102:4496,206.190.44.47:80            web
0015  192.168.1.102:4512,64.233.167.104:80           web
0014  192.168.1.102:4510,67.18.103.137:80            web
0016  69.50.174.2:12345,192.168.1.102:3704           3704
0007  192.168.1.102:4498,63.240.93.147:80            web
0001  192.168.1.102:4250,216.196.97.142:119          119
0002  192.168.1.102:4249,216.196.97.142:119          119
0010  192.168.1.102:4502,216.109.118.41:80           web
0008  192.168.1.102:1025,24.153.23.66:53             dns
0006  192.168.1.102:1025,24.153.22.67:53             dns

index.html created.

C:\>
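The "Reassembling packets" line in that output is where the real work happens: the individual packets in "traffic" are grouped into sessions and their payloads are stitched back together in sequence order. The following Python reader, added here as an illustration and not part of the article or of Chaosreader, does the same job in miniature for the libpcap format that windump -w writes. It validates the 24-byte file header, counts packets that the snapshot length cut short, and reassembles each TCP direction by sequence number, handling out-of-order segments, a retransmission and overlaps. The sample capture is constructed in memory (the addresses are borrowed from the session listing above; www.example.com and the HTTP exchange are made up), and both IP and TCP checksums are left at zero because the reader does not verify them. Sequence-number wraparound and marking of gaps are deliberately left out.

```python
"""Added example (not from the article or Chaosreader): a minimal reader for the
libpcap file that `windump -w traffic -s 0` writes.  It checks the global header,
counts packets the snaplen cut short, and reassembles each TCP direction by
sequence number, the work behind Chaosreader's "Reassembling packets" step.  The
sample capture is built in memory with addresses copied from the article's listing."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # microsecond pcap; the 0xA1B23C4D nanosecond variant is not handled
LINKTYPE_ETHERNET = 1

def check_pcap_header(data):
    """Parse the 24-byte global header; return byte order, snaplen and link type."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    for endian in ("<", ">"):   # the magic is written in the capturing host's byte order
        magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
        if magic == PCAP_MAGIC:
            return {"endian": endian, "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    raise ValueError("bad pcap magic: %s" % data[:4].hex())

def iter_packets(data):
    """Yield (timestamp, frame, truncated) for every packet record in the file."""
    endian, off = check_pcap_header(data)["endian"], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len], incl_len < orig_len
        off += incl_len

def truncated_packets(data):
    """Packets whose stored length is below their wire length: the cost of a small snaplen."""
    return sum(1 for _ts, _frame, cut in iter_packets(data) if cut)

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, flags, payload) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4           # start of the TCP header
    if len(frame) < t + 14:
        return None
    ip_total = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    payload = frame[t + (off_flags >> 12) * 4:14 + ip_total]  # a truncated frame just yields fewer bytes
    return (src, sport, dst, dport), seq, off_flags & 0x3F, payload

def reassemble(data):
    """Map each one-way TCP flow to its payload in sequence order: out-of-order segments are
    sorted, retransmissions keep the first copy, overlaps are trimmed.  Sequence-number
    wraparound and gap marking are left out of this illustration."""
    if check_pcap_header(data)["linktype"] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    segments = defaultdict(dict)   # flow -> {seq: payload}
    for _ts, frame, _cut in iter_packets(data):
        parsed = parse_tcp(frame)
        if parsed and parsed[3]:
            flow, seq, _flags, payload = parsed
            segments[flow].setdefault(seq, payload)
    flows = {}
    for flow, segs in segments.items():
        buf, expected = b"", 0
        for seq in sorted(segs):
            buf += segs[seq][max(0, expected - seq):]   # skip bytes an earlier segment already delivered
            expected = max(expected, seq + len(segs[seq]))
        flows[flow] = buf
    return flows

def tcp_frame(src, sport, dst, dport, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame for the sample; checksums are left zero since this reader ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("0011223344556677889900aa0800") + ip + tcp

def build_capture(snaplen=65535):
    """Constructed sample: one HTTP exchange whose request arrives in two segments, out of order."""
    client, server = ("192.168.1.102", 4500), ("63.240.93.142", 80)
    req1, req2 = b"GET /index.html HTTP/1.1\r\n", b"Host: www.example.com\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    cseq, sseq = 1000, 5000
    frames = [
        tcp_frame(*client, *server, cseq, 0, 0x02, b""),                          # SYN
        tcp_frame(*server, *client, sseq, cseq + 1, 0x12, b""),                   # SYN/ACK
        tcp_frame(*client, *server, cseq + 1 + len(req1), sseq + 1, 0x18, req2),  # second segment first
        tcp_frame(*client, *server, cseq + 1, sseq + 1, 0x18, req1),
        tcp_frame(*client, *server, cseq + 1, sseq + 1, 0x18, req1),              # retransmission
        tcp_frame(*server, *client, sseq + 1, cseq + 1 + len(req1 + req2), 0x18, resp),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):   # -s N stores only the first N bytes of each frame
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1131194400 + i, 0, len(kept), len(frame)) + kept
    return out

if __name__ == "__main__":
    for name, cap in (("-s 0", build_capture()), ("-s 68", build_capture(snaplen=68))):
        print(name, check_pcap_header(cap), "truncated packets:", truncated_packets(cap))
        for flow, payload in reassemble(cap).items():
            print("  %s:%d -> %s:%d  %r" % (*flow, payload))
```

To run it against a real capture, replace build_capture() with open("traffic", "rb").read(). The header check tells you at once whether the file was taken with -s 0 (a full-packet capture shows a snaplen of 65535, or a larger value with newer libpcap versions), and truncated_packets() tells you how much of it Chaosreader will not be able to rebuild. Running the block with snaplen=68 shows the failure mode: the request line is cut off after a dozen bytes and the reassembled stream no longer even contains "HTTP/1.1".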

So as we can see from the above output generated by Chaosreader, I now have a large number of files sitting in the directory "chaos_output2", as the (abbreviated) listing below shows:

C:\chaos_output2>dir
 Volume in drive C has no label.
 Volume Serial Number is 806A-DE05

Directory of C:\chaos_output2

11/05/2005  12:52 PM    <DIR>          .
11/05/2005  12:52 PM    <DIR>          ..
11/05/2005  12:52 PM             9,430 getpost.html
11/05/2005  12:52 PM             4,381 httplog.text
11/05/2005  12:52 PM               516 image.html
11/05/2005  12:52 PM             9,344 index.html
11/05/2005  12:52 PM             6,254 index.text
11/05/2005  12:52 PM         2,129,400 session_0001.119.hex.html
11/05/2005  12:52 PM           972,286 session_0001.119.hex.text
11/05/2005  12:52 PM           279,154 session_0001.119.html
11/05/2005  12:52 PM         2,029,317 session_0002.119.hex.html
11/05/2005  12:52 PM           926,732 session_0002.119.hex.text
11/05/2005  12:52 PM           266,084 session_0002.119.html
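The session rows Chaosreader printed at the end of the run are also written to index.text in that directory, and they are the raw material for the kind of overview a manager wants. The following parser is an added example, not code from the article or from Chaosreader: it reads those rows (copied verbatim from the run above), counts sessions per service and per web server, and flags any session that an outside host opened towards the monitored machine. In the listing the left-hand endpoint is the side that opened the session (the ephemeral-port side in every web row), so session 0016, from 69.50.174.2:12345 to 192.168.1.102:3704, is the one inbound connection in this capture and deserves a look in its session file. The 192.168.1.0/24 local prefix is an assumption; adjust it for your network.

```python
"""Added example (not from the article or Chaosreader): parse the session listing
Chaosreader prints at the end of a run (the same rows appear in index.text) into
per-service and per-host counts, and flag sessions opened towards the monitored
machine from outside.  The rows are copied from the article's run; the local
network prefix 192.168.1.0/24 is an assumption."""
import ipaddress
import re
from collections import Counter

# Copied from the article's Chaosreader run.
LISTING = """\
Num  Session (host:port <=> host:port)              Service
0009  192.168.1.102:4500,63.240.93.142:80            web
0012  192.168.1.102:4506,67.18.103.137:80            web
0018  192.168.1.102:4516,67.18.103.137:80            web
0017  192.168.1.102:4514,213.86.172.147:80           web
0003  192.168.1.102:4494,68.142.228.154:80           web
0013  192.168.1.102:4508,67.18.103.137:80            web
0004  192.168.1.102:4484,72.14.207.104:80            web
0011  192.168.1.102:4504,216.109.126.26:80           web
0005  192.168.1.102:4496,206.190.44.47:80            web
0015  192.168.1.102:4512,64.233.167.104:80           web
0014  192.168.1.102:4510,67.18.103.137:80            web
0016  69.50.174.2:12345,192.168.1.102:3704           3704
0007  192.168.1.102:4498,63.240.93.147:80            web
0001  192.168.1.102:4250,216.196.97.142:119          119
0002  192.168.1.102:4249,216.196.97.142:119          119
0010  192.168.1.102:4502,216.109.118.41:80           web
0008  192.168.1.102:1025,24.153.23.66:53             dns
0006  192.168.1.102:1025,24.153.22.67:53             dns
"""

# The left-hand endpoint is the side that opened the session (the ephemeral-port side in every web row).
ROW_RE = re.compile(r"^(\d{4})\s+([\d.]+):(\d+),([\d.]+):(\d+)\s+(\S+)\s*$")

def parse_listing(text):
    """Turn the listing into a list of dicts; the header line and anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            num, src, sport, dst, dport, service = m.groups()
            rows.append({"num": int(num), "src": src, "sport": int(sport),
                         "dst": dst, "dport": int(dport), "service": service})
    return rows

def summarize(rows, local_net="192.168.1.0/24"):
    """Counts per service and per web server, plus sessions an outside host opened inbound."""
    net = ipaddress.ip_network(local_net)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    return {
        "sessions": len(rows),
        "by_service": Counter(r["service"] for r in rows),
        "web_hosts": Counter(r["dst"] for r in rows if r["service"] == "web"),
        "inbound": [r for r in rows if inside(r["dst"]) and not inside(r["src"])],
    }

def report(rows, local_net="192.168.1.0/24"):
    """Plain-text summary lines, the kind of overview that goes in front of a manager."""
    s = summarize(rows, local_net)
    lines = ["%d sessions: %s" % (s["sessions"],
             ", ".join("%s=%d" % kv for kv in s["by_service"].most_common()))]
    for host, n in s["web_hosts"].most_common():
        lines.append("  web  %-16s %d session(s)" % (host, n))
    for r in s["inbound"]:
        lines.append("  INBOUND from %s:%d to %s:%d (session %04d, service %s)"
                     % (r["src"], r["sport"], r["dst"], r["dport"], r["num"], r["service"]))
    return lines

if __name__ == "__main__":
    print("\n".join(report(parse_listing(LISTING))))
```

To use it on your own run, read index.text from the output directory instead of the embedded LISTING; the per-host counts are what you put beside the session pages when you make your case, and the INBOUND lines are the sessions worth opening first, because they are connections the monitored machine did not initiate.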

All you need to do now is open c:\chaos_output2\index.html in your browser and follow the links it provides: the per-session pages, the list of GET and POST requests (getpost.html), the images fetched (image.html) and the HTTP log (httplog.text). This is very much the type of evidence that leaves the employee no room to squirm out of. Two things to keep in mind, though. The capture and the output directory hold the full content of every session the machine had, not just the employee's web browsing, so treat them as you would any other evidence: restrict who can read them, record when, where and how the capture was taken, and keep a hash of the original "traffic" file so you can show it was not altered afterwards. And the HTML pages replay content taken straight off the wire, so review them on an analysis machine rather than on a production workstation. You have now used a tool to deal effectively with a situation that needed definitive and visual proof. That is the beauty of Chaosreader: it gives you visual and informative output from a binary capture. This tool is very useful, and I would definitely recommend it to anyone. I hope you enjoyed this article, and as always I welcome your feedback. Till next time!

The Author — Don Parker

Don Parker specializes in matters of intrusion detection, and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writing for various online and print media on matters of computer security.