Pcap Forensics Tool Update
New features have been added to the Pcap Forensics Tool:
- Support for multiple files within a single stream
- Support for multiple HTTP requests within a single stream
- HTTP GET correlation with the returned data
- Improved gzip decoding
- Source and destination IP filtering
- Pinpoint file extraction
The following is an example of the new switches it supports:

This is the new summary when given the "-s" switch:

Filtering destination IP addresses with HTTP Information:

And finally, the pinpoint file extraction. The switch "-E" is used together with a selector of the form "s2f1" (stream 2, file 1) to pinpoint exactly which file the user wants to extract, as seen below:

The tool can be downloaded at the same location:
This includes the updated gzip support, which was written by the author of JsUnpack.
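The features listed above (several GET requests and replies in one stream, GET-to-response correlation, gzip decoding and the "s2f1" selector) in miniature, as an added example that is not the tool's own code. It assumes the TCP streams have already been reassembled (the tool uses pynids for that) and are handed in as (client->server, server->client) byte pairs; the sample streams at the bottom are constructed for the demonstration.

```python
import gzip
import re

SELECTOR = re.compile(r"^s(\d+)f(\d+)$")  # "s2f1" = stream 2, file 1 (1-based, as in the post)

def parse_requests(client_data):
    """Request-target of every GET in one client->server stream (several per keep-alive stream)."""
    return re.findall(rb"^GET (\S+) HTTP/1\.[01]\r\n", client_data, re.M)

def parse_responses(server_data):
    """Split one server->client stream into (headers, body) per response; bodies are cut by
    Content-Length and a gzip Content-Encoding is undone before the body is returned."""
    out, pos = [], 0
    while (end := server_data.find(b"\r\n\r\n", pos)) >= 0:
        head = server_data[pos:end].decode("latin-1").split("\r\n")[1:]  # drop status line
        pairs = (h.split(":", 1) for h in head if ":" in h)
        hdrs = {k.strip().lower(): v.strip() for k, v in pairs}
        length = int(hdrs.get("content-length", 0))
        body = server_data[end + 4:end + 4 + length]
        if hdrs.get("content-encoding", "").lower() == "gzip":
            body = gzip.decompress(body)
        out.append((hdrs, body))
        pos = end + 4 + length
    return out

def correlate(client_data, server_data):
    """Pair each GET with its reply: on one persistent connection the server answers in
    request order, so the Nth response belongs to the Nth request."""
    return list(zip(parse_requests(client_data), parse_responses(server_data)))

def extract(streams, selector):
    """Pinpoint extraction: 's2f1' -> (url, content-type, body) of file 1 inside stream 2."""
    m = SELECTOR.match(selector)
    if not m:
        raise ValueError("selector must look like s<stream>f<file>, e.g. s2f1")
    s, f = int(m.group(1)), int(m.group(2))
    url, (hdrs, body) = correlate(*streams[s - 1])[f - 1]
    return url, hdrs.get("content-type", ""), body

def _reply(ctype, body, gzipped=False):  # builds replies for the constructed sample below
    body = gzip.compress(body) if gzipped else body
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype + b"\r\n"
            + (b"Content-Encoding: gzip\r\n" if gzipped else b"")
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)

# Constructed sample: stream 1 carries one file, stream 2 two GETs and two replies (1st gzipped).
CLIENT2 = b"GET /index.html HTTP/1.1\r\nHost: h\r\n\r\nGET /logo.gif HTTP/1.1\r\nHost: h\r\n\r\n"
STREAMS = [(b"GET /a.txt HTTP/1.0\r\n\r\n", _reply(b"text/plain", b"a")),
           (CLIENT2, _reply(b"text/html", b"<html>hi</html>", True)
            + _reply(b"image/gif", b"GIF89a" + b"\x00" * 10))]
```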

Comments
Question
Hey,
I am trying to use your setup to extract SMTP emails with attachments. Does your software have the ability to extract just smtp emails? I have installed the prerequisites, but am receiving an error when I try to analyze any pcap file. Here is the error:
bt pcap2 # python pcap.py -f Testpcap -s
Traceback (most recent call last):
File "/root/Desktop/pcap2/stream.py", line 132, in main
try: nids.run()
File "/root/Desktop/pcap2/stream.py", line 47, in handleTCP
self.processData(tcp, True)
File "/root/Desktop/pcap2/stream.py", line 108, in processData
self.scrapeData(data, s)
File "/root/Desktop/pcap2/stream.py", line 55, in scrapeData
d.main()
File "/root/Desktop/pcap2/stream.py", line 202, in main
self.getMagic()
File "/root/Desktop/pcap2/stream.py", line 157, in getMagic
ms = magic.open(magic.MAGIC_NONE)
AttributeError: 'module' object has no attribute 'open'
Packet Summary
Total Packets: 867
ARP: 2
UDP: 17
IP: 865
TCP: 848
Raw: 423
DNS: 14
Here are the versions of the software I am running:
Python 2.5.1 on BackTrack 3
python-magic 0.3.1
scapy 2.1.0
pynids 0.6.1
Thanks!
Python-magic
That version of python-magic is outdated and unsupported. Unfortunately the new supported python-magic (5.04) is supported by Debian- and Red Hat-based distros. You could use BT4, which is Debian-based now rather than Slackware-based (BT3).
If you want to keep using BT3, then you would have to change the API calls to the python-magic lib, which might break more code. I have considered making a web front end for this tool, so people wouldn't run into these problems.