MyGit

Srinivas11789/PcapXray

Fork: 281 Star: 1698 (更新于 2024-11-30 04:21:39)

license: GPL-2.0

Language: Python .

:snowflake: PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

最后发布版本: 3_0 ( 2019-08-22 12:10:41)

GitHub网址

PcapXray Build Status codecov defcon27

A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

Alt text

PcapXray Design Specification

Wiki has more help too.

Goal:

Given a Pcap File, plot a network diagram displaying hosts in the network, network traffic, highlight important traffic and Tor traffic as well as potential malicious traffic including data involved in the communication.

Problem:

  • Investigation of a Pcap file takes a long time given initial glitch to start the investigation

  • Faced by every forensics investigator and anyone who is analyzing the network

  • Location: https://github.com/Srinivas11789/PcapXray

Solution: Speed up the investigation process

  • Make a network diagram with the following features from a Pcap file Tool Highlights:
  • Network Diagram – Summary Network Diagram of full network
  • Information:
    • Web Traffic with Server Details
    • Tor Traffic
    • Possible Malicious traffic
    • Data Obtained from Packet in Report – Device/Traffic/Payloads
    • Device Details

Tool Image:

Alt text

Alt text

Components:

  • Network Diagram
  • Device/Traffic Details and Analysis
  • Malicious Traffic Identification
  • Tor Traffic
  • GUI – a gui with options to upload pcap file and display the network diagram

Setup

  • Python 3
apt install python3-pip
apt install python3-tk
apt install graphviz
apt install python3-pil python3-pil.imagetk
pip3 install -r requirements.txt
python3 Source/main.py

( Make sure to escalate privilege to allow file creations - Run with sudo )

For MAC:

brew install graphviz
  • Python 2
apt install python-tk
apt install graphviz
pip install -r requirements.txt
python Source/main.py

( Make sure to escalate privilege to allow file creations - Run with sudo )

Python Libraries Used: - All these libraries are required for functionality

  • Tkinter and TTK – Install from pip or apt-get – Ensure Tkinter and graphviz is installed (Most Linux contain by default)
    • apt install python-tk
    • apt install graphviz
    • apt install python3-tk (for python3 support)
    • Sometimes ImageTk errors are thrown in python3 env --> use apt install python3-pil python3-pil.imagetk
  • All these are included in the requirements.txt file
    • Scapy – rdpcap to read the packets from the pcap file
    • Ipwhois – to obtain whois information from ip
    • Netaddr – to check ip information type
    • Pillow – image processing library
    • Stem – tor consensus data fetch library
    • pyGraphviz – plot graph
    • Networkx – plot graph
    • Matplotlib – plot graph (not used as of now)

Demo

Alt text

Getting started:

  • Clone the repository
  • pip install -r requirements.txt
  • python Source/main.py

Additional Information:

  • Tested on Linux
  • Options for Traffic include - Web (HTTP and HTTPS), Tor, Malicious, ICMP, DNS

Challenges:

  • Unstability of the TK GUI:
    • Decision on the GUI between Django and TK, settled upon tk for a simple local interface, but the unstability of the tk gui caused a number of problems
  • Graph Plotting:
    • Plotting a proper network graph which is readable from the data obtained was quite an effort, used different libraries to arrive at one.
  • Performance and Timing:
    • The performance and timing of the total application was a big challenge with different data gathering and output generation

Known Bugs:

  • Memory Hogging

    • Sometimes memory hogging occurs when lower RAM is present in the system as the data stored in the memory from the pcap file is huge
    • Should be Fixed by moving data into a database than the memory itself
  • Race Condition

    • Due to mainloop of the TK gui, other threads could undergo a race condition
    • Should be fixed by moving to a better structured TK implementation or Web GUI
  • Tk GUI Unstability:

    • Same reason as above
  • Code:

    • clumsy and unstructured code flow
  • Current Fix in rare occasions: If any of the above issue occurs the progress bar keeps running and no output is generated, a restart of the app would be required.

Docker Containers of PcapXray

  • Dockerfile present in the root folder was used to build images
  • Already built docker images are found at dockerhub
    • srinivas11789/pcapxray-1.0
    • srinivas11789/pcapxray-2.2
  • Performing the steps in run.sh file manually would work to launch the tool via docker (I can help with errors)
  • Running run.sh scripts is an attempt to automate (would not work 100 percent)
    • tested on mac and linux - will be better soon!...

Immediate Future Tasks: (Target: 3.0)

  • Clean up code (beautify code base from being a prototype)
  • Report generation on unique folders for all assets of a packet capture
  • Suspicious activity detection
  • Support more pcap reader engine
  • Traffic support: ICMP, DNS
  • Known file type detection and Extract
  • Python2 and Python3
  • Interactive map

Future:

  • Structured and clean code flow
  • Change the database from JSON to sqlite or prominent database, due to memory hogging
  • Change fronend to web based such as Django
  • Make the application more stable
  • More protocol support
  • Clean up code

Credits:

  • Thanks for making it better,
    • Professor Marc Budofsky
    • Kevin Gallagher
  • Thanks for all the dependent libraries used
  • Logo created with logomakr.com and www.inkscape.org

Analytics

Just for Security Fun!

最近版本更新:(数据更新于 1970-01-01 00:00:00)

2019-08-22 12:10:41 3_0

2019-08-13 03:11:10 v2_9

2019-08-07 10:37:36 2_8_1

2019-08-07 04:52:34 2_8

2019-08-04 02:03:23 v2_7

2019-07-02 22:59:03 v2_6

2019-07-01 13:22:58 v2_6_beta

2019-05-15 09:08:21 2.5

2019-05-04 14:17:50 v2.4

2019-05-02 15:29:08 v2.3-beta

主题(topics):

computer-forensics, cybersecurity, forensic-analysis, forensics, network, network-diagram, packets, pcap, python, security, tor, tor-traffic, traffic

Srinivas11789/PcapXray同语言 Python最近更新仓库

2024-12-22 18:18:34 LeslieLeung/heimdallr

2024-12-22 09:03:32 ultralytics/ultralytics

2024-12-21 13:26:40 notepad-plus-plus/nppPluginList

2024-12-21 11:42:53 XiaoMi/ha_xiaomi_home

2024-12-21 04:33:22 comfyanonymous/ComfyUI

2024-12-20 18:47:56 home-assistant/core