Srinivas11789/PcapXray
Fork: 281 Star: 1698 (更新于 2024-11-30 04:21:39)
license: GPL-2.0
Language: Python .
:snowflake: PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
最后发布版本: 3_0 ( 2019-08-22 12:10:41)
PcapXray
A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
PcapXray Design Specification
Wiki has more help too.
Goal:
Given a Pcap File, plot a network diagram displaying hosts in the network, network traffic, highlight important traffic and Tor traffic as well as potential malicious traffic including data involved in the communication.
Problem:
-
Investigation of a Pcap file takes a long time given initial glitch to start the investigation
-
Faced by every forensics investigator and anyone who is analyzing the network
Solution: Speed up the investigation process
- Make a network diagram with the following features from a Pcap file Tool Highlights:
- Network Diagram – Summary Network Diagram of full network
- Information:
- Web Traffic with Server Details
- Tor Traffic
- Possible Malicious traffic
- Data Obtained from Packet in Report – Device/Traffic/Payloads
- Device Details
Tool Image:
Components:
- Network Diagram
- Device/Traffic Details and Analysis
- Malicious Traffic Identification
- Tor Traffic
- GUI – a gui with options to upload pcap file and display the network diagram
Setup
- Python 3
apt install python3-pip
apt install python3-tk
apt install graphviz
apt install python3-pil python3-pil.imagetk
pip3 install -r requirements.txt
python3 Source/main.py
( Make sure to escalate privilege to allow file creations - Run with sudo
)
For MAC:
brew install graphviz
- Python 2
apt install python-tk
apt install graphviz
pip install -r requirements.txt
python Source/main.py
( Make sure to escalate privilege to allow file creations - Run with sudo
)
Python Libraries Used: - All these libraries are required for functionality
- Tkinter and TTK – Install from pip or apt-get – Ensure Tkinter and graphviz is installed (Most Linux contain by default)
- apt install python-tk
- apt install graphviz
- apt install python3-tk (for python3 support)
- Sometimes ImageTk errors are thrown in python3 env --> use apt install python3-pil python3-pil.imagetk
- All these are included in the requirements.txt file
- Scapy – rdpcap to read the packets from the pcap file
- Ipwhois – to obtain whois information from ip
- Netaddr – to check ip information type
- Pillow – image processing library
- Stem – tor consensus data fetch library
- pyGraphviz – plot graph
- Networkx – plot graph
- Matplotlib – plot graph (not used as of now)
Demo
Getting started:
- Clone the repository
- pip install -r requirements.txt
- python Source/main.py
Additional Information:
- Tested on Linux
- Options for Traffic include - Web (HTTP and HTTPS), Tor, Malicious, ICMP, DNS
Challenges:
- Unstability of the TK GUI:
- Decision on the GUI between Django and TK, settled upon tk for a simple local interface, but the unstability of the tk gui caused a number of problems
- Graph Plotting:
- Plotting a proper network graph which is readable from the data obtained was quite an effort, used different libraries to arrive at one.
- Performance and Timing:
- The performance and timing of the total application was a big challenge with different data gathering and output generation
Known Bugs:
-
Memory Hogging
- Sometimes memory hogging occurs when lower RAM is present in the system as the data stored in the memory from the pcap file is huge
- Should be Fixed by moving data into a database than the memory itself
-
Race Condition
- Due to mainloop of the TK gui, other threads could undergo a race condition
- Should be fixed by moving to a better structured TK implementation or Web GUI
-
Tk GUI Unstability:
- Same reason as above
-
Code:
- clumsy and unstructured code flow
-
Current Fix in rare occasions: If any of the above issue occurs the progress bar keeps running and no output is generated, a restart of the app would be required.
Docker Containers of PcapXray
- Dockerfile present in the root folder was used to build images
- Already built docker images are found at dockerhub
- srinivas11789/pcapxray-1.0
- srinivas11789/pcapxray-2.2
- Performing the steps in
run.sh
file manually would work to launch the tool via docker (I can help with errors) - Running
run.sh
scripts is an attempt to automate (would not work 100 percent)- tested on mac and linux - will be better soon!...
Immediate Future Tasks: (Target: 3.0)
- Clean up code (beautify code base from being a prototype)
- Report generation on unique folders for all assets of a packet capture
- Suspicious activity detection
- Support more pcap reader engine
- Traffic support: ICMP, DNS
- Known file type detection and Extract
- Python2 and Python3
- Interactive map
Future:
- Structured and clean code flow
- Change the database from JSON to sqlite or prominent database, due to memory hogging
- Change fronend to web based such as Django
- Make the application more stable
- More protocol support
- Clean up code
Credits:
- Thanks for making it better,
- Professor Marc Budofsky
- Kevin Gallagher
- Thanks for all the dependent libraries used
- Logo created with logomakr.com and www.inkscape.org
Just for Security Fun!
最近版本更新:(数据更新于 1970-01-01 00:00:00)
2019-08-22 12:10:41 3_0
2019-08-13 03:11:10 v2_9
2019-08-07 10:37:36 2_8_1
2019-08-07 04:52:34 2_8
2019-08-04 02:03:23 v2_7
2019-07-02 22:59:03 v2_6
2019-07-01 13:22:58 v2_6_beta
2019-05-15 09:08:21 2.5
2019-05-04 14:17:50 v2.4
2019-05-02 15:29:08 v2.3-beta
主题(topics):
computer-forensics, cybersecurity, forensic-analysis, forensics, network, network-diagram, packets, pcap, python, security, tor, tor-traffic, traffic
Srinivas11789/PcapXray同语言 Python最近更新仓库
2024-12-22 18:18:34 LeslieLeung/heimdallr
2024-12-22 09:03:32 ultralytics/ultralytics
2024-12-21 13:26:40 notepad-plus-plus/nppPluginList
2024-12-21 11:42:53 XiaoMi/ha_xiaomi_home
2024-12-21 04:33:22 comfyanonymous/ComfyUI
2024-12-20 18:47:56 home-assistant/core