Pcap Forensics Tool

According to Google Reader stats, I have 135 people following this blog (I assume that counts only people using Google Reader), so I will most likely make posts more frequently. This post showcases a new Pcap Forensics Tool written in Python using both Scapy and Pynids. As of now, the tool offers the following features:

- Packet Summary
- DNS Summary
- Stream Summary
- List files within streams (magic bytes)
- List files within archives in streams (ZIP and TAR)
- Extract files based on magic type
- Look within ZIP and TAR archives for file types to extract
- GZIP decompression for files and archives
- Extraction Summary
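As an added example (not code from the tool or its author), the following Python shows the magic-byte carving, archive listing and GZIP handling from the feature list applied to a constructed byte stream; it uses only the standard library instead of Scapy, Pynids or python-magic, and the signature table, the HTTP header and the sample stream are assumptions.

```python
import gzip
import io
import re
import tarfile
import zipfile
import zlib

# Assumed signature table (a tiny subset); the real tool defers to python-magic
SIGNATURES = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"\x1f\x8b\x08": "gzip"}
PATTERN = re.compile(b"|".join(re.escape(m) for m in SIGNATURES))  # one alternation for all magics
HTTP_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"

def carve(stream):
    # (offset, kind) for every signature occurrence, in stream order
    return [(m.start(), SIGNATURES[m.group()]) for m in PATTERN.finditer(stream)]

def scan_stream(stream):
    """Return (offset, kind, member_names) for each object carved from the stream."""
    found, consumed = [], set()
    for off, kind in carve(stream):
        if off in consumed:
            continue
        blob, names = stream[off:], []
        if kind == "zip":
            # Each ZIP member has its own PK\x03\x04 local header, so a naive scan would
            # report every member as a new archive; mark those offsets as consumed instead
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    names.append(info.filename)
                    consumed.add(off + info.header_offset)
        elif kind == "gzip":
            # Inflate only this gzip member; any bytes after it land in unused_data
            inner = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(blob)
            try:
                with tarfile.open(fileobj=io.BytesIO(inner)) as tf:
                    names = tf.getnames()  # a gzip-wrapped tar (.tar.gz)
            except tarfile.TarError:
                pass  # a plain gzip'd file rather than an archive
        found.append((off, kind, names))
    return found

def build_sample_stream():
    """Constructed sample: an HTTP response carrying a PDF stub, a ZIP and a .tar.gz."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "meeting notes")
        zf.writestr("config.ini", "[main]\nkey=value\n")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("docs/readme.txt")
        info.size = len(b"readme")
        tf.addfile(info, io.BytesIO(b"readme"))
    return HTTP_HEADER + b"%PDF-1.4\n%stub\n" + zbuf.getvalue() + gzip.compress(tbuf.getvalue(), mtime=0)
```

Calling `scan_stream(build_sample_stream())` lists one PDF, one ZIP with two members and one gzip-wrapped tar, while the raw `carve()` shows the second ZIP local header as an extra hit that the dedup step suppresses.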

The following is an example of running the script to see the command line options that can be used:

Scanning a single packet capture and displaying the summary will look something like this:

Once you know which files are located within a stream, you can choose which of them to extract:

I am currently looking to extend this tool to cover the other archive types supported by Python. Any suggestions to improve the tool would be appreciated. The two Python scripts required to use this tool are located here:

Pcap Forensics Tool

This tool requires Scapy, Pynids and python-magic.
*Please use the updated Pynids at the link above, as the original Pynids site hosts a much older version.