Dshell-plugins

The Bitcoin and NBNS decoders are now included in the U.S. Army Research Lab's Dshell repository.

This plugins repository is an unofficial library of decoders for Dshell, the U.S. Army Research Lab's network forensic analysis framework: https://github.com/USArmyResearchLab/Dshell

For general questions regarding Dshell, please see their README.md.

Prerequisites

Setup

After installing Dshell, download these additional decoders and move them to <install-location>/decoders/misc/

  • To confirm that these decoders are now available for use within Dshell:
    • ./dshell starts Dshell (you should see the Dshell> prompt)
    • decode -l lists the available decoders

Basic Usage

  • decode -d <decoder>
    • Displays information about the decoder, including command-line flags
  • decode -d <decoder> <pcap>
    • Runs the desired decoder on the pcap or list of pcaps
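The setup and verification steps above, collected into a small POSIX shell helper. This is an added example, not a script from this repository or from Dshell; it assumes the decoders to add are the *.py files in a source directory, that the Dshell install location is passed as the second argument, and that the output of decode -l contains each decoder's name on its own line (the exact listing format is an assumption).

```shell
# Hypothetical helper (not part of Dshell or this plugins repository).
# Assumes: $2 is the Dshell install location and $1 holds the decoder
# *.py files to add; decode -l prints one decoder name per line.

# Copy the decoder files into <install-location>/decoders/misc/.
install_decoders() {
  src_dir="$1"
  dshell_home="$2"
  mkdir -p "$dshell_home/decoders/misc" || return 1
  for f in "$src_dir"/*.py; do
    [ -f "$f" ] || continue
    cp "$f" "$dshell_home/decoders/misc/" || return 1
  done
}

# Read the output of `decode -l` on stdin and check that every decoder
# name given as an argument appears in it. Reports each missing name on
# stderr and returns 1 if any is missing, 0 otherwise.
check_listed() {
  listing=$(cat)
  rc=0
  for name in "$@"; do
    if ! printf '%s\n' "$listing" | grep -q -- "$name"; then
      echo "missing decoder: $name" >&2
      rc=1
    fi
  done
  return $rc
}

# Typical use after installing Dshell (run from inside ./dshell so that
# decode is on the PATH):
#   install_decoders ./decoders /opt/Dshell
#   decode -l | check_listed bitcoin nbns
```

If check_listed reports a missing decoder, the usual causes are a file copied outside decoders/misc/ or a decoder that fails to import; running decode -d <decoder> on it shows the import error directly.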