ForensicPCAP

ABOUT

ForensicPCAP is a Python Network Forensic tool to analyze a PCAP file.

DEPENDENCIES

ForensicPCAP uses Scapy and Cmd2, so first install them by typing :

apt-get install python-scapy
pip install cmd2

HOW TO USE IT

ForensicPCAP uses Cmd2, so you can just type "help" or "help <command>" to get information. ">" can be used to redirect output to a file. "shell" lets you execute shell commands.

Launch
python forensicPCAP file.pcap
Help
ForPCAP >>> help

Documented commands (type help <topic>):
========================================
_load           dstports  history  list   py    search     show   
_relative_load  ed        ipsrc    load   r     set        stat   
cmdenvironment  edit      l        mail   run   shell      version
dns             hi        li       pause  save  shortcuts  web    

Undocumented commands:
======================
EOF  eof  exit  help  q  quit
Stats

Prints stats about PCAP

ForPCAP >>> stat
## Calculating statistics about the PCAP ... OK.
## Statistics :
TCP : 142 packet(s)
UDP : 81 packet(s)
ICMP : 0 packet(s)
Other : 24 packet(s)
Total : 247 packet(s)
## End of statistics
Show

Prints information about packet or last command result.
Usage :

  • show : print result of the last command
  • show <packet id> : show information about a specific packet
  • show raw : show the raw data if last command was followtcpstream
  • show pcap : show all a summary of all packets
Dns

Prints all DNS requests from the PCAP file. The id before the DNS name is the packet's id, which can be used with the "show" command.

ForPCAP >>> dns
## Listing all DNS requests ...OK.
## Result : 34 DNS request(s)
ForPCAP >>> show
1 | www.url.com
2 | www.url2.com

Dstports

Prints all destination ports from the PCAP file. The id before the port is the packet's id, which can be used with the "show" command.

ForPCAP >>> dstports
## Listing all destination port in the PCAP ... OK.
Result : 20 ports##
ForPCAP >>> show
43 | 443
44 | 80
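
The "stat" and "dstports" commands above are built on Scapy. As an added example that is not part of ForensicPCAP itself, the following pure-Python snippet (no Scapy needed) reads a classic pcap byte string, sorts frames into the same TCP / UDP / ICMP / Other buckets that "stat" prints, and collects TCP/UDP destination ports as "dstports" does; the five-frame capture it runs on is constructed inline, not a real trace.

```python
import struct
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}  # "stat" buckets; anything else is "Other"

def iter_pcap_frames(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled by this minimal parser")
    off = 24  # 24-byte global header, then (16-byte record header + frame) repeated
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def pcap_stats(data):
    """Return (protocol counts, destination ports), like "stat" and "dstports" do."""
    counts = {"TCP": 0, "UDP": 0, "ICMP": 0, "Other": 0}
    dst_ports = []
    for frame in iter_pcap_frames(data):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != 0x0800 or len(frame) < 34:  # ARP, IPv6, truncated: "Other"
            counts["Other"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
        name = PROTO_NAMES.get(frame[23], "Other")   # protocol = byte 9 of IPv4 header
        counts[name] += 1
        if name in ("TCP", "UDP"):                   # dst port = bytes 2-3 of TCP/UDP
            dst_ports.append(struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0])
    counts["Total"] = sum(counts.values())
    return counts, dst_ports

def build_sample_pcap():
    """Constructed five-frame capture (not a real trace): 2 TCP, 1 UDP, 1 ICMP, 1 ARP."""
    def frame(ethertype, proto, dport):
        eth = b"\x00" * 12 + struct.pack("!H", ethertype)
        if ethertype != 0x0800:
            return eth + b"\x00" * 28                # ARP body, counted as Other
        l4 = struct.pack("!HH", 49173, dport) + b"\x00" * 16
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([192, 168, 0, 1]))
        return eth + ip + l4
    frames = [frame(0x0800, 6, 80), frame(0x0800, 6, 443), frame(0x0800, 17, 53),
              frame(0x0800, 1, 0), frame(0x0806, 0, 0)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out
```

On a real capture, pass the bytes of the file (open(path, "rb").read()) to pcap_stats; pcapng files are rejected rather than misread.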
Ipsrc

Prints the number of source IPs and stores them.

ForPCAP >>> ipsrc
## Searching IP source ... .OK.
Result : 1 ips##
ForPCAP >>> show
10.0.0.1
Web

Prints the number of web requests and stores them.

ForPCAP >>> web
## Searching web's request ... .................OK.

Web's request : 17
ForPCAP >>> show
GET / HTTP/1.1
Cache-Control: max-age = 1800
Connection: Keep-Alive
Accept: */*
User-Agent: 
Host: www.url.com
Mail

Prints the number of mail requests and stores them.

ForPCAP >>> mail
## Searching mail's request ... OK.
Mail's request : 4
ForPCAP >>> show
+OK Dovecot ready.
CAPA
+OK
....
FollowTCPStream

Follows a TCP stream.
Usage :

  • followtcpstream
Search

Searches for specific packets.
Usage :

- search <options>
        -p | --protocol <port number> (TCP by default) : this option must be the first option if changed
        --ip <ip>
        --dport | --destination-port <port number>
        --sport | --source_port <port number>
        --ipsrc | --ip-source <ip>
        --ipdst | --ip-destination <ip>
        -s | --string <string> : will search the string in all packets

Example :

ForPCAP >>> search --dport 80
## Searching request ... ..............................................................................................................
Search's result : 1
ForPCAP >>> show
1 | Ether / IP / TCP 10.0.0.1:49173 > 192.168.0.1:http S

Contact

You can contact me at cloud(at)madpowah(dot)org