/NetPlier

NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

NetPlier

NetPlier is a tool for binary protocol reverse engineering. It takes network traces as input and infer the keywork by multiple sequence alignment and probabilistic inference. Please find the details in our paper: NETPLIER: Probabilistic Network Protocol Reverse Engineering from Message Traces.

Installation

  • Install dependencies (python 3.6 or higher):
$ pip install -r requirements.txt

Usage

Run NetPlier with the following command:

$ python main.py -i INPUT_FILE_PATH -o OUTPUT_DIR -t PROTOCOL_TYPE [Other Options]

e.g.:

$ python netplier/main.py -i data/dhcp_100.pcap -o tmp/dhcp -t dhcp 

Arguments:

  • -i, --input: the filepath of input trace (required)
  • -o, --output_dir: the folder for output files (default: tmp/)
  • -t, --type: the type of the test protocol (for generating the ground truth)
    currently it supports dhcp, dnp3, icmp, modbus, ntp, smb, smb2, tftp, zeroaccess
  • -l, --layer: the layer of the protocol (default: 5)
    for the network layer protocol (e.g., icmp), it should be 3
  • -m, --mafft: the alignment mode of mafft, including ginsi(default), linsi, einsi
    refer to mafft for detailed features of each mode
  • -mt, --multithread: using multithreading for alignment (default: False)