Re2Pcap: Create PCAP file from raw HTTP request or response in seconds

<p align="middle"> <img src='https://img.shields.io/static/v1?label=Python3&message=Requests%20|%20Flask%20|%20Pexpect%20|%20Http.server%20|%20Http.client%20|%20Httpretty&color=blue' title='Shields'/> <img src='https://img.shields.io/static/v1?label=&message=Snort%20|%20Docker%20|%20Alpine%20Linux%20%20|%20PCAP%20|%20Tcpdump%20&color=success' title='Shields'/> </p> <img src='/Re2Pcap/static/img/re2pcap.png' title='Re2Pcap Logo'/>

Re2Pcap is an abbreviation for Request2Pcap and Response2Pcap. Community users can quickly create a PCAP file using Re2Pcap and test it against Snort rules.

Re2Pcap allows you to quickly create a PCAP file for a raw HTTP request such as the one shown below:

POST /admin/tools/iplogging.cgi HTTP/1.1
Host: 192.168.13.31:80
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.13.31:80/admin/tools/iplogging.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 63
Cookie: token=1e9c07e135a15e40b3290c320245ca9a
Connection: close

tcpdumpParams=tcpdump -z reboot -G 2 -i eth0&stateRequest=start

Usage

git clone https://github.com/Cisco-Talos/Re2Pcap.git
cd Re2Pcap/
./re2pcap.sh

OR

docker run --rm --cap-add NET_ADMIN -p 5000:5000 --name re2pcap amitraut/re2pcap

Open localhost:5000 in your web browser to access Re2Pcap, or use the Re2Pcap-cmd script to interact with the Re2Pcap container and get the PCAP in the current working directory.

Requirements

Advantages

Dockerfile

FROM alpine

# Get required dependencies and setup for Re2Pcap
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
RUN apk update && apk add python3 tcpdump tcpreplay
RUN pip3 install --upgrade pip
RUN pip3 install pexpect flask requests httpretty requests-toolbelt

COPY Re2Pcap/ /Re2Pcap
RUN cd Re2Pcap && chmod +x Re2Pcap.py

WORKDIR /Re2Pcap
EXPOSE 5000/tcp

# Run application at start of new container
CMD ["/usr/bin/python3", "Re2Pcap.py"]

Walkthrough

<img src='/Re2Pcap/static/img/Re2Pcap_Demo.gif' title='Re2Pcap Demo' alt='Re2Pcap Demo Walkthrough' /> <img src='/Re2Pcap/static/img/Re2Pcap_Demo1.gif' title='Re2Pcap-cmd Demo' alt='Re2Pcap-cmd Demo'/>

Re2Pcap Workflow

<img src='/Re2Pcap/static/img/workflow.png' title='Re2Pcap Workflow' alt='Re2Pcap Workflow'/>

As shown in the image above, Re2Pcap is an Alpine Linux based Python3 application with a Flask based web interface.

Re2Pcap parses the input data as a raw HTTP request or response and actually performs the client/server interaction while capturing packets. After the interaction, Re2Pcap presents the captured packets as a PCAP file.
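To make the parsing step concrete, here is an added example (not Re2Pcap's own code) that splits pasted raw HTTP into start line, headers and body, decides whether it is a request or a response, and flags a Content-Length that disagrees with the body, since a mismatch would make the replayed peer hang or truncate during the capture. The request sample is the one shown in this README; the response sample is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class RawHttp:
    kind: str          # "request" or "response"
    start_line: tuple  # (method, target, version) or (version, status, reason)
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    problems: list = field(default_factory=list)

def parse_raw_http(raw: str) -> RawHttp:
    # Pasted text may use CRLF or bare LF; normalise, then split head from body.
    head, _, body = raw.replace("\r\n", "\n").lstrip("\n").partition("\n\n")
    lines = head.split("\n")
    first = lines[0].split(" ", 2)
    if first[0].startswith("HTTP/"):  # status line => this is a response
        kind = "response"
        start = (first[0], int(first[1]), first[2] if len(first) > 2 else "")
    else:                              # request line: METHOD TARGET VERSION
        if len(first) != 3 or not first[2].startswith("HTTP/"):
            raise ValueError(f"malformed request line: {lines[0]!r}")
        kind, start = "request", tuple(first)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # field names are case-insensitive
    msg = RawHttp(kind, start, headers, body.encode())
    # A wrong Content-Length makes the replayed peer hang or truncate the body, so flag it.
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(msg.body):
        msg.problems.append(f"Content-Length is {declared} but body is {len(msg.body)} bytes")
    return msg

# Sample input: the raw request shown in this README, re-typed with CRLF line endings.
SAMPLE_REQUEST = (
    "POST /admin/tools/iplogging.cgi HTTP/1.1\r\n"
    "Host: 192.168.13.31:80\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "Content-Length: 63\r\n"
    "Connection: close\r\n\r\n"
    "tcpdumpParams=tcpdump -z reboot -G 2 -i eth0&stateRequest=start"
)
# Constructed response sample (not from the README) with a deliberately wrong length.
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nstarted"
if __name__ == "__main__":
    for sample in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        m = parse_raw_http(sample)
        print(m.kind, m.start_line, len(m.body), "bytes", m.problems or "OK")
```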

Recommendations

Limitations


I hope you find Re2Pcap helpful. If you face issues with Re2Pcap, please create an issue with your inputs. Thank you! :)

Enjoy 😊