ForensicPCAP

ABOUT

ForensicPCAP is a Python network forensics tool for analyzing PCAP files.

DEPENDENCIES

ForensicPCAP depends on Scapy and Cmd2, so install them first:

```sh
apt-get install python-scapy
pip install cmd2
```

HOW TO USE IT

ForensicPCAP is built on Cmd2, so you can type "help" or "help <command>" to get information about a command. `>` redirects a command's output to a file. "shell" lets you run shell commands from the prompt.

Launch

```sh
python forensicPCAP file.pcap
```

Help

```sh
ForPCAP >>> help

Documented commands (type help <topic>):
========================================
_load           dstports  history  list   py    search     show   
_relative_load  ed        ipsrc    load   r     set        stat   
cmdenvironment  edit      l        mail   run   shell      version
dns             hi        li       pause  save  shortcuts  web    

Undocumented commands:
======================
EOF  eof  exit  help  q  quit
```
Stats

Prints statistics about the PCAP (packet counts per transport protocol).

```sh
ForPCAP >>> stat
## Calculating statistics about the PCAP ... OK.
## Statistics :
TCP : 142 packet(s)
UDP : 81 packet(s)
ICMP : 0 packet(s)
Other : 24 packet(s)
Total : 247 packet(s)
## End of statistics
```
Show

Prints information about a packet, or the result of the last command. Usage :

Dns

Prints all DNS requests found in the PCAP file. The id shown before each name is the packet's id, which can be used with the "show" command.

```sh
ForPCAP >>> dns
## Listing all DNS requests ...OK.
## Result : 34 DNS request(s)
ForPCAP >>> show
1 | www.url.com
2 | www.url2.com
```
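To show what the "stat" and "dns" commands are doing under the hood, here is an added example (not ForensicPCAP's own code, which uses Scapy): a dependency-free walker over a classic little-endian pcap that counts TCP/UDP/ICMP/Other packets and lists DNS query names with their packet ids. The sample capture, the 10.0.0.1/192.168.0.1 addresses and the helper names are constructed for this example; it assumes Ethernet link type, IPv4 and DNS questions without label compression.

```python
import struct
from collections import Counter

def frames(data):
    """Yield (packet_id, raw_frame) from a classic little-endian pcap; ids start at 1."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:   # assumption: no pcapng
        raise ValueError("not a little-endian classic pcap")
    off, pid = 24, 1                                         # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2] # 16-byte record header
        yield pid, data[off + 16:off + 16 + incl_len]
        off, pid = off + 16 + incl_len, pid + 1

def dns_qname(dns):
    """First question name of a DNS message (assumes no label compression)."""
    labels, i = [], 12                                       # questions start after the 12-byte header
    while dns[i]:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii"))
        i += dns[i] + 1
    return ".".join(labels)

def analyze(data):
    """Return (Counter of TCP/UDP/ICMP/Other/Total, [(packet_id, qname)] for DNS queries)."""
    stats, dns = Counter(), []
    for pid, f in frames(data):
        if len(f) < 34 or f[12:14] != b"\x08\x00":          # non-IPv4 frames count as 'Other'
            stats["Other"] += 1
            continue
        proto, l4 = f[23], 14 + (f[14] & 0x0F) * 4          # IP protocol byte, start of L4 header
        stats[{6: "TCP", 17: "UDP", 1: "ICMP"}.get(proto, "Other")] += 1
        if proto == 17 and struct.unpack_from("!H", f, l4 + 2)[0] == 53:
            dns.append((pid, dns_qname(f[l4 + 8:])))         # UDP header is 8 bytes
    stats["Total"] = sum(stats.values())
    return stats, dns

# Constructed sample capture: two TCP SYNs, two DNS queries and one ARP frame.
def _ipv4(proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4
def _tcp_syn(dport):
    return _ipv4(6, struct.pack("!HHIIBBHHH", 49173, dport, 0, 0, 0x50, 0x02, 8192, 0, 0))
def _dns_query(qname):
    q = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00\x00\x01\x00\x01"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q
    return _ipv4(17, struct.pack("!HHHH", 49173, 53, 8 + len(msg), 0) + msg)
ARP = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in [_tcp_syn(80), _dns_query("www.url.com"), _tcp_syn(443), _dns_query("www.url2.com"), ARP])
```

Running `analyze(SAMPLE_PCAP)` on the constructed capture gives TCP 2, UDP 2, ICMP 0, Other 1, Total 5 and the DNS list `[(2, 'www.url.com'), (4, 'www.url2.com')]`, in the same "id | name" shape the "show" output above uses.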

Dstports

Prints all destination ports found in the PCAP file. The id shown before each port is the packet's id, which can be used with the "show" command.

```sh
ForPCAP >>> dstports
## Listing all destination port in the PCAP ... OK.
Result : 20 ports##
ForPCAP >>> show
43 | 443
44 | 80
```
Ipsrc

Prints the number of distinct source IP addresses and stores them for "show".

```sh
ForPCAP >>> ipsrc
## Searching IP source ... .OK.
Result : 1 ips##
ForPCAP >>> show
10.0.0.1
```
Web

Prints the number of web (HTTP) requests and stores them for "show".

```sh
ForPCAP >>> web
## Searching web's request ... .................OK.

Web's request : 17
ForPCAP >>> show
GET / HTTP/1.1
Cache-Control: max-age = 1800
Connection: Keep-Alive
Accept: */*
User-Agent: 
Host: www.url.com
```
Mail

Prints the number of mail requests and stores them for "show".

```sh
ForPCAP >>> mail
## Searching mail's request ... OK.
Mail's request : 4
ForPCAP >>> show
+OK Dovecot ready.
CAPA
+OK
....
```
FollowTCPStream

Lets you follow a TCP stream. Usage :

Search

Searches for packets matching the given criteria. Usage :

```sh
search <options>
        -p | --protocol <port number> (TCP by default) : this option must be the first option if changed
        --ip <ip>
        --dport | --destination-port <port number>
        --sport | --source_port <port number>
        --ipsrc | --ip-source <ip>
        --ipdst | --ip-destination <ip>
        -s | --string <string> : will search the string in all packets
```

Example :

```sh
ForPCAP >>> search --dport 80
## Searching request ... ..............................................................................................................
Search's result : 1
ForPCAP >>> show
1 | Ether / IP / TCP 10.0.0.1:49173 > 192.168.0.1:http S
```

Contact

You can contact me at cloud(at)madpowah(dot)org