
Packet Communication Investigator

https://github.com/michoo/pci

Simply import network traffic into a graph tool to analyse packet interactions between machines and networks using a graph approach, to help investigate what's happening on your network. 3 modes are available (see the usage examples under "How to use it?").

It will resolve the server name and geolocate it based on the IP address (v4).

From the neo4j browser, available at localhost:7474 (screenshot)

From www/index.html (auto-updates every minute, for a 3D visualization) (screenshot)

nb*: for the live ring capture mode you'll need to modify the pyshark project: in liveCapture.py, line 68, the line to change is

#params += ['-r', '-']

Prerequisites

You'll need:

nb1: Docker

To help with running Docker, I made some scripts for newbies:

nb2: Tshark / Wireshark

If you get a 'Permission Denied' error when running wireshark or tshark as a local user, you can add your user account to the wireshark group to avoid running pci.py with sudo:

# permit all users to analyse traffic (by being part of wireshark's group)
sudo dpkg-reconfigure wireshark-common
# add your local user to the wireshark group so it can analyse traffic
sudo usermod -a -G wireshark $USER
# log out and back in so the new group membership takes effect
gnome-session-quit --logout --no-prompt

How to use it?

1. setup.sh

A script to download the GeoIP database into the right location.

2. Start the neo4j server (docker)

In neo4j-docker, run ./build.sh and then ./start.sh

3. Run the pci.py script

Then you can run ./pci.py (inside the pipenv shell!):

./pci.py -i wlp3s0
./pci.py -i wlp3s0 -r
./pci.py -f db/pcap/pci_00001_20191029095803.pcapng

Afterwards you'll see nodes appearing in the neo4j browser (http://localhost:7474).
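To make the import step concrete, here is an added example (not pci's own code) that aggregates packet records into a host-interaction graph and emits the neo4j Cypher that would load it. The packet tuples are constructed inline as a stand-in for what a pcap/live capture yields; the node label (Host), relationship type (TALKS_TO) and property names are assumptions, not pci's actual schema.

```python
"""Packets -> host-interaction graph -> Cypher (added example; schema names are assumed)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample packets: (src_ip, dst_ip, protocol, dst_port).
PACKETS = [
    ("192.168.1.10", "93.184.216.34", "TCP", 443),
    ("192.168.1.10", "93.184.216.34", "TCP", 443),
    ("192.168.1.10", "1.1.1.1", "UDP", 53),
    ("192.168.1.22", "192.168.1.10", "TCP", 22),
    ("192.168.1.22", "8.8.4.4", "TCP", 8080),
]

def build_graph(packets):
    """Aggregate packets into edges keyed by (src, dst, proto, port) with a packet count.
    Every address is parsed with ipaddress, so a malformed or crafted field raises here
    instead of ending up verbatim inside a Cypher string."""
    edges = Counter()
    for src, dst, proto, port in packets:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        edges[(src, dst, proto, int(port))] += 1
    return edges

def to_cypher(edges):
    """Emit idempotent MERGE statements: one per host, one per aggregated edge.
    Hosts carry a private/public flag so the graph can be filtered in the browser."""
    hosts = sorted({h for e in edges for h in e[:2]})
    stmts = []
    for h in hosts:
        private = str(ipaddress.ip_address(h).is_private).lower()
        stmts.append(f"MERGE (:Host {{ip: '{h}', private: {private}}})")
    for (src, dst, proto, port), n in sorted(edges.items()):
        stmts.append(
            f"MATCH (a:Host {{ip: '{src}'}}), (b:Host {{ip: '{dst}'}}) "
            f"MERGE (a)-[r:TALKS_TO {{proto: '{proto}', port: {port}}}]->(b) "
            f"SET r.packets = coalesce(r.packets, 0) + {n}"
        )
    return stmts

def fan_out(edges):
    """Distinct public destinations per source host: a quick triage view of the graph."""
    dests = defaultdict(set)
    for src, dst, _, _ in edges:
        if not ipaddress.ip_address(dst).is_private:
            dests[src].add(dst)
    return {s: len(d) for s, d in dests.items()}

if __name__ == "__main__":
    graph = build_graph(PACKETS)
    print("\n".join(to_cypher(graph)))
    print(fan_out(graph))
```

With a real neo4j driver the values would be passed as query parameters rather than formatted into the statement text; the ipaddress check above is what keeps the string form safe here.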

clean.sh

Just a script to clean directories before committing.

FAQ:

Tested