PcapXray V2.5 - A Network Forensics Tool To Visualize A Packet Capture Offline As A Network Diagram


PcapXray is a Network Forensics Tool to visualize a Packet Capture offline as a Network Diagram, including device identification, highlighting of important communication and file extraction.

PcapXray Design Specification

Goal:
Given a Pcap File, plot a network diagram displaying hosts in the network, network traffic, highlighting important traffic and Tor traffic as well as potential malicious traffic, including the data involved in the communication.

Problem:
  • Investigation of a Pcap file takes a long time given the initial glitch to start the investigation
  • Faced by every forensics investigator and anyone who is analyzing the network
  • Location: https://github.com/Srinivas11789/PcapXray

Solution: Speed up the investigation process
  • Make a network diagram with the following features from a Pcap file

Tool Highlights:
  • Network Diagram – Summary Network Diagram of the full network
  • Information:
    • Web Traffic with Server Details
    • Tor Traffic
    • Possible Malicious traffic
    • Data Obtained from Packets in Report – Device/Traffic/Payloads
    • Device Details

Tool Image:

Components:
  • Network Diagram
  • Device/Traffic Details and Analysis
  • Malicious Traffic Identification
  • Tor Traffic
  • GUI – a gui with options to upload a pcap file and display the network diagram

Python Libraries Used: - All these libraries are required for functionality
  • Tkinter and TTK – Install from pip or apt-get – Ensure Tkinter and graphviz are installed (most Linux distributions include them by default)
    • apt install python-tk
    • apt install graphviz
    • apt install python3-tk (for python3 support)
    • Sometimes ImageTk errors are thrown in a python3 env --> use apt install python3-pil python3-pil.imagetk
  • All these are included in the requirements.txt file
    • Scapy – rdpcap to read the packets from the pcap file
    • Ipwhois – to obtain whois information from ip
    • Netaddr – to check ip information type
    • Pillow – image processing library
    • Stem – tor consensus information fetch library
    • pyGraphviz – plot graph
    • Networkx – plot graph
    • Matplotlib – plot graph (not used as of now)
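To show what the pipeline above amounts to (read a pcap offline, classify each flow into the traffic categories the tool highlights, tell private from public hosts, hand the result to Graphviz), here is an added, stdlib-only example; it is not PcapXray's code, which uses Scapy, Netaddr and pyGraphviz for the same steps. The frames and pcap bytes are constructed in the block, and the output is DOT text that the graphviz package listed above can render.

```python
import ipaddress, socket, struct
from collections import defaultdict

PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS"}  # destination ports the tool highlights

def ipv4_frame(src, dst, proto, payload=b""):
    """Ethernet/IPv4 frame for constructed sample traffic (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def build_pcap(frames):
    """Wrap frames in a little-endian pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for f in frames:
        out.append(struct.pack("<IIII", 0, 0, len(f), len(f)) + f)
    return b"".join(out)

def classify(proto, dport):
    if proto == 1:
        return "ICMP"
    if proto in (6, 17):
        return PORTS.get(dport, "TCP" if proto == 6 else "UDP")
    return "OTHER"

def parse_flows(data):
    """Count (src, dst, category) flows in a pcap; non-IPv4 frames are skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"
    flows, off = defaultdict(int), 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(e + "IIII", data, off)[2]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else 0
        flows[(src, dst, classify(proto, dport))] += 1
    return dict(flows)

def to_dot(flows):
    """Graphviz DOT text: private hosts drawn as boxes, public hosts as ellipses."""
    hosts = {h for s, d, _ in flows for h in (s, d)}
    lines = ["digraph pcap {"] + [
        f'  "{h}" [shape={"box" if ipaddress.ip_address(h).is_private else "ellipse"}];'
        for h in sorted(hosts)]
    lines += [f'  "{s}" -> "{d}" [label="{k} x{n}"];' for (s, d, k), n in sorted(flows.items())]
    return "\n".join(lines + ["}"])
```

Pipe the DOT text into `dot -Tpng` to get the same kind of host-to-host picture the tool draws; a real capture replaces the constructed frames with the bytes of the .pcap file.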

Demo


Getting started:
  • Clone the repository
  • pip install -r requirements.txt
  • python Source/main.py

Additional Information:
  • Tested on Linux
  • Options for Traffic include - Web (HTTP and HTTPS), Tor, Malicious, ICMP, DNS

Challenges:
  • Instability of the TK GUI:
    • Decision on the GUI between Django and TK, settled upon tk for a simple local interface, but the instability of the tk gui caused a number of problems
  • Graph Plotting:
    • Plotting a proper network graph which is readable from the information obtained was quite an effort, used different libraries to land at one.
  • Performance and Timing:
    • The performance and timing of the whole application was a big challenge with different information gathering and output generation

Known Bugs:
  • Memory Hogging
    • Sometimes memory hogging occurs when lower RAM is present in the system, as the information stored in memory from the pcap file is huge
    • Should be fixed by moving information into a database rather than memory itself
  • Race Condition
    • Due to the mainloop of the TK gui, other threads could undergo a race condition
    • Should be fixed by moving to a better structured TK implementation or Web GUI
  • Tk GUI Instability:
    • Same reason as above
  • Code:
    • clumsy and unstructured code flow
  • Current Fix on rare occasions: If any of the above issues occurs, the progress bar keeps running and no output is generated; a restart of the app would be required.

Docker Containers of PcapXray
  • Dockerfile present in the root folder was used to build images
  • Already built docker images are found at dockerhub
    • srinivas11789/pcapxray-1.0
    • srinivas11789/pcapxray-2.2
  • Performing the steps in the run.sh file manually would work to launch the tool via docker (I can help with errors)
  • Running the run.sh script is an attempt to automate (would not work 100 percent)
    • tested on mac and linux - will be better soon!...

PcapXray 2.0
  • Includes zoom feature
  • Improves usability with a Browse files feature
  • Report directory fixes for graph images
  • Includes some bug fixes

Immediate Future Tasks: (Target: 3.0)
  • Clean up code (beautify code base from being a prototype)
  • Report generation in unique folders for all assets of a packet capture
  • Suspicious activity detection
  • Support more pcap reader engines
  • Traffic support: ICMP, DNS
  • Known file type detection and extraction
  • Python2 and Python3

Future:
  • Structured and clean code flow
  • Change the database from JSON to sqlite or a prominent database, due to memory hogging
  • Change frontend to web based such as Django
  • Make the application more stable
  • More protocol support
  • Clean upwards code

Just for Security Fun!