
PCAP Tools

* Due to slight variations in the plugin engine, be sure to download the plugin for the right version of ProcDOT

Project source can be downloaded from

https://github.com/Beercow/ProcDOT-Plugins/tree/master/PCAP_tools

Author & Contributor List

Brian Maloney

Overview

PCAP_tools is a set of plugins to add functionality to ProcDOT. With this plugin, you will be able to dump files from the pcap and view flows in ProcDOT. TCPflow is used with the plugin to accomplish this.

Setup

Download the files from the repository for your system. Move the pcap_tools(.py) and pdp files into your ProcDOT plugins directory. These plugins depend on Python 2.7 and tcpflow 1.4.4 or later (http://www.digitalcorpora.org/downloads/tcpflow/). Place the tcpflow executable either in the plugin folder or in a path callable from the system. On Windows, make sure pcap_tools.bat contains the right path to python.


Fire up ProcDOT and there should be an entry in the Plugin menu called Extract Files From PCAP, and a right click option on a server node labeled Follow TCP Stream and Extract File(s) From Flow.

Extract Files From PCAP

Extract Files From PCAP is controlled by pcap_tools_files.pdp. With this config file in the ProcDOT plugins folder, there should now be an entry in the plugins menu.

[Screenshot: Plugins menu]

This plugin will allow you to extract files that are contained in the pcap file loaded in ProcDOT. Once selected, a new window will open asking you which hash algorithm you want to use (MD5, SHA1, SHA256). Once you are done picking a hash, it will ask for a folder to save the files in.

[Screenshots: pcap_tools_gui hash selection, save folder prompt]

If there are files in the pcap, they should be hashed accordingly in the save folder.

[Screenshot: Hashed files in the save folder]

Follow TCP Stream

Follow TCP Stream is controlled by pcap_tools_stream.pdp. With this config file loaded in the ProcDOT plugins folder, there should now be an entry in the right click menu when you are on a server node.

[Screenshot: Server node right click menu]

The plugin will allow you to view complete flows natively in ProcDOT. They will look similar to viewing them in Wireshark.

[Screenshots: Wireshark stream view, ProcDOT stream view]

Also, if a stream contains gzipped data, Follow TCP Stream should automagically ungzip the stream.

[Screenshots: Wireshark gzip data, ProcDOT gzip data]

Extract File(s) From Flow

Extract File(s) From Flow is controlled by pcap_tools_stream_file.pdp. With this config file loaded in the ProcDOT plugins folder, there should now be an entry in the right click menu when you are on a server node.

The plugin will allow you to extract the files from the flow. Once selected, a new window will open asking you which hash algorithm you want to use (MD5, SHA1, SHA256). Once you are done picking a hash, it will ask for a folder to save the files in.

If there are files in the flow, they should be hashed accordingly in the save folder.
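The two steps described above for a flow, transparently ungzipping the stream data (Follow TCP Stream) and then hashing the carved payload with the chosen algorithm and saving it (Extract File(s) From Flow), as an added Python 3 example that is not the plugin's own Python 2.7 code. It assumes the flow is a tcpflow-style server-to-client HTTP response and, as an assumption about the plugin's naming, that each saved file is named by its hex digest; the sample flow is constructed inline.

```python
import gzip
import hashlib
import os

GZIP_MAGIC = b"\x1f\x8b"
ALGORITHMS = ("md5", "sha1", "sha256")  # the choices the plugin offers


def split_http_response(flow):
    """Split a server-to-client flow into (header_bytes, body_bytes).
    A flow without an HTTP header terminator is treated as a bare body."""
    sep = flow.find(b"\r\n\r\n")
    if sep < 0:
        return b"", flow
    return flow[:sep], flow[sep + 4:]


def ungzip_if_needed(body):
    """Decompress a gzip body the way Follow TCP Stream does automatically.
    Returns (data, was_gzipped); truncated or corrupt gzip falls back to raw."""
    if not body.startswith(GZIP_MAGIC):
        return body, False
    try:
        return gzip.decompress(body), True
    except (OSError, EOFError):
        return body, False


def extract_file_from_flow(flow, algorithm, save_folder):
    """Carve the payload from a flow, hash it and save it under its digest
    (digest-based naming is an assumption, not taken from the plugin)."""
    algorithm = algorithm.lower()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported hash algorithm: %s" % algorithm)
    _headers, body = split_http_response(flow)
    data, was_gzipped = ungzip_if_needed(body)
    digest = hashlib.new(algorithm, data).hexdigest()
    os.makedirs(save_folder, exist_ok=True)
    with open(os.path.join(save_folder, digest), "wb") as fh:
        fh.write(data)
    return digest, was_gzipped, len(data)


# Constructed sample: an HTTP response whose body is gzip-compressed.
SAMPLE_BODY = b"constructed sample payload for the extraction example\n"
SAMPLE_FLOW = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
               b"Content-Type: application/octet-stream\r\n\r\n"
               + gzip.compress(SAMPLE_BODY))

if __name__ == "__main__":
    print(extract_file_from_flow(SAMPLE_FLOW, "sha256", "extracted"))
```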

Bugs