Skip to content
passive downloading
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
modules log handling, clarified licensing details Jul 26, 2011
LICENSE Create LICENSE Mar 26, 2015
README.rst cpu load is high Jul 4, 2011 log handling, clarified licensing details Jul 26, 2011


passdown analyzes current (or saved) TCP traffic and extracts transferred files in order to store them to disk. It currently supports HTTP downloads in IPv4 or IPv6, but can easily extended. Sniffing is done with scapy.


Currently no installation required. Just run either as root to search for files in your current traffic or give it a pcap-file as first argument to work with previous transfers.

passdown depends on scapy, which has to be installed and available. Try installing it with your preferred method (apt, pacman, yum, ...). Instead you can just put in the same directory and be fine.


You can hack your own protocol to get files from, by defining a class and giving it the properties name and regex. The name should be human-readable and the regex should match to the traffic returned from the server (i.e. the party that accepts the TCP connection). The constructor of your class should accept two parameters: The data streams sent by server and client (in that order). You can then put the classname in the PROTOCOLS array. Note that you will have to adjust the filter applied to the sniff call, unless your protocol runs on tcp port 80 as well ;)

Known Bugs / TODO

  • TCP packets are not reordered.
  • Retransmissions are not handled
  • FIN-Handling is a little wrong
  • CPU load is a little high
  • We sometimes get I/O Errors on our streams
  • RST packets are currently unknown to passdown
  • No real option/parameter handling, verbosity switches would be nice
You can’t perform that action at this time.