clipp is a command line tool to parse and explore PCAP files (and soon, PCAP-NG files). For the moment, this tool only parse IPv4, TCP and UDP protocols. I may add support for IPv6, DNS and HTTP in the future.
pip install -r requirements.txt
clipp is a shell, just start it like this:
$python clipp.py
________ ___ ___ ________ ________
|\ ____\|\ \ |\ \|\ __ \|\ __ \
\ \ \___|\ \ \ \ \ \ \ \|\ \ \ \|\ \
\ \ \ \ \ \ \ \ \ \ ____\ \ ____\
\ \ \____\ \ \____\ \ \ \ \___|\ \ \___|
\ \_______\ \_______\ \__\ \__\ \ \__\
\|_______|\|_______|\|__|\|__| \|__|
Command Line Interface Packet Parser.
Type "help" or "?" to list available commands.
Type "help <command>" to see the command's help.
clipp>>
Right now, the available commands are :
- help : list available commands.
- set option=value : change configuration (see Config above), value will be 1 or 0.
- load FILENAME : load and parse a pcap file.
- sessions [SESSION_ID] : list all the TCP/UDP sessions, or enter the SESSION_ID session.
- search [options] PATTERN : search for a hex or string pattern in all sessions.
- stream [options] : print the current session in the choosen format (help stream for more details).
- extract -p PKT_NUMBER : extract HTTP POST key values data.
- dump [options] FILENAME : dump TCP/UDP (packet or session, help dump for more details) to FILENAME.
Only two config variables are supported right now:
- mobile : 1 tells clipp that the PCAP file comes from a phone capture (dummy ethernet layer, 16 bytes), 0 for standard ethernet layer.
- ip-layer : 1 tells clipp that the first layer of the file is an IP layer, 0 means first layer is ethernet.
Default values are 0 for both options.
clipp>>set mobile=1
clipp>>set ip-layer=0