This AdvancePcapXray tool is a modified version of https://github.com/Srinivas11789/PcapXray
The modifications done here are:
- Automated analysis
- ISP details of an IP in the interactive graph report
- Colour coding of malicious actors, using data collected from the AbuseIPDB API
- Fully command line based
- Live analysis of Zeek-generated pcap files
- First, clone the GitHub repository
git clone https://github.com/ramz-021002/AdvancePcapXray.git
- Install a few requirements
sudo apt install python3-pip
sudo apt install python3-tk
sudo apt install graphviz
sudo apt install python3-pil python3-pil.imagetk
- Install other requirements using pip from the requirements.txt
sudo pip3 install -r requirements.txt
- In the file plot_lan_network.py:
  a. Add your AbuseIPDB API key
  b. In the main definition, add the path where you cloned the repository
- In user_interface.py, add the path where you cloned the repository
- If Zeek is not present on the machine, install Zeek (see the Zeek installation steps further down)
- Once Zeek is successfully installed, change to the Zeek directory using the following command
cd <your-path>/AdvancePcapXray/zeek
- Run the capture.sh file (modify the command as per your machine)
./capture.sh
- You will observe that a file named with the current date is created, along with the pcap and other log files.
- Now open a new terminal window and change to the repository directory as follows
cd <your-path>/AdvancePcapXray
- Run main.sh with sudo (modify the command as per your machine)
sudo ./main.sh
- Once the analysis of an iteration is done, you can see the generated report in the Report folder inside the Module folder.
- You can view the interactive graph and look up the ISP details of every IP node present.
- Update and upgrade the Ubuntu machine
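The colour coding and ISP labelling described above depend on one AbuseIPDB lookup per public IP node. The block below is an added illustration of how such a lookup can be wired into a graph, not AdvancePcapXray's own code: it skips private, loopback, link-local and multicast addresses so internal addressing is never sent to a third-party service, caches results so repeated IPs do not burn the daily API quota, and degrades to a grey "unknown" node when a lookup fails. The request format and the `data.abuseConfidenceScore`, `data.isp` and `data.countryCode` fields are those of the AbuseIPDB v2 `/check` endpoint; the colour scheme, score thresholds, `annotate_nodes` helper and sample responses are assumptions made for this example.

```python
"""Added example (not AdvancePcapXray's own code): colour graph nodes by AbuseIPDB
confidence score and pull the ISP field for the node label."""
import ipaddress
import json
import urllib.parse
import urllib.request

ABUSEIPDB_CHECK_URL = "https://api.abuseipdb.com/api/v2/check"  # real v2 endpoint

# Assumed colour scheme; the project's actual colours are not stated on the page.
COLOUR_BY_RISK = {"malicious": "red", "suspicious": "orange", "clean": "green", "unknown": "grey"}

# Ranges that never belong to a public host and must not be sent to the API.
# IANA documentation ranges (e.g. 198.51.100.0/24) are deliberately not excluded
# so the constructed sample data below can be run offline.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_public_ip(ip):
    """True only for addresses worth (and safe) to look up externally."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in _NON_PUBLIC)


def risk_from_score(score):
    """Map AbuseIPDB's 0..100 abuseConfidenceScore to a risk bucket (thresholds assumed)."""
    if score is None:
        return "unknown"
    if score >= 75:
        return "malicious"
    if score >= 25:
        return "suspicious"
    return "clean"


def parse_abuseipdb_response(body):
    """Extract the fields the graph needs from an AbuseIPDB /check JSON body."""
    data = json.loads(body).get("data", {})
    return {
        "ip": data.get("ipAddress"),
        "score": data.get("abuseConfidenceScore"),
        "isp": data.get("isp") or "unknown ISP",
        "country": data.get("countryCode") or "??",
        "reports": data.get("totalReports", 0),
    }


def fetch_abuseipdb(ip, api_key, max_age_days=90, opener=urllib.request.urlopen):
    """Query the live API; `opener` is injectable so the caller can test offline."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    req = urllib.request.Request(
        f"{ABUSEIPDB_CHECK_URL}?{query}",
        headers={"Key": api_key, "Accept": "application/json"},
    )
    with opener(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def annotate_nodes(ips, api_key, lookup=fetch_abuseipdb, cache=None):
    """Return {ip: {"risk", "colour", "label", ...}} for every node in the graph.
    `cache` (a dict) is shared across iterations so repeated IPs are looked up once."""
    cache = {} if cache is None else cache
    result = {}
    for ip in ips:
        if not is_public_ip(ip):
            result[ip] = {"risk": "unknown", "colour": COLOUR_BY_RISK["unknown"],
                          "label": f"{ip}\n(local)"}
            continue
        if ip not in cache:
            try:
                cache[ip] = parse_abuseipdb_response(lookup(ip, api_key))
            except Exception:  # network error, quota exhausted, malformed body
                cache[ip] = {"ip": ip, "score": None, "isp": "lookup failed",
                             "country": "??", "reports": 0}
        info = cache[ip]
        risk = risk_from_score(info["score"])
        score_txt = "?" if info["score"] is None else str(info["score"])
        result[ip] = {**info, "risk": risk, "colour": COLOUR_BY_RISK[risk],
                      "label": f"{ip}\n{info['isp']} ({info['country']})\nabuse {score_txt}/100"}
    return result


# Constructed sample responses in the shape of the real API (values invented).
SAMPLE_RESPONSES = {
    "198.51.100.23": '{"data": {"ipAddress": "198.51.100.23", "abuseConfidenceScore": 100,'
                     ' "isp": "Example Hosting Ltd", "countryCode": "NL", "totalReports": 412}}',
    "203.0.113.9": '{"data": {"ipAddress": "203.0.113.9", "abuseConfidenceScore": 0,'
                   ' "isp": "Example Telecom", "countryCode": "US", "totalReports": 0}}',
}


def offline_lookup(ip, api_key):
    """Stand-in for fetch_abuseipdb that serves the constructed samples."""
    return SAMPLE_RESPONSES[ip]


if __name__ == "__main__":
    nodes = annotate_nodes(["10.0.0.5", "198.51.100.23", "203.0.113.9"],
                           "YOUR_ABUSEIPDB_KEY", lookup=offline_lookup)
    for ip, info in nodes.items():
        print(ip, info["colour"], info["label"].replace("\n", " | "))
```

To use it against the live API, pass your key and leave `lookup` at its default; keeping the `cache` dict alive between iterations of main.sh keeps a long-running live analysis within the AbuseIPDB daily request limit.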
sudo apt-get update
sudo apt-get upgrade
- Install the dependencies
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3-dev swig zlib1g-dev
- Go to the Zeek website and download the Zeek source archive.
- Change to the download folder and uncompress the file
tar -xzf zeek-<version>.tar.gz
- Change to the extracted Zeek folder and run
./configure
- Now run make and then sudo make install
make
sudo make install
- Once the above commands have finished, edit your ~/.bashrc using
nano ~/.bashrc
- Add Zeek to your PATH by appending
export PATH=/usr/local/zeek/bin:$PATH
- Run the source command, then check the Zeek path and version
source ~/.bashrc
which zeek
zeek --version
- Change to the /usr/local/zeek/etc folder and check your interface name using ifconfig
cd /usr/local/zeek/etc
ifconfig
- In node.cfg, set the interface to the one assigned by your system
nano node.cfg
- Now change to the bin folder and run the zeekctl check
cd ..
cd bin
sudo ./zeekctl check
- Once the output reports that the Zeek scripts are ok, deploy with zeekctl
sudo ./zeekctl deploy
- To check the status of Zeek
sudo ./zeekctl status