Skip to content
This repository was archived by the owner on May 18, 2021. It is now read-only.

rapid7/python-sortcap

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
Dockerfile
Dockerfile
 
 
LICENSE.md
LICENSE.md
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
pcaptools.py
pcaptools.py
 
 
searchcap
searchcap
 
 
sortcap
sortcap
 
 

Repository files navigation

python-sortcap

Or in short: sortcap

Problem Statement

Medium to large sized PCAPs are tricky to "access" in the sense that all tools will go over the whole file to show details about a certain connection / ip.

Sortcap

We just sort the pcap's packets, ordered by the "connection tuple" (src, sport, dst, dport, proto). This way you can remember the offset of the first packet for one of the tuples, and then efficiently extract all related packets. The connection information can then be indexed somehow so one can search for an ip / port to get the respective offsets.

Example

./sortcap -i <input_pcap> -o <output_pcap>

Or with the Docker image:

docker run --rm --net=none -v $PWD:/pcap r7labs/sortcap -i input.pcap -o output.pcap

If you have a pcapng or pcapng.gz etc, you need to preprocess with mergecap

docker run --rm --net=none -v $PWD:/pcap --entrypoint mergecap r7labs/sortcap -F pcap -w output.pcap input.pcapng.gz

Future work

  • Support pcapng / gzipped natively
  • Other indexing options (see --index)
  • Other protocol types?

About

Created by Derek Abdine via the GitHub Connector

Resources

Readme

License

View license
Activity
Custom properties

Stars

2 stars

Watchers

18 watching

Forks

5 forks
Report repository

Releases 4

1.3 Latest
Jan 26, 2017
+ 3 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages