PcapXray v2.5 - A Network Forensics Tool To Visualize A Packet Capture Offline As A Network Diagram


PcapXray is a Network Forensics Tool To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction.

PcapXray Design Specification

Goal:
Given a Pcap File, plot a network diagram displaying hosts in the network, network traffic, highlight important traffic and Tor traffic as well as potential malicious traffic including data involved in the communication.

Problem:
  • Investigation of a Pcap file takes a long time given initial glitch to start the investigation
  • Faced by every forensics investigator and anyone who is analyzing the network
  • Location: https://github.com/Srinivas11789/PcapXray

Solution: Speed up the investigation process
  • Make a network diagram with the following features from a Pcap file Tool Highlights:
  • Network Diagram – Summary Network Diagram of full network
  • Information:
    • Web Traffic with Server Details
    • Tor Traffic
    • Possible Malicious traffic
    • Data Obtained from Packet in Report – Device/Traffic/Payloads
    • Device Details

Tool Image:






Components:
  • Network Diagram
  • Device/Traffic Details and Analysis
  • Malicious Traffic Identification
  • Tor Traffic
  • GUI – a gui with options to upload pcap file and display the network diagram

Python Libraries Used: - All these libraries are required for functionality
  • Tkinter and TTK – Install from pip or apt-get – Ensure Tkinter and graphviz is installed (Most Linux contain by default)
    • apt install python-tk
    • apt install graphviz
    • apt install python3-tk (for python3 support)
    • Sometimes ImageTk errors are thrown in python3 env --> use apt install python3-pil python3-pil.imagetk
  • All these are included in the requirements.txt file
    • Scapy – rdpcap to read the packets from the pcap file
    • Ipwhois – to obtain whois information from ip
    • Netaddr – to check ip information type
    • Pillow – image processing library
    • Stem – tor consensus data fetch library
    • pyGraphviz – plot graph
    • Networkx – plot graph
    • Matplotlib – plot graph (not used as of now)

Demo


Getting started:
  • Clone the repository
  • pip install -r requirements.txt
  • python Source/main.py

Additional Information:
  • Tested on Linux
  • Options for Traffic include - Web (HTTP and HTTPS), Tor, Malicious, ICMP, DNS

Challenges:
  • Unstability of the TK GUI:
    • Decision on the GUI between Django and TK, settled upon tk for a simple local interface, but the unstability of the tk gui caused a number of problems
  • Graph Plotting:
    • Plotting a proper network graph which is readable from the data obtained was quite an effort, used different libraries to arrive at one.
  • Performance and Timing:
    • The performance and timing of the total application was a big challenge with different data gathering and output generation

Known Bugs:
  • Memory Hogging
    • Sometimes memory hogging occurs when lower RAM is present in the system as the data stored in the memory from the pcap file is huge
    • Should be Fixed by moving data into a database than the memory itself
  • Race Condition
    • Due to mainloop of the TK gui, other threads could undergo a race condition
    • Should be fixed by moving to a better structured TK implementation or Web GUI
  • Tk GUI Unstability:
    • Same reason as above
  • Code:
    • clumsy and unstructured code flow
  • Current Fix in rare occasions: If any of the above issue occurs the progress bar keeps running and no output is generated, a restart of the app would be required.

Docker Containers of PcapXray
  • Dockerfile present in the root folder was used to build images
  • Already built docker images are found at dockerhub
    • srinivas11789/pcapxray-1.0
    • srinivas11789/pcapxray-2.2
  • Performing the steps in run.sh file manually would work to launch the tool via docker (I can help with errors)
  • Running run.sh scripts is an attempt to automate (would not work 100 percent)
    • tested on mac and linux - will be better soon!...

PcapXray 2.0
  • Includes zoom feature
  • Improves usability with a Browse files feature
  • Report directory fixes for graph images
  • Includes some bug fixes

Immediate Future Tasks: (Target: 3.0)
  • Clean up code (beautify code base from being a prototype)
  • Report generation on unique folders for all assets of a packet capture
  • Suspicious activity detection
  • Support more pcap reader engine
  • Traffic support: ICMP, DNS
  • Known file type detection and Extract
  • Python2 and Python3

Future:
  • Structured and clean code flow
  • Change the database from JSON to sqlite or prominent database, due to memory hogging
  • Change fronend to web based such as Django
  • Make the application more stable
  • More protocol support
  • Clean up code

Just for Security Fun!


Disqus Comments