ForensicPCAP is a Python network forensic tool for analyzing a PCAP file.
ForensicPCAP uses Scapy and Cmd2, so first install them by typing:
```sh
apt-get install python-scapy
easy_install cmd2
```
ForensicPCAP uses Cmd2, so you can just type "help" or "help <command>" to get information. `>` can be used to write a command's result to a file, and "shell" lets you execute shell commands.
```sh
python forensicPCAP file.pcap
```
```sh
ForPCAP >>> help
Documented commands (type help <topic>):
========================================
_load           dstports  history  list   py    search     show
_relative_load  ed        ipsrc    load   r     set        stat
cmdenvironment  edit      l        mail   run   shell      version
dns             hi        li       pause  save  shortcuts  web
Undocumented commands:
======================
EOF  eof  exit  help  q  quit
```
stat: prints statistics about the PCAP.
```sh
ForPCAP >>> stat
## Calculating statistics about the PCAP ... OK.
## Statistics :
TCP : 142 packet(s)
UDP : 81 packet(s)
ICMP : 0 packet(s)
Other : 24 packet(s)
Total : 247 packet(s)
## End of statistics
```
show: prints information about a packet or the result of the last command.
Usage:
- show : print the result of the last command
- show <packet id> : show information about a specific packet
- show raw : show the raw data if the last command was followtcpstream
- show pcap : show a summary of all packets
dns: prints all DNS requests from the PCAP file. The id before each DNS name is the packet's id, which can be used with the "show" command.
```sh
ForPCAP >>> dns
## Listing all DNS requests ...OK.
## Result : 34 DNS request(s)
ForPCAP >>> show
1 | www.url.com
2 | www.url2.com
```
dstports: prints all destination ports from the PCAP file. The id before each port is the packet's id, which can be used with the "show" command.
```sh
ForPCAP >>> dstports
## Listing all destination port in the PCAP ... OK.
Result : 20 ports##
ForPCAP >>> show
43 | 443
44 | 80
```
ipsrc: prints the number of source IP addresses and stores them.
```sh
ForPCAP >>> ipsrc
## Searching IP source ... .OK.
Result : 1 ips##
ForPCAP >>> show
10.0.0.1
```
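As an added illustration (not the tool's own code, which relies on Scapy), this is what the stat, dstports and ipsrc commands above compute, done with a minimal pure-Python libpcap reader over a constructed in-memory capture so it runs without Scapy. It assumes Ethernet/IPv4 frames and ignores IP options beyond the IHL field.

```python
import struct
from collections import Counter

# Constructed sample traffic (not from any real capture): raw Ethernet/IPv4
# frames wrapped in a libpcap file, built entirely in memory.
def _frame(proto, src, dst, sport=0, dport=0):
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + l4   # checksum left zero

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame(6, "10.0.0.1", "192.168.0.1", 49173, 80),
    _frame(6, "10.0.0.1", "192.168.0.1", 49174, 443),
    _frame(17, "10.0.0.1", "10.0.0.53", 51000, 53),
    _frame(1, "10.0.0.2", "10.0.0.1"),
    b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28,   # ARP frame -> "Other"
])

def iter_frames(data):
    """Yield raw frames from a little- or big-endian libpcap file."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def classify(frame):
    """Return (proto, src_ip, dst_ip, dport); non-IPv4 frames count as 'Other'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "Other", None, None, None
    ihl = (frame[14] & 0x0F) * 4
    proto = {6: "TCP", 17: "UDP", 1: "ICMP"}.get(frame[23], "Other")
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    dport = struct.unpack("!H", l4[2:4])[0] if proto in ("TCP", "UDP") and len(l4) >= 4 else None
    return proto, src, dst, dport

def stat(data):
    """Same counters as the tool's `stat` command (TCP/UDP/ICMP/Other/Total)."""
    c = Counter(classify(f)[0] for f in iter_frames(data))
    c["Total"] = sum(c.values())
    return c

def dstports(data):
    """(packet id, destination port) pairs, ids starting at 1 as `show` prints them."""
    return [(i, p[3]) for i, p in enumerate(map(classify, iter_frames(data)), 1) if p[3] is not None]

def ipsrc(data):
    """Distinct source IPs, as the `ipsrc` command stores them."""
    return sorted({p[1] for p in map(classify, iter_frames(data)) if p[1]})
```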
web: prints the number of HTTP requests and stores them.
```sh
ForPCAP >>> web
## Searching web's request ... .................OK.
Web's request : 17
ForPCAP >>> show
GET / HTTP/1.1
Cache-Control: max-age = 1800
Connection: Keep-Alive
Accept: */*
User-Agent:
Host: www.url.com
```
mail: prints the number of mail requests and stores them.
```sh
ForPCAP >>> mail
## Searching mail's request ... OK.
Mail's request : 4
ForPCAP >>> show
+OK Dovecot ready.
CAPA
+OK
....
```
followtcpstream: follows a TCP stream.
Usage:
- followtcpstream
search: searches for specific packets.
Usage:
- search <options>
  - -p | --protocol <port number> (TCP by default) : if used, this option must come first
  - --ip <ip>
  - --dport | --destination-port <port number>
  - --sport | --source_port <port number>
  - --ipsrc | --ip-source <ip>
  - --ipdst | --ip-destination <ip>
  - -s | --string <string> : searches for the string in all packets
Example:
```sh
ForPCAP >>> search --dport 80
## Searching request ... ..............................................................................................................
Search's result : 1
ForPCAP >>> show
1 | Ether / IP / TCP 10.0.0.1:49173 > 192.168.0.1:http S
```
You can contact me at cloud(at)madpowah(dot)org