PcapXray


A network forensics tool that visualizes a packet capture offline as a network diagram, including device identification, highlighting of important communication, and file extraction.

PcapXray Design Specification

Objective:

Given a pcap file, the cyber security expert should be able to plot a network diagram displaying the hosts in the network and the traffic between them, highlighting important traffic, Tor traffic and potentially malicious traffic, including the data involved in the communication.

Problem:

Investigating a pcap file takes a long time because of the initial hurdle of getting the investigation started; every forensics investigator, and anyone analyzing network traffic, faces this.

Location: https://github.com/Srinivas11789/PcapXray

Solution: Speed up the investigation process

Make a network diagram with the following features from a pcap file. Tool highlights:

Network Diagram – Summary Network Diagram of full network

Information:

Traffic with Server Details, Tor Traffic, Possible Malicious traffic, Data Obtained from Packet in Report – Device/Traffic/Payloads and Device Details.


Components:

Network Diagram, Device/Traffic Details and Analysis, Malicious Traffic Identification and Tor Traffic.

GUI – a GUI with options to upload a pcap file and display the network diagram

Python libraries used – all of these libraries are required for functionality:

  • Tkinter and TTK – install from pip or apt-get. Ensure Tkinter and Graphviz are installed; an information security professional noted that most Linux distributions include them by default.

apt install python-tk

apt install graphviz

  • All these are included in the requirements.txt file

Scapy – rdpcap to read the packets from the pcap file

Ipwhois – to obtain whois information from ip

Netaddr – to check ip information type

Pillow – image processing library

Stem – tor consensus data fetch library

pyGraphviz – plot graph

Networkx – plot graph

Matplotlib – plot graph
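To make the pipeline above concrete, here is an added example (not PcapXray's own code) that performs the core steps in plain Python: it aggregates flows into a host graph, identifies local devices by RFC 1918 range (standing in for netaddr), flags destinations found in a Tor relay list (a constructed set standing in for the consensus Stem would fetch), and emits Graphviz DOT text (what pyGraphviz would plot). The flows are constructed sample data in place of packets read with scapy's rdpcap().

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows standing in for packets read with scapy's rdpcap():
# (source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    ("192.168.1.10", "93.184.216.34", 443),
    ("192.168.1.10", "93.184.216.34", 443),
    ("192.168.1.10", "198.51.100.7", 9001),   # constructed Tor relay address
    ("192.168.1.22", "192.168.1.1", 53),
    ("192.168.1.22", "203.0.113.9", 80),      # plaintext HTTP to an external host
]

# Constructed stand-in for the relay list Stem would fetch from the Tor consensus.
TOR_RELAYS = {"198.51.100.7"}

# RFC 1918 ranges: hosts inside these are treated as local devices on the LAN.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_host(ip):
    """Device identification: 'local' for RFC 1918 addresses, 'external' otherwise."""
    addr = ipaddress.ip_address(ip)
    return "local" if any(addr in net for net in LAN_RANGES) else "external"

def build_graph(flows, tor_relays):
    """Aggregate per (src, dst) pair: packet count, ports seen, and a Tor flag."""
    edges = defaultdict(lambda: {"packets": 0, "ports": set(), "tor": False})
    for src, dst, dport in flows:
        e = edges[(src, dst)]
        e["packets"] += 1
        e["ports"].add(dport)
        if dst in tor_relays:
            e["tor"] = True
    return edges

def to_dot(edges):
    """Render the graph as Graphviz DOT: local hosts boxed, Tor edges red, HTTP orange."""
    lines = ["digraph pcap {"]
    hosts = {h for pair in edges for h in pair}
    for h in sorted(hosts):
        shape = "box" if classify_host(h) == "local" else "ellipse"
        lines.append(f'  "{h}" [shape={shape}];')
    for (src, dst), e in sorted(edges.items()):
        color = "red" if e["tor"] else ("orange" if 80 in e["ports"] else "black")
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        count = e["packets"]
        lines.append(f'  "{src}" -> "{dst}" [label="{ports} x{count}", color={color}];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(build_graph(SAMPLE_FLOWS, TOR_RELAYS)))
```

Pipe the printed DOT into `dot -Tpng` to get the same kind of diagram the tool renders; real use would replace SAMPLE_FLOWS with IP/TCP/UDP fields pulled from rdpcap() packets.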

Challenges:

Instability of the TK GUI:

Deciding on the GUI between Django and Tk: Tk was settled upon for a simple local interface, but the instability of the Tk GUI caused a number of problems.

Graph Plotting:

Plotting a proper network graph which is readable from the data obtained.

Known Bugs:

Memory Hogging

According to a cyber security specialist, memory hogging sometimes occurs on systems with little RAM, since the data loaded into memory from the pcap file is large. The problem should be fixed by moving the data into a database.

Race Condition

Because of the main loop of the Tk GUI, other threads can run into a race condition. The problem should be fixed by moving to a better structured Tk implementation or a web GUI.

Tk GUI instability: same reason as above.

If any of the above issues occurs, the progress bar keeps running and no output is generated; a restart of the app is required.

Future:

Change the data store from JSON to SQLite or another established database because of the memory hogging, and change the frontend to a web-based one such as Django to make the application more stable, according to an information security expert.