A Network Forensics Tool: to visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
PcapXray Design Specification
The cyber security expert, with a Pcap File, plot a network diagram displaying hosts in the network, network traffic, highlight important traffic and Tor traffic as well as potential malicious traffic including data involved in the communication.
Investigation of a Pcap file takes a long time given initial glitch to start the investigation, and this is faced by every forensics investigator and anyone who is analyzing the network
Solution: Speed up the investigation process
Make a network diagram with the following features from a Pcap file Tool Highlights:
Network Diagram – Summary Network Diagram of full network
Traffic with Server Details, Tor Traffic, Possible Malicious traffic, Data Obtained from Packet in Report – Device/Traffic/Payloads and Device Details.
Network Diagram, Device/Traffic Details and Analysis, Malicious Traffic Identification and Tor Traffic.
GUI – a gui with options to upload pcap file and display the network diagram
Python Libraries Used: – All these libraries are required for functionality
- Tkinter and TTK – Install from pip or apt-get – Ensure Tkinter and graphviz is installed, an information security professional said that the most Linux contain by default.
apt install python-tk
apt install graphviz
- All these are included in the requirements.txt file
Scapy – rdpcap to read the packets from the pcap file
Ipwhois – to obtain whois information from ip
Netaddr – to check ip information type
Pillow – image processing library
Stem – tor consensus data fetch library
pyGraphviz – plot graph
Networkx – plot graph
Matplotlib – plot graph
Instability of the TK GUI:
Decision on the GUI between Django and TK, settled upon tk for a simple local interface, the instability of the tk gui caused a number of problems
Plotting a proper network graph which is readable from the data obtained.
According to a cyber security specialist, sometimes memory hogging occurs when lower RAM is present in the system as the data stored in the memory from the pcap file is huge. The problem should be fixed by moving data into a database.
Due to main loop of the TK gui, other threads could undergo a race condition. The problem should be fixed by moving to a better structured TK implementation or Web GUI.
Tk GUI Instability: same reason above.
If any of the above issue occurs the progress bar keeps running and no output is generated, a restart of the app would be required.
Change the database from JSON to sqlite or prominent database, due to memory hogging. Change frontend to web based such as Django, make the application more stable, according to an information security expert.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.