packetsifterTool – A Tool To Aid Analysts In Sifting Through A Packet Capture (Pcap) To Find Noteworthy Traffic


PacketSifter is a tool to perform batch processing of PCAP files to uncover potential IOCs.
Simply initialize PacketSifter with your desired integrations (VirusTotal, AbuseIPDB), pass PacketSifter a pcap and the desired switches, and PacketSifter will sift through the data and generate a number of output files.

Note: Please run AbuseIPDBInitial.sh and VTInitial.sh prior to using their corresponding switches, or the integrations will not work.

05/27/2021
PacketSifter has been revamped to allow a more streamlined interaction with the user. Simply download the new updated packetsifter.sh, run ./packetsifter -h and learn how to properly use the new PacketSifter!

Author

Ross Burke (Twitter @packetsifter)

How it works

Simply pass PacketSifter the pcap to analyze along with your desired flags and let PacketSifter do the work for you!

Example:

# ./packetsifter -i /tmp/testing.pcap -a -r -v

Command Line Options

OPTIONS:

  • -a   enable AbuseIPDB lookups of IP addresses in DNS A records
  • -h   print help
  • -i   input file [Required]
  • -r   resolve hostnames in pcap [Can result in DNS queries to attacker infrastructure]
  • -v   enable VirusTotal lookup of exported SMB/HTTP objects
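
The -r switch issues live DNS queries, which is why the option carries the warning about attacker infrastructure. The following is an added example (not PacketSifter's own code) showing the passive alternative: the DNS responses already captured in the pcap are enough to label most endpoints without sending a single query. It assumes the answers were exported with a tshark command of the form `tshark -r dns.pcap -Y "dns.flags.response == 1" -T fields -e dns.qry.name -e dns.a -e dns.txt` (tab-separated, with multiple A answers joined by commas as tshark does by default); the sample lines and hostnames below are constructed.

```python
from collections import defaultdict

# Constructed sample in the shape of
#   tshark -r dns.pcap -Y "dns.flags.response == 1" -T fields \
#          -e dns.qry.name -e dns.a -e dns.txt
# Columns: query name, A answers (comma-joined), TXT answer. All values are made up.
SAMPLE = "\n".join([
    "update.example.net\t203.0.113.9,203.0.113.10\t",
    "cdn.example.org\t198.51.100.20\t",
    "update.example.net\t203.0.113.9\t",
    "_check.example.net\t\tv=spf1 -all",
])


def parse_dns_answers(text):
    """Yield (qname, [A records], [TXT records]) for each response line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (3 - len(parts))          # tolerate missing trailing columns
        qname, a_field, txt_field = parts[:3]
        a_records = [ip for ip in a_field.split(",") if ip]
        txt_records = [txt_field] if txt_field else []   # TXT kept whole, not split on commas
        yield qname, a_records, txt_records


def passive_resolve(text):
    """Map every IP seen in an A answer to the sorted names that resolved to it.

    Nothing here touches the network: the mapping comes only from answers that
    were already on the wire when the capture was taken.
    """
    ip_to_names = defaultdict(set)
    for qname, a_records, _ in parse_dns_answers(text):
        for ip in a_records:
            ip_to_names[ip].add(qname)
    return {ip: sorted(names) for ip, names in ip_to_names.items()}


def label_endpoint(ip, ip_to_names):
    """Hostname label for an endpoint, or the raw IP when the pcap never resolved it."""
    names = ip_to_names.get(ip)
    return ",".join(names) if names else ip


def txt_records(text):
    """(qname, txt) pairs, the passive equivalent of a dnsTXTRecords listing."""
    return [(qname, txt) for qname, _, txts in parse_dns_answers(text) for txt in txts]


if __name__ == "__main__":
    mapping = passive_resolve(SAMPLE)
    for ip in ("203.0.113.9", "198.51.100.20", "192.0.2.1"):
        print(ip, "->", label_endpoint(ip, mapping))
    print(txt_records(SAMPLE))
```

An endpoint the pcap never resolved is left as a bare IP rather than looked up; if a live lookup is still wanted for those few, it can be a deliberate, separate step instead of a side effect of the analysis.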

Requirements

tshark – https://tshark.dev/setup/install/

Output

Currently, PacketSifter generates the following pcaps:

  • http.pcap – All conversations containing port 80, 8080, or 8000
  • smb.pcap – All conversations classified by tshark dissectors as NBSS, SMB, or SMB2
  • dns.pcap – All conversations classified by tshark dissectors as DNS
  • ftp.pcap – All conversations classified by tshark dissectors as FTP

Currently, PacketSifter generates the following text files:

  • IOstatistics.txt – Protocol hierarchy and input/output broken up into 30 second intervals (useful for finding potential beaconing)
  • IPstatistics.txt – Overall stats to/from endpoints over IP and individual conversations over IP
  • TCPstatistics – Overall stats to/from endpoints over TCP and individual TCP conversations broken down. Note: This file can contain a large amount of data. It is recommended to use less or grep for the conversation in question.
  • http_info.txt – Statistical data about HTTP conversations
  • hostnamesResolved.txt (optional) – Resolved hostnames observed in pcap. Note: This can result in DNS queries for attacker infrastructure. Proceed with caution!!
  • SMBstatistics.txt – Stats on commands run using smb or smb2
  • dnsARecords.txt – DNS A queries/responses
  • dnsTXTRecords.txt – DNS TXT queries/responses
  • errors.txt – trash file
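
IOstatistics.txt buckets traffic into 30 second intervals because a compromised host that checks in on a timer stands out as a flat, evenly spaced series of counts. The following added example (not PacketSifter's own code, which drives tshark from a shell script) reproduces that bucketing in Python and goes one step further by scoring each source/destination pair on how regular its inter-packet gaps are. It assumes input in the shape of `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst` (tab-separated; capture.pcap is a placeholder); the sample lines, addresses and thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in the shape produced by
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst
# Host 10.0.0.5 contacts 203.0.113.9 roughly every 60 seconds (a beacon-like
# cadence with a little jitter); 10.0.0.7's traffic is irregular browsing.
SAMPLE = "\n".join(
    [f"{1622100000 + 60 * i + (i % 3)}\t10.0.0.5\t203.0.113.9" for i in range(10)]
    + [
        "1622100007\t10.0.0.7\t198.51.100.20",
        "1622100009\t10.0.0.7\t198.51.100.20",
        "1622100250\t10.0.0.7\t198.51.100.20",
        "1622100251\t10.0.0.7\t198.51.100.20",
        "1622100540\t10.0.0.7\t198.51.100.20",
    ]
)


def parse_fields(text):
    """Yield (epoch_seconds, src, dst) from tshark -T fields output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split("\t")[:3]
        yield float(ts), src, dst


def io_buckets(records, width=30):
    """Packets per (src, dst) per fixed-width time bucket, like an I/O graph table."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst in records:
        counts[(src, dst)][int(ts // width)] += 1
    return {flow: dict(buckets) for flow, buckets in counts.items()}


def cadence(timestamps):
    """(mean gap, population stdev of gap) between consecutive packets, or None if too few."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    return mean(gaps), pstdev(gaps)


def find_beacons(text, min_packets=5, max_jitter_ratio=0.1):
    """Flows with at least min_packets whose gap stdev is a small fraction of the mean gap.

    Returns {(src, dst): mean_gap_seconds}. Thresholds are illustrative, not tuned.
    """
    by_flow = defaultdict(list)
    for ts, src, dst in parse_fields(text):
        by_flow[(src, dst)].append(ts)
    hits = {}
    for flow, ts in by_flow.items():
        stats = cadence(ts)
        if stats is None or len(ts) < min_packets:
            continue
        avg, sd = stats
        if avg > 0 and sd / avg <= max_jitter_ratio:
            hits[flow] = round(avg, 1)
    return hits


if __name__ == "__main__":
    for flow, buckets in io_buckets(parse_fields(SAMPLE)).items():
        print(flow, sorted(buckets.items()))
    print("regular cadence:", find_beacons(SAMPLE))
```

A regular cadence on its own is only a lead: software updaters and monitoring agents beacon too, so the flagged pair should be cross-checked against the hostname and object output files before it is treated as an IOC.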

VirusTotal integration output text files (all optional):

  • httpHashToObject.txt – Text file containing md5 hash to object pairings for reference
  • httpVTResults.txt – Text file containing results of md5 hash lookups of http objects via the VirusTotal API
  • smbHashToObject.txt – Text file containing md5 hash to object pairings for reference
  • smbVTResults.txt – Text file containing results of md5 hash lookups of smb objects via the VirusTotal API

AbuseIPDB integration output text files (optional):

  • IPLookupResults.txt – Text file containing IP geolocation + IP reputation results

Currently, PacketSifter generates the following tar.gz files:

  • httpObjects.tar.gz – HTTP objects observed in pcap. Note: There can be a large number of HTTP objects and you will likely extract malicious http objects depending on the pcap. Use with caution!!
  • smbObjects.tar.gz – SMB objects observed in pcap. There can be a large number of SMB objects and you will likely extract malicious SMB objects depending on the pcap. Use with caution!!