PCAPs are extremely valuable when dealing with malware, but sometimes the amount of extra data within the file hides what the malicious code may be doing. There are plenty of tools and libraries to assist with the parsing of these files, but I haven’t seen anything that summarizes the content we as incident responders are most concerned with: specifically, the HTTP requests, DNS queries, WHOIS information and unique communications.
Today I am releasing a simple set of tools appropriately named pcap tools. There are two main files for processing:
- output_summary – takes in a single PCAP and shows the summary information to standard out
- pcap_summary – takes in a single PCAP or a directory and writes out several files containing the summarized information
- json_summary – demo the use of JSON output
Below is a snippet of example output from output_summary:
There are times when even the summarized information can be a bit verbose, but pcap tools was designed so that you could extend the library and make use of what you find important. Both tools utilize this core library, so if you want to remove something from the output, just remove it from the tool or create your own. Finally, with the addition of the JSON output, you can easily send this data directly to another web service, tool or NoSQL database for later processing.
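To show what this kind of summary looks like in practice, here is an added example of a stand-alone PCAP summarizer in Python. It is not the pcap tools code and not the library's API; it is a from-scratch illustration using only the standard library. It builds a small constructed capture in memory (a DNS query sent twice and one HTTP GET; the addresses, host names and packet contents are all made up), then walks the Ethernet/IPv4/UDP/TCP layers to collect the same three things the post cares about: DNS query names with counts, HTTP request lines with their Host header, and the unique (source, destination, protocol, destination port) communications. The `summarize` and `to_json` function names are my own choices. WHOIS enrichment is omitted because it requires network access.

```python
import json
import struct

# ---- constructed sample capture (not a real PCAP) ---------------------------

def _ipv4(src, dst, proto, payload):
    # Minimal IPv4 header: no options, checksum left at 0 (parsers below ignore it).
    total = 20 + len(payload)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    # Data offset 5 (20-byte header), flags PSH|ACK, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    # id, flags (RD set, QR clear = query), qdcount=1, an/ns/ar=0, then QTYPE A / QCLASS IN
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _frame(ip_packet):
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    data = eth + ip_packet
    return struct.pack("<IIII", 0, 0, len(data), len(data)) + data  # ts_sec, ts_usec, incl, orig

SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, link type 1
    + _frame(_ipv4("10.0.0.5", "10.0.0.1", 17, _udp(40001, 53, _dns_query("example.com"))))
    + _frame(_ipv4("10.0.0.5", "203.0.113.10", 6, _tcp(40002, 80,
             b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n")))
    + _frame(_ipv4("10.0.0.5", "10.0.0.1", 17, _udp(40003, 53, _dns_query("example.com"))))
)

# ---- summarizer -------------------------------------------------------------

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def _dns_qname(payload):
    """First question name of a DNS *query*; None for responses or malformed data."""
    if len(payload) < 12 or payload[2] & 0x80:   # QR bit set -> response, skip
        return None
    labels, i = [], 12
    while i < len(payload) and payload[i]:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels) if labels else None

def _http_request(payload):
    """Method, Host header and path of an HTTP request; None if not a request."""
    if not payload.startswith(HTTP_METHODS):
        return None
    lines = payload.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith(b"host:")), b"")
    return {"method": parts[0].decode(), "host": host.decode(errors="replace"),
            "path": parts[1].decode(errors="replace")}

def summarize(pcap_bytes):
    """Walk a classic (non-pcapng, microsecond) PCAP with Ethernet frames."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    out = {"dns_queries": {}, "http_requests": [], "conversations": set()}
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == 17 and len(l4) >= 8:                       # UDP
            dport, payload = struct.unpack("!H", l4[2:4])[0], l4[8:]
        elif proto == 6 and len(l4) >= 20:                     # TCP
            dport, payload = struct.unpack("!H", l4[2:4])[0], l4[(l4[12] >> 4) * 4:]
        else:
            continue
        out["conversations"].add((src, dst, "udp" if proto == 17 else "tcp", dport))
        if dport == 53:
            name = _dns_qname(payload)
            if name:
                out["dns_queries"][name] = out["dns_queries"].get(name, 0) + 1
        elif proto == 6:
            req = _http_request(payload)
            if req:
                out["http_requests"].append(req)
    out["conversations"] = sorted(out["conversations"])
    return out

def to_json(summary):
    return json.dumps(summary, indent=2)

if __name__ == "__main__":
    print(to_json(summarize(SAMPLE_PCAP)))
```

Two deliberate choices worth noting: DNS responses are skipped by checking the QR bit, so repeated lookups of the same name are counted once per query rather than twice, and the conversation set keys on destination port only, which is what collapses the two DNS queries from ephemeral source ports into a single entry. Swapping `SAMPLE_PCAP` for the bytes of a real capture file is enough to run it on actual data, within the stated limits (classic PCAP format, Ethernet link type, IPv4 only).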