PcapXray : Tool To Visualize A Packet Capture Offline
PcapXray is a network forensics tool that visualizes a packet capture offline as a network diagram, including device identification, highlighting of important communication, and file extraction.
PcapXray Design Specification
Goal:
Given a pcap file, plot a network diagram displaying the hosts in the network and the network traffic, highlighting important traffic, Tor traffic and potentially malicious traffic, including the data involved in the communication.
Problem:
Investigating a pcap file takes a long time because of the initial hurdle of getting the investigation started.
This is faced by every forensic investigator and by anyone analyzing the network.
(Make sure to escalate privileges so the tool can create its output files – run it with sudo.)
Python libraries used (all of them are required for full functionality):
Tkinter and TTK – install from pip or apt-get; make sure Tkinter and Graphviz are installed (most Linux distributions include them by default)
apt install python-tk
apt install graphviz
apt install python3-tk (for python3 support)
If ImageTk errors are thrown in a Python 3 environment, run: apt install python3-pil python3-pil.imagetk
All of these are listed in the requirements.txt file.
Scapy – rdpcap to read the packets from the pcap file
Ipwhois – to obtain WHOIS information for an IP address
Netaddr – to check the type of an IP address
Pillow – image processing library
Stem – Tor consensus data fetching library
pyGraphviz – plot graph
Networkx – plot graph
Matplotlib – plot graph (not used as of now)
Getting Started
Clone the repository
pip install -r requirements.txt
python Source/main.py
Additional Information
Tested on Linux
Traffic options include: Web (HTTP and HTTPS), Tor, Malicious, ICMP, DNS
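The core of the goal above (read a pcap, discover the hosts, tag each host-to-host edge with the traffic class it carries) can be shown without the GUI. The following is an added example, not PcapXray's own code: a stdlib-only reader for the classic pcap format that builds the per-host edge map such a diagram is drawn from, classifying Web, DNS and ICMP traffic by protocol number and port; the capture it parses is constructed inline, and the 10.0.0.0/8 and 203.0.113.0/24 addresses are placeholders.

```python
# Added example (not PcapXray code): stdlib-only reader for the classic pcap
# format that builds the host-to-host edge map a network diagram is drawn from.
import struct
from collections import defaultdict

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def classify(proto, sport, dport):
    """Map an IPv4 packet to one of the traffic classes listed on the page."""
    if proto == 1:
        return "ICMP"
    if 53 in (sport, dport):
        return "DNS"
    if proto == 6 and {80, 443} & {sport, dport}:
        return "Web"
    return "Other"

def parse_pcap(data):
    """Return {(src_ip, dst_ip): {traffic_class: packet_count}} for IPv4 packets."""
    hdr = GLOBAL_HDR.unpack_from(data, 0)
    if hdr[0] != 0xA1B2C3D4 or hdr[6] != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    edges, off = defaultdict(lambda: defaultdict(int)), GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(data):
        incl_len = PKT_HDR.unpack_from(data, off)[2]
        frame = data[off + PKT_HDR.size:off + PKT_HDR.size + incl_len]
        off += PKT_HDR.size + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]  # honour IHL
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (0, 0)
        edges[(src, dst)][classify(proto, *ports)] += 1
    return edges

def _frame(src, dst, proto, l4):  # constructed Ethernet/IPv4 frame, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def sample_pcap():  # constructed capture: one DNS query, one HTTPS segment, one ICMP echo
    frames = [_frame("10.0.0.5", "10.0.0.1", 17, struct.pack("!HH", 51000, 53) + b"\x00" * 12),
              _frame("10.0.0.5", "203.0.113.10", 6, struct.pack("!HH", 51001, 443) + b"\x00" * 16),
              _frame("10.0.0.5", "10.0.0.1", 1, b"\x08\x00" + b"\x00" * 6)]
    out = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += PKT_HDR.pack(1700000000 + i, 0, len(f), len(f)) + f
    return out
```

Calling parse_pcap(sample_pcap()) yields two edges: 10.0.0.5 to 10.0.0.1 carrying one DNS and one ICMP packet, and 10.0.0.5 to 203.0.113.10 carrying one Web packet; feeding a real capture file's bytes to parse_pcap gives the same structure for every IPv4 conversation it contains.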
Challenges
Instability of the Tk GUI:
The GUI choice was between Django and Tk; Tk was chosen for a simple local interface, but the instability of the Tk GUI caused a number of problems.
Graph Plotting:
Plotting a readable network graph from the gathered data took considerable effort; several libraries were tried before settling on one.
Performance and Timing:
The performance and timing of the whole application, across the different data-gathering and output-generation stages, was a major challenge.
Known Bugs
Memory Hogging
On systems with little RAM, memory hogging can occur because the data loaded into memory from the pcap file is huge.
Should be fixed by moving the data into a database rather than keeping it in memory.
Race Condition
Because of the Tk GUI's mainloop, other threads can run into a race condition.
Should be fixed by moving to a better-structured Tk implementation or a web GUI.
Tk GUI Instability:
Same reason as above.
Code:
Clumsy and unstructured code flow.
Current workaround (rare occasions): if any of the above issues occurs, the progress bar keeps running and no output is generated; the app must be restarted.
Docker Containers of PcapXray
The Dockerfile in the root folder was used to build the images.
Pre-built Docker images are available on Docker Hub:
srinivas11789/pcapxray-1.0
srinivas11789/pcapxray-2.2
Performing the steps in the run.sh file manually will launch the tool via Docker (I can help with errors).
Running the run.sh script is an attempt to automate this (it does not work 100 percent of the time).
Tested on Mac and Linux – will be better soon!
PcapXray 2.0
Includes a zoom feature
Improves usability with a Browse Files feature
Report directory fixes for graph images
Includes some bug fixes
Immediate Future Tasks: (Target: 3.0)
Clean up the code (beautify the code base so it is no longer a prototype)
Report generation into a unique folder for all assets of a packet capture
Suspicious activity detection
Support more pcap reader engines
Traffic support: ICMP, DNS
Known file type detection and extraction
Python 2 and Python 3 support
Future
Structured and clean code flow
Change the data store from JSON to SQLite or another established database, to address the memory hogging