Analyzer for PCAP files
Go to file
2019-12-09 12:14:01 +01:00
analyze Get rid of LinkType-style branching: different LinkTypes may use the same Protocol modules. 2019-12-09 12:14:01 +01:00
common Unify logging process 2019-12-03 23:51:03 +01:00
output Do not print empty blocks 2019-12-06 15:23:01 +01:00
protocol Get rid of LinkType-style branching: different LinkTypes may use the same Protocol modules. 2019-12-09 12:14:01 +01:00
.drone.yml indentation 2019-12-01 17:07:36 +01:00
.gitignore Add .gitignore 2019-11-28 16:37:53 +01:00
analyzer_test.go basic testcase for the analyzer 2019-12-01 17:01:04 +01:00
CONTRIBUTORS.md added myself (emile) to the users list 2019-12-01 16:12:29 +01:00
file.go Move code out of src/ folder to comply to Golang standards (although it looks dirty) 2019-11-28 13:43:22 +01:00
go.mod go mod init 2019-12-01 16:07:30 +01:00
go.sum go mod init 2019-12-01 16:07:30 +01:00
LICENSE Add License 2019-11-27 20:32:44 +01:00
main.go Get rid of LinkType-style branching: different LinkTypes may use the same Protocol modules. 2019-12-09 12:14:01 +01:00
README.md added a benchmark section to the readme 2019-12-01 00:19:21 +01:00

pancap

Idea

If you get access to a PCAP file, for example during a CTF or captured on your own, you usually have the problem of overlooking all the relevant information to get a basic idea of the capture file. This gets worse if the capture file includes lots of white noise or irrelevant traffic - often included in the capture file to cloak interesting packets in a bunch of packets to YouTube, Reddit, Twitter and others.

pancap addresses this problem. With multiple submodules, it analyzes the given PCAP file and extracts useful information out of it. In many cases, this saves you a lot of time and can point you into the right direction.

Usage

Simply run

go get git.darknebu.la/maride/pancap

This will also build pancap and place it into your GOBIN directory - means you can directly execute it!

In any use case, you need to specify the file you want to analyze, simply handed over to pancap with the -file flag.

Example usage:

pancap -file ~/Schreibtisch/mitschnitt.pcapng

This will give you a result similar to this:

asciicast

Benchmarks

Parsing an nGB big pcap takes y seconds:

nGB y seconds
2 30

Contributions

... yes please! There are still a lot of modules missing. If you are brave enough, you can even implement another Link Type. Pancap currently only supports Ethernet (which, to be honest, fits most cases well), but USB might be interesting, too. Especially sniffed keyboard and mouse packets are hard to analyze by hand...