I would like to introduce you to a plugin that I have been developing called PCAP_tools. Before I do that, I would like to personally thank Christian for his help and interest in the plugin. He has shown me the value of patience and of letting this plugin develop into what it is before releasing it. Without further ado, I give you PCAP_tools (compatible with ProcDOT 1.2 at the moment)!
PCAP_tools does a couple of things for ProcDOT:
- It allows you to extract files from the entire pcap
- It allows you to extract files from a specific TCP stream
- It gives ProcDOT the ability to follow TCP streams without having to use another tool like Wireshark.
Let's start with the first one, extracting files from the pcap. This option can be found in the Plugins main menu.
Once selected, you are presented with a gui interface. The interface allows you to select which hash type you want for the files and where you want to save them.
Once completed, you will find the carved files in the directory you specified.
Now, let's look at following a TCP stream and compare the plugin's output to Wireshark.
From the image above we can see an option to follow TCP streams. This option is available when you right click on a server node.
If the server node does not contain flow information, one of two screens will pop up.
[Side-by-side screenshots: ProcDOT output | Wireshark output]
Okay, but I still can't read it. Let's look at it in ProcDOT.
And one more example. What about if the stream is chunked?
As you can see, the plugin was still able to make the stream readable.
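Making a chunked stream readable means decoding the HTTP chunked transfer encoding once the TCP payload has been reassembled. As an added example (not the plugin's own code, and using a constructed sample response rather than bytes from a real capture), here is a small Python dechunker that also refuses truncated or malformed chunk framing rather than silently emitting partial data:

```python
import re
from typing import Tuple

# Constructed sample: an HTTP response with Transfer-Encoding: chunked, as it
# would appear in a reassembled TCP stream. Not taken from any real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"7\r\nMozilla\r\n"
    b"9\r\nDeveloper\r\n"
    b"7;ext=1\r\nNetwork\r\n"  # a chunk-size line may carry extensions after ';'
    b"0\r\n"                     # last-chunk, then optional trailers
    b"X-Trailer: done\r\n"
    b"\r\n"
)

def split_head_body(data: bytes) -> Tuple[bytes, bytes]:
    """Split a reassembled HTTP message at the first blank line."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    return head, body

def is_chunked(head: bytes) -> bool:
    """True if the header block declares chunked transfer encoding."""
    return re.search(rb"(?im)^transfer-encoding:\s*.*\bchunked\b", head) is not None

def dechunk(body: bytes) -> bytes:
    """Concatenate chunk payloads; raise on truncated or malformed framing."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)  # hex size, extensions dropped
        if size < 0:
            raise ValueError("negative chunk size")
        pos = eol + 2
        if size == 0:
            return bytes(out)  # trailers and the final blank line are not body data
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data or missing CRLF terminator")
        out += body[pos:pos + size]
        pos += size + 2

def readable_response(data: bytes) -> bytes:
    """Return the decoded body of a reassembled response (dechunked if needed)."""
    head, body = split_head_body(data)
    return dechunk(body) if is_chunked(head) else body
```

Gzip-compressed bodies (Content-Encoding) are a separate layer and would still need decompressing after dechunking.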
I hope I have demonstrated what is possible with ProcDOT's plugin engine. The PCAP_tools plugin, along with setup instructions, is available for download at https://github.com/Beercow/ProcDOT-Plugins/tree/master/PCAP_tools. Please submit any issues with the plugin on my GitHub page.