Friday, September 2, 2011


I've been tailoring most of my posts towards "if you're new to network security", and lately I've been seeing a good number of stuff on Twitter about how we need to increase mentoring in our industry and share info more effectively. That said, I'm going to use this blog primarily to try and share info with those who are new to security full time (realizing that doesn't mean new to the IT industry a lot of the time).
That said, here's another tool that might be helpful. It's old, but still very useful.


What it is: is a Perl script, written by Brendan Gregg, that takes a libpcap packet capture and indexes all of the connections and extracts a fair amount of the data and organizes it all into a nice web site. You take all the output and load it up in a Web browser (you could do that locally if you're running X on the box you ran it from, or share it via a web server, or tar it up and move to a web server you own.) I personally find it easy to just copy everything to /var/www or /var/www/html, depending on what you're running, since I don't serve web pages out of the default location anyway.

You have lots of options, but the basic ones you need to know tell chaosreader what kind of files to create:

chaosreader infile      # Create application session files, indexes
       chaosreader -v infile   # Verbose - Create ALL files
       chaosreader -i infile   # Create info files
       chaosreader -r infile   # Create raw files

Verbose will create all file types chaosreader knows about, -i, just the info files and -r, the raw files. Raw files are data files from TCP or UDP transfers, and info files are descriptor files listing the source, destination and such of the connection. chaosreader also generates a Get/POST report, an image report, and an HTTP proxy report.

Rather than me screenshot chaosreader, the author has created a live sampling here  or here that you can browse and get an idea of what the tool does.

How to use it: Download the latest version and put it in a separate directory (it creates a lot of files; you REALLY don't want to run it in the root of your home dir). You can run it live on an interface, or, as I do, run it against a pcap file. Use the switches show above to determine how verbose you want it to be.
For example, if you want to see it all, and had a pcap called web.pcap, you would run:
" perl -v web.pcap". With the latest version, you'll see a list of connections scroll as chaosreader reads in the packets and processes them. After it's done, you'll have an assortment of .html, .info, .raw, raw1 and raw2 files, as well as other like JPEG's and GIF's.

It's a very useful tool, but one caution. Very large captures can take a really long time to process, and if your box is running with minimal memory, it might run out before the process finishes. A strong processor and lots of RAM make a good chaosreader box.


gcla said...

Hi Jeff,

This is Graham here from the Dragon team. I've been enjoying reading your blog! Perhaps us Dragon folks will be able to start something technical with a Dragon leaning in the future. There is a blog at Enterasys that occasionally includes Dragon content, but it's not too detailed.

By the way, on the subject of your latest post, we have a *lot* of pcaps internally, as you might suppose, and I've been thinking of checking out xtractr when I get some time.

All the best,

JeffSoh said...

Hi, Graham! That'd be great! Looking forward to seeing that when you get it up..

Blog Archive