Monday, December 22, 2014

NetSec Tool: Dshell

I was introduced to a nice network forensics tool today called Dshell, written by the U.S. Army Research Lab. It is written in Python and dissects pcaps using decoders, which can be chained together so that several analyses run over the same traffic in one pass. Running decode -l prints the list of available decoders, which includes:

dns         - extract and summarize DNS queries/responses (defaults: A, AAAA, CNAME, PTR records)
reservedips - identify DNS resolutions that fall into reserved IP space
large-flows - display netflows that have at least 1MB transferred
long-flows  - display netflows that have a duration of at least 5 mins
rip-http    - rip files from HTTP traffic
protocols   - identify non-standard protocols (not TCP, UDP or ICMP)

and many others.
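To make concrete what two of those decoders do when chained (dns feeding reservedips), here is an added example: a small Python script that is not Dshell's own code. It reads a pcap, pulls A/AAAA answers out of DNS-over-UDP responses, and then flags any answer that lands in private, loopback, link-local, multicast or otherwise reserved address space, which is the kind of resolution that often betrays sinkholed or misconfigured malware C2 domains. The pcap is constructed inline from three hand-built DNS responses, and the function names (run_chain, dns_decoder, reservedips_decoder) are illustrative, not Dshell's API.

```python
"""Minimal chained pcap decoders: dns -> reservedips (added example, not Dshell code)."""
import ipaddress
import struct


def build_dns_response(qname, answer_ip, src="8.8.8.8", dst="10.0.0.5"):
    """Construct one Ethernet/IPv4/UDP frame carrying a DNS A-record response (sample data)."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags=response, qd=1, an=1
    dns += question + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    # Answer name is a compression pointer (0xc00c) back to the question name at offset 12.
    dns += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(answer_ip).packed
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns  # checksum left as 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp                # zero MACs, ethertype IPv4


def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap (linktype 1) byte string."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1419206400 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap_bytes):
    """Yield (timestamp, frame) from a pcap, honouring the magic number's byte order."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl, _orig = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl]
        off += incl


def read_name(data, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def dns_decoder(ts, frame):
    """Extract A/AAAA answers from a DNS-over-UDP frame; returns [] for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 17:
        return []
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 53 not in (sport, dport):
        return []
    dns = udp[8:]
    qd, an = struct.unpack("!HH", dns[4:8])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(dns, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(dns, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        rdata, off = dns[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            records.append({"ts": ts, "name": name, "type": "A", "answer": str(ipaddress.IPv4Address(rdata))})
        elif rtype == 28 and rdlen == 16:
            records.append({"ts": ts, "name": name, "type": "AAAA", "answer": str(ipaddress.IPv6Address(rdata))})
    return records


def reservedips_decoder(records):
    """Second stage of the chain: keep only resolutions into reserved/private address space."""
    flagged = []
    for rec in records:
        ip = ipaddress.ip_address(rec["answer"])
        if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified):
            flagged.append(dict(rec, reason="reserved/private address space"))
    return flagged


def run_chain(pcap_bytes, packet_decoder, *record_filters):
    """Run a per-packet decoder over the pcap, then pipe its records through each filter in turn."""
    records = []
    for ts, frame in iter_frames(pcap_bytes):
        records.extend(packet_decoder(ts, frame))
    for record_filter in record_filters:
        records = record_filter(records)
    return records


# Constructed sample capture: one benign answer, one loopback sinkhole, one RFC 1918 answer.
SAMPLE_PCAP = build_pcap([
    build_dns_response("www.example.com", "93.184.216.34"),
    build_dns_response("update.evil.test", "127.0.0.1"),
    build_dns_response("intranet.corp.test", "10.1.2.3"),
])

if __name__ == "__main__":
    for rec in run_chain(SAMPLE_PCAP, dns_decoder, reservedips_decoder):
        print(f"{rec['ts']} {rec['name']} {rec['type']} {rec['answer']}  <- {rec['reason']}")
```

The chain is the point: dns_decoder turns packets into records, and every later stage only sees records, so adding another filter (say, "answer TTL under 60 seconds") does not require touching the packet parser. Real captures also carry TCP DNS, truncated frames and EDNS options that this toy parser ignores.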

You can download the source, find the dependencies that need to be installed, and see examples and syntax at:
