Dshell – Network Forensic Analysis Framework
An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
Key features:
- Robust stream reassembly
- IPv4 and IPv6 support
- Custom output handlers
- Chainable decoders
Prerequisites
- Linux (developed on Ubuntu 12.04)
- Python 2.7
- pygeoip, GNU Lesser GPL
- PyCrypto, custom license
- dpkt, New BSD License
- IPy, BSD 2-Clause License
- pypcap, New BSD License
Installation
- Install all of the necessary Python modules listed above. Many of them are available via pip and/or apt-get. Pygeoip is not yet available as a package and must be installed with pip or manually. All except dpkt are available with pip.
    sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap
    sudo pip install pygeoip
- Configure pygeoip by moving the MaxMind data files (GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat) to /share/GeoIP/
- Run make. This will build Dshell.
- Run ./dshell. This is Dshell. If you get a Dshell> prompt, you're good to go!
Basic usage
- decode -l: This will list all available decoders alongside basic information about them
- decode -h: Show generic command-line flags available to most decoders
- decode -d <decoder>: Display information about a decoder, including available command-line flags
- decode -d <decoder> <pcap>: Run the selected decoder on a pcap file
Gloss