{"id":17709393,"url":"https://github.com/0snap/visual-pcap-mixer","last_synced_at":"2026-01-20T03:33:36.636Z","repository":{"id":78799395,"uuid":"191310881","full_name":"0snap/visual-pcap-mixer","owner":"0snap","description":"Visually arrange PCAPs in browser and rewrite IPs / timestamps. Requires config with known groudtruth about attacks / benign traffic","archived":false,"fork":false,"pushed_at":"2020-09-22T08:47:26.000Z","size":609,"stargazers_count":2,"open_issues_count":5,"forks_count":2,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-02-13T12:24:35.665Z","etag":null,"topics":["apt","dangerous","experimental","go","ids","pcap","react"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0snap.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-06-11T06:48:24.000Z","updated_at":"2020-07-17T12:25:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"d0c7b584-2528-46f4-acf9-814954ede8b5","html_url":"https://github.com/0snap/visual-pcap-mixer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fvisual-pcap-mixer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fvisual-pcap-mixer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fvisual-pcap-mixer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fvisual-pcap-mixer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0snap","download_url":"https://codeload.github.com/0snap/visual-pcap-mixer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247623006,"owners_count":20968574,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apt","dangerous","experimental","go","ids","pcap","react"],"created_at":"2024-10-25T04:03:52.329Z","updated_at":"2026-01-20T03:33:36.610Z","avatar_url":"https://github.com/0snap.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"Visual PCAP Mixer\n=================\n\n## What this is\n\n- A highly experimental tool that I need for myself\n- Untested code, potentially dangerous\n\n*YOU SHOULD NOT USE THIS UNLESS YOU KNOW WHAT YOU ARE DOING*\n\nYou alone are responsible for using this tool; I do not take any responsibility for any kind of harm that it may cause.\n\n\n## Functions\n\n- A Go CLI wrapper around existing tools that can analyze and modify pcaps. The tools are directly invoked as `cmd` on the configured files, and they write to your hard drive. That is why you should not use this.\n- A React frontend for the browser to visualize what will happen with the pcaps.\n\n## Config\n\nThe backend needs a `config.json`. It tells the backend which pcap files contain known attacks (`groundtruth`: attacker and victim IPs plus a start/end window per attack), which directories hold unclassified (benign) traffic, and where to write the generated scenarios (`outPath`). Example below.\n\nBy the way, a nice dataset for attack \u0026 benign traffic is here: https://www.unb.ca/cic/datasets/ids-2018.html\n\n```json\n{\n    \"groundtruth\": [\n        {\n            \"files\": [\n                \"/home/you/pcaps/unbca/attacks/28-02-2018/capEC2AMAZ-O4EL3NG-172.31.69.24-part1\",\n                \"/home/you/pcaps/unbca/attacks/28-02-2018/capEC2AMAZ-O4EL3NG-172.31.69.24-part2\"\n            ],\n            \"attacks\": [\n                {\n                    \"attackers\": [\n                        \"13.58.225.34\"\n                    ],\n                    \"victims\": [\n                        \"172.31.69.24\"\n                    ],\n                    \"name\": \"Infiltration\",\n                    \"start\": \"2018-02-28T10:50:00-04:00\",\n                    \"end\": \"2018-02-28T12:05:00-04:00\"\n                },\n                {\n                    \"attackers\": [\n                        \"13.58.225.34\"\n                    ],\n                    \"victims\": [\n                        \"172.31.69.24\"\n                    ],\n                    \"name\": \"Infiltration\",\n                    \"start\": \"2018-02-28T13:42:00-04:00\",\n                    \"end\": \"2018-02-28T14:40:00-04:00\"\n                }\n            ]\n        }\n    ],\n    \"unclassifiedTraffic\": [\n        \"/home/you/pcaps/unbca/benign/22-02-2018\",\n        \"/home/you/pcaps/unbca/benign/28-02-2018\"\n    ],\n    \"outPath\": \"/home/you/pcap/apt-scenarios\"\n}\n```\n\n\n## When you really really want to use this\n\nInstall dependencies:\n\n    $ go get github.com/spf13/cobra\n\nInstall the following packages for your Linux distro; the Go wrapper calls them.\n\n- `wireshark` (needed: `capinfos`)\n- `tcpdump`. In case you are on Debian/Ubuntu, make sure that it can be used by your user. If you have AppArmor in place and it blocks you, here is a guide: https://gcplinux.com/tcpdump-permission-denied-running-as-root/\n- `tcpreplay` (needed: `tcprewrite`)\n\nInit app\n\n- add the `backend` folder to your Go path\n- build your own `config.json` file like above\n- check the help menu: `go run main.go`\n\nYou *must* first run a deep analysis over the configured files. Export the analysis results to a state file:\n\n    $ go run main.go export -e your_state.json\n\nGrab a coffee in case you have several hundred gigs of traffic (as I do) ...\n\nNow take the analysed files and host a server:\n\n    $ go run main.go server -s your_state.json\n\nNavigate to the `frontend` folder and fire it up. You need a moderately new version of `npm` / `yarn`:\n\n    $ npm install\n    $ npm start\n\nGo to `localhost:3000` in your browser. When the config is right, the browser content looks somewhat like this:\n\n![configured-contents](https://raw.githubusercontent.com/0ortmann/visual-pcap-mixer/master/screenshots/configured-contents.png)\n\n#### In browser use\n\n- create new days of an attack scenario by hitting the big `+`\n- move everything by drag and drop (attacks, traffic samples, days in the timeline)\n- drag benign and attack traffic to your liking\n- hover over items for more info\n- double-click items to delete them\n- you can rewrite IP addresses with the form in the bottom left corner\n- name the scenario you created (form in the lower right corner)\n\nWhen you create an attack scenario the following will happen *on your computer*:\n\n- the first timestamp is taken from the first traffic sample in day 1\n- all other pcaps get time-adjusted so that they appear to have been recorded in order\n- IP replacements are applied\n- the results are copied to a new folder in the `outPath` that is configured in the `config.json`\n\nDepending on your traffic samples, that may fill your hard drive. Again, be careful where you run this; better don't. NEVER HOST THIS ON A PUBLIC SERVER: the server invokes the pcap tools as commands on the host, so exposing it exposes command execution.\n\n![scenario-creation](https://raw.githubusercontent.com/0ortmann/visual-pcap-mixer/master/screenshots/scenario-creation.png)\n\n\n\n## TODO:\n\n- test this shit\n- clean up, take out garbage\n- I remember vaguely that I built in a silly assumption about filenames in the benign traffic folders. Sigh. Remove that.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0snap%2Fvisual-pcap-mixer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0snap%2Fvisual-pcap-mixer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0snap%2Fvisual-pcap-mixer/lists"}
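As an added example, not code from the visual-pcap-mixer project, here is a Go sketch of the backend steps the README lists for scenario creation: it parses the `config.json` layout shown in the README and rejects attack windows that are not RFC3339 or run backwards; computes, for captures placed on the timeline, the offset an `editcap -t` call needs so that each file starts where the previous (shifted) file ends, with the first sample keeping its own timestamps; builds `tcprewrite --srcipmap`/`--dstipmap` arguments for the IP replacements; and refuses a scenario name that would write outside `outPath`. Everything here is an assumption about how one could implement those steps: the capture time spans are constructed inline in `main` rather than read from `capinfos`, the argument vectors are built but never executed, and the `editcap`/`tcprewrite` flags are the ones those tools document, not anything the project is known to call.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
	"time"
)
// Attack, GroundTruth and Config mirror the config.json layout shown in the README.
type Attack struct {
	Attackers []string `json:"attackers"`
	Victims   []string `json:"victims"`
	Name      string   `json:"name"`
	Start     string   `json:"start"`
	End       string   `json:"end"`
}
type GroundTruth struct {
	Files   []string `json:"files"`
	Attacks []Attack `json:"attacks"`
}
type Config struct {
	GroundTruth         []GroundTruth `json:"groundtruth"`
	UnclassifiedTraffic []string      `json:"unclassifiedTraffic"`
	OutPath             string        `json:"outPath"`
}

// ParseConfig decodes config.json and rejects attack windows that are not RFC3339 or that run backwards.
func ParseConfig(data []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	for _, gt := range cfg.GroundTruth {
		for _, a := range gt.Attacks {
			start, err1 := time.Parse(time.RFC3339, a.Start)
			end, err2 := time.Parse(time.RFC3339, a.End)
			if err1 != nil || err2 != nil || !end.After(start) {
				return nil, fmt.Errorf("attack %q: bad window %s .. %s", a.Name, a.Start, a.End)
			}
		}
	}
	return &cfg, nil
}

type Capture struct { // one pcap and the time span capinfos would report for it (constructed in main)
	Path       string
	Start, End time.Time
}

// TimeShifts returns, per capture, the seconds for `editcap -t` that make the files run back-to-back in order.
func TimeShifts(caps []Capture) []float64 {
	shifts := make([]float64, len(caps)) // the first file keeps its own timestamps, so shifts[0] stays 0
	var shift time.Duration
	for i := 1; i < len(caps); i++ {
		shift += caps[i-1].End.Sub(caps[i].Start) // file i must start where the shifted file i-1 ends
		shifts[i] = shift.Seconds()
	}
	return shifts
}

// EditcapArgs builds the editcap argv; hand it to os/exec as a slice, never as a joined shell string.
func EditcapArgs(in, out string, shift float64) []string {
	return []string{"editcap", "-t", strconv.FormatFloat(shift, 'f', -1, 64), in, out}
}

// TcprewriteArgs builds the tcprewrite argv with one IPv4 /32:/32 entry per replaced host (src and dst).
func TcprewriteArgs(in, out string, ipmap map[string]string) ([]string, error) {
	var pairs []string
	for from, to := range ipmap {
		if net.ParseIP(from).To4() == nil || net.ParseIP(to).To4() == nil {
			return nil, fmt.Errorf("ip map %q -> %q: not IPv4 addresses", from, to)
		}
		pairs = append(pairs, from+"/32:"+to+"/32")
	}
	sort.Strings(pairs) // deterministic argv regardless of map iteration order
	m := strings.Join(pairs, ",")
	return []string{"tcprewrite", "--infile=" + in, "--outfile=" + out, "--srcipmap=" + m, "--dstipmap=" + m}, nil
}

// ScenarioDir joins the browser-supplied scenario name under outPath, refusing anything that could leave it.
func ScenarioDir(outPath, name string) (string, error) {
	if name == "" || name == "." || name == ".." || name != filepath.Base(name) {
		return "", fmt.Errorf("scenario name %q is not a single path component", name)
	}
	return filepath.Join(outPath, name), nil
}

func main() {
	edt := time.FixedZone("EDT", -4*3600) // constructed spans in timeline order, not capinfos output
	caps := []Capture{
		{"benign/22-02-2018.pcap", time.Date(2018, 2, 22, 9, 0, 0, 0, edt), time.Date(2018, 2, 22, 17, 0, 0, 0, edt)},
		{"attacks/28-02-2018.pcap", time.Date(2018, 2, 28, 10, 0, 0, 0, edt), time.Date(2018, 2, 28, 12, 30, 0, 0, edt)},
	}
	for i, shift := range TimeShifts(caps) {
		fmt.Println(EditcapArgs(caps[i].Path, fmt.Sprintf("%02d.pcap", i), shift))
	}
}
```

The two checks worth copying are the ones the README's warning is about: the argument vectors go to `os/exec` as slices, so a path or scenario name containing shell metacharacters is passed literally to `editcap`/`tcprewrite` rather than interpreted, and `ScenarioDir` confines the browser-supplied name to one path component under `outPath`. Neither makes the server safe to expose; it still runs commands on request.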