{"id":13586369,"url":"https://github.com/Srinivas11789/PcapXray","last_synced_at":"2025-04-07T15:31:46.545Z","repository":{"id":39380903,"uuid":"105499052","full_name":"Srinivas11789/PcapXray","owner":"Srinivas11789","description":":snowflake: PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction","archived":false,"fork":false,"pushed_at":"2022-03-28T15:31:26.000Z","size":118520,"stargazers_count":1712,"open_issues_count":14,"forks_count":282,"subscribers_count":76,"default_branch":"master","last_synced_at":"2025-03-13T02:35:57.984Z","etag":null,"topics":["computer-forensics","cybersecurity","forensic-analysis","forensics","network","network-diagram","packets","pcap","python","security","tor","tor-traffic","traffic"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Srinivas11789.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-02T04:47:51.000Z","updated_at":"2025-03-10T22:12:27.000Z","dependencies_parsed_at":"2022-08-09T14:48:38.822Z","dependency_job_id":null,"html_url":"https://github.com/Srinivas11789/PcapXray","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Srinivas11789%2FPcapXray","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Srinivas11789%2FPcapXray/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Srinivas11789%2FPcapXray/releases","manifes
ts_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Srinivas11789%2FPcapXray/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Srinivas11789","download_url":"https://codeload.github.com/Srinivas11789/PcapXray/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247679508,"owners_count":20978062,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["computer-forensics","cybersecurity","forensic-analysis","forensics","network","network-diagram","packets","pcap","python","security","tor","tor-traffic","traffic"],"created_at":"2024-08-01T15:05:30.988Z","updated_at":"2025-04-07T15:31:41.535Z","avatar_url":"https://github.com/Srinivas11789.png","language":"Python","readme":"# PcapXray [![Build Status](https://travis-ci.org/Srinivas11789/PcapXray.svg?branch=master)](https://travis-ci.org/Srinivas11789/PcapXray) [![codecov](https://codecov.io/gh/Srinivas11789/PcapXray/branch/master/graph/badge.svg)](https://codecov.io/gh/Srinivas11789/PcapXray) [![defcon27](https://img.shields.io/badge/defcon27-demolabs-blue)](https://www.defcon.org/html/defcon-27/dc-27-demolabs.html#PcapXray)\n    A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction\n![Alt text](https://srinivas11789.github.io/PcapXray/logo.png?width=20px \"PcapXray\")\n## PcapXray Design Specification\nWiki has more help too.\n\n### Goal:\n  Given a Pcap File, plot a network diagram displaying hosts in the network, 
network traffic, highlight important traffic and Tor traffic as well as potential malicious traffic including data involved in the communication.\n\n### Problem:\n* Investigation of a Pcap file takes a long time given initial glitch to start the investigation\n*\tFaced by every forensics investigator and anyone who is analyzing the network\n\n* Location: https://github.com/Srinivas11789/PcapXray\n\n### Solution: Speed up the investigation process\n* Make a network diagram with the following features from a Pcap file\nTool Highlights:\n* Network Diagram – Summary Network Diagram of full network\n* Information: \n  * Web Traffic with Server Details\n  * Tor Traffic\n  * Possible Malicious traffic\n  * Data Obtained from Packet in Report – Device/Traffic/Payloads\n  * Device Details\n  \n### Tool Image:\n![Alt text](https://srinivas11789.github.io/PcapXray/Samples/screen2_6_1.png?raw=true)\n\n![Alt text](https://srinivas11789.github.io/PcapXray/Samples/screen2_6_2.png?raw=true)\n\n### Components:\n* Network Diagram \n* Device/Traffic Details and Analysis\n* Malicious Traffic Identification\n* Tor Traffic\n* GUI – a gui with options to upload pcap file and display the network diagram\n\n### Setup \n\n* Python 3\n\n```bash\napt install python3-pip\napt install python3-tk\napt install graphviz\napt install python3-pil python3-pil.imagetk\npip3 install -r requirements.txt\npython3 Source/main.py\n```\n( Make sure to escalate privilege to allow file creations - Run with `sudo` )\n\nFor MAC:\n```\nbrew install graphviz\n```\n\n* Python 2\n\n```bash\napt install python-tk\napt install graphviz\npip install -r requirements.txt\npython Source/main.py\n```\n( Make sure to escalate privilege to allow file creations - Run with `sudo` )\n\n### Python Libraries Used:  - All these libraries are required for functionality\n* Tkinter and TTK – Install from pip or apt-get – Ensure Tkinter and graphviz is installed (Most Linux contain by default) \n  * apt install python-tk\n  * apt 
install graphviz\n  * apt install python3-tk (for python3 support)\n  * Sometimes ImageTk errors are thrown in python3 env --\u003e use apt install python3-pil python3-pil.imagetk\n* All these are included in the requirements.txt file\n  * Scapy – rdpcap to read the packets from the pcap file \n  *\tIpwhois – to obtain whois information from ip\n  *\tNetaddr – to check ip information type\n  *\tPillow – image processing library\n  *\tStem – tor consensus data fetch library\n  *\tpyGraphviz – plot graph\n  *\tNetworkx – plot graph\n  *\tMatplotlib – plot graph (not used as of now)\n  \n### Demo\n![Alt text](https://srinivas11789.github.io/PcapXray/Samples/demo2_6.gif?raw=true)\n\n### Getting started:\n* Clone the repository\n* pip install -r requirements.txt\n* python Source/main.py\n\n### Additional Information:\n* Tested on Linux\n* Options for Traffic include - Web (HTTP and HTTPS), Tor, Malicious, ICMP, DNS\n \n### Challenges:\n  * Instability of the TK GUI:\n    * Decision on the GUI between Django and TK, settled upon tk for a simple local interface, but the instability of the tk gui caused a number of problems\n  * Graph Plotting:\n    * Plotting a proper network graph which is readable from the data obtained was quite an effort, used different libraries to arrive at one.\n  * Performance and Timing:\n    * The performance and timing of the total application was a big challenge with different data gathering and output generation\n\n### Known Bugs:\n* Memory Hogging\n  * Sometimes memory hogging occurs when lower RAM is present in the system as the data stored in the memory from the pcap file is huge\n  * Should be fixed by moving data into a database rather than keeping it in memory\n* Race Condition\n  * Due to mainloop of the TK gui, other threads could undergo a race condition\n  * Should be fixed by moving to a better structured TK implementation or Web GUI\n* Tk GUI Instability:\n  * Same reason as above\n* Code:\n  * clumsy and unstructured code flow\n\n*\tCurrent Fix in rare occasions: If any of the above issues occur the progress bar keeps running and no output is generated, a restart of the app would be required.\n\n### Docker Containers of PcapXray\n* Dockerfile present in the root folder was used to build images\n* Already built docker images are found at dockerhub\n  - srinivas11789/pcapxray-1.0\n  - srinivas11789/pcapxray-2.2\n* Performing the steps in `run.sh` file manually would work to launch the tool via docker (I can help with errors)\n* Running `run.sh` scripts is an attempt to automate (would not work 100 percent)\n  - tested on mac and linux - will be better soon!...\n\n### Immediate Future Tasks: (Target: 3.0)\n\n- Clean up code (beautify code base from being a prototype)\n- Report generation on unique folders for all assets of a packet capture\n- Suspicious activity detection\n- Support more pcap reader engines\n- Traffic support: ICMP, DNS\n- Known file type detection and extraction\n- Python2 and Python3\n- Interactive map\n\n### Future:\n* Structured and clean code flow\n*\tChange the database from JSON to sqlite or a prominent database, due to memory hogging\n*\tChange frontend to web based such as Django\n*\tMake the application more stable\n* More protocol support\n* Clean up code\n\n### Credits:\n* Thanks for making it better,\n  - Professor Marc Budofsky\n  - Kevin Gallagher\n* Thanks for all the dependent libraries used\n* Logo created with logomakr.com and www.inkscape.org\n\n[![Analytics](https://ga-beacon.appspot.com/UA-114681129-1/PcapXray/readme)](https://github.com/igrigorik/ga-beacon)\n\n## ***Just for Security Fun!***\n","funding_links":[],"categories":["Python","Tools","Python (1887)","cybersecurity","Forensics"],"sub_categories":["Analysis / Gathering tool (Know your ennemies)","Steganography"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSrinivas11789%2FPcapXray","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSrinivas11789%2FPcapXray","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSrinivas11789%2FPcapXray/lists"}