https://github.com/stratosphereips/hexa_payload_decoder
A tool to automatically decode and translate any TCP hexadecimal payload data from any language to English.
cybersecurity iot iot-malware malware-analysis security-tools traffic-analysis
- Host: GitHub
- URL: https://github.com/stratosphereips/hexa_payload_decoder
- Owner: stratosphereips
- Created: 2019-09-09T13:56:16.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2022-04-23T09:23:35.000Z (about 4 years ago)
- Last Synced: 2025-09-05T01:34:21.314Z (10 months ago)
- Topics: cybersecurity, iot, iot-malware, malware-analysis, security-tools, traffic-analysis
- Language: Python
- Homepage:
- Size: 378 KB
- Stars: 17
- Watchers: 7
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Citation: CITATION.cff
README
# Hexa Payload Decoder
[Docker image build workflow](https://github.com/stratosphereips/Hexa_Payload_Decoder/actions/workflows/docker-image.yml)

## Problem Statement
When analyzing malware traffic on the network, we sometimes find ourselves spending several minutes decoding the data from hexadecimal streams. In the best case we can use tools such as Wireshark to see these streams already decoded, but sometimes the decoded characters are not supported by most network analyzers.
## The Solution
The idea is to develop a tool that extracts the TCP hexadecimal data from network captures, filtering by a port provided by the user, decodes it from hexadecimal and translates it from any language to English.
The workflow of the tool is the following:
- The user runs the bash script with two parameters: the pcap file to analyze and a port.
- The bash script extracts the hexadecimal data from the TCP flows on the user-provided port using the tshark command.
- The extracted hexadecimal data is decoded as UTF-8 using the Python standard library.
- The decoded data is passed to the LibreTranslate Python library, which automatically detects the language and translates it to English.
- The decoded and translated data is written to an output file.
- This flow repeats for every TCP flow found in the pcap.
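The extract-decode-filter part of that workflow, as an added example that is not the project's own code. It assumes the tshark invocation shown in `tshark_command` (the README only names tshark) and uses a constructed sample of tshark field output; note that the bytes of one stream are joined before decoding, since a multi-byte UTF-8 character can be split across two TCP segments, and undecodable bytes are escaped rather than dropped.

```python
import subprocess
from collections import OrderedDict

# Constructed sample in the shape of `tshark -T fields -e tcp.stream -e tcp.payload`
# output: one line per segment, tab-separated. Stream 0 mixes the colon-separated
# hex of older tshark versions with the plain hex of newer ones; stream 1 splits a
# two-byte UTF-8 character ("ñ") across two segments; stream 2 is not valid UTF-8;
# stream 3 is a segment without payload.
SAMPLE_TSHARK_OUTPUT = """\
0\t65:6e:61:62:6c:65:0a
0\t73797374656d0a
1\t7365c3
1\tb1616c0a
2\t80ff0102
3\t
"""


def tshark_command(pcap, port):
    """Argument list for dumping per-segment TCP payloads on one port (assumed form)."""
    return ["tshark", "-r", pcap, "-Y", f"tcp.port == {port}",
            "-T", "fields", "-e", "tcp.stream", "-e", "tcp.payload"]


def reassemble_streams(tshark_output, min_length=0):
    """Group segments by tcp.stream, decode each stream as UTF-8 once, and keep only
    streams whose decoded text is longer than min_length (the -l/--length option)."""
    streams = OrderedDict()
    for line in tshark_output.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not fields[1]:
            continue  # handshake or pure ACK: no payload field
        stream_id, payload = fields[0], fields[1]
        streams.setdefault(stream_id, bytearray()).extend(bytes.fromhex(payload.replace(":", "")))
    decoded = {sid: bytes(raw).decode("utf-8", errors="backslashreplace")
               for sid, raw in streams.items()}
    return {sid: text for sid, text in decoded.items() if len(text) > min_length}


def decode_pcap(pcap, port, translate=lambda text: text, min_length=0):
    """Run tshark on a capture and pass each reassembled stream through `translate`
    (for example a LibreTranslate client call; identity by default)."""
    output = subprocess.run(tshark_command(pcap, port), capture_output=True,
                            text=True, check=True).stdout
    return {sid: translate(text)
            for sid, text in reassemble_streams(output, min_length).items()}
```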
## Hexadecimal decoder and translator for network analysis
The hexadecimal decoder and translator for network analysis runs using Python 3, and currently supports the following options:
```
usage: python3 hexa_payload_decoder.py [-h] [-d DECODE | -c] [-r READ] [-p PORT] [-l LENGTH]

optional arguments:
  -h, --help            show this help message and exit
  -d DECODE, --decode DECODE
                        Decode and translate the given string.
  -c, --clean           Clean the contents of the log file.

Analysis:
  -r READ, --read READ  Name of the pcap file that is analyzed.
  -p PORT, --port PORT  Analyze traffic for a specific port only.
  -l LENGTH, --length LENGTH
                        Analyze data streams longer than the given length.
```
---
Here is the tool working with a packet capture from Mirai IoT malware (screenshot in the original README):
---
## Requirements
- LibreTranslate Python library https://github.com/argosopentech/LibreTranslate-py
- Tshark https://www.wireshark.org/docs/man-pages/tshark.html
## Docker Image
The Hexa Payload Decoder currently has a public Docker image:
```
docker run --rm -it stratosphereips/hexapayloaddecoder:latest /bin/bash
```