Extracting Data from Network Captures (pcap) with Perl
A big part of malware analysis involves capturing network activity using Wireshark or Microsoft Network Monitor. Many online sandboxes, such as Anubis and CW Sandbox, will actually provide you with a network capture in the standard pcap format.
With the pcap in hand, it is as easy as opening it within Wireshark. I often find that for a networking novice (like me), parsing through these pcaps can be daunting and time consuming. This is where a project called chaosreader comes in to make our lives easier.
When I am analyzing network activity generated by malware, I am most interested in HTTP get/posts, the addresses the malware is communicating with, and the data that was actually sent or received.
Chaosreader is a Perl script that takes a pcap file as its argument and creates communication summaries in a report format. It will also pull data from the TCP streams (within the pcap) and reassemble the actual files that were transferred.
Here is an example of the primary report that chaosreader generates. For malware analysis, I find that the most useful report is the getpost.html file it generates. It provides only a listing of the HTTP GET/POST activity in a very easy-to-read report.
Chaosreader works anywhere that Perl does, although I’ve only personally used it with ActivePerl 5.10 on Windows XP and Perl 5.10 on a Linux distribution.
Generating a standard report (with re-assembled files) from a pcap file called “malware_activity.pcap” is as simple as running the following from a cmd prompt or bash shell:
perl chaosreader.pl malware_activity.pcap
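To show what a GET/POST listing like getpost.html is built from, here is an added example (written for this page in Python, not chaosreader's own Perl code) that walks a classic pcap file with only the standard library: it reads the global header, steps through each packet record, peels off the Ethernet, IPv4 and TCP headers, and records the request line and Host header of every segment whose payload starts with an HTTP method. The capture it parses is constructed inline (documentation-range addresses and the hostname example.invalid), so it runs offline; checksums are zeroed because the parser never validates them.

```python
import socket
import struct
from typing import Dict, List

LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def ipv4_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II / IPv4 / TCP frame (constructed test data)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,    # ports, seq, ack
                      5 << 4, 0x18, 65535, 0, 0) + payload  # data offset 5 words, PSH|ACK, window, cksum, urg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def pcap_file(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap container (constructed test data)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def http_requests(pcap: bytes) -> List[Dict[str, str]]:
    """List every HTTP request line found in TCP payloads of an Ethernet pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype = struct.unpack(endian + "IHHiIII", pcap[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")

    found: List[Dict[str, str]] = []
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                   # not TCP
        total_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        segment = frame[14 + ihl:14 + total_len]
        if len(segment) < 20:
            continue
        sport, dport = struct.unpack("!HH", segment[:4])
        payload = segment[(segment[12] >> 4) * 4:]    # skip TCP header incl. options
        if not payload.startswith(HTTP_METHODS):
            continue
        head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
        method, _, rest = head[0].partition(b" ")
        host = ""
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
        found.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                      "method": method.decode("ascii", "replace"), "host": host,
                      "path": rest.split(b" ")[0].decode("ascii", "replace")})
    return found


# Constructed sample capture: a GET, its reply, and a POST to a non-standard port.
SAMPLE_PCAP = pcap_file([
    ipv4_tcp_frame("10.0.0.5", "203.0.113.10", 49152, 80,
                   b"GET /update.php?id=1 HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ipv4_tcp_frame("203.0.113.10", "10.0.0.5", 80, 49152,
                   b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK"),
    ipv4_tcp_frame("10.0.0.5", "203.0.113.10", 49153, 8080,
                   b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\n\r\nhello"),
])


def getpost_summary(pcap: bytes = SAMPLE_PCAP) -> List[str]:
    """One line per request, in the spirit of chaosreader's getpost.html."""
    return [f"{r['src']} -> {r['dst']}  {r['method']} http://{r['host']}{r['path']}"
            for r in http_requests(pcap)]


if __name__ == "__main__":
    for line in getpost_summary():
        print(line)
```

Matching on the first bytes of each segment, as this does, only catches requests that begin at a segment boundary; a real tool such as chaosreader reassembles the whole TCP stream first, which is also what lets it recover transferred files rather than just request lines.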