
Extracting Data from Network Captures (pcap) with Perl

A big part of malware analysis involves capturing network activity using Wireshark or Microsoft Network Monitor. Many online sandboxes, such as Anubis and CW Sandbox, will actually provide you with a network capture in the standard pcap format.

With the pcap in hand, it is as easy as opening it within Wireshark. I often find that for a networking novice (like me), parsing through these pcaps can be daunting and time consuming. This is where a project called chaosreader comes in to make our lives easier.

When I am analyzing network activity generated by malware, I am most interested in HTTP GET/POST requests, the addresses the malware is communicating with, and the data that was actually sent or received.

Example GET/POST report


Chaosreader is a Perl script that takes a pcap file as its argument and creates communication summaries in a report format. It will also pull data from the TCP streams within the pcap and reassemble the actual files that were transferred.

Here is an example of the primary report that chaosreader generates. For malware analysis, I find that the most useful report is the getpost.html file that is generated. It provides only a listing of the HTTP POST/GET activity in a very easy-to-read report.

Chaosreader works anywhere that Perl does, although I’ve only personally used it with ActivePerl 5.10 on Windows XP and Perl 5.10 on a Linux distribution.

Generating a standard report (with re-assembled files) from a pcap file called “malware_activity.pcap” is as simple as running the following from a cmd prompt or bash shell:

perl chaosreader.pl malware_activity.pcap

Here’s another guide to using chaosreader

  1. Lexi
    May 13, 2015 at 2:52 AM

    This was an awesome find for me. Thanks!

