packetsifter: perform batch processing of PCAP data to uncover potential IOCs
What is PacketSifter?
PacketSifter is a tool to perform batch processing of PCAP data to uncover potential IOCs.
Simply initialize PacketSifter with your desired integrations (VirusTotal, AbuseIPDB) and pass PacketSifter a pcap and the desired switches, and PacketSifter will sift through the data and generate several output files.
Note: Please run AbuseIPDBInitial.sh and VTInitial.sh prior to using their corresponding switches, or the integrations will not work.
How it works
Simply pass PacketSifter your pcap to analyze along with your desired flags and let PacketSifter do the work for you!
Output
Currently, PacketSifter generates the following pcaps:
- http.pcap – All conversations containing port 80, 8080, or 8000
- smb.pcap – All conversations categorized by tshark dissectors as NBSS, SMB, or SMB2
- dns.pcap – All conversations categorized by tshark dissectors as DNS
- ftp.pcap – All conversations categorized by tshark dissectors as FTP
Currently, PacketSifter generates the following text files:
- IOstatistics.txt – Protocol hierarchy and input/output statistics broken up into 30-second intervals (useful for finding potential beaconing)
- IPstatistics.txt – Overall stats to/from endpoints over IP and individual conversations over IP
- TCPstatistics – Overall stats to/from endpoints over TCP and a breakdown of individual TCP conversations. This file can contain a large amount of information; it is recommended to page through it with less or grep for the conversation in question.
- http_info.txt – Statistical data about HTTP conversations
- hostnamesResolved.txt (optional) – Resolved hostnames observed in the pcap. Name resolution can result in DNS queries for attacker infrastructure. Proceed with caution!!
- SMBstatistics.txt – Stats on commands run over SMB or SMB2
- dnsARecords.txt – DNS A query/responses
- dnsTXTRecords.txt – DNS TXT query/responses
- errors.txt – trash file
VirusTotal Integration output text files (all optional):
- httpHashToObject.txt – Text file containing MD5 hash to object pairings for reference
- httpVTResults.txt – Text file containing the results of MD5 hash lookups of HTTP objects via the VirusTotal API
- smbHashToObject.txt – Text file containing MD5 hash to object pairings for reference
- smbVTResults.txt – Text file containing the results of MD5 hash lookups of SMB objects via the VirusTotal API
AbuseIPDB Integration output text files (optional):
- IPLookupResults.txt – Text file containing IP Geo-location + IP reputation results
Currently, PacketSifter generates the following tar.gz files:
- httpObjects.tar.gz – HTTP objects observed in the pcap. There may be a large number of HTTP objects, and depending on the pcap you may be extracting malicious HTTP objects to disk. Use with caution!!
- smbObjects.tar.gz – SMB objects observed in the pcap. There may be a large number of SMB objects, and depending on the pcap you may be extracting malicious SMB objects to disk. Use with caution!!
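As an added example (not PacketSifter's own code) of how the outputs listed above can be produced from a single pcap with tshark: the display filters, statistics taps and --export-objects call below are my assumptions about how each file is generated, and the output directory layout and function names are mine.

```shell
# Added example, not PacketSifter's own code: a minimal tshark "sift" that
# produces the per-protocol pcaps and statistics files the README describes.
# Assumes tshark and md5sum are on PATH; file names under $out are assumptions.
set -e

# Display filter behind each output pcap, following the README's descriptions.
sifter_filter() {
    case "$1" in
        http) printf '%s' 'tcp.port == 80 || tcp.port == 8080 || tcp.port == 8000' ;;
        smb)  printf '%s' 'nbss || smb || smb2' ;;
        dns)  printf '%s' 'dns' ;;
        ftp)  printf '%s' 'ftp || ftp-data' ;;   # control and data channels
        *)    return 1 ;;
    esac
}

# "md5  object" lines for every carved object, the hash-to-object pairing the
# README's httpHashToObject.txt records. Hashing is local; nothing is uploaded.
sifter_hash_objects() {
    (cd "$1" && find . -type f -exec md5sum {} +) | sed 's#  \./#  #'
}

# Run the sift: filtered pcaps, statistics, DNS records, carved HTTP objects.
sift_pcap() {
    pcap="$1"; out="${2:-sifted}"
    mkdir -p "$out/httpObjects"
    for proto in http smb dns ftp; do
        tshark -r "$pcap" -Y "$(sifter_filter "$proto")" -w "$out/$proto.pcap"
    done
    # Protocol hierarchy plus frames/bytes per 30-second interval (beaconing check)
    { tshark -r "$pcap" -q -z io,phs; tshark -r "$pcap" -q -z io,stat,30; } \
        > "$out/IOstatistics.txt"
    tshark -r "$pcap" -q -z conv,ip  > "$out/IPstatistics.txt"
    tshark -r "$pcap" -q -z conv,tcp > "$out/TCPstatistics.txt"
    tshark -r "$pcap" -q -z http,tree > "$out/http_info.txt"
    tshark -r "$pcap" -q -z smb,srt -z smb2,srt > "$out/SMBstatistics.txt"
    # DNS A and TXT answers, one "name<TAB>rdata" line each
    tshark -r "$pcap" -Y 'dns.flags.response == 1 && dns.qry.type == 1' \
        -T fields -e dns.qry.name -e dns.a > "$out/dnsARecords.txt"
    tshark -r "$pcap" -Y 'dns.flags.response == 1 && dns.qry.type == 16' \
        -T fields -e dns.qry.name -e dns.txt > "$out/dnsTXTRecords.txt"
    # Carve HTTP objects to disk, then record their md5 hashes for later lookup
    tshark -r "$pcap" -q --export-objects "http,$out/httpObjects" > /dev/null
    sifter_hash_objects "$out/httpObjects" > "$out/httpHashToObject.txt"
    tar -czf "$out/httpObjects.tar.gz" -C "$out" httpObjects
}

if [ "$#" -ge 1 ]; then
    sift_pcap "$@"
fi
```

Run as `sh sift.sh capture.pcap [outdir]`; the carved objects under httpObjects are written to disk unmodified, so treat that directory as potentially hostile content.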
Download & Use
Copyright (c) 2021 Ross Burke