pcapinator: tool for processing a lot of pcaps using tshark
pcapinator
An application to deal with lots of pcaps by running lots of tsharks
Features
- Recursively process multiple PCAP files including those in subdirectories.
- Wrapper around editcap (Wireshark Tool) that will let the user break PCAP files into smaller pieces.
- Automatically grab all handshakes and save them both as a pcap and as a hashcat file for processing.
- Wrapper around tshark that will let the user filter pcap files for handshakes and output as pcap.
- Gathers standard wireless info and puts it into a CSV
Install
git clone https://github.com/mspicer/pcapinator.git
pip3 install python-dateutil pandas
Use
Run PCAPFix on the dataset to repair damaged or cut-short PCAPs.
./pcapinator.py --in [directory or file] --pcapfix --pcapfix_dir [directory for original pcaps before fix] --debug
Gather all of the typical wireless information from a pcap and output a single CSV. This will split the PCAP files and process them based on the number of CPU cores you have.
./pcapinator.py --in [directory or file] --wifi_csv --split --debug
Run a custom tshark query and output the fields you specify. In this case, it is searching for anything email related and outputting related interesting fields.
./pcapinator.py --in [directory or file] --query "tcp.port == 143 || tcp.port == 110 || tcp.port == 25 || tcp.port == 26 || pop || imap || smtp" --fields "-e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e text -e tcp.payload" --split --debug
A custom query to get HTTP data.
./pcapinator.py --in [directory or file] --query "http" --fields "-e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e text -e tcp.payload" --split --debug
Get a CSV file with DNS info.
./pcapinator.py --in [directory or file] --dnsSimple --split --debug
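The example below is added here and is not pcapinator's own code. It shows the mechanics the usage above relies on: composing an editcap split and a tshark query with user-supplied "-e" fields into argv lists, running one tshark per chunk across the CPU cores, and merging the tab-separated "-T fields" output of every chunk into a single CSV. The tshark options -Y, -T fields and -E, and editcap -c, are real Wireshark options; the chunk file names, the fake runner in demo(), and SAMPLE_CHUNK_OUTPUT are constructed stand-ins so the code runs without tshark installed.

```python
"""Added example (not pcapinator's code): plan editcap/tshark jobs, run them in
parallel, and merge the per-chunk '-T fields' output into one CSV."""
import csv
import io
import math
import os
import shlex
import subprocess
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional

PCAP_SUFFIXES = (".pcap", ".pcapng", ".cap")


def find_pcaps(root: str) -> List[str]:
    """Recursively collect capture files under root (the README's --in directory)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in sorted(files)
                     if f.lower().endswith(PCAP_SUFFIXES))
    return found


def chunk_size_for(total_packets: int, workers: Optional[int] = None) -> int:
    """Packets per chunk so that one editcap split yields one chunk per worker."""
    workers = workers or os.cpu_count() or 1
    return max(1, math.ceil(total_packets / workers))


def build_editcap_argv(pcap_path: str, out_dir: str, packets_per_chunk: int) -> List[str]:
    """editcap -c <n> writes numbered chunk files (chunk_00000_<timestamp>.pcap) into out_dir."""
    return ["editcap", "-c", str(packets_per_chunk), pcap_path,
            os.path.join(out_dir, "chunk.pcap")]


def build_tshark_argv(pcap_path: str, query: str, fields: str) -> List[str]:
    """One tshark invocation: display filter via -Y, README-style '-e a -e b'
    fields string, tab-separated output with a header line per run."""
    field_args = shlex.split(fields)
    # Only '-e <field>' pairs are accepted, so a stray option in the fields
    # string cannot change which files tshark reads or writes.
    if len(field_args) % 2 or not field_args or any(
            field_args[i] != "-e" for i in range(0, len(field_args), 2)):
        raise ValueError("fields must be a sequence of '-e <field>' pairs")
    return ["tshark", "-r", pcap_path, "-Y", query, "-T", "fields",
            "-E", "header=y", "-E", "separator=/t", "-E", "occurrence=f"] + field_args


def subprocess_runner(argv: List[str]) -> str:
    """Default runner: execute argv without a shell and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def run_jobs(jobs: List[List[str]], runner: Callable[[List[str]], str] = subprocess_runner,
             workers: Optional[int] = None) -> List[str]:
    """Run one tshark per chunk in parallel, one worker per CPU core by default;
    results come back in job order."""
    with ThreadPoolExecutor(max_workers=workers or os.cpu_count() or 1) as pool:
        return list(pool.map(runner, jobs))


def merge_field_output(outputs: Iterable[str]) -> List[Dict[str, str]]:
    """Each chunk's output carries its own header line; DictReader consumes it,
    so rows from every chunk end up keyed by field name."""
    rows: List[Dict[str, str]] = []
    for text in outputs:
        rows.extend(csv.DictReader(io.StringIO(text), delimiter="\t"))
    return rows


def rows_to_csv(rows: List[Dict[str, str]]) -> str:
    """Render merged rows as CSV text, columns in the order tshark emitted them."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed stand-in for what two tshark chunks would print with
# '-e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport' (RFC 5737 test addresses).
SAMPLE_CHUNK_OUTPUT = [
    "ip.src\tip.dst\ttcp.srcport\ttcp.dstport\n"
    "192.0.2.10\t198.51.100.5\t51234\t25\n",
    "ip.src\tip.dst\ttcp.srcport\ttcp.dstport\n"
    "192.0.2.11\t198.51.100.7\t51300\t143\n"
    "192.0.2.12\t198.51.100.7\t51301\t110\n",
]

MAIL_QUERY = ("tcp.port == 143 || tcp.port == 110 || tcp.port == 25 || "
              "tcp.port == 26 || pop || imap || smtp")
MAIL_FIELDS = "-e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport"


def demo() -> str:
    """Plan jobs for two hypothetical chunk files, run them through a fake
    runner that returns the sample output, and merge the result to CSV."""
    chunks = ["chunks/chunk_00000.pcap", "chunks/chunk_00001.pcap"]  # hypothetical paths
    jobs = [build_tshark_argv(c, MAIL_QUERY, MAIL_FIELDS) for c in chunks]
    fake = lambda argv: SAMPLE_CHUNK_OUTPUT[chunks.index(argv[2])]  # argv[2] is the -r path
    return rows_to_csv(merge_field_output(run_jobs(jobs, runner=fake, workers=2)))


if __name__ == "__main__":
    print(demo())
```

With real captures, replace the fake runner with the default subprocess_runner: split the input with build_editcap_argv, collect the chunk files with find_pcaps, and pass the resulting argv lists to run_jobs. Building argv lists instead of shell strings is what keeps the user-supplied query and fields from being interpreted by a shell.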
Copyright (c) 2019 Mike Spicer
Source: https://github.com/mspicer/