Friday, January 02, 2004

Chaosreader Rocks

For a while I've been looking for a program to extract application layer data from pcap files. We all know how to rebuild sessions using Ethereal and some of us know about tcpflow. Today I found Chaosreader. It's a Perl script which parses pcap or snoop files and extracts email, images, HTML, telnet sessions, and other application data. I think this part of the Perl script defines its capabilities:

# These ports have been selected to be saved as coloured 2-way HTML files
#
@Save_As_HTML_TCP_Ports = (21,23,25,79,80,109,110,119,143,513,514,1080,
    3128,4110,5000,5555,6660,6665,6666,6667,6668,7000,8000,8080,9000);
@Save_As_HTML_UDP_Ports = (53);

#
# These ports have been selected to be saved as realtime playback scripts
# (telnet, login, and numerous IRC ports)
#
@Save_As_TCP_Playback_Ports = (23,513,4110,5000,5555,6660,6666,6667,
    6668,7000,8000,9000);
@Save_As_UDP_Playback_Ports = (7);

Chaosreader presents the information in .html files for easy browsing. When it rebuilds a session, say for telnet, it creates a Perl script that you can run to watch the keystrokes replay in real time. I'm looking forward to seeing the author implement X11 replay. The Review package is supposed to have this capability but I've never tried it.
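
The port lists quoted above imply that what gets the HTML or playback treatment depends on the port a session uses. The following is an added example, not Chaosreader's code and not from the original post: a small Python parser for classic pcap files that reports which packets fall on listed ports. It assumes a match on either the source or the destination port; the function names and the sample capture are constructed for illustration.

```python
import struct

# Port lists copied from the Chaosreader excerpt quoted in the post.
HTML_TCP = {21, 23, 25, 79, 80, 109, 110, 119, 143, 513, 514, 1080, 3128, 4110, 5000,
            5555, 6660, 6665, 6666, 6667, 6668, 7000, 8000, 8080, 9000}
HTML_UDP = {53}
PLAY_TCP = {23, 513, 4110, 5000, 5555, 6660, 6666, 6667, 6668, 7000, 8000, 9000}
PLAY_UDP = {7}

def packets(pcap):
    """Yield (proto, sport, dport) for IPv4 TCP/UDP frames in a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    off = 24  # size of the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]  # captured length
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4
        l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IP header length
        fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] not in (6, 17) or fragment_offset or len(frame) < l4 + 4:
            continue  # not TCP/UDP, or no port fields in this packet
        yield ("tcp" if frame[23] == 6 else "udp", *struct.unpack("!HH", frame[l4:l4 + 4]))

# Assumption: a session is selected when either endpoint port is in a list.
def classify(proto, sport, dport):
    """Return (html, playback) flags for one packet's port pair."""
    html, play = (HTML_TCP, PLAY_TCP) if proto == "tcp" else (HTML_UDP, PLAY_UDP)
    return bool({sport, dport} & html), bool({sport, dport} & play)

def report(pcap):
    return [(p, s, d, *classify(p, s, d)) for p, s, d in packets(pcap)]

def _frame(proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with a minimal 8-byte transport header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0)

# Constructed sample capture: telnet, HTTP, telnet on an unlisted port, DNS, echo.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in (_frame(6, 40000, 23), _frame(6, 40001, 80), _frame(6, 40002, 2323),
              _frame(17, 40003, 53), _frame(17, 40004, 7)))

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

In the sample, the telnet session moved to port 2323 matches neither list, which is the case to check for when a capture contains services on non-standard ports.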
