Dshell is a network forensic analysis framework.

Related tags

NetworkingDshell
Overview

Dshell

An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

Key features:

  • Deep packet analysis using specialized plugins
  • Robust stream reassembly
  • IPv4 and IPv6 support
  • Custom output handlers
  • Chainable plugins

Requirements

Optional

  • oui.txt
    • used by some plugins that handle MAC addresses
    • place in /data/
  • elasticsearch
    • used in the elasticout output module
    • only necessary if planning to use elasticsearch to store output
  • pyJA3
    • used in the tls plugin

Major Changes Since Previous Release

  • This is a major framework update to Dshell. Plugins written for the previous version are not compatible with this version, and vice versa.
  • Uses Python 3
    • Rewritten in Python 3 from the ground up. Python 2 language deprecated on 1 JAN 2020
    • By extension, dpkt and pypcap have been replaced with Python3-friendly pypacker and pcapy (respectively).
  • Is a Python package
    • Converted into a single package, removing the need for the shell to set several environment variables.
    • Allows easier use of Dshell plugins in other Python scripts
  • Changed "decoders" to "plugins"
    • Primarily a word-swap, to clarify that "decoders" can do more than simply decode traffic, and to put Dshell more in line with the terminology of other frameworks.
  • Significant reduction in camelCase functions, replaced with more Pythonic snake_case functions.
    • Notable examples include blobHandler->blob_handler, rawHandler->raw_handler, connectionInitHandler->connection_init_handler, etc.
  • All plugins are now chainable
    • To accommodate this, handler functions in plugins must now use return statements indicating whether a packet, connection, or similar will continue to the next plugin. The type of object(s) to return depends on the type of handler, but will generally match the types of the handler's input. Dshell will display a warning if it's not the right type.
  • Plugins can now use all output modules* available to the command line switch, -O
    • That does not mean every output module will be useful to every plugin (e.g. using netflow output for a plugin that looks at individual packets), but they are available.
    • alert(), write(), and dump() are now the same function: write()
    • Output modules can be listed with a new flag in decode.py, --list-output or --lo
    • Arguments for output modules are now passed with the --oargs command-line argument
    • * pcapout is (currently) the exception to this rule. A method has yet to arise that allows it to work with connection-based plugins
  • No more dObj declaration
    • decode.py just looks for the class named DshellPlugin and creates an instance of that
  • Improved error handling
    • Dshell handles more of the most common exceptions during everyday use
  • Enables development of external plugin packs, allowing the sharing and installation of new, externally-developed plugins without overlapping the core Dshell libraries.

Installation

  1. Install Dshell with pip
  • sudo python3 -m pip install Dshell/ OR sudo python3 -m pip install
  1. Configure geoip2 by moving the MaxMind data files (GeoLite2-ASN.mmdb, GeoLite2-City.mmdb, GeoLite2-Country.mmdb) to /data/GeoIP/
  2. Run dshell. This should drop you into a Dshell> prompt.

Basic Usage

  • decode -l
    • This will list all available plugins, alongside basic information about them
  • decode -h
    • Show generic command-line flags available to most plugins
  • decode -p
    • Display information about a plugin, including available command line flags
  • decode -p
    • Run the selected plugin on a pcap file
  • decode -p +
    • Chain two (or more) plugins together and run them on a pcap file
  • decode -p -i
    • Run the selected plugin live on an interface (may require superuser privileges)

Usage Examples

Showing DNS lookups in sample traffic

Dshell> decode -p dns ~/pcap/dns.cap |sort
[DNS] 2005-03-30 03:47:46    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 4146, TXT? google.com., TXT: b'\x0fv=spf1 ptr ?all' **
[DNS] 2005-03-30 03:47:50    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 63343, MX? google.com., MX: b'\x00(\x05smtp4\xc0\x0c', MX: b'\x00\n\x05smtp5\xc0\x0c', MX: b'\x00\n\x05smtp6\xc0\x0c', MX: b'\x00\n\x05smtp1\xc0\x0c', MX: b'\x00\n\x05smtp2\xc0\x0c', MX: b'\x00(\x05smtp3\xc0\x0c' **
[DNS] 2005-03-30 03:47:59    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 18849, LOC? google.com. **
[DNS] 2005-03-30 03:48:07    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 39867, PTR? 104.9.192.66.in-addr.arpa., PTR: 66-192-9-104.gen.twtelecom.net. **
[DNS] 2005-03-30 03:49:18    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 30144, A? www.netbsd.org., A: 204.152.190.12 (ttl 82159s) **
[DNS] 2005-03-30 03:49:35    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 61652, AAAA? www.netbsd.org., AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) **
[DNS] 2005-03-30 03:50:35    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 32569, AAAA? www.netbsd.org., AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) **
[DNS] 2005-03-30 03:50:44    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 36275, AAAA? www.google.com., CNAME: 'www.l.google.com.' **
[DNS] 2005-03-30 03:50:54    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 56482, AAAA? www.l.google.com. **
[DNS] 2005-03-30 03:51:35    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 48159, AAAA? www.example.com. **
[DNS] 2005-03-30 03:51:46    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 9837, AAAA? www.example.notginh., NXDOMAIN **
[DNS] 2005-03-30 03:52:17    192.168.170.8:32795 --   192.168.170.20:53    ** ID: 65251, AAAA: 2001:4f8:0:2::d (ttl 600s), A: 204.152.184.88 (ttl 600s) **
[DNS] 2005-03-30 03:52:17    192.168.170.8:32796 --   192.168.170.20:53    ** ID: 23123, PTR? 1.0.0.127.in-addr.arpa., PTR: localhost. **
[DNS] 2005-03-30 03:52:17    192.168.170.8:32797 --   192.168.170.20:53    ** ID: 8330, NS: b'\x06ns-ext\x04nrt1\xc0\x0c', NS: b'\x06ns-ext\x04sth1\xc0\x0c', NS: b'\x06ns-ext\xc0\x0c', NS: b'\x06ns-ext\x04lga1\xc0\x0c' **
[DNS] 2005-03-30 03:52:17   192.168.170.56:1707  --      217.13.4.24:53    ** ID: 12910, SRV? _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.utelsystems.local., NXDOMAIN **
[DNS] 2005-03-30 03:52:17   192.168.170.56:1708  --      217.13.4.24:53    ** ID: 61793, SRV? _ldap._tcp.dc._msdcs.utelsystems.local., NXDOMAIN **
[DNS] 2005-03-30 03:52:17   192.168.170.56:1709  --      217.13.4.24:53    ** ID: 33633, SRV? _ldap._tcp.05b5292b-34b8-4fb7-85a3-8beef5fd2069.domains._msdcs.utelsystems.local., NXDOMAIN **
[DNS] 2005-03-30 03:52:17   192.168.170.56:1710  --      217.13.4.24:53    ** ID: 53344, A? GRIMM.utelsystems.local., NXDOMAIN **
[DNS] 2005-03-30 03:52:25   192.168.170.56:1711  --      217.13.4.24:53    ** ID: 30307, A? GRIMM.utelsystems.local., NXDOMAIN **

Following and reassembling a stream in sample traffic

Index of /

Index of /

Icon  Name                    Last modified      Size  Description
  
[DIR] 202-vorbereitung/ 06-Jul-2007 14:31 - [   ] Efficient_Video_on_d..> 19-Dec-2006 03:17 291K [   ] Welcome Stranger!!! 28-Dec-2006 03:46 0 [TXT] barschel.htm 31-Jul-2007 02:21 44K [DIR] bnd/ 30-Dec-2006 08:59 - [DIR] cia/ 28-Jun-2007 00:04 - [   ] cisco_ccna_640-801_c..> 28-Dec-2006 03:48 236K [DIR] doc/ 19-Sep-2006 01:43 - [DIR] freenetproto/ 06-Dec-2006 09:00 - [DIR] korrupt/ 03-Jul-2007 11:57 - [DIR] mp3_technosets/ 04-Jul-2007 08:56 - [TXT] neues_von_rainald_go..> 21-Mar-2007 23:27 31K [TXT] neues_von_rainald_go..> 21-Mar-2007 23:29 36K [   ] pruef.pdf 28-Dec-2006 07:48 88K
">
Dshell> decode -p followstream ~/pcap/v6-http.cap 
Connection 1 (TCP)
Start: 2007-08-05 15:16:44.189851
End:   2007-08-05 15:16:44.219460
2001:6f8:102d:0:2d0:9ff:fee3:e8de: 59201 -> 2001:6f8:900:7c0::2:    80 (300 bytes)
2001:6f8:900:7c0::2:    80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de: 59201 (2379 bytes)

GET / HTTP/1.0
Host: cl-1985.ham-01.de.sixxs.net
Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01
Accept-Encoding: gzip, bzip2
Accept-Language: en
User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b



HTTP/1.1 200 OK
Date: Sun, 05 Aug 2007 19:16:44 GMT
Server: Apache
Content-Length: 2121
Connection: close
Content-Type: text/html



 
  Index of /
 
 

Index of /

Icon  Name                    Last modified      Size  Description
    
[DIR] 202-vorbereitung/ 06-Jul-2007 14:31 - [   ] Efficient_Video_on_d..> 19-Dec-2006 03:17 291K [   ] Welcome Stranger!!! 28-Dec-2006 03:46 0 [TXT] barschel.htm 31-Jul-2007 02:21 44K [DIR] bnd/ 30-Dec-2006 08:59 - [DIR] cia/ 28-Jun-2007 00:04 - [   ] cisco_ccna_640-801_c..> 28-Dec-2006 03:48 236K [DIR] doc/ 19-Sep-2006 01:43 - [DIR] freenetproto/ 06-Dec-2006 09:00 - [DIR] korrupt/ 03-Jul-2007 11:57 - [DIR] mp3_technosets/ 04-Jul-2007 08:56 - [TXT] neues_von_rainald_go..> 21-Mar-2007 23:27 31K [TXT] neues_von_rainald_go..> 21-Mar-2007 23:29 36K [   ] pruef.pdf 28-Dec-2006 07:48 88K

Chaining plugins to view flow data for a specific country code in sample traffic (note: TCP handshakes are not included in the packet count)

Dshell> decode -p country+netflow --country_code=JP ~/pcap/SkypeIRC.cap
2006-08-25 15:32:20.766761       192.168.1.2 ->  202.232.205.123  (-- -> JP)   UDP   60583   33438     1      0       64        0  0.0000s
2006-08-25 15:32:20.634046       192.168.1.2 ->  202.232.205.123  (-- -> JP)   UDP   60583   33435     1      0       64        0  0.0000s
2006-08-25 15:32:20.747503       192.168.1.2 ->  202.232.205.123  (-- -> JP)   UDP   60583   33437     1      0       64        0  0.0000s
2006-08-25 15:32:20.651501       192.168.1.2 ->  202.232.205.123  (-- -> JP)   UDP   60583   33436     1      0       64        0  0.0000s

Collecting DNS traffic from several files and storing it in a new pcap file.

Dshell> decode -p dns+pcapwriter --pcapwriter_outfile=test.pcap ~/pcap/*.cap >/dev/null
Dshell> tcpdump -nnr test.pcap |head
reading from file test.pcap, link-type EN10MB (Ethernet)
15:36:08.670569 IP 192.168.1.2.2131 > 192.168.1.1.53: 40209+ A? ui.skype.com. (30)
15:36:08.670687 IP 192.168.1.2.2131 > 192.168.1.1.53: 40210+ AAAA? ui.skype.com. (30)
15:36:08.674022 IP 192.168.1.1.53 > 192.168.1.2.2131: 40209- 1/0/0 A 212.72.49.131 (46)
15:36:09.011208 IP 192.168.1.1.53 > 192.168.1.2.2131: 40210 0/1/0 (94)
15:36:10.171350 IP 192.168.1.2.2131 > 192.168.1.1.53: 40210+ AAAA? ui.skype.com. (30)
15:36:10.961350 IP 192.168.1.1.53 > 192.168.1.2.2131: 40210* 0/1/0 (85)
15:36:10.961608 IP 192.168.1.2.2131 > 192.168.1.1.53: 40211+ AAAA? ui.skype.com. (30)
15:36:11.294333 IP 192.168.1.1.53 > 192.168.1.2.2131: 40211 0/1/0 (94)
15:32:21.664798 IP 192.168.1.2.2130 > 192.168.1.1.53: 39862+ A? ui.skype.com. (30)
15:32:21.664913 IP 192.168.1.2.2130 > 192.168.1.1.53: 39863+ AAAA? ui.skype.com. (30)

Collecting TFTP data and converting alerts to JSON format using sample traffic

Dshell> decode -p tftp -O jsonout ~/pcap/tftp_*.pcap
{"dport": 3445, "dip": "192.168.0.10", "data": "read  rfc1350.txt (24599 bytes) ", "sport": 50618, "readwrite": "read", "sip": "192.168.0.253", "plugin": "tftp", "ts": 1367411051.972852, "filename": "rfc1350.txt"}
{"dport": 2087, "dip": "192.168.0.13", "data": "write rfc1350.txt (24599 bytes) ", "sport": 57509, "readwrite": "write", "sip": "192.168.0.1", "plugin": "tftp", "ts": 1367053679.45274, "filename": "rfc1350.txt"}

Running a plugin within a separate Python script using sample traffic

# Import required Dshell libraries
import dshell.decode as decode
import dshell.plugins.tftp.tftp as tftp

# Instantiate plugin
plugin = tftp.DshellPlugin()
# Define plugin-specific arguments, if needed
dargs = {plugin: {"outdir": "/tmp/"}}
# Add plugin(s) to plugin chain
decode.plugin_chain = [plugin]
# Run decode main function with all other arguments
decode.main(
    debug=True,
    files=["/home/user/pcap/tftp_rrq.pcap", "/home/user/pcap/tftp_wrq.pcap"],
    plugin_args=dargs
)
Comments
  • Captureing network traffic and MaxMind GeoLite databases

    Captureing network traffic and MaxMind GeoLite databases

    Hello,

    I need your help on two points:

    1. I want to record a PCAP file using the decoder.

    I try the following command:

    decode -d writer -i INTERFACE -o pcap FILE NAME

    He gives me the following error message:

    WARNING:writer:rawHandler() got an unexpected keyword argument 'smac'

    Do you know what it is?

    1. The Dshell guide says that you should copy the following databases into the GeoIP folder:

    GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat

    The linked URL "https://dev.maxmind.com/geoip/geoip2/geolite2/" only has the GeoLite2 databases left:

    GeoLite2 City, ... Country, ... ASN

    These contain databases, but no longer the files mentioned above.

    Does this still work?

    opened by ghost 12
  • No results running live capture's plugins on interfaces

    No results running live capture's plugins on interfaces

    Hey! I hope this message finds you well.

    So, I'm trying to run some plugins to live capture on a well configured interface and I got no results.

    The Dshell prompt is presented again after I execute the decode command.

    Dshell> decode -i ens5f0 -d search --search_expression UPDATE Dshell>

    Any help?

    Best regards.

    opened by paulofdantas 7
  • Override line-break delimiter for followstream module

    Override line-break delimiter for followstream module

    This may just be personal preference, but the line-break added to the end of each blob in followstream output makes typical flows more difficult to read (for me). Without the line-break, the output more closely approximates that of Wireshark's follow stream output.

    opened by amm3 7
  • Documentation  README.md unclear regarding /share/GeoIP/

    Documentation README.md unclear regarding /share/GeoIP/

    README.md states:

    1. Configure pygeoip by moving the MaxMind data files (GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat) to /share/GeoIP/"

    Should that be /home/[username]/share/GeoIP

    or

    sudo mkdir /usr/local/share/GeoIP/ ?

    It is a bit unclear in README.md.

    opened by pauljamesharper 6
  • Error with created Connection for chained decoders

    Error with created Connection for chained decoders

    Pull #99 created a case where, if a decoder (such as xor) internally creates a Connection (e.g. for use with downstream chained decoders), the new object's nextoffset member references NoneType values instead of integers. And within the context of normal chained decoder operation, there is no condition wherein IPHandler would be called with a SYN flag to establish the natural starting offsets.

    Prior to #99, the default values were 0, so the internal object would function, albeit with artificial sequence numbers.

    My proposed solution is to manually (in the decoder) set the starting values of nextoffset to match the values of the "parent" Connection.

    Note: This condition doesn't impact other chainable decoders (such as country filters or grep) because those decoders don't create a new Connection object. They simply select which connections to pass downstream vs not.

    For reference, the following error was observed running xor+followstream, leading to the identification of this bug:

    ARNING:xor:unsupported operand type(s) for +: 'NoneType' and 'int'
    WARNING:xor:unsupported operand type(s) for +: 'NoneType' and 'int'
    WARNING:xor:unsupported operand type(s) for +: 'NoneType' and 'int'
    
    opened by amm3 5
  • Create ALT-Makefile

    Create ALT-Makefile

    make file for Linux System packaging , at least friendlier DESTDIR=/opt/Dshell

    may be some to-do's per say ,

    but with SRPM spec from others or debian control spec , and or my ebuild
    MV Makefile Makefile.orginal mv ALT-Makefile Makefile Emake ALL

    also can add on third party Plugins /decoders via packaging and call a script to build or rebuild decoders allowing $USER/.dshell/logs etc to be made might be an improvement if not running as sudo/su.

    Make Dshell use avalible to more users.

    opened by necrose99 5
  • strip layers for pppoe and other layer

    strip layers for pppoe and other layer

    Hi

    I can't seem to get dshell working with pcaps saved to disk or traffic from an interface. In wireshark the traffic has the pppoe layer above the ethernet layer, and another layer above the pppoe one, which wireshark calls 'Point-to-point Protocol' and is 2 bytes in length.

    I've started dshell with --strip= all numbers from 1 to 6, with nothing happening, the pcap definitely has dns traffic in it. --strip requires an int, so what should I give it?

    Many thanks

    opened by biatwc 5
  • is it possible to include the sample pcap in the project?

    is it possible to include the sample pcap in the project?

    I haven't do the network data capture and analysis for quite a while. mainly because being lazy. is it possible to include those pcap files mentioned in the README file ?

    opened by zinking 5
  • setup.py, Python Distutils

    setup.py, Python Distutils

    DestDir isnt cleanly defined in makefile so thus its a royal pest to package DSHELL on many distros....

    gentoo uses sandbox /var/portage/$Packagename/$package-version/build , D$ would fake the root based on DestDir's else i have to force {$ROOT} to force make a root-fs tree in sandbox (and it works about as well as a cluster-F####) {9999 is customary for Live-git version } once built then it gets copied over to actual install tree and temp paths removed. unfortunately .dshellrc dshell-decode dshell gets real paths and has to get fixed. basically it jumps out of security sandbox so it doesn't package well as is.
    however python most of all DISTUTILS packages goes up without a hitch. some require nominal patching to behave...

    A: distro or system Agnostic is the power of distutils https://docs.python.org/2/distutils/setupscript.html ie python setup.py /Dshell/share/GeoIP copy if exsits /usr/share/GeoIP file symlinks etc.
    B: makes for Easier Agnostic Packaging by Linux distros , adds consistent directories for 3rd parity add on modules. C: Can define USER or SYSTEM mode installs default-sysntem .dshell > /etc/skel/ so thus it is copied over to many users on login (usr /home/$username/Dshell-path/....... Symlink /opt/bin/Dshell or /usr/bin/Dshell/ dshell-decode dshell @/usr/bin Dshell/docs to /usr/share/doc/Dshell as many of the docs are dynamically generated. d: RPM/DEB /MSI ETC are a nice added bonus feature of python distutils , In theory Dshell could be just as easily patched for windows Boxes with a good and proper Python setup. and or even MACOS etc natives. as add-on modules that do added packaging, RPM or Deb , etc could be added on to the main modules , and then system packages generated for users conveniences latter. E: find any missing docs or apply updates. new modules etc.

    https://pythonhosted.org/setuptools/python3.html https://github.com/pypa/sampleproject https://docs.python.org/2.0/dist/creating-rpms.html https://ghantoos.org/2008/10/19/creating-a-deb-package-from-a-python-setuppy/ http://cyrille.rossant.net/create-a-standalone-windows-installer-for-your-python-application/

    [install] prefix=/usr/bin/Dshell install_lib=//usr/bin/Dshell/lib install_scripts=/usr/bin/Dshell/bin etc.

    [bdist_wininst] prefix=/c:/Dshell install_lib=/some/lib/path install_scripts=/some/bin/path

    opened by necrose99 4
  • ElasticSearch Output module

    ElasticSearch Output module

    This is a new output module for elasticsearch. It works standalone with --output elasticout,host=ES_HOST,index=INDEXNAME, but I find it also useful to extend the class. This allows for more centralized control over the cluster and dynamic/deterministic index names and doc IDs.

    opened by amm3 4
  • pcapslice

    pcapslice

    This is a utility to split pcap files by ip src/dst pair or tcp/udp stream using Dshell's PCAPWriter() to write the output files. This is sometimes useful when trying to process pcap in dshell that contains numerous and interleaved really large streams.

    opened by amm3 4
  • module 'distutils.sysconfig' has no attribute '_init_posix'

    module 'distutils.sysconfig' has no attribute '_init_posix'

    There seems to be an issue with installing pcapy: https://github.com/helpsystems/pcapy/issues/73 which is preventing installation of DShell.

    Collecting pcapy
      Downloading pcapy-0.11.4.tar.gz (37 kB)
      Preparing metadata (setup.py) ... error
      error: subprocess-exited-with-error
      
      × python setup.py egg_info did not run successfully.
      │ exit code: 1
      ╰─> [6 lines of output]
          Traceback (most recent call last):
            File "<string>", line 2, in <module>
            File "<pip-setuptools-caller>", line 34, in <module>
            File "/tmp/pip-install-nqz_zlei/pcapy_e1a8e2d5b3794862af12f48d4e4fdfdc/setup.py", line 49, in <module>
              save_init_posix = sysconfig._init_posix
          AttributeError: module 'distutils.sysconfig' has no attribute '_init_posix'
          [end of output]
    

    It appears unlikely that pcapy will release a fix for the issue since the latest commit was back in 2019. A possible work around is to use pcapy-ng (https://github.com/stamparm/pcapy-ng/) instead pcapy. Update the pcapy to pcapy-ng in setup.py

        install_requires=[
            "geoip2",
            "pcapy-ng",
            "pypacker",
        ],
    
    opened by eddocode 0
  • Blob handling

    Blob handling

    It appears that the blob_handler() function isn't getting called at certain critical junctures. My understanding was that the core code would call this function (if defined in a plugin) as it processed packets, every time the stream changed direction. It actually looks like the blob_handlers aren't called until the connection closes and the blobs are formed/iterated.

    opened by amm3 3
  • Updates to TLS module

    Updates to TLS module

    • Moves parsing of TLS extensions to a common function, invoked in parsing both the ClientHello and ServerHello.
    • Includes SSL/TLS version string in primary output and kw values
    opened by amm3 0
  • VLAN Wrapper Not Applied to Pcapy Reader

    VLAN Wrapper Not Applied to Pcapy Reader

    The only invocation of setfilter() on the capture device (pcapy.Reader class) is based on the initial_bpf from the first plugin on the chain.

    Because of this, any efforts to expand the filter are moot. Narrowing of the filter seems effective through manipulating compiled bpf filters on the plugin objects, but only the packets pulled from the wire or file (governed by the pcapy.Reader filter) are ever passed to the feed_plugin_chain function.

    It seems we may need a mechanism to update the Reader filter when bpf filters are changed in the plugin chain. But this is not trivial, because recompiling bpf happens in the plugin object and the instantiated Reader appears only in decode.py.

    I initially noticed this because the automatic vlan wrapper wasn't working with any plugin on vlan tagged PCAP files, but it has potential effects also in chained plugins and plugins that dynamically alter their bpf filters.

    opened by amm3 2
Releases(v3.1.3)
  • v3.1.3(Sep 22, 2020)

    Major version update/rewrite to Dshell, now using Python 3. See README for more details.

    Highlights:

    • This is a major framework update to Dshell. Plugins written for the previous version are not compatible with this version, and vice versa.
    • Uses Python 3
      • Rewritten in Python 3 from the ground up. Python 2 language deprecated on 1 JAN 2020
      • By extension, dpkt and pypcap have been replaced with Python 3-friendly pypacker and pcapy (respectively).
    • Is a Python package
    • All plugins are chainable
    • Plugins can use all output modules
    • Improved error handling
    • Enables development of external plugin packs, allowing the sharing and installation of new, externally-developed plugins without overlapping the core Dshell libraries.
    Source code(tar.gz)
    Source code(zip)
  • v2.4.10(Sep 1, 2020)

    Tagging the current version of Dshell 2 in preparation for our upcoming release of Dshell 3, the new version of Dshell for Python 3. See the README 'News' section for more information.

    Source code(tar.gz)
    Source code(zip)
Owner
DEVCOM Army Research Laboratory
Discover, innovate, and transition science and technology to ensure dominant strategic land power.
DEVCOM Army Research Laboratory
A TCP Chatroom built with python and TCP/IP sockets, consisting of a server and multiple clients which can connect with the server and chat with each other.

A TCP Chatroom built with python and TCP/IP sockets, consisting of a server and multiple clients which can connect with the server and chat with each other. It also provides an Admin role with featur

3 May 22, 2022
Wifi-Jamming is a simple, yet highly effective method of causing a DoS on a wireless implemented using python pyqt5.

pyqt5-linux-wifi-jamming-tool Linux-Wifi-Jamming is a simple GUI tool, yet highly effective method of causing a DoS on a wireless implemented using py

lafesa 8 Dec 05, 2022
Simple app that redirect fixed URL to changing URL, configurable via POST requests

This is a basic URL redirection service. It stores associations between apps and redirection URLs, for apps with changing URLs. You can then use GET r

Maxime Weyl 2 Jan 28, 2022
Minimal, self-hosted, 0-config alternative to ngrok. Caddy+OpenSSH+50 lines of Python.

If you have a webserver running on one computer (say your development laptop), and you want to expose it securely (ie HTTPS) via a public URL, SirTunnel allows you to easily do that.

Anders Pitman 423 Jan 02, 2023
Timeouts for popular Python packages

Python Timeouts An unresponsive service can be worse than a down one. It can tie up your entire system if not handled properly. All network requests s

Andrew Kane 11 Nov 22, 2022
A simple multi-threaded time server and client in python.

time-server-client A simple multi-threaded time server and client in Python. This uses the latest match/case command found in Python 3.10 so requires

Zeeshan Mulk 1 Jan 29, 2022
Network Dynaimcs Simulation

A Final Year Project in CUHK, Autumn 2021 Network Dynaimcs Simulation Files param.h edit all the variables & settings here simulate.c the main program

Likchun 0 Mar 28, 2022
Simple python script for automated network scans with random name generator(useful for CTF boxes).

📄 Automated NMAP script Description Simple python script for automated network scans with random name generator(useful for CTF boxes). Requirements 1

Dhmos Funk 2 Oct 29, 2021
NSX-T infrastructure as code - SDDC deployment

Deploy NSX-T Infrastructure - Simple Topology by Nicolas MICHEL @vpackets / LinkedIn Introduction The purpose of this entire repository is to automate

21 Nov 28, 2022
Utility for converting IP Fabric webhooks into a Teams format.

IP Fabric Webhook Integration for Microsoft Teams and/or Slack Setup IP Fabric Setup Go to Settings Webhooks Add webhook Provide a name URL will b

Community Fabric 1 Jan 26, 2022
Mini SCADA. Poll modbus devices by TCP/IP network.

Plans Add saving and loading devices and channels with files or db or someone else. Multitasking system for poll all devices Automatic optimization po

Efi_fi 1 Oct 25, 2021
Easy-to-use sync library for handy proxy parse

Proxy Parser About Synchronous library, for convenient and fast parsing of proxies from different sources. Uses Scrapy as a parser. At the moment the

Michael Mironov 2 Nov 22, 2022
Get Your Localhost Online - Ngrok Alternative

Get Your Localhost Online - Ngrok Alternative

Azimjon Pulatov 442 Jan 04, 2023
Build custom OSINT tools and APIs (Ping, Traceroute, Scans, Archives, DNS, Scrape, Whois, Metadata & built-in database for more info) with this python package

Build custom OSINT tools and APIs with this python package - It includes different OSINT modules (Ping, Traceroute, Scans, Archives, DNS, Scrape, Whoi

QeeqBox 52 Jan 06, 2023
This tool is for finding more detailed information of an IP Address.

This tool is for finding more detailed information of an IP Address.

3 Oct 08, 2021
A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux

arp_spoofer A repository to spoof ARP table of any devices and successfully establish Man in the Middle(MITM) attack using Python3 in Linux Usage: git

Surya Das N 1 Oct 30, 2021
Ipscanner - A simple threaded IP-Scanner written in python3 that can monitor local IP's in your network

IPScanner 🔬 A simple threaded IP-Scanner written in python3 that can monitor lo

4 Dec 12, 2022
wg-exporter is a simple yet effective Prometheus exporter for Wireguard

wg-exporter wg-exporter is a simple yet effective Prometheus exporter for Wireguard. What are the collected metrics ? General: wg_connected_peers: num

men1n2 3 May 20, 2022
ProxyBroker is an open source tool that asynchronously finds public proxies from multiple sources and concurrently checks them

ProxyBroker is an open source tool that asynchronously finds public proxies from multiple sources and concurrently checks them. Features F

Denis 3.2k Jan 04, 2023
pyngrok is a Python wrapper for ngrok

pyngrok is a Python wrapper for ngrok that manages its own binary, making ngrok available via a convenient Python API.

Alex Laird 329 Dec 31, 2022