pcaprunner Wiki

Analizes PCAP files and gives statistics about IP packets.

PCAPRUNNER

Authors:

PCAPRUNNER

PCAPRUNNER is a command line tool that runs through PCAP files and statistically analyzes IP packets. Other packets are ignored. Adresses, ports, oldest timestamp, youngest timestamp (first seen / last seen), the quantity of packets and the sum of the packet volumes (as given in the PCAP file as orig_len) are listed.

PCAPRUNNER uses only the C standard library, no LIBPCAP..

Compile:

gcc -o pcaprunner pcaprunner_vX.Y.c or use make.

The programm is written on a Linux / x86_64 based system. It had also been ported to Windows using mingw-w64-gcc, so you can use pcaprunner.exe or the GUI pcaprunner_gui.exe.

Usage:

pcaprunner [--help] [-h] [-r] [-s] [-l] [-b] [-p] [-v] [-a DELIMITER ] [-d DELIMITER] [-w PCNF-FILE] [-j JSON-FILE] INFILE1 [INFILE2 ...]

Input file format ist PCAP or PCNF.

Options:

--help, -h
-r Print timestamps and traffic volumes in human readable format. The time stamps are taken from the PCAP files without any validation or adjustment.
-s Print statistics about single addresses (default if not -w or -j). The list starts with the address of largest traffic volume. In most scenarios this should be the observed address.
-l Print statistics about links (traffic from source to destination address).
-b Print statistics about bidirectional links (traffic inbetween addresses, both directions).
-p Print statistics about ports per address (one address, one port).
-v Verbose print netflow data. This will give the traffic inbetween same addresses and ports (logical "and" = "&&" - this is the most differentiated statistic).
-c Print a head line with the meaning of the columns as first line before the data sets.
-a DELIMITER Sets the delimiter character inbetween IP address and port number. Default is ':'.
-d DELIMITER Sets the delimiter character inbetween other data. Default is tab stop.
-w PCNF-FILE Write output to file. The file format is PCNF. You should name it 'FILENAME.pcnf'. PCNF is the native binary file format. It is effective for large PCAP files to do this first.
-j JSON-FILE Write output to file. The file format is JSON. You should name it 'FILENAME.json'. You might use Python ore some other laguage to use the data.

Only one statistic / output at a time. Best choice for big data is to use -w on the first run. Example: pcaprunner -w neflow.pcnf dump1.pcap dump2.pcap

Example:

pcaprunner -s -r -c -w outfile.pcnf dump1.pcap dump2.pcap = writes statistic data to file and gives infos about single IP addresses on stdout

Development and License:

The use, development, distribution, etc. of the script is subject to the restrictions of GPL Version 3. The tools are in beta state. The developer is not responsible for the use of the tools. Accuracy is not garanteed. You are welcome to participate or donate to the development. Feel free to report bugs or give suggestions by email to:

markus.thilo@gmail.com

Project page:

https://github.com/markusthilo/netflower