Operation request: PCAP parser

Open n1474335 opened this issue 6 years ago • 3 comments

Summary

Now that CyberChef can handle large files, it would be useful to create an operation that can parse PCAPs. This operation would not include full stack protocol parsing, just the ability to separate out individual packets and perhaps specify which packets to display. Ideally it would support both .pcap and .pcap-ng formats.

n1474335 avatar Mar 23 '18 18:03 n1474335
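The packet separation requested above, sketched as an added example for the classic .pcap layout only (pcapng is not handled). This is not CyberChef code and not the code from the branch mentioned later in the thread; `splitPcap` and `buildSample` are hypothetical names, and the sample capture is constructed.

```javascript
// Added example, not CyberChef code: split a classic .pcap capture into packet records.
function splitPcap(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (view.byteLength < 24) throw new Error("truncated pcap file header");
  // The magic number, read big-endian, gives byte order and timestamp precision.
  const magics = {
    0xa1b2c3d4: { le: false, nanos: false },
    0xd4c3b2a1: { le: true, nanos: false },
    0xa1b23c4d: { le: false, nanos: true },
    0x4d3cb2a1: { le: true, nanos: true },
  };
  const fmt = magics[view.getUint32(0, false)];
  if (!fmt) throw new Error("not a classic pcap file (pcapng has a different layout)");
  const linkType = view.getUint32(20, fmt.le);
  const packets = [];
  let off = 24;
  while (off + 16 <= view.byteLength) {
    const tsSec = view.getUint32(off, fmt.le);
    const tsFrac = view.getUint32(off + 4, fmt.le); // micro- or nanoseconds
    const inclLen = view.getUint32(off + 8, fmt.le); // bytes stored in the file
    const origLen = view.getUint32(off + 12, fmt.le); // bytes seen on the wire
    // inclLen comes from the (untrusted) file: bound it before slicing.
    if (inclLen > view.byteLength - off - 16) {
      throw new Error(`packet ${packets.length}: length ${inclLen} exceeds file`);
    }
    const data = bytes.subarray(off + 16, off + 16 + inclLen);
    packets.push({ index: packets.length, tsSec, tsFrac, origLen, data });
    off += 16 + inclLen;
  }
  // Leftover bytes shorter than a record header mean the capture was cut off.
  return { linkType, nanos: fmt.nanos, truncated: off !== view.byteLength, packets };
}

// Constructed sample: little-endian file, link type 1 (Ethernet), two tiny packets.
function buildSample() {
  const payloads = [[0xde, 0xad, 0xbe, 0xef], [0x01, 0x02]];
  const size = 24 + payloads.reduce((n, p) => n + 16 + p.length, 0);
  const out = new Uint8Array(size);
  const v = new DataView(out.buffer);
  v.setUint32(0, 0xa1b2c3d4, true); v.setUint16(4, 2, true); v.setUint16(6, 4, true);
  v.setUint32(16, 65535, true); v.setUint32(20, 1, true); // snaplen, link type
  let off = 24;
  payloads.forEach((p, i) => {
    v.setUint32(off, 1521828180 + i, true); // constructed timestamp
    v.setUint32(off + 8, p.length, true); v.setUint32(off + 12, p.length, true);
    out.set(p, off + 16); off += 16 + p.length;
  });
  return out;
}
```

Each returned `data` is a view onto the input buffer rather than a copy, which matters for the large files the issue mentions.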

Could use libwireshark and compile with emscripten? Might be faster than a full JS implementation.

mattnotmitt avatar Jan 11 '19 19:01 mattnotmitt

Yes, this might work. There is a lot we could do with PCAP support. A fully working port of libwireshark would enable a lot of that.

n1474335 avatar Jan 18 '19 14:01 n1474335

I've tried implementing PCAP parsing without a libwireshark port (branch), but I'm not sure whether the packet-viewing and overall analysis functionality should be split into separate operations or could the packet-viewing remain part of the general 'Parse PCAP' operation?

michaellrowley avatar Mar 25 '22 21:03 michaellrowley