Stream Extractor

The Stream Extractor is a small utility that can read in a PCAP file, search through it for TCP and UDP streams, and write out each stream to a separate new PCAP file.

Usage

Usage: stream-extractor <COMMAND>

Commands:
  extract  Extract TCP and UDP streams from a PCAP
  scan     Scan the PCAP and search for an IP or Port
  list     List all of the PCAP communication info
  help     Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help
  -V, --version  Print version

Extract

Usage: stream-extractor extract [OPTIONS] --input <INPUT>

Options:
  -i, --input <INPUT>    Input pcap file to extract TCP and UDP streams from
  -o, --output <OUTPUT>  Output name template [default: output_]
  -p, --port <PORT>      Filter output files to ones that contain the specified port number
      --ip <IP>          Filter output files to ones that contain the specified IP address
  -v, --verbose          Enable verbose mode to print stream info for each output PCAP file
  -h, --help             Print help

Scan

Usage: stream-extractor scan [OPTIONS] --input <INPUT>

Options:
  -i, --input <INPUT>  Input pcap file to scan
  -p, --port <PORT>    Search PCAP to see if this port number is present
      --ip <IP>        Search PCAP to see if this IP address is present
  -m, --mac <MAC>      Search PCAP to see if this MAC address is present
  -c, --count          Count how many times the search terms are present
  -v, --verbose        Enable to print verbose connection info
  -h, --help           Print help

List

Usage: stream-extractor list [OPTIONS] --input <INPUT>

Options:
  -i, --input <INPUT>  Input pcap file to list
  -c, --count          Count how many communications are present
  -p, --ports          List the port numbers present
      --ip             List the IP addresses present
  -m, --mac            List the MAC addresses present
  -v, --verbose        Print all connection statistics
  -h, --help           Print help

Filter Options

The filter options --port, --ip, and --mac are available to allow you to only write out the detected streams that match the filter values. This can help simplify the research step of identifying exactly which streams you may be interested in.

Example:

stream-extractor extract --ip 192.168.110.10 -p 80 -i sample/test.pcap
Packets processed: 21933, Streams detected: 662
Filtering streams by communications including port: 80
 + Found 3 matching streams
Filtering streams by communications including IP address: 192.168.110.10
 + Found 1 matching streams
Number of streams that matched filters: 1
Writing output file: 1

Build

To build stream-extractor, execute:

cargo build

Install from cargo

To build and install from cargo, execute:

cargo install stream-extractor

An example PCAP is located in sample/.

pommaq / stream-extractor Goto Github PK