A freeware tool to trace TCP/UDP sessions and fetch application data from snoop or tcpdump logs. This is a type of “any-snarf” program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG), SMTP emails and so on from the captured data inside network traffic logs.
Similar to tcpflow which we mentioned recently.
A html index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports. Chaosreader can also run in standalone mode – where it invokes tcpdump or snoop (if they are available) to create the log files and then processes them.
The cool thing about Chaosreader is that it outputs a nicely formatted HTML file to enable you to look at the extracted sessions a lot easier.
In this example, a snoop file was created while a website was loaded, telnet was used to login and ftp to transfer files. Chaosreader has managed to extract the HTTP sections, follow the telnet session, grab the FTP files, and create an Image Report from the snoop log. It has also created a replay program to playback the telnet session. You can see the example here.
You can find some more screenshots here.
You can download Chaosreader here:
You can read more here.
Recent in Forensics:
- Mobius Forensic Toolkit 0.5.10 – Forensics Framework To Manage Cases & Case Items
- Rec Studio 4 – Reverse Engineering Compiler & Decompiler
- CAINE (Computer Aided INvestigative Environment) – Digital Forensics LiveCD
- Windows Credentials Editor v1.0 – List, Add & Edit Logon Sessions
- Pass-The-Hash Toolkit v1.1 Available for Download
- tcpflow – TCP Flow Recorder for Protocol Analysis and Debugging
Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 65,225 views
- sslsniff v0.6 Released – SSL MITM Tool - 26,706 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 26,316 views