Honeysnap is designed to be a command-line tool for parsing single or multiple pcap data files and producing a ‘first-cut’ analysis report that identifies significant events within the processed data. This presents security analysts with a pre-prepared menu of high value network activity, aimed at focusing manual forensic analysis and saving significant incident investigation time. Once you have identified data that interests you, you can then employ other tools for more in depth analysis, such as the Walleye user interface to the Honeywall. Honeysnap is also suitable for manual operation or automation via cron.

Example Functions

• Packet and connection overview.
• Flow extraction of ASCII based communications.
• Protocol decode of the more common Internet communication protocols.
• Binary file transfer extraction.
• Flow summary of inbound and outbound connections.
• Keystroke extraction of ver2 and ver 3 Sebek data.
• Identification and analysis of IRC traffic, including keyword matching.

Version 1.0.6 now decodes the following protocols.

• DNS
• FTP
• HTTP
• IRC
• Socks
• Sebek

In addtion, the new 1.0.6 version includes

• Socks proxy traffic stats
• User definable filters for the counts
• Improved DNS output
• Fixed bug in file extraction
• A big speed increase in gzip decoding
• Print querying IP for DNS decodes
• Auto-spotting of IRC traffic on any port
• SOCKS decoding
• Fix to the truncation of extracted files
• Includes magicpy in the distribution to solve the problems caused by the original website going away.

You can download Honeysnap here:

honeysnap-1.0.6.14.tar.gz

Or read more here.

Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.

Advantages of Pcapy

• Works with Python threads.
• Functions in both UNIX with libpcap and Windows with WinPcap.
• Provides a simpler Object Oriented API.

Requirements

• A Python interpreter. Versions 2.1.3 and higher.
• A C++ compiler. GCC G++ 2.95, as well as Microsoft Visual Studio 6.0 or MSVC 2003 depending on the Python version.
• A Libpcap 0.9.3 or newer. Windows users should have installed WinPcap 4.0 or newer.

Download Pcapy here:

Source code

Latest stable release (0.10.5) – gzip’d tarball or zip file

Win32 binaries – Pick the appropriate Python or WinPcap version.

Latest release (0.10.5) – Windows installer – Python 2.5 and WinPcap 4.0.
0.10.4 – Windows installer – Python 2.4 and WinPcap 3.1.

Or read more here and the documentation is here.