Chaosreader
Chaosreader traces TCP/UDP/other network sessions from snoop or tcpdump logs and exports them to HTML format. It extracts application data like telnet, FTP, HTTP transfers, and SMTP emails, creating an HTML index with session details and realtime replay programs.
Description
Chaosreader is a network traffic analysis tool that reads capture files written by tcpdump (libpcap format) or Solaris snoop and reconstructs the application-layer sessions they contain. It functions as an 'any-snarf' program, pulling out telnet sessions, FTP file transfers, HTTP content (HTML, GIF, JPEG), and SMTP emails from captured network traffic. The tool generates an HTML index file linking to detailed session views, including specialized replay programs for protocols like telnet, rlogin, IRC, X11, and VNC.
Key features include image reports and HTTP GET/POST content summaries, as well as real-time playback of sessions at various speeds. It also supports a standalone mode in which it invokes tcpdump or snoop itself to capture traffic and then processes the result. This makes Chaosreader particularly valuable for forensics investigations and detailed network traffic analysis. Because the extracted files reproduce whatever the capture carried in cleartext (telnet logins, FTP passwords, mail bodies), treat the output directory as sensitive evidence and run the tool on an isolated analysis host.
The package is lightweight at 230 KB and depends on libnet-dns-perl and perl.
How It Works
Chaosreader reads capture files from tcpdump, snoop, or similar libpcap-based tools, identifies each TCP, UDP, or other session, and extracts its application data. It writes each session out as HTML, with hex dumps, 2-way (client/server interleaved) views, and protocol-specific replay programs for telnet, rlogin, IRC, X11, and VNC. Host names can be resolved via DNS and shown in place of IP addresses, and sessions can be filtered by port, IP address, or size. In standalone mode it spawns tcpdump or snoop to capture live traffic for a fixed period, then processes the capture into an indexed HTML report.
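The following is an added example, not Chaosreader's own code, that shows the core of what the paragraph above describes on a small scale: parse a classic libpcap file, group packets into sessions keyed by protocol and endpoint pair, order each direction's TCP segments by sequence number (dropping exact retransmissions), and emit a per-direction reconstruction. The capture it runs on is constructed in code (a fake telnet login on 10.0.0.5 and 10.0.0.9, with one out-of-order server segment and one client retransmission); pcapng and snoop formats, non-Ethernet link types, and overlapping partial retransmissions are deliberately out of scope.

```python
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_pcap(data):
    """Yield (timestamp, frame) from a classic libpcap file; only Ethernet captures are handled."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng and snoop are not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (proto, src, sport, dst, dport, seq, payload) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:14 + total_len]
    if frame[23] == PROTO_TCP:
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        return "tcp", src, sport, dst, dport, seq, l4[(l4[12] >> 4) * 4:]
    if frame[23] == PROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return "udp", src, sport, dst, dport, None, l4[8:]
    return None


def sessions(pcap_bytes):
    """Group packets into sessions keyed by (proto, sorted endpoint pair), like an 'any-snarf' tool does."""
    flows = {}
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None:
            continue
        proto, src, sport, dst, dport, seq, payload = pkt
        a, b = (src, sport), (dst, dport)
        key = (proto,) + tuple(sorted([a, b]))
        # The sender of the first packet seen (normally the SYN) is treated as the client.
        flow = flows.setdefault(key, {"client": a, "first_ts": ts, "segments": defaultdict(dict)})
        if not payload:
            continue  # handshake/ACK-only segments carry no application data
        direction = "client" if a == flow["client"] else "server"
        # UDP has no sequence numbers, so datagrams keep arrival order; TCP keys by seq and
        # setdefault() discards exact retransmissions (partial overlaps are not handled).
        order_key = seq if seq is not None else len(flow["segments"][direction])
        flow["segments"][direction].setdefault(order_key, payload)
    return flows


def reassemble(flow, direction):
    """Concatenate one direction's segments in sequence order."""
    return b"".join(p for _, p in sorted(flow["segments"][direction].items()))


def two_way_view(pcap_bytes):
    """Map 'proto client -> server' labels to the reconstructed client and server byte streams."""
    views = {}
    for (proto, ep1, ep2), flow in sessions(pcap_bytes).items():
        client = flow["client"]
        server = ep2 if client == ep1 else ep1
        label = f"{proto} {client[0]}:{client[1]} -> {server[0]}:{server[1]}"
        views[label] = {"client": reassemble(flow, "client"), "server": reassemble(flow, "server")}
    return views


def _tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the constructed capture; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip


def build_sample_capture():
    """Constructed capture (not real traffic): a telnet login with a reordered server segment and a retransmit."""
    c, s, cp, sp = "10.0.0.5", "10.0.0.9", 40000, 23
    SYN, ACK, PSH = 0x02, 0x10, 0x08
    frames = [
        _tcp_frame(c, s, cp, sp, 100, 0, SYN),
        _tcp_frame(s, c, sp, cp, 500, 101, SYN | ACK),
        _tcp_frame(c, s, cp, sp, 101, 501, ACK),
        _tcp_frame(s, c, sp, cp, 508, 101, PSH | ACK, b"Password: "),  # captured before the segment it follows
        _tcp_frame(s, c, sp, cp, 501, 101, PSH | ACK, b"login: "),
        _tcp_frame(c, s, cp, sp, 101, 508, PSH | ACK, b"alice\r\n"),
        _tcp_frame(c, s, cp, sp, 101, 508, PSH | ACK, b"alice\r\n"),  # exact retransmission, dropped
        _tcp_frame(c, s, cp, sp, 108, 518, PSH | ACK, b"hunter2\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))


if __name__ == "__main__":
    for label, view in two_way_view(build_sample_capture()).items():
        print(label, view)
```

Point `two_way_view()` at the bytes of any small Ethernet pcap to see the same grouping on real traffic; the session label and the two reconstructed streams are the raw material from which the HTML index, 2-way view, and hex dump pages are built.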
Installation
sudo apt install chaosreader
Flags
Examples
chaosreader output1                      # create application session files and the HTML index for a capture
chaosreader -ve output1                  # verbose (-v): create all per-session files; -e: also 2-way HTML and hex dumps
chaosreader -p 20,21,23 output1          # only FTP and telnet TCP ports
snoop -o output1; chaosreader output1    # capture with snoop, then process the capture file
chaosreader -S 2,5                       # standalone mode: five captures of 2 minutes each
chaosreader                              # no input file: prints the usage summary