Category: Forensics. Tags: network traffic analysis, forensics, tcpdump, snoop, sessions, replay

Chaosreader

Chaosreader traces TCP/UDP/other network sessions from snoop or tcpdump logs and exports them to HTML format. It extracts application data like telnet, FTP, HTTP transfers, and SMTP emails, creating an HTML index with session details and realtime replay programs.

Description

Chaosreader is a network traffic analysis tool that processes libpcap-compatible capture files from tcpdump or snoop to reconstruct and visualize application-layer sessions. It functions as an 'any-snarf' program, pulling out telnet sessions, FTP file transfers, HTTP content (HTML, GIF, JPEG), and SMTP emails from captured network traffic. The tool generates an HTML index file linking to detailed session views, including specialized replay programs for protocols like telnet, rlogin, IRC, X11, and VNC.

Key features include image reports and HTTP GET/POST content summaries, as well as real-time playback of sessions at various speeds. It supports a standalone mode that invokes tcpdump or snoop directly to capture and then process traffic. This makes Chaosreader particularly valuable for forensic investigations and detailed network traffic analysis.

The package is lightweight at 230 KB and depends on libnet-dns-perl and perl.

How It Works

Chaosreader reads pcap files from tcpdump, snoop, or similar libpcap tools, identifies TCP/UDP/other sessions, and extracts the application data they carry. It reconstructs each session into HTML files with hex dumps, 2-way views, and protocol-specific replays for telnet, rlogin, IRC, X11, and VNC. DNS resolution can prioritize names over IPs, and sessions can be filtered by port, IP address, or size. Standalone mode spawns tcpdump/snoop for live capture before processing the result into indexed HTML reports.
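To make the session-reconstruction step concrete, here is an added example (not Chaosreader's own Perl code) that does in miniature what the paragraph describes: it parses a pcap file, groups IPv4/TCP segments into sessions by their address/port pairs, reassembles each direction in sequence-number order, and renders a plain-text "2-way" view. The capture is constructed in memory (Ethernet/IPv4/TCP frames with zeroed checksums and an ARP frame that is skipped), so it runs offline; the addresses, ports and HTTP-like payloads are made-up sample data. Note that it also marks gaps and trims retransmitted overlap, which a real capture will contain.

```python
"""Minimal TCP session reconstruction from pcap bytes (added example, not chaosreader code)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap written by this example
LINKTYPE_ETHERNET = 1


def _ipv4_tcp_frame(src, dst, sport, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero (constructed test data)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: request split in two segments arriving out of order, a reply, an ARP frame."""
    frames = [
        _ipv4_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, 27, b"Host: example\r\n\r\n"),
        _ipv4_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1, b"GET /index.html HTTP/1.0\r\n"),
        b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,          # ARP: not TCP, ignored
        _ipv4_tcp_frame("10.0.0.9", "10.0.0.5", 80, 40000, 500, b"HTTP/1.0 200 OK\r\n\r\nhello"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield raw link-layer frames from a little-endian pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic; this example reads little-endian pcap only")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:                                    # IP protocol field: 6 = TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, seq, frame[tcp_off + data_off:14 + total_len]


def _reassemble(segments):
    """Concatenate payloads in sequence order, trimming retransmitted overlap and marking gaps."""
    out, expected = bytearray(), None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq < expected:                                # overlap: drop bytes already copied
            payload, seq = payload[expected - seq:], expected
        elif seq > expected:                              # gap: make missing data visible
            out += b"[%d bytes missing]" % (seq - expected)
        out += payload
        expected = seq + len(payload)
    return bytes(out)


def reconstruct_sessions(pcap_bytes):
    """Group TCP segments by session (unordered endpoint pair) and reassemble each direction."""
    flows = defaultdict(lambda: defaultdict(list))
    for frame in parse_pcap(pcap_bytes):
        seg = decode_tcp(frame)
        if seg is None or not seg[5]:
            continue
        src, dst, sport, dport, seq, payload = seg
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flows[key][(src, sport, dst, dport)].append((seq, payload))
    return {key: {d: _reassemble(s) for d, s in dirs.items()} for key, dirs in flows.items()}


def two_way_view(session):
    """Render both directions of one session as text, one marker per line (like a 2-way file)."""
    lines = []
    for (src, sport, dst, dport), data in session.items():
        for line in data.decode("latin-1").splitlines():
            lines.append(f"[{src}:{sport} -> {dst}:{dport}] {line}")
    return "\n".join(lines)


if __name__ == "__main__":
    for key, session in reconstruct_sessions(build_sample_pcap()).items():
        print("session", key)
        print(two_way_view(session))
```

The reassembly deliberately keeps a visible `[N bytes missing]` marker rather than silently joining segments across a gap: when an analyst reads a reconstructed telnet or HTTP session, a dropped packet that went unmarked would read as if the data never existed.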

Installation

```bash
sudo apt install chaosreader
```

Flags

```
-a, --application    Create application session files (default)
-d, --preferdns      Show DNS names instead of IP addresses
-e, --everything     Create HTML 2-way & hex files for everything
-h                   Print a brief help
--help               Print verbose help (this) and version
--help2              Print massive help
-i, --info           Create info file
-q, --quiet          Quiet, no output to screen
```

Examples

Extract recognised sessions from a tcpdump capture file:

```bash
chaosreader output1
```

Extract everything from a tcpdump capture file, with verbose HTML 2-way and hex files:

```bash
chaosreader -ve output1
```

Extract only FTP (20, 21) and telnet (23) sessions from a tcpdump capture file:

```bash
chaosreader -p 20,21,23 output1
```

Create a snoop capture file and extract recognised sessions:

```bash
snoop -o output1; chaosreader output1
```

Standalone mode: sniff the network 5 times for 2 minutes each; view index.html for progress:

```bash
chaosreader -S 2,5
```

Create application session files and indexes from input files:

```bash
chaosreader
```
Updated 2026-04-16 (kali.org)