# Dshell **Repository Path**: tuyu/Dshell ## Basic Information - **Project Name**: Dshell - **Description**: Dshell is a network forensic analysis framework. - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2015-02-06 - **Last Updated**: 2024-11-22 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # Dshell An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures. Key features: * Robust stream reassembly * IPv4 and IPv6 support * Custom output handlers * Chainable decoders ## Prerequisites * Linux (developed on Ubuntu 12.04) * Python 2.7 * [pygeoip](https://github.com/appliedsec/pygeoip), GNU Lesser GPL * [MaxMind GeoIP Legacy datasets](http://dev.maxmind.com/geoip/legacy/geolite/) * [PyCrypto](https://pypi.python.org/pypi/pycrypto), custom license * [dpkt](https://code.google.com/p/dpkt/), New BSD License * [IPy](https://github.com/haypo/python-ipy), BSD 2-Clause License * [pypcap](https://code.google.com/p/pypcap/), New BSD License ## Installation 1. Install all of the necessary Python modules listed above. Many of them are available via pip and/or apt-get. Pygeoip is not yet available as a package and must be installed with pip or manually. All except dpkt are available with pip. 1. `sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap` 2. `sudo pip install pygeoip` 2. Configure pygeoip by moving the MaxMind data files (GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat) to /share/GeoIP/ 2. Run `make`. This will build Dshell. 3. Run `./dshell`. This is Dshell. If you get a Dshell> prompt, you're good to go! ## Basic usage * `decode -l` * This will list all available decoders alongside basic information about them * `decode -h` * Show generic command-line flags available to most decoders * `decode -d ` * Display information about a decoder, including available command-line flags * `decode -d ` * Run the selected decoder on a pcap file ## Usage Examples Showing DNS lookups in [sample traffic](http://wiki.wireshark.org/SampleCaptures#General_.2F_Unsorted) ``` Dshell> decode -d dns ~/pcap/dns.cap dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 39867 PTR? 66.192.9.104 / PTR: 66-192-9-104.gen.twtelecom.net ** dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 30144 A? www.netbsd.org / A: 204.152.190.12 (ttl 82159s) ** dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 61652 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86400s) ** dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 32569 AAAA? www.netbsd.org / AAAA: 2001:4f8:4:7:2e0:81ff:fe52:9a6b (ttl 86340s) ** dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 36275 AAAA? www.google.com / CNAME: www.l.google.com ** dns 2005-03-30 03:47:46 192.168.170.8:32795 -> 192.168.170.20:53 ** 9837 AAAA? www.example.notginh / NXDOMAIN ** dns 2005-03-30 03:52:17 192.168.170.8:32796 <- 192.168.170.20:53 ** 23123 PTR? 127.0.0.1 / PTR: localhost ** dns 2005-03-30 03:52:25 192.168.170.56:1711 <- 217.13.4.24:53 ** 30307 A? GRIMM.utelsystems.local / NXDOMAIN ** dns 2005-03-30 03:52:17 192.168.170.56:1710 <- 217.13.4.24:53 ** 53344 A? GRIMM.utelsystems.local / NXDOMAIN ** ``` Following and reassembling a stream in [sample traffic](http://wiki.wireshark.org/SampleCaptures#General_.2F_Unsorted) ``` Dshell> decode -d followstream ~/pcap/v6-http.cap Connection 1 (TCP) Start: 2007-08-05 19:16:44.189852 UTC End: 2007-08-05 19:16:44.204687 UTC 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 -> 2001:6f8:900:7c0::2:80 (240 bytes) 2001:6f8:900:7c0::2:80 -> 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 (2259 bytes) GET / HTTP/1.0 Host: cl-1985.ham-01.de.sixxs.net Accept: text/html, text/plain, text/css, text/sgml, */*;q=0.01 Accept-Encoding: gzip, bzip2 Accept-Language: en User-Agent: Lynx/2.8.6rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8b HTTP/1.1 200 OK Date: Sun, 05 Aug 2007 19:16:44 GMT Server: Apache Content-Length: 2121 Connection: close Content-Type: text/html Index of /

Index of /

Icon  Name                    Last modified      Size  Description
[DIR] 202-vorbereitung/       06-Jul-2007 14:31    -   
[   ] Efficient_Video_on_d..> 19-Dec-2006 03:17  291K  
[   ] Welcome Stranger!!!     28-Dec-2006 03:46    0   
[TXT] barschel.htm            31-Jul-2007 02:21   44K  
[DIR] bnd/                    30-Dec-2006 08:59    -   
[DIR] cia/                    28-Jun-2007 00:04    -   
[   ] cisco_ccna_640-801_c..> 28-Dec-2006 03:48  236K  
[DIR] doc/                    19-Sep-2006 01:43    -   
[DIR] freenetproto/           06-Dec-2006 09:00    -   
[DIR] korrupt/                03-Jul-2007 11:57    -   
[DIR] mp3_technosets/         04-Jul-2007 08:56    -   
[TXT] neues_von_rainald_go..> 21-Mar-2007 23:27   31K  
[TXT] neues_von_rainald_go..> 21-Mar-2007 23:29   36K  
[   ] pruef.pdf               28-Dec-2006 07:48   88K
``` Chaining decoders to view flow data for a specific country code in [sample traffic](http://wiki.wireshark.org/SampleCaptures#General_.2F_Unsorted) (note: TCP handshakes are not included in the packet count) ``` Dshell> decode -d country+netflow --country_code=JP ~/pcap/SkypeIRC.cap 2006-08-25 19:32:20.651502 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33436 1 0 36 0 0.0000s 2006-08-25 19:32:20.766761 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33438 1 0 36 0 0.0000s 2006-08-25 19:32:20.634046 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33435 1 0 36 0 0.0000s 2006-08-25 19:32:20.747503 192.168.1.2 -> 202.232.205.123 (-- -> JP) UDP 60583 33437 1 0 36 0 0.0000s ``` Collecting netflow data for [sample traffic](http://wiki.wireshark.org/SampleCaptures#General_.2F_Unsorted) with vlan headers, then tracking the connection to a specific IP address ``` Dshell> decode -d netflow ~/pcap/vlan.cap 1999-11-05 18:20:43.170500 131.151.20.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:42.063074 131.151.32.71 -> 131.151.32.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s 1999-11-05 18:20:43.096540 131.151.1.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:43.079765 131.151.5.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:41.521798 131.151.104.96 -> 131.151.107.255 (US -> US) UDP 137 137 3 0 150 0 1.5020s 1999-11-05 18:20:43.087010 131.151.6.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:43.368210 131.151.111.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:43.250410 131.151.32.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:43.115330 131.151.10.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:43.375145 131.151.115.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:43.363348 131.151.107.254 -> 255.255.255.255 (US -> --) UDP 520 520 1 0 24 0 0.0000s 1999-11-05 18:20:40.112031 131.151.5.55 -> 131.151.5.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s 1999-11-05 18:20:43.183825 131.151.32.79 -> 131.151.32.255 (US -> US) UDP 138 138 1 0 201 0 0.0000s ```