Kraken HTTP Decoder
Kraken HTTP Decoder decodes HTTP 1.0/1.1 traffic. It can also decode gzip-compressed streams.
Author
Examples
File Extraction
This is an example of simple HTTP analysis. If you want to see the complete project, run: svn export http://krakenapps.org/svn/examples/httpdump/
package org.krakenapps.pcap.tutorial;

import java.io.File;
import java.io.IOException;
import org.krakenapps.pcap.decoder.http.HttpDecoder;
import org.krakenapps.pcap.decoder.http.HttpProcessor;
import org.krakenapps.pcap.decoder.http.HttpRequest;
import org.krakenapps.pcap.decoder.http.HttpResponse;
import org.krakenapps.pcap.util.PcapFileRunner;

public class Test {
    public static void main(String[] args) throws IOException {
        // replay a capture file through the decoder chain
        PcapFileRunner runner = new PcapFileRunner(new File("evidence03.pcap"));
        HttpDecoder http = new HttpDecoder();
        // callbacks are invoked after each request/response pair is decoded
        http.register(new HttpProcessor() {
            public void onRequest(HttpRequest req) {
            }

            public void onResponse(HttpRequest req, HttpResponse resp) {
                System.out.println(req.getURL());
            }
        });
        // hand TCP port 80 streams to the HTTP decoder
        runner.registerTcpProcessor(80, http);
        runner.run();
    }
}
You can extract all HTTP URLs from a PCAP dump file with just a few lines of code. As you can see, every Kraken pcap decoder provides event callbacks for post-decoding work; anything you want can be coded and registered as a callback. Do you want to extract all files of a specific type? FileExtractor is ready for that use case. Modify the onResponse callback slightly, like this:
// additional imports needed for this callback: java.io.InputStream,
// javax.mail.MessagingException and Kraken's FileExtractor utility class
public void onResponse(HttpRequest req, HttpResponse resp) {
    try {
        // take the last path segment of the request URL as the file name
        String[] tokens = req.getURL().toString().split("/");
        String fileName = tokens[tokens.length - 1];
        // extract all .jpg files from the HTTP stream!
        if (fileName.endsWith(".jpg")) {
            // note: fileName comes straight from captured traffic; sanitize it
            // before writing to disk outside of a lab setting
            InputStream is = resp.getMimeMessage().getInputStream();
            FileExtractor.extract(new File(fileName), is);
        }
    } catch (IOException e) {
        System.err.println("extraction failed: " + e);
    } catch (MessagingException e) {
        System.err.println("extraction failed: " + e);
    }
}
Then you will see that the following .jpg files are extracted. I attached the evidence03.pcap file, so you can test it right now:
mzi.hnmcsmdp.170x170-75.jpg dj.nofulnci.170x170-75.jpg mzl.hhpbkslu.170x170-75.jpg dj.orlnvciu.170x170-75.jpg dj.dzbaqgpw.170x170-75.jpg mzi.xtsujktt.170x170-75.jpg mzi.kvyqgmsa.170x170-75.jpg mzi.dutwwfyg.170x170-75.jpg mzi.pizbdeal.170x170-75.jpg mzi.aydemkgw.170x170-75.jpg mzi.ruejwber.170x170-75.jpg mzi.hivlicje.170x170-75.jpg dj.ontidfxk.170x170-75.jpg mzi.piscvson.170x170-75.jpg mzi.hbqfvwwx.170x170-75.jpg mzi.izxeiuxj.170x170-75.jpg mzi.coawydzo.170x170-75.jpg dj.gcuctkqs.170x170-75.jpg mzl.xjaduzqu.170x170-75.jpg mzl.xjaduzqu.170x170-75.jpg mzi.zhncmjvv.170x170-75.jpg mzi.yiaigqdc.170x170-75.jpg mzl.qvjqoatm.170x170-75.jpg dj.jdlaiovn.170x170-75.jpg dj.hfbbuzty.170x170-75.jpg
Suspicious file transfers can be fully extracted and inspected with an anti-virus scanner and/or an office document exploit scanner. Every possibility is open to you; your imagination is the limit.
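As an added example (not code from the Kraken project), the processor below selects responses by their declared Content-Type instead of the URL suffix, stores each body under a generated name rather than one taken from the wire, and prints its SHA-256 so the file can be checked against an AV scanner or hash database. It assumes the two HttpProcessor callbacks shown on this page and that HttpResponse.getMimeMessage() returns a javax.mail.internet.MimeMessage; TypedExtractor and saveAndHash are names chosen here.

```java
// Added example, not Kraken project code: assumes HttpProcessor has the two callbacks
// shown on this page and that HttpResponse.getMimeMessage() returns a javax.mail MimeMessage.
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;
import org.krakenapps.pcap.decoder.http.HttpProcessor;
import org.krakenapps.pcap.decoder.http.HttpRequest;
import org.krakenapps.pcap.decoder.http.HttpResponse;
public class TypedExtractor implements HttpProcessor {
    private final File outDir;
    private int counter = 0;
    public TypedExtractor(File outDir) { this.outDir = outDir; outDir.mkdirs(); }

    public void onRequest(HttpRequest req) { }  // nothing to do until the response arrives

    public void onResponse(HttpRequest req, HttpResponse resp) {
        try {
            MimeMessage msg = resp.getMimeMessage();
            String header = msg.getContentType();  // e.g. "image/jpeg" or "application/pdf; ..."
            if (header == null) return;
            String type = header.split(";")[0].trim().toLowerCase();
            // select by declared type, not by URL suffix: a ".jpg" URL may carry an executable
            if (!type.startsWith("application/") && !type.startsWith("image/")) return;
            // never reuse a file name taken from the wire; generate one that encodes the type
            String safeName = String.format("resp-%04d.%s", counter++, type.replaceAll("[^a-z0-9]", "_"));
            File out = new File(outDir, safeName);
            String sha256 = saveAndHash(msg.getInputStream(), out);
            System.out.println(sha256 + "  " + type + "  " + req.getURL() + " -> " + out);
        } catch (IOException | MessagingException | NoSuchAlgorithmException e) {
            System.err.println("extraction failed for " + req.getURL() + ": " + e);
        }
    }

    // copy the body to disk while computing its SHA-256 in a single pass
    static String saveAndHash(InputStream in, File out) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                md.update(buf, 0, n);
                fos.write(buf, 0, n);
            }
        }
        return String.format("%064x", new java.math.BigInteger(1, md.digest()));
    }
}
```

Register it in place of the anonymous processor above with runner.registerTcpProcessor(80, new TypedExtractor(new File("extracted"))); the printed hashes can then be fed to your scanner of choice.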
Dependencies are configured by adding a few dependency tags to the Maven POM file. Of course, you can also download the libraries and use them without Maven. Download them from the Maven repository: kraken-pcap and kraken-http-decoder. A typical Maven dependency configuration follows.
<project>
  ...
  <repositories>
    <repository>
      <id>krakenapps</id>
      <url>http://krakenapps.org/mvn/</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>org.krakenapps</groupId>
      <artifactId>kraken-pcap</artifactId>
      <version>1.3.0</version>
    </dependency>
    <dependency>
      <groupId>org.krakenapps</groupId>
      <artifactId>kraken-http-decoder</artifactId>
      <version>1.1.0</version>
    </dependency>
  </dependencies>
  ...
</project>
This example is only for post-mortem analysis, though. What about live capture? Kraken PCAP also provides the JNI-based Kraken PCAP Live. It is a platform-dependent binary, so download the proper one for your platform.
Live Sniffing
Release
- 1.1.0 (Unstable): 1.2.0 coming soon
