
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2017-05-26


File2pcap - A new tool for your toolkit!

Published: 2017-05-26
Last Updated: 2017-05-26 18:42:20 UTC
by Lorna Hutcheson (Version: 1)

One of our readers, Gebhard, submitted a pointer to a tool today, released by Talos, that I wasn't familiar with.  However, when I realized it could generate packets, I had to try it out.  It's called File2pcap.  The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool would simulate the download and generate the traffic that you would see.  You get a nice pcap in the end.  I took a relatively benign phishing pdf (it had a link in it) and used it for my test.  The tool doesn't have any documentation until you compile it and run it.  Here are your options:


I ran a few test scenarios with it.  One for HTTP and one for SMTP.  For the HTTP, I used the following command line and specified a file name:

./file2pcap -mh -p 45678:8443 Wire_transfer_Notification.pdf -o httpout.pcap
It shows you if it's working versus just returning a command prompt:
"Writing to httpout.pcap"
You can see by the packets, it matches the ports I told it to use:
Here is what it looks like when you follow the TCP stream:
For the SMTP I ran the following command:
./file2pcap -ms Wire_transfer_Notification.pdf -o smptout.pcap
Here is the data from following the TCP stream:

I played with several of the options.  You can also run more than one protocol in a single command line (you can't specify a file name when running multiple modes; it will generate them for you):
./file2pcap -msh Wire_transfer_Notification.pdf
Writing to Wire_transfer_Notification.pdf-smtp.pcap
Writing to Wire_transfer_Notification.pdf-http-get.pcap
This is a very handy tool to have when you need to generate packets quickly to write content for file transfer detection.  It's definitely one I'll add to my toolkit!
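
Added example, not part of the original diary or of file2pcap: a standard-library Python check that a byte signature you plan to write detection content for actually appears in a generated pcap, and in which direction of the TCP conversation. It assumes a classic pcap file with Ethernet framing and IPv4/TCP packets already in capture order; the sample capture, its addresses and the port roles (45678 as client, 8443 as server) are constructed for illustration.

```python
import struct

def tcp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for each IPv4/TCP packet in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (1)")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]  # slicing by IP length drops Ethernet padding
        if len(tcp) < 20:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]

def flows_containing(pcap: bytes, signature: bytes):
    """Return (src_port, dst_port) directions whose payload, joined in capture order, holds signature."""
    streams = {}
    for sport, dport, data in tcp_payloads(pcap):
        streams[(sport, dport)] = streams.get((sport, dport), b"") + data
    return sorted(k for k, v in streams.items() if signature in v)

def build_sample_pcap():
    """Constructed capture: one request, then a response whose PDF magic spans two segments."""
    def frame(sport, dport, data):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left at 0
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (hdr + frame(45678, 8443, b"GET /Wire_transfer_Notification.pdf HTTP/1.1\r\n\r\n")
            + frame(8443, 45678, b"HTTP/1.1 200 OK\r\n\r\n%P")
            + frame(8443, 45678, b"DF-1.4\n"))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(flows_containing(data, b"%PDF-"))
```

In the constructed sample the `%PDF-` magic is split across two segments, so it is found only after the payloads are joined per direction; a signature that matches on single packets would miss it.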


Keywords: file2pcap pcap tool