Performing network forensics with Dshell. Part 1: Basic usage

Published: 2016-05-09
Last Updated: 2016-05-09 23:49:03 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
1 comment(s)

I found out recently there is a very interesting tool that enables some interesting capabilities to perform network forensics from a PCAP capture file. It's named Dshell and it was released in December 2014 by the United States Army Research Labs (ARL). Its purpose is to easy develop plugins to support the dissection of network packet captures and decode possible unknown malicious protocols.

This is the first part of a three-diary-set. I will show the following in each part:

  • Part 1: Basic usage
  • Part 2: Decoder development process
  • Part 3: Practical cases

You can download it from and easily follow the installation instructions. You can launch the framework by typing dshell in the command prompt. There is a major keyword that launches the decoding framework and it's called decode. Let's see the available options:

Dshell decode options

As you can see, usage is pretty simple. The following decoders are available to use in the decoder options command section:

  • DNS: Decoder that extracts and summarize DNS queries:

Dshell dns decoder

  • httpdump: Decoder that shows the direction of the traffic being sent in http protocol, the verb used, industry of the server IP address and additional information where available:

Dshell http dump usage

  • Netflow: Decoder that is able to tell the direction of the traffic being sent in the network.

  • followstream: Decoder that performs similar function as the follow stream feature in wireshark, showing all the data being transferred in a network connection.

Dshell followstream

  • grep: Decoder that is able to perform expression search inside the packet capture, similar to ngrep:

Dshell grep

I'm sure you will find useful the options I just showed. Stay tuned for the next two parts ;)

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

1 comment(s)


This could be really useful. I deal with PCAPs regularly that contain web traffic from a downstream web proxy. The true client IP is contained in a vendor proprietary HTTP header (why they don't just use X-FORWARDED-FOR I don't know). I suppose this could probably be leveraged so I can filter/display that header using a custom decoder or extending the existing http decoder.

Diary Archives