Advanced-Network-PCAP-Analyizer.sh

1. #!/bin/bash
2. # Advanced Network Forensics PCAP Analyzer
3. # Configuration
4. PCAP_FILE=$1
5. OUTPUT_DIR=$2
6. THREAT_INTEL_DB=$3
7. ENTROPY_THRESHOLD=5.0
8. DATE_TAG=$(date +%Y%m%d_%H%M%S)
9.  
10.  
11. if [ $# -lt 2 ]; then
12.  
13. echo "Usage: $0 [threat_intel_db]"/>/>/>/>
14.  
15. echo "Example: $0 suspicious.pcap /root/forensics_output
16. [/path/to/threat_intel.json]"
17.  
18. exit 1
19.  
20. fi
21.  
22.  
23. if [ ! -f "$PCAP_FILE" ]; then
24.  
25. echo "[-] Error: PCAP file not found!"
26.  
27. exit 1
28.  
29. fi
30.  
31.  
32. # Set up output directory
33. mkdir -p "$OUTPUT_DIR"
34. mkdir -p "$OUTPUT_DIR/artifacts"
35. mkdir -p "$OUTPUT_DIR/reports"
36. mkdir -p "$OUTPUT_DIR/extracted_files"
37. mkdir -p "$OUTPUT_DIR/sessions"
38. mkdir -p "$OUTPUT_DIR/logs"
39.  
40. # Log function with timestamps
41.  
42. log() {
43.  
44. echo "[$(date +%H:%M:%S)] $1" | tee -a "$OUTPUT_DIR/logs/forensics.log"
45.  
46. }
47.  
48. # Function to collect basic information about the PCAP
49.  
50. analyze_pcap_metadata() {
51.  
52. log "[+] Analyzing PCAP metadata..."
53.  
54.  
55.  
56. # Extract basic PCAP information
57.  
58. capinfos "$PCAP_FILE" > "$OUTPUT_DIR/reports/pcap_info.txt"
59.  
60.  
61.  
62. # Extract capture duration
63.  
64. START_TIME=$(capinfos "$PCAP_FILE" | grep "First packet time:" | cut -d: -f2- |
65. xargs)
66.  
67. END_TIME=$(capinfos "$PCAP_FILE" | grep "Last packet time:" | cut -d: -f2- |
68. xargs)
69.  
70. PACKETS=$(capinfos "$PCAP_FILE" | grep "Number of packets:" | cut -d: -f2 |
71. xargs)
72.  
73.  
74.  
75. log "[+] PCAP Info: $PACKETS packets from $START_TIME to $END_TIME"
76.  
77.  
78.  
79. # Create protocol hierarchy statistics
80.  
81. tshark -r "$PCAP_FILE" -q -z io,phs >
82. "$OUTPUT_DIR/reports/protocol_hierarchy.txt"
83.  
84.  
85.  
86. # Identify top talkers and conversations
87.  
88. tshark -r "$PCAP_FILE" -q -z endpoints,ip >
89. "$OUTPUT_DIR/reports/ip_endpoints.txt"
90.  
91. tshark -r "$PCAP_FILE" -q -z conv,ip >
92. "$OUTPUT_DIR/reports/ip_conversations.txt"
93.  
94. tshark -r "$PCAP_FILE" -q -z conv,tcp >
95. "$OUTPUT_DIR/reports/tcp_conversations.txt"
96.  
97. tshark -r "$PCAP_FILE" -q -z conv,udp >
98. "$OUTPUT_DIR/reports/udp_conversations.txt"
99.  
100.  
101.  
102. # Extract unique IP addresses and ports
103.  
104. tshark -r "$PCAP_FILE" -T fields -e ip.src | sort | uniq >
105. "$OUTPUT_DIR/artifacts/src_ips.txt"
106.  
107. tshark -r "$PCAP_FILE" -T fields -e ip.dst | sort | uniq >
108. "$OUTPUT_DIR/artifacts/dst_ips.txt"
109.  
110. tshark -r "$PCAP_FILE" -Y "tcp" -T fields -e tcp.dstport | sort | uniq -c | sort
111. -nr > "$OUTPUT_DIR/artifacts/tcp_ports.txt"
112.  
113. tshark -r "$PCAP_FILE" -Y "udp" -T fields -e udp.dstport | sort | uniq -c | sort
114. -nr > "$OUTPUT_DIR/artifacts/udp_ports.txt"
115.  
116.  
117.  
118. # Check geolocation of external IPs (requires geoiplookup)
119.  
120. if command -v geoiplookup &> /dev/null; then
121.  
122. log "[+] Performing geolocation analysis on external IPs..."
123.  
124.  
125.  
126. # Extract external IPs (non-RFC1918)
127.  
128. grep -v -E "^10\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^192\.168\."
129. "$OUTPUT_DIR/artifacts/src_ips.txt" >
130. "$OUTPUT_DIR/artifacts/external_src_ips.txt"
131.  
132. grep -v -E "^10\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.|^192\.168\."
133. "$OUTPUT_DIR/artifacts/dst_ips.txt" >
134. "$OUTPUT_DIR/artifacts/external_dst_ips.txt"
135.  
136.  
137.  
138. # Geolocate external IPs
139.  
140. touch "$OUTPUT_DIR/artifacts/ip_geolocations.txt"
141.  
142. for ip in $(cat "$OUTPUT_DIR/artifacts/external_src_ips.txt"
143. "$OUTPUT_DIR/artifacts/external_dst_ips.txt" | sort | uniq); do
144.  
145. geoiplookup "$ip" >> "$OUTPUT_DIR/artifacts/ip_geolocations.txt"
146.  
147. done
148.  
149. else
150.  
151. log "[-] geoiplookup not installed, skipping geolocation analysis"
152.  
153. fi
154.  
155.  
156.  
157. log "[+] PCAP metadata analysis complete"
158.  
159. }
160.  
161. # Function to detect protocol anomalies
162.  
163. detect_protocol_anomalies() {
164.  
165. log "[+] Detecting protocol anomalies..."
166.  
167.  
168.  
169. # HTTP on non-standard ports
170.  
171. tshark -r "$PCAP_FILE" -Y "http.request and tcp.port != 80 and tcp.port != 8080
172. and tcp.port != 443" -T fields -e ip.src -e ip.dst -e tcp.dstport -e
173. http.request.uri > "$OUTPUT_DIR/artifacts/http_nonstandard_ports.txt"
174.  
175.  
176.  
177. # DNS on non-standard ports
178.  
179. tshark -r "$PCAP_FILE" -Y "dns and tcp.port != 53 and udp.port != 53" -T fields
180. -e ip.src -e ip.dst -e udp.dstport -e tcp.dstport -e dns.qry.name >
181. "$OUTPUT_DIR/artifacts/dns_nonstandard_ports.txt"
182.  
183.  
184.  
185. # Detect HTTP traffic when it should be HTTPS
186.  
187. tshark -r "$PCAP_FILE" -Y "http.request.uri contains \"login\" or
188. http.request.uri contains \"auth\" or http.request.uri contains \"password\" and
189. not ssl" -T fields -e ip.src -e ip.dst -e tcp.dstport -e http.request.uri >
190. "$OUTPUT_DIR/artifacts/cleartext_auth_http.txt"
191.  
192.  
193.  
194. # TLS certificate anomalies
195.  
196. tshark -r "$PCAP_FILE" -Y "ssl.handshake.certificate" -T fields -e ip.src -e
197. ip.dst -e x509sat.uTF8String -e x509sat.printableString -e
198. "x509sat.universalString" -e x509sat.ia5String >
199. "$OUTPUT_DIR/artifacts/ssl_certificates.txt"
200.  
201.  
202.  
203. # Detect self-signed certificates
204.  
205. tshark -r "$PCAP_FILE" -Y "ssl.handshake.certificate and x509af.issuer ==
206. x509af.subject" -T fields -e ip.src -e ip.dst -e x509sat.uTF8String >
207. "$OUTPUT_DIR/artifacts/self_signed_certs.txt"
208.  
209.  
210.  
211. # SMB traffic outside local network
212.  
213. tshark -r "$PCAP_FILE" -Y "(smb or smb2) and not (ip.src == 192.168.0.0/16 and
214. ip.dst == 192.168.0.0/16) and not (ip.src == 10.0.0.0/8 and ip.dst ==
215. 10.0.0.0/8) and not (ip.src == 172.16.0.0/12 and ip.dst == 172.16.0.0/12)" -T
216. fields -e ip.src -e ip.dst > "$OUTPUT_DIR/artifacts/external_smb.txt"
217.  
218.  
219.  
220. # SSH traffic to unusual ports
221.  
222. tshark -r "$PCAP_FILE" -Y "ssh and tcp.dstport != 22" -T fields -e ip.src -e
223. ip.dst -e tcp.dstport > "$OUTPUT_DIR/artifacts/ssh_nonstandard_ports.txt"
224.  
225.  
226.  
227. # Check for suspicious TLS versions (less than TLS 1.2)
228.  
229. tshark -r "$PCAP_FILE" -Y "ssl.handshake.version < 0x0303" -T fields -e ip.src
230. -e ip.dst -e ssl.handshake.version >
231. "$OUTPUT_DIR/artifacts/old_tls_versions.txt"
232.  
233.  
234.  
235. # JA3 fingerprinting (finding uncommon TLS client fingerprints)
236.  
237. tshark -r "$PCAP_FILE" -Y "ssl.handshake.type == 1" -T fields -e ip.src -e
238. tcp.srcport -e ip.dst -e tcp.dstport -e ssl.handshake.ja3 >
239. "$OUTPUT_DIR/artifacts/ja3_hashes.txt"
240.  
241.  
242.  
243. # Generate port scanning detection
244.  
245. tshark -r "$PCAP_FILE" -Y "tcp.flags == 0x0002 or tcp.flags.syn == 1" -T fields
246. -e ip.src -e ip.dst -e tcp.dstport | sort | uniq -c | sort -nr >
247. "$OUTPUT_DIR/artifacts/possible_port_scans.txt"
248.  
249.  
250.  
251. # Check for non-compliant DNS responses
252.  
253. tshark -r "$PCAP_FILE" -Y "dns.flags.response == 1 and dns.qry.name contains
254. \".\" and not dns.resp.name contains \".\"" -T fields -e ip.src -e ip.dst -e
255. dns.qry.name -e dns.resp.name > "$OUTPUT_DIR/artifacts/dns_anomalies.txt"
256.  
257.  
258.  
259. # ICMP anomalies (oversized ICMP packets that could indicate tunneling)
260.  
261. tshark -r "$PCAP_FILE" -Y "icmp and data.len > 56" -T fields -e ip.src -e ip.dst
262. -e icmp.type -e data.len > "$OUTPUT_DIR/artifacts/oversized_icmp.txt"
263.  
264.  
265.  
266. # Check for DNS record types often used in DNS tunneling
267.  
268. tshark -r "$PCAP_FILE" -Y "dns.qry.type == 16 or dns.qry.type == 28 or
269. dns.qry.type == 33" -T fields -e ip.src -e ip.dst -e dns.qry.name -e
270. dns.qry.type > "$OUTPUT_DIR/artifacts/dns_unusual_types.txt"
271.  
272.  
273.  
274. # Look for unusually large DNS queries (potential exfiltration)
275.  
276. tshark -r "$PCAP_FILE" -Y "dns.qry.name" -T fields -e dns.qry.name | awk '{print
277. length($0), $0}' | sort -nr | head -50 >
278. "$OUTPUT_DIR/artifacts/long_dns_queries.txt"
279.  
280.  
281.  
282. # Entropy analysis of DNS queries (high entropy could indicate encoding)
283.  
284. tshark -r "$PCAP_FILE" -Y "dns.qry.name" -T fields -e dns.qry.name | python3 -c
285. '
286.  
287. import sys
288.  
289. import math
290.  
291. import collections
292.  
293. def entropy(data):
294.  
295. if not data:
296.  
297. return 0
298.  
299. entropy = 0
300.  
301. for x in range(256):
302.  
303. p_x = float(data.count(chr(x)))/len(data)
304.  
305. if p_x > 0:
306.  
307. entropy += - p_x * math.log2(p_x)
308.  
309. return entropy
310.  
311. for line in sys.stdin:
312.  
313. line = line.strip()
314.  
315. if len(line) > 15: # Only check domains of sufficient length
316.  
317. e = entropy(line.split(".")[0]) # Check entropy of domain part before TLD
318.  
319. if e > 4.0:
320.  
321. print(f"{e:.2f} - {line}")
322.  
323. ' > "$OUTPUT_DIR/artifacts/high_entropy_dns.txt"
324.  
325.  
326.  
327. log "[+] Protocol anomaly detection complete"
328.  
329. }
330.  
331. # Function to extract network artifacts
332.  
333. extract_network_artifacts() {
334.  
335. log "[+] Extracting network artifacts..."
336.  
337.  
338.  
339. # Extract files from various protocols
340.  
341. mkdir -p "$OUTPUT_DIR/extracted_files/http"
342.  
343. mkdir -p "$OUTPUT_DIR/extracted_files/ftp"
344.  
345. mkdir -p "$OUTPUT_DIR/extracted_files/smb"
346.  
347. mkdir -p "$OUTPUT_DIR/extracted_files/tftp"
348.  
349.  
350.  
351. # HTTP objects
352.  
353. log "[+] Extracting HTTP objects..."
354.  
355. tshark -r "$PCAP_FILE" --export-objects http,"$OUTPUT_DIR/extracted_files/http"
356. > /dev/null 2>&1
357.  
358.  
359.  
360. # FTP artifacts
361.  
362. log "[+] Extracting FTP artifacts..."
363.  
364. tshark -r "$PCAP_FILE" -Y "ftp" -T fields -e tcp.stream >
365. "$OUTPUT_DIR/artifacts/ftp_streams.txt"
366.  
367. if [ -s "$OUTPUT_DIR/artifacts/ftp_streams.txt" ]; then
368.  
369. for stream in $(cat "$OUTPUT_DIR/artifacts/ftp_streams.txt" | sort -u); do
370.  
371. tshark -r "$PCAP_FILE" -q -z "follow,tcp,ascii,$stream" >
372. "$OUTPUT_DIR/sessions/ftp_session_$stream.txt"
373.  
374. done
375.  
376. fi
377.  
378.  
379.  
380. # SMB file transfers
381.  
382. log "[+] Extracting SMB artifacts..."
383.  
384. tshark -r "$PCAP_FILE" --export-objects smb,"$OUTPUT_DIR/extracted_files/smb" >
385. /dev/null 2>&1
386.  
387.  
388.  
389. # TFTP file transfers
390.  
391. log "[+] Extracting TFTP artifacts..."
392.  
393. tshark -r "$PCAP_FILE" --export-objects tftp,"$OUTPUT_DIR/extracted_files/tftp"
394. > /dev/null 2>&1
395.  
396.  
397.  
398. # Extract email artifacts
399.  
400. mkdir -p "$OUTPUT_DIR/extracted_files/email"
401.  
402. log "[+] Extracting email artifacts..."
403.  
404. tshark -r "$PCAP_FILE" -Y "smtp or pop or imap" -T fields -e tcp.stream >
405. "$OUTPUT_DIR/artifacts/email_streams.txt"
406.  
407. if [ -s "$OUTPUT_DIR/artifacts/email_streams.txt" ]; then
408.  
409. for stream in $(cat "$OUTPUT_DIR/artifacts/email_streams.txt" | sort -u); do
410.  
411. tshark -r "$PCAP_FILE" -q -z "follow,tcp,ascii,$stream" >
412. "$OUTPUT_DIR/extracted_files/email/email_session_$stream.txt"
413.  
414. done
415.  
416. fi
417.  
418.  
419.  
420. # Extract all URLs from HTTP streams
421.  
422. log "[+] Extracting URLs..."
423.  
424. tshark -r "$PCAP_FILE" -Y "http" -T fields -e http.request.full_uri | sort |
425. uniq > "$OUTPUT_DIR/artifacts/http_urls.txt"
426.  
427.  
428.  
429. # Extract all domains from DNS queries
430.  
431. log "[+] Extracting DNS queries..."
432.  
433. tshark -r "$PCAP_FILE" -Y "dns" -T fields -e dns.qry.name | sort | uniq >
434. "$OUTPUT_DIR/artifacts/dns_queries.txt"
435.  
436.  
437.  
438. # Extract all email addresses
439.  
440. log "[+] Extracting email addresses..."
441.  
442. tshark -r "$PCAP_FILE" -Y "smtp or pop or imap" -T fields -e tcp.stream >
443. "$OUTPUT_DIR/artifacts/email_streams.txt"
444.  
445. if [ -s "$OUTPUT_DIR/artifacts/email_streams.txt" ]; then
446.  
447. for stream in $(cat "$OUTPUT_DIR/artifacts/email_streams.txt" | sort -u); do
448.  
449. tshark -r "$PCAP_FILE" -q -z "follow,tcp,ascii,$stream" | grep -Eo
450. "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}" | sort | uniq >>
451. "$OUTPUT_DIR/artifacts/email_addresses.txt"
452.  
453. done
454.  
455.  
456.  
457. if [ -f "$OUTPUT_DIR/artifacts/email_addresses.txt" ]; then
458.  
459. sort -u "$OUTPUT_DIR/artifacts/email_addresses.txt" -o
460. "$OUTPUT_DIR/artifacts/email_addresses.txt"
461.  
462. fi
463.  
464. fi
465.  
466.  
467.  
468. # Extract all user-agents
469.  
470. log "[+] Extracting HTTP User-Agents..."
471.  
472. tshark -r "$PCAP_FILE" -Y "http.user_agent" -T fields -e http.user_agent | sort
473. | uniq -c | sort -nr > "$OUTPUT_DIR/artifacts/http_user_agents.txt"
474.  
475.  
476.  
477. # Extract hostnames
478.  
479. log "[+] Extracting hostnames..."
480.  
481. tshark -r "$PCAP_FILE" -Y "http.host" -T fields -e http.host | sort | uniq >
482. "$OUTPUT_DIR/artifacts/http_hosts.txt"
483.  
484.  
485.  
486. # Extract POST data from HTTP sessions
487.  
488. log "[+] Extracting HTTP POST data..."
489.  
490. tshark -r "$PCAP_FILE" -Y "http.request.method == \"POST\"" -T fields -e
491. tcp.stream > "$OUTPUT_DIR/artifacts/http_post_streams.txt"
492.  
493. if [ -s "$OUTPUT_DIR/artifacts/http_post_streams.txt" ]; then
494.  
495. for stream in $(cat "$OUTPUT_DIR/artifacts/http_post_streams.txt" | sort -u); do
496.  
497. tshark -r "$PCAP_FILE" -q -z "follow,tcp,ascii,$stream" >
498. "$OUTPUT_DIR/sessions/http_post_$stream.txt"
499.  
500. done
501.  
502. fi
503.  
504.  
505.  
506. # Extract all IP addresses that communicated with domains/IPs on a watch list
507. (if provided)
508.  
509. if [ -n "$THREAT_INTEL_DB" ] && [ -f "$THREAT_INTEL_DB" ]; then
510.  
511. log "[+] Correlating with threat intelligence database..."
512.  
513.  
514.  
515. # Assuming the threat intel DB has one domain/IP per line
516.  
517. mkdir -p "$OUTPUT_DIR/artifacts/threat_matches"
518.  
519.  
520.  
521. # Check DNS queries against threat intel
522.  
523. for domain in $(cat "$OUTPUT_DIR/artifacts/dns_queries.txt"); do
524.  
525. if grep -q "$domain" "$THREAT_INTEL_DB"; then
526.  
527. log "[!] Found suspicious domain: $domain"
528.  
529. tshark -r "$PCAP_FILE" -Y "dns.qry.name == \"$domain\"" -T fields -e frame.time
530. -e ip.src -e ip.dst -e dns.qry.name >
531. "$OUTPUT_DIR/artifacts/threat_matches/domain_$domain.txt"
532.  
533. fi
534.  
535. done
536.  
537.  
538.  
539. # Check IP addresses against threat intel
540.  
541. for ip in $(cat "$OUTPUT_DIR/artifacts/src_ips.txt"
542. "$OUTPUT_DIR/artifacts/dst_ips.txt" | sort | uniq); do
543.  
544. if grep -q "$ip" "$THREAT_INTEL_DB"; then
545.  
546. log "[!] Found suspicious IP: $ip"
547.  
548. tshark -r "$PCAP_FILE" -Y "ip.addr == $ip" -T fields -e frame.time -e ip.src -e
549. ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport >
550. "$OUTPUT_DIR/artifacts/threat_matches/ip_$ip.txt"
551.  
552. fi
553.  
554. done
555.  
556. fi
557.  
558.  
559.  
560. log "[+] Network artifact extraction complete"
561.  
562. }
563.  
564. # Function to detect data exfiltration
565.  
566. detect_data_exfiltration() {
567.  
568. log "[+] Detecting potential data exfiltration..."
569.  
570.  
571.  
572. # Look for large file transfers
573.  
574. log "[+] Identifying large file transfers..."
575.  
576. tshark -r "$PCAP_FILE" -Y "tcp.len > 1000" -T fields -e ip.src -e ip.dst -e
577. tcp.len -e frame.protocols | \
578.  
579. awk '{sum[$1"->"$2] += $3} END {for (i in sum) print sum[i], i}' | sort -nr >
580. "$OUTPUT_DIR/artifacts/large_transfers.txt"
581.  
582.  
583.  
584. # DNS exfiltration - unusually long or high volume DNS queries
585.  
586. log "[+] Checking for DNS exfiltration patterns..."
587.  
588. tshark -r "$PCAP_FILE" -Y "dns.qry.name" -T fields -e ip.src -e dns.qry.name | \
589.  
590. awk '{len=length($2); sum[$1] += len; count[$1]++} END {for (i in sum) print
591. sum[i], count[i], sum[i]/count[i], i}' | sort -nr >
592. "$OUTPUT_DIR/artifacts/dns_volume_per_host.txt"
593.  
594.  
595.  
596. # Look for domain names containing base64-encoded strings
597.  
598. log "[+] Looking for encoded DNS queries..."
599.  
600. tshark -r "$PCAP_FILE" -Y "dns.qry.name" -T fields -e dns.qry.name | grep -E
601. '[A-Za-z0-9+/]{20,}={0,2}' > "$OUTPUT_DIR/artifacts/base64_dns.txt"
602.  
603.  
604.  
605. # Identify periodic beaconing (potential C2)
606.  
607. log "[+] Identifying potential beaconing patterns..."
608.  
609. tshark -r "$PCAP_FILE" -Y "tcp.flags == 0x0002" -T fields -e frame.time_epoch -e
610. ip.src -e ip.dst -e tcp.dstport | python3 -c '
611.  
612. import sys
613.  
614. import collections
615.  
616. import statistics
617.  
618. connections = collections.defaultdict(list)
619.  
620. for line in sys.stdin:
621.  
622. parts = line.strip().split()
623.  
624. if len(parts) >= 4:
625.  
626. time = float(parts[0])
627.  
628. src = parts[1]
629.  
630. dst = parts[2]
631.  
632. port = parts[3]
633.  
634. connections[(src, dst, port)].append(time)
635.  
636. print("Source,Destination,Port,Count,Mean Interval,StdDev,Regularity Score")
637.  
638. for (src, dst, port), times in connections.items():
639.  
640. if len(times) >= 3: # Need at least 3 points to detect a pattern
641.  
642. times.sort()
643.  
644. intervals = [times[i+1] - times[i] for i in range(len(times)-1)]
645.  
646.  
647.  
648. if intervals:
649.  
650. mean_interval = sum(intervals) / len(intervals)
651.  
652.  
653.  
654. if len(intervals) > 1:
655.  
656. stddev = statistics.stdev(intervals)
657.  
658. # Lower ratio indicates more regular timing (potential beaconing)
659.  
660. regularity = stddev / mean_interval if mean_interval > 0 else 999
661.  
662. else:
663.  
664. stddev = 0
665.  
666. regularity = 999
667.  
668.  
669.  
670. # Only show results with decent regularity and multiple occurrences
671.  
672. if regularity < 0.3 and len(times) >= 3:
673.  
674. print(f"{src},{dst},{port},{len(times)},{mean_interval:.2f},{stddev:.2f},{regularity:.4f}")
675.  
676. ' > "$OUTPUT_DIR/artifacts/beaconing_patterns.csv"
677.  
678.  
679.  
680. # Look for unusual data in ICMP packets (potential tunneling)
681.  
682. log "[+] Checking for ICMP tunneling..."
683.  
684. tshark -r "$PCAP_FILE" -Y "icmp and data.len > 56" -w
685. "$OUTPUT_DIR/artifacts/icmp_with_data.pcap"
686.  
687.  
688.  
689. # Create summary of potential exfiltration methods found
690.  
691. {
692.  
693. echo "=== Potential Data Exfiltration Summary ==="
694.  
695. echo ""
696.  
697.  
698.  
699. echo "Top 10 Largest Data Transfers:"
700.  
701. head -10 "$OUTPUT_DIR/artifacts/large_transfers.txt"
702.  
703. echo ""
704.  
705.  
706.  
707. echo "Hosts with Highest DNS Query Volume:"
708.  
709. head -10 "$OUTPUT_DIR/artifacts/dns_volume_per_host.txt"
710.  
711. echo ""
712.  
713.  
714.  
715. if [ -s "$OUTPUT_DIR/artifacts/base64_dns.txt" ]; then
716.  
717. echo "Base64-encoded DNS Queries Detected:"
718.  
719. head -10 "$OUTPUT_DIR/artifacts/base64_dns.txt"
720.  
721. echo "Total Encoded Queries: $(wc -l < "$OUTPUT_DIR/artifacts/base64_dns.txt")"
722.  
723. echo ""
724.  
725. else
726.  
727. echo "No Base64-encoded DNS Queries Detected"
728.  
729. echo ""
730.  
731. fi
732.  
733.  
734.  
735. if [ -s "$OUTPUT_DIR/artifacts/beaconing_patterns.csv" ]; then
736.  
737. echo "Potential Beaconing Patterns (C2 Communication):"
738.  
739. cat "$OUTPUT_DIR/artifacts/beaconing_patterns.csv"
740.  
741. echo ""
742.  
743. else
744.  
745. echo "No Regular Beaconing Patterns Detected"
746.  
747. echo ""
748.  
749. fi
750.  
751.  
752.  
753. if [ -s "$OUTPUT_DIR/artifacts/oversized_icmp.txt" ]; then
754.  
755. echo "Oversized ICMP Packets (Potential Tunneling):"
756.  
757. cat "$OUTPUT_DIR/artifacts/oversized_icmp.txt"
758.  
759. echo ""
760.  
761. else
762.  
763. echo "No Oversized ICMP Packets Detected"
764.  
765. echo ""
766.  
767. fi
768.  
769. } > "$OUTPUT_DIR/reports/exfiltration_summary.txt"
770.  
771.  
772.  
773. log "[+] Data exfiltration detection complete"
774.  
775. }
776.  
777. # Function to detect tunneled protocols and covert channels
778.  
779. detect_tunneled_protocols() {
780.  
781. log "[+] Detecting tunneled protocols and covert channels..."
782.  
783.  
784.  
785. # HTTP(S) Tunneling Detection
786.  
787. log "[+] Checking for HTTP(S) tunneling..."
788.  
789. tshark -r "$PCAP_FILE" -Y "http.request.method == \"CONNECT\"" -T fields -e
790. ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.request.full_uri >
791. "$OUTPUT_DIR/artifacts/http_connect_tunnels.txt"
792.  
793.  
794.  
795. # ICMP Tunneling
796.  
797. log "[+] Checking for ICMP tunneling..."
798.  
799. tshark -r "$PCAP_FILE" -Y "icmp.type == 8 and data.len > 56" -T fields -e ip.src
800. -e ip.dst -e data.len | sort | uniq -c >
801. "$OUTPUT_DIR/artifacts/icmp_tunneling.txt"
802.  
803.  
804.  
805. # DNS Tunneling
806.  
807. log "[+] Checking for DNS tunneling..."
808.  
809. # Extract all DNS query names and analyze for entropy
810.  
811. tshark -r "$PCAP_FILE" -Y "dns.qry.name" -T fields -e ip.src -e dns.qry.name |
812. python3 -c '
813.  
814. import sys
815.  
816. import math
817.  
818. import collections
819.  
820. def entropy(data):
821.  
822. if not data:
823.  
824. return 0
825.  
826. entropy = 0
827.  
828. for x in range(256):
829.  
830. p_x = float(data.count(chr(x)))/len(data)
831.  
832. if p_x > 0:
833.  
834. entropy += - p_x * math.log2(p_x)
835.  
836. return entropy
837.  
838. # Count domains per source IP
839.  
840. ip_domains = collections.defaultdict(set)
841.  
842. ip_subdomains = collections.defaultdict(list)
843.  
844. all_queries = []
845.  
846. for line in sys.stdin:
847.  
848. parts = line.strip().split(None, 1)
849.  
850. if len(parts) == 2:
851.  
852. ip = parts[0]
853.  
854. domain = parts[1].lower()
855.  
856. all_queries.append((ip, domain))
857.  
858. ip_domains[ip].add(".".join(domain.split(".")[-2:])) # Track TLD+domain
859.  
860. subdomain = domain.split(".")[0]
861.  
862. if len(subdomain) > 10: # Only consider long subdomains
863.  
864. ip_subdomains[ip].append((domain, entropy(subdomain), len(subdomain)))
865.  
866. # Find IPs with many unique domains or high entropy subdomains
867.  
868. print("IP,Unique_Domains,Queries_with_High_Entropy,Avg_Entropy,Avg_Length")
869.  
870. for ip, domains in ip_domains.items():
871.  
872. if len(domains) > 5: # IP has queried more than 5 unique domains
873.  
874. high_entropy_queries = [q for q in ip_subdomains[ip] if q[1] > 4.0]
875.  
876. if high_entropy_queries:
877.  
878. avg_entropy = sum(q[1] for q in high_entropy_queries) /
879. len(high_entropy_queries)
880.  
881. avg_length = sum(q[2] for q in high_entropy_queries) / len(high_entropy_queries)
882.  
883. print(f"{ip},{len(domains)},{len(high_entropy_queries)},{avg_entropy:.2f},{avg_length:.2f}")
884.  
885. # Output samples of high entropy queries for inspection
886.  
887. print("\n=== Sample High Entropy Queries ===")
888.  
889. for ip, subdomains in ip_subdomains.items():
890.  
891. for domain, ent, length in subdomains:
892.  
893. if ent > 4.5 and length > 20: # Very high entropy and long
894.  
895. print(f"{ip} - {domain} (entropy: {ent:.2f}, length: {length})")
896.  
897. ' > "$OUTPUT_DIR/artifacts/dns_tunneling_analysis.txt"
898.  
899.  
900.  
901. # SSH Tunneling - checking for unusual SSH patterns
902.  
903. log "[+] Checking for SSH tunneling..."
904.  
905. tshark -r "$PCAP_FILE" -Y "ssh" -T fields -e ip.src -e ip.dst -e tcp.dstport |
906. sort | uniq -c > "$OUTPUT_DIR/artifacts/ssh_connections.txt"
907.  
908.  
909.  
910. # SSL/TLS on Non-Standard Ports
911.  
912. log "[+] Checking for SSL/TLS on non-standard ports..."
913.  
914. tshark -r "$PCAP_FILE" -Y "ssl and tcp.dstport != 443 and tcp.dstport != 8443"
915. -T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq -c >
916. "$OUTPUT_DIR/artifacts/ssl_nonstandard_ports.txt"
917.  
918. # TCP timing-based covert channels - looking for patterns in TCP timestamps
919.  
920. log "[+] Checking for TCP timing-based covert channels..."
921.  
922. tshark -r "$PCAP_FILE" -Y "tcp.flags == 0x018" -T fields -e ip.src -e ip.dst -e
923. tcp.dstport -e tcp.time_delta -e tcp.stream | python3 -c '
924.  
925. import sys
926.  
927. import collections
928.  
929. import statistics
930.  
931. streams = collections.defaultdict(list)
932.  
933. for line in sys.stdin:
934.  
935. parts = line.strip().split()
936.  
937. if len(parts) >= 5:
938.  
939. try:
940.  
941. src = parts[0]
942.  
943. dst = parts[1]
944.  
945. port = parts[2]
946.  
947. delta = float(parts[3])
948.  
949. stream = parts[4]
950.  
951.  
952.  
953. # Only consider reasonable deltas
954.  
955. if 0.001 < delta < 2.0:
956.  
957. streams[(src, dst, port, stream)].append(delta)
958.  
959. except:
960.  
961. pass
962.  
963. # Analyze delta patterns in each stream
964.  
965. print("Source,Destination,Port,Stream,Packets,Pattern_Found,Description")
966.  
967. for (src, dst, port, stream), deltas in streams.items():
968.  
969. if len(deltas) >= 10: # Need enough packets to detect a pattern
970.  
971. # Look for binary patterns in timing
972.  
973. short_deltas = 0
974.  
975. long_deltas = 0
976.  
977.  
978.  
979. median = statistics.median(deltas)
980.  
981.  
982.  
983. # Classify deltas as short or long relative to median
984.  
985. binary_pattern = ""
986.  
987. for delta in deltas:
988.  
989. if delta < median * 0.8:
990.  
991. binary_pattern += "0"
992.  
993. short_deltas += 1
994.  
995. elif delta > median * 1.2:
996.  
997. binary_pattern += "1"
998.  
999. long_deltas += 1
1000.  
1001. else:
1002.  
1003. binary_pattern += "X" # Middle range
1004.  
1005.  
1006.  
1007. # Check if we have a reasonable binary distribution
1008.  
1009. if short_deltas >= 3 and long_deltas >= 3 and (short_deltas + long_deltas) /
1010. len(deltas) > 0.7:
1011.  
1012. print(f"{src},{dst},{port},{stream},{len(deltas)},YES,Potential timing channel:
1013. distinct timing pattern detected")
1014.  
1015. else:
1016.  
1017. print(f"{src},{dst},{port},{stream},{len(deltas)},NO,Normal timing
1018. distribution")
1019.  
1020. ' > "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt"
1021.  
1022.  
1023.  
1024. # Create summary of covert channel findings
1025.  
1026. {
1027.  
1028. echo "=== Covert Channel and Protocol Tunneling Summary ==="
1029.  
1030. echo ""
1031.  
1032.  
1033.  
1034. echo "HTTP CONNECT Tunnels:"
1035.  
1036. if [ -s "$OUTPUT_DIR/artifacts/http_connect_tunnels.txt" ]; then
1037.  
1038. cat "$OUTPUT_DIR/artifacts/http_connect_tunnels.txt"
1039.  
1040. else
1041.  
1042. echo "None detected"
1043.  
1044. fi
1045.  
1046. echo ""
1047.  
1048.  
1049.  
1050. echo "ICMP Tunneling:"
1051.  
1052. if [ -s "$OUTPUT_DIR/artifacts/icmp_tunneling.txt" ]; then
1053.  
1054. cat "$OUTPUT_DIR/artifacts/icmp_tunneling.txt"
1055.  
1056. else
1057.  
1058. echo "None detected"
1059.  
1060. fi
1061.  
1062. echo ""
1063.  
1064.  
1065.  
1066. echo "DNS Tunneling Analysis:"
1067.  
1068. if [ -s "$OUTPUT_DIR/artifacts/dns_tunneling_analysis.txt" ]; then
1069.  
1070. cat "$OUTPUT_DIR/artifacts/dns_tunneling_analysis.txt"
1071.  
1072. else
1073.  
1074. echo "None detected"
1075.  
1076. fi
1077.  
1078. echo ""
1079.  
1080.  
1081.  
1082. echo "SSL/TLS on Non-Standard Ports:"
1083.  
1084. if [ -s "$OUTPUT_DIR/artifacts/ssl_nonstandard_ports.txt" ]; then
1085.  
1086. cat "$OUTPUT_DIR/artifacts/ssl_nonstandard_ports.txt"
1087.  
1088. else
1089.  
1090. echo "None detected"
1091.  
1092. fi
1093.  
1094. echo ""
1095.  
1096.  
1097.  
1098. echo "TCP Timing-Based Covert Channels:"
1099.  
1100. if [ -s "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt" ]; then
1101.  
1102. grep "YES" "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt"
1103.  
1104. echo "Total TCP streams analyzed: $(wc -l <
1105. "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt")"
1106.  
1107. else
1108.  
1109. echo "None detected"
1110.  
1111. fi
1112.  
1113.  
1114.  
1115. } > "$OUTPUT_DIR/reports/covert_channels_summary.txt"
1116.  
1117.  
1118.  
1119. log "[+] Tunneled protocol detection complete"
1120.  
1121. }
1122.  
1123. # Function to analyze encrypted traffic patterns
1124.  
1125. analyze_encrypted_traffic() {
1126.  
1127. log "[+] Analyzing encrypted traffic patterns..."
1128.  
1129.  
1130.  
1131. # Extract all SSL/TLS sessions
1132.  
1133. mkdir -p "$OUTPUT_DIR/artifacts/tls_analysis"
1134.  
1135. tshark -r "$PCAP_FILE" -Y "ssl" -T fields -e tcp.stream | sort | uniq >
1136. "$OUTPUT_DIR/artifacts/tls_analysis/tls_streams.txt"
1137.  
1138.  
1139.  
1140. # JA3 fingerprinting for client identification
1141.  
1142. tshark -r "$PCAP_FILE" -Y "ssl.handshake.type == 1" -T fields -e ip.src -e
1143. tcp.srcport -e ip.dst -e tcp.dstport -e ssl.handshake.ja3 -e
1144. ssl.handshake.ja3_full >
1145. "$OUTPUT_DIR/artifacts/tls_analysis/ja3_fingerprints.txt"
1146.  
1147.  
1148.  
1149. # JA3S fingerprinting for server identification
1150.  
1151. tshark -r "$PCAP_FILE" -Y "ssl.handshake.type == 2" -T fields -e ip.src -e
1152. tcp.srcport -e ip.dst -e tcp.dstport -e ssl.handshake.ja3s -e
1153. ssl.handshake.ja3s_full >
1154. "$OUTPUT_DIR/artifacts/tls_analysis/ja3s_fingerprints.txt"
1155.  
1156.  
1157.  
1158. # Extract TLS SNI (Server Name Indication) values
1159.  
1160. tshark -r "$PCAP_FILE" -Y "ssl.handshake.extensions_server_name" -T fields -e
1161. ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e
1162. ssl.handshake.extensions_server_name >
1163. "$OUTPUT_DIR/artifacts/tls_analysis/tls_sni.txt"
1164.  
1165.  
1166.  
1167. # Extract certificate details
1168.  
1169. tshark -r "$PCAP_FILE" -Y "ssl.handshake.certificate" -T fields -e ip.src -e
1170. tcp.srcport -e ip.dst -e tcp.dstport -e x509sat.uTF8String -e
1171. x509sat.printableString > "$OUTPUT_DIR/artifacts/tls_analysis/certificates.txt"
1172.  
1173.  
1174.  
1175. # Look for mismatches between SNI and certificate CN
1176.  
1177. python3 -c '
1178.  
1179. import sys
1180.  
1181. import os
1182.  
1183. def read_file_to_dict(filename, key_cols, val_cols):
1184.  
1185. result = {}
1186.  
1187. if not os.path.exists(filename):
1188.  
1189. return result
1190.  
1191.  
1192.  
1193. with open(filename, "r") as f:
1194.  
1195. for line in f:
1196.  
1197. parts = line.strip().split("\t")
1198.  
1199. if len(parts) >= key_cols + val_cols:
1200.  
1201. key = tuple(parts[:key_cols])
1202.  
1203. val = tuple(parts[key_cols:key_cols+val_cols])
1204.  
1205. result[key] = val
1206.  
1207. return result
1208.  
1209. # Get SNI values
1210.  
1211. sni_file = sys.argv[1]
1212.  
1213. sni_data = read_file_to_dict(sni_file, 4, 1)
1214.  
1215. # Get certificate CN values
1216.  
1217. cert_file = sys.argv[2]
1218.  
1219. cert_data = read_file_to_dict(cert_file, 4, 2)
1220.  
1221. # Compare SNI with certificate CN
1222.  
1223. print("Client,Client_Port,Server,Server_Port,SNI,Certificate_CN,Mismatch")
1224.  
1225. for key, sni in sni_data.items():
1226.  
1227. if key in cert_data:
1228.  
1229. src, src_port, dst, dst_port = key
1230.  
1231. cert_cn = cert_data[key][0]
1232.  
1233.  
1234.  
1235. # Basic check for SNI vs CN mismatch - could be more sophisticated
1236.  
1237. if sni[0] and cert_cn and sni[0] not in cert_cn and not
1238. cert_cn.endswith(sni[0]):
1239.  
1240. print(f"{src},{src_port},{dst},{dst_port},{sni[0]},{cert_cn},YES")
1241.  
1242. else:
1243.  
1244. print(f"{src},{src_port},{dst},{dst_port},{sni[0]},{cert_cn},NO")
1245.  
1246. ' "$OUTPUT_DIR/artifacts/tls_analysis/tls_sni.txt"
1247. "$OUTPUT_DIR/artifacts/tls_analysis/certificates.txt" >
1248. "$OUTPUT_DIR/artifacts/tls_analysis/sni_cert_comparison.txt"
1249.  
1250.  
1251.  
1252. # Look for unusual JA3 fingerprints
1253.  
1254. log "[+] Analyzing client TLS fingerprints..."
1255.  
1256. {
1257.  
1258. echo "JA3 Fingerprint,Count,Source IPs,Destination IPs,Destination Ports"
1259.  
1260. awk -F '\t' '{print $5}'
1261. "$OUTPUT_DIR/artifacts/tls_analysis/ja3_fingerprints.txt" | sort | uniq -c |
1262. sort -nr | while read count ja3; do
1263.  
1264. if [ -n "$ja3" ]; then
1265.  
1266. # For each JA3, find the unique src IPs, dst IPs, and dst ports
1267.  
1268. src_ips=$(grep "$ja3" "$OUTPUT_DIR/artifacts/tls_analysis/ja3_fingerprints.txt"
1269. | cut -f 1 | sort | uniq | wc -l)
1270.  
1271. dst_ips=$(grep "$ja3" "$OUTPUT_DIR/artifacts/tls_analysis/ja3_fingerprints.txt"
1272. | cut -f 3 | sort | uniq | wc -l)
1273.  
1274. dst_ports=$(grep "$ja3"
1275. "$OUTPUT_DIR/artifacts/tls_analysis/ja3_fingerprints.txt" | cut -f 4 | sort |
1276. uniq | wc -l)
1277.  
1278. echo "$ja3,$count,$src_ips,$dst_ips,$dst_ports"
1279.  
1280. fi
1281.  
1282. done
1283.  
1284. } > "$OUTPUT_DIR/artifacts/tls_analysis/ja3_statistics.csv"
1285.  
1286.  
1287.  
1288. # Traffic size and timing analysis for encrypted sessions
1289.  
1290. log "[+] Analyzing encrypted traffic patterns..."
1291.  
1292. for stream in $(cat "$OUTPUT_DIR/artifacts/tls_analysis/tls_streams.txt"); do
1293.  
1294. tshark -r "$PCAP_FILE" -Y "tcp.stream == $stream" -T fields -e frame.time_epoch
1295. -e ip.src -e ip.dst -e tcp.len -e tcp.srcport -e tcp.dstport >
1296. "$OUTPUT_DIR/artifacts/tls_analysis/stream_${stream}_details.txt"
1297.  
1298. done
1299.  
1300.  
1301.  
1302. # Summarize encrypted traffic analysis
1303.  
1304. {
1305.  
1306. echo "=== Encrypted Traffic Analysis Summary ==="
1307.  
1308. echo ""
1309.  
1310.  
1311.  
1312. echo "TLS Sessions: $(wc -l <
1313. "$OUTPUT_DIR/artifacts/tls_analysis/tls_streams.txt")"
1314.  
1315. echo ""
1316.  
1317.  
1318.  
1319. echo "Top 10 JA3 Client Fingerprints:"
1320.  
1321. head -10 "$OUTPUT_DIR/artifacts/tls_analysis/ja3_statistics.csv"
1322.  
1323. echo ""
1324.  
1325.  
1326.  
1327. echo "SNI/Certificate Mismatches:"
1328.  
1329. grep "YES" "$OUTPUT_DIR/artifacts/tls_analysis/sni_cert_comparison.txt"
1330. 2>/dev/null || echo "None detected"
1331.  
1332. echo ""
1333.  
1334.  
1335.  
1336. echo "Self-Signed Certificates:"
1337.  
1338. if [ -s "$OUTPUT_DIR/artifacts/self_signed_certs.txt" ]; then
1339.  
1340. cat "$OUTPUT_DIR/artifacts/self_signed_certs.txt"
1341.  
1342. else
1343.  
1344. echo "None detected"
1345.  
1346. fi
1347.  
1348. echo ""
1349.  
1350.  
1351.  
1352. echo "Unusual SSL/TLS Ports:"
1353.  
1354. if [ -s "$OUTPUT_DIR/artifacts/ssl_nonstandard_ports.txt" ]; then
1355.  
1356. cat "$OUTPUT_DIR/artifacts/ssl_nonstandard_ports.txt"
1357.  
1358. else
1359.  
1360. echo "None detected"
1361.  
1362. fi
1363.  
1364. } > "$OUTPUT_DIR/reports/encrypted_traffic_summary.txt"
1365.  
1366.  
1367.  
1368. log "[+] Encrypted traffic analysis complete"
1369.  
1370. }
1371.  
1372. # Function to generate a final report
1373.  
1374. generate_final_report() {
1375.  
1376. log "[+] Generating final report..."
1377.  
1378.  
1379.  
1380. # Create an executive summary
1381.  
1382. REPORT_FILE="$OUTPUT_DIR/Network_Forensics_Report_${DATE_TAG}.md"
1383.  
1384.  
1385.  
1386. cat > "$REPORT_FILE" << EOF
1387.  
1388. # Network Forensics Analysis Report
1389.  
1390. ## Executive Summary
1391.  
1392. **PCAP File:** $(basename "$PCAP_FILE")
1393.  
1394. **Analysis Date:** $(date)
1395.  
1396. **Analysis Duration:** $(cat "$OUTPUT_DIR/reports/pcap_info.txt" | grep "Capture
1397. duration:" | cut -d: -f2- | xargs || echo "Unknown")
1398.  
1399. ### Overview
1400.  
1401. This report presents the findings of a network forensics analysis conducted on
1402. the provided PCAP file. The analysis focused on identifying malicious or
1403. suspicious network activities, including potential lateral movement, data
1404. exfiltration, command and control communications, and protocol anomalies.
1405.  
1406. ### Key Findings
1407.  
1408. #### Traffic Statistics
1409.  
1410. - Total Packets: $(cat "$OUTPUT_DIR/reports/pcap_info.txt" | grep "Number of
1411. packets:" | cut -d: -f2 | xargs || echo "Unknown")
1412.  
1413. - Capture Size: $(cat "$OUTPUT_DIR/reports/pcap_info.txt" | grep "File size:" |
1414. cut -d: -f2 | xargs || echo "Unknown")
1415.  
1416. - Unique IP Addresses: $(cat "$OUTPUT_DIR/artifacts/src_ips.txt"
1417. "$OUTPUT_DIR/artifacts/dst_ips.txt" | sort | uniq | wc -l)
1418.  
1419. - Unique TCP Ports: $(wc -l < "$OUTPUT_DIR/artifacts/tcp_ports.txt" 2>/dev/null
1420. || echo "0")
1421.  
1422. - Unique UDP Ports: $(wc -l < "$OUTPUT_DIR/artifacts/udp_ports.txt" 2>/dev/null
1423. || echo "0")
1424.  
1425. $(if [ -s "$OUTPUT_DIR/artifacts/threat_matches" ]; then
1426.  
1427. echo "#### Threat Intelligence Matches"
1428.  
1429. echo "- **WARNING:** Traffic matching known threat indicators was detected"
1430.  
1431. echo "- See the Threat Intel section for details"
1432.  
1433. echo ""
1434.  
1435. fi)
1436.  
1437. #### Protocol Anomalies
1438.  
1439. $(if [ -s "$OUTPUT_DIR/artifacts/http_nonstandard_ports.txt" ]; then
1440.  
1441. echo "- HTTP traffic on non-standard ports detected"
1442.  
1443. fi)
1444.  
1445. $(if [ -s "$OUTPUT_DIR/artifacts/dns_nonstandard_ports.txt" ]; then
1446.  
1447. echo "- DNS traffic on non-standard ports detected"
1448.  
1449. fi)
1450.  
1451. $(if [ -s "$OUTPUT_DIR/artifacts/self_signed_certs.txt" ]; then
1452.  
1453. echo "- Self-signed SSL certificates detected"
1454.  
1455. fi)
1456.  
1457. $(if [ -s "$OUTPUT_DIR/artifacts/external_smb.txt" ]; then
1458.  
1459. echo "- SMB traffic outside local network detected"
1460.  
1461. fi)
1462.  
1463. $(if [ -s "$OUTPUT_DIR/artifacts/ssh_nonstandard_ports.txt" ]; then
1464.  
1465. echo "- SSH traffic on non-standard ports detected"
1466.  
1467. fi)
1468.  
1469. #### Data Exfiltration Indicators
1470.  
1471. $(if [ -s "$OUTPUT_DIR/artifacts/dns_tunneling_analysis.txt" ]; then
1472.  
1473. echo "- Potential DNS tunneling activity detected"
1474.  
1475. fi)
1476.  
1477. $(if [ -s "$OUTPUT_DIR/artifacts/high_entropy_dns.txt" ]; then
1478.  
1479. echo "- High entropy DNS queries detected (possible encoded data)"
1480.  
1481. fi)
1482.  
1483. $(if [ -s "$OUTPUT_DIR/artifacts/beaconing_patterns.csv" ] && [ $(grep -c "YES"
1484. "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt" 2>/dev/null) -gt 0 ]; then
1485.  
1486. echo "- Command and control beaconing patterns detected"
1487.  
1488. fi)
1489.  
1490. $(if [ -s "$OUTPUT_DIR/artifacts/icmp_tunneling.txt" ]; then
1491.  
1492. echo "- ICMP tunneling indicators detected"
1493.  
1494. fi)
1495.  
1496. #### Extracted Artifacts
1497.  
1498. - Network communications preserved for investigation
1499.  
1500. - $(find "$OUTPUT_DIR/extracted_files" -type f | wc -l) files extracted from
1501. network streams
1502.  
1503. - $(wc -l < "$OUTPUT_DIR/artifacts/http_urls.txt" 2>/dev/null || echo "0")
1504. unique URLs captured
1505.  
1506. - $(wc -l < "$OUTPUT_DIR/artifacts/dns_queries.txt" 2>/dev/null || echo "0")
1507. unique DNS queries
1508.  
1509. ### Recommendations
1510.  
1511. Based on the analysis findings, the following actions are recommended:
1512.  
1513. 1. Investigate hosts with suspicious communication patterns
1514.  
1515. 2. Analyze extracted files for malicious content
1516.  
1517. 3. Block communication with identified malicious domains/IPs
1518.  
1519. 4. Review network security controls and monitoring capabilities
1520.  
1521. 5. Implement detection rules based on identified TTPs
1522.  
1523. ## Detailed Analysis Results
1524.  
1525. ### Protocol Distribution
1526.  
1527. \`\`\`
1528.  
1529. $(head -20 "$OUTPUT_DIR/reports/protocol_hierarchy.txt" 2>/dev/null || echo
1530. "Protocol hierarchy not available")
1531.  
1532. \`\`\`
1533.  
1534. ### Top Talkers
1535.  
1536. \`\`\`
1537.  
1538. $(head -10 "$OUTPUT_DIR/reports/ip_conversations.txt" 2>/dev/null || echo "IP
1539. conversation data not available")
1540.  
1541. \`\`\`
1542.  
1543. EOF
1544.  
1545. # Add protocol anomaly section
1546.  
1547. cat >> "$REPORT_FILE" << EOF
1548.  
1549. ### Protocol Anomalies
1550.  
1551. #### HTTP on Non-Standard Ports
1552.  
1553. $(if [ -s "$OUTPUT_DIR/artifacts/http_nonstandard_ports.txt" ]; then
1554.  
1555. echo "\`\`\`"
1556.  
1557. echo "Source IP,Destination IP,Destination Port,URI"
1558.  
1559. cat "$OUTPUT_DIR/artifacts/http_nonstandard_ports.txt" | tr '\t' ','
1560.  
1561. echo "\`\`\`"
1562.  
1563. else
1564.  
1565. echo "No HTTP traffic on non-standard ports detected."
1566.  
1567. fi)
1568.  
1569. #### Self-Signed Certificates
1570.  
1571. $(if [ -s "$OUTPUT_DIR/artifacts/self_signed_certs.txt" ]; then
1572.  
1573. echo "\`\`\`"
1574.  
1575. cat "$OUTPUT_DIR/artifacts/self_signed_certs.txt" | tr '\t' ','
1576.  
1577. echo "\`\`\`"
1578.  
1579. else
1580.  
1581. echo "No self-signed certificates detected."
1582.  
1583. fi)
1584.  
1585. #### Cleartext Authentication
1586.  
1587. $(if [ -s "$OUTPUT_DIR/artifacts/cleartext_auth_http.txt" ]; then
1588.  
1589. echo "\`\`\`"
1590.  
1591. echo "Source IP,Destination IP,Port,URI"
1592.  
1593. cat "$OUTPUT_DIR/artifacts/cleartext_auth_http.txt" | tr '\t' ','
1594.  
1595. echo "\`\`\`"
1596.  
1597. else
1598.  
1599. echo "No cleartext authentication detected."
1600.  
1601. fi)
1602.  
1603. EOF
1604.  
1605. # Add data exfiltration section
1606.  
1607. cat >> "$REPORT_FILE" << EOF
1608.  
1609. ### Data Exfiltration Analysis
1610.  
1611. #### Large Data Transfers
1612.  
1613. \`\`\`
1614.  
1615. $(head -10 "$OUTPUT_DIR/artifacts/large_transfers.txt" 2>/dev/null || echo "No
1616. large transfers detected")
1617.  
1618. \`\`\`
1619.  
1620. #### DNS Tunneling Indicators
1621.  
1622. $(if [ -s "$OUTPUT_DIR/artifacts/dns_tunneling_analysis.txt" ]; then
1623.  
1624. echo "\`\`\`"
1625.  
1626. head -20 "$OUTPUT_DIR/artifacts/dns_tunneling_analysis.txt"
1627.  
1628. echo "\`\`\`"
1629.  
1630. else
1631.  
1632. echo "No DNS tunneling indicators detected."
1633.  
1634. fi)
1635.  
1636. #### Beaconing Pattern Detection
1637.  
1638. $(if [ -s "$OUTPUT_DIR/artifacts/beaconing_patterns.csv" ]; then
1639.  
1640. echo "\`\`\`"
1641.  
1642. cat "$OUTPUT_DIR/artifacts/beaconing_patterns.csv"
1643.  
1644. echo "\`\`\`"
1645.  
1646. else
1647.  
1648. echo "No regular beaconing patterns detected."
1649.  
1650. fi)
1651.  
1652. EOF
1653.  
1654. # Add covert channel section
1655.  
1656. cat >> "$REPORT_FILE" << EOF
1657.  
1658. ### Covert Channels and Tunneled Protocols
1659.  
1660. #### ICMP Tunneling
1661.  
1662. $(if [ -s "$OUTPUT_DIR/artifacts/icmp_tunneling.txt" ]; then
1663.  
1664. echo "\`\`\`"
1665.  
1666. cat "$OUTPUT_DIR/artifacts/icmp_tunneling.txt"
1667.  
1668. echo "\`\`\`"
1669.  
1670. else
1671.  
1672. echo "No ICMP tunneling detected."
1673.  
1674. fi)
1675.  
1676. #### TCP Timing Channels
1677.  
1678. $(if [ -s "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt" ] && [ $(grep -c "YES"
1679. "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt") -gt 0 ]; then
1680.  
1681. echo "\`\`\`"
1682.  
1683. grep "YES" "$OUTPUT_DIR/artifacts/tcp_timing_channels.txt"
1684.  
1685. echo "\`\`\`"
1686.  
1687. else
1688.  
1689. echo "No TCP timing channels detected."
1690.  
1691. fi)
1692.  
1693. #### HTTP CONNECT Tunnels
1694.  
1695. $(if [ -s "$OUTPUT_DIR/artifacts/http_connect_tunnels.txt" ]; then
1696.  
1697. echo "\`\`\`"
1698.  
1699. cat "$OUTPUT_DIR/artifacts/http_connect_tunnels.txt" | tr '\t' ','
1700.  
1701. echo "\`\`\`"
1702.  
1703. else
1704.  
1705. echo "No HTTP CONNECT tunnels detected."
1706.  
1707. fi)
1708.  
1709. EOF
1710.  
1711. # Add encrypted traffic section
1712.  
1713. cat >> "$REPORT_FILE" << EOF
1714.  
1715. ### Encrypted Traffic Analysis
1716.  
1717. #### TLS Fingerprinting (JA3)
1718.  
1719. Top 10 client TLS fingerprints:
1720.  
1721. \`\`\`
1722.  
1723. $(head -10 "$OUTPUT_DIR/artifacts/tls_analysis/ja3_statistics.csv" 2>/dev/null
1724. || echo "No JA3 statistics available")
1725.  
1726. \`\`\`
1727.  
1728. #### Certificate/SNI Mismatches
1729.  
1730. $(if [ -s "$OUTPUT_DIR/artifacts/tls_analysis/sni_cert_comparison.txt" ] && grep
1731. -q "YES" "$OUTPUT_DIR/artifacts/tls_analysis/sni_cert_comparison.txt"; then
1732.  
1733. echo "\`\`\`"
1734.  
1735. grep "YES" "$OUTPUT_DIR/artifacts/tls_analysis/sni_cert_comparison.txt" | tr ','
1736. '\t'
1737.  
1738. echo "\`\`\`"
1739.  
1740. else
1741.  
1742. echo "No certificate/SNI mismatches detected."
1743.  
1744. fi)
1745.  
1746. EOF
1747.  
1748. # Add threat intelligence section if available
1749.  
1750. if [ -n "$THREAT_INTEL_DB" ] && [ -s "$OUTPUT_DIR/artifacts/threat_matches" ];
1751. then
1752.  
1753. cat >> "$REPORT_FILE" << EOF
1754.  
1755. ### Threat Intelligence Matches
1756.  
1757. The following traffic matched known threat indicators:
1758.  
1759. $(find "$OUTPUT_DIR/artifacts/threat_matches" -type f -name "domain_*" | while
1760. read file; do
1761.  
1762. domain=$(basename "$file" | cut -d_ -f2-)
1763.  
1764. echo "* Domain: $domain"
1765.  
1766. echo " * Traffic:"
1767.  
1768. cat "$file" | head -5 | tr '\t' ' ' | sed 's/^/ * /'
1769.  
1770. if [ $(wc -l < "$file") -gt 5 ]; then
1771.  
1772. echo " * ... ($(expr $(wc -l < "$file") - 5) more connections)"
1773.  
1774. fi
1775.  
1776. echo ""
1777.  
1778. done)
1779.  
1780. $(find "$OUTPUT_DIR/artifacts/threat_matches" -type f -name "ip_*" | while read
1781. file; do
1782.  
1783. ip=$(basename "$file" | cut -d_ -f2-)
1784.  
1785. echo "* IP Address: $ip"
1786.  
1787. echo " * Traffic:"
1788.  
1789. cat "$file" | head -5 | tr '\t' ' ' | sed 's/^/ * /'
1790.  
1791. if [ $(wc -l < "$file") -gt 5 ]; then
1792.  
1793. echo " * ... ($(expr $(wc -l < "$file") - 5) more connections)"
1794.  
1795. fi
1796.  
1797. echo ""
1798.  
1799. done)
1800.  
1801. EOF
1802.  
1803. fi
1804.  
1805. # Add extracted artifacts section
1806.  
1807. cat >> "$REPORT_FILE" << EOF
1808.  
1809. ### Extracted Artifacts
1810.  
1811. #### File Extraction Summary
1812.  
1813. - HTTP Objects: $(find "$OUTPUT_DIR/extracted_files/http" -type f | wc -l
1814. 2>/dev/null || echo "0") files
1815.  
1816. - SMB Objects: $(find "$OUTPUT_DIR/extracted_files/smb" -type f | wc -l
1817. 2>/dev/null || echo "0") files
1818.  
1819. - TFTP Objects: $(find "$OUTPUT_DIR/extracted_files/tftp" -type f | wc -l
1820. 2>/dev/null || echo "0") files
1821.  
1822. - Email Artifacts: $(find "$OUTPUT_DIR/extracted_files/email" -type f | wc -l
1823. 2>/dev/null || echo "0") files
1824.  
1825. #### Top Domains Contacted
1826.  
1827. \`\`\`
1828.  
1829. $(cat "$OUTPUT_DIR/artifacts/dns_queries.txt" 2>/dev/null | sort | uniq -c |
1830. sort -nr | head -20)
1831.  
1832. \`\`\`
1833.  
1834. #### Top User-Agents
1835.  
1836. \`\`\`
1837.  
1838. $(head -10 "$OUTPUT_DIR/artifacts/http_user_agents.txt" 2>/dev/null || echo "No
1839. user-agent data")
1840.  
1841. \`\`\`
1842.  
1843. ## Conclusion
1844.  
1845. The network traffic analysis has identified $(if [ -s
1846. "$OUTPUT_DIR/artifacts/threat_matches" ] || [ -s
1847. "$OUTPUT_DIR/artifacts/beaconing_patterns.csv" ] || [ -s
1848. "$OUTPUT_DIR/artifacts/high_entropy_dns.txt" ]; then echo "potentially
1849. suspicious"; else echo "no obvious malicious"; fi) activity. $(if [ -s
1850. "$OUTPUT_DIR/artifacts/threat_matches" ] || [ -s
1851. "$OUTPUT_DIR/artifacts/beaconing_patterns.csv" ] || [ -s
1852. "$OUTPUT_DIR/artifacts/high_entropy_dns.txt" ]; then echo "Further investigation
1853. is recommended to determine the full scope and impact of the identified
1854. threats."; else echo "Regular security monitoring should continue."; fi)
1855.  
1856. The most significant findings include:
1857.  
1858. $(if [ -s "$OUTPUT_DIR/artifacts/threat_matches" ]; then
1859.  
1860. echo "- Traffic to known malicious domains/IPs"
1861.  
1862. fi)
1863.  
1864. $(if [ -s "$OUTPUT_DIR/artifacts/beaconing_patterns.csv" ]; then
1865.  
1866. echo "- Potential command and control beaconing patterns"
1867.  
1868. fi)
1869.  
1870. $(if [ -s "$OUTPUT_DIR/artifacts/high_entropy_dns.txt" ]; then
1871.  
1872. echo "- Possible DNS data exfiltration"
1873.  
1874. fi)
1875.  
1876. $(if [ -s "$OUTPUT_DIR/artifacts/self_signed_certs.txt" ]; then
1877.  
1878. echo "- Use of self-signed certificates"
1879.  
1880. fi)
1881.  
1882. $(if [ -s "$OUTPUT_DIR/artifacts/http_nonstandard_ports.txt" ]; then
1883.  
1884. echo "- HTTP services on non-standard ports"
1885.  
1886. fi)
1887.  
1888. $(if [ -s "$OUTPUT_DIR/artifacts/icmp_tunneling.txt" ]; then
1889.  
1890. echo "- Possible ICMP tunneling"
1891.  
1892. fi)
1893.  
1894. $(if [ ! -s "$OUTPUT_DIR/artifacts/threat_matches" ] && [ ! -s
1895. "$OUTPUT_DIR/artifacts/beaconing_patterns.csv" ] && [ ! -s
1896. "$OUTPUT_DIR/artifacts/high_entropy_dns.txt" ] && [ ! -s
1897. "$OUTPUT_DIR/artifacts/self_signed_certs.txt" ] && [ ! -s
1898. "$OUTPUT_DIR/artifacts/http_nonstandard_ports.txt" ] && [ ! -s
1899. "$OUTPUT_DIR/artifacts/icmp_tunneling.txt" ]; then
1900.  
1901. echo "- No significant suspicious network activity"
1902.  
1903. fi)
1904.  
1905. **Report generated by:** Advanced Network Forensics PCAP Analyzer
1906.  
1907. **Date:** $(date)
1908.  
1909. EOF
1910.  
1911.  
1912.  
1913. log "[+] Final report generated: $REPORT_FILE"
1914.  
1915. }
1916.  
1917. # Main execution flow
1918.  
1919. log "[+] Starting Network Forensics Analysis on: $PCAP_FILE"
1920.  
1921. # Execute analysis functions
1922.  
1923. analyze_pcap_metadata
1924.  
1925. detect_protocol_anomalies
1926.  
1927. extract_network_artifacts
1928.  
1929. detect_data_exfiltration
1930.  
1931. detect_tunneled_protocols
1932.  
1933. analyze_encrypted_traffic
1934.  
1935. generate_final_report
1936.  
1937. log "[+] Network Forensics Analysis complete! Report available at:
1938. $OUTPUT_DIR/Network_Forensics_Report_${DATE_TAG}.md"
1939.  
1940. # Make output directory readable
1941.  
1942. chmod -R 755 "$OUTPUT_DIR"