kamenim/rpcextract
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
Repository files navigation
rpcextract 0.99
NAME
rpcextract -- rpc filter and payload extractor
SYNOPSIS
rpcextract -i <pcap file> | -l <device> [-v] [-d <outdir>] [-p <proto_name#1>] [-p <proto_name#2>] ...
DESCRIPTION
RPCExtract is a tool that can filter out specific RPC packets from a
pcap file or from a live packet capture session, based on an interface
name. The payload found in the selected RPC packets is then extracted
to separate files for later analyze.
It is based only on the pcap library, "libpcap", since last version.
(http://sourceforge.net/projects/libpcap/)
RPCExtract was initially written for the OpenChange project (www.openchange.org).
The options are as follows:
-i
The pcap file to treat. Incompatible with -l.
-l device
Specify a network device, on which packets while be captured (in non promiscous
mode) and treated.
-v Verbose option
-d outdir
Directory where payloads files while be stored. If this one doesn't, it will be
created.
-p proto_name#N
Add an RPC Over protocol to filter. Static protocols managed in this version are
"Nspi" and "Mapi" (EMSMDB).
Command Line Exemples :
* ./rpcextract -i ~/PCAP -d res1c -p Mapi -p Nspi
Will extract from ~/PCAP file, all Mapi and Nspi packets, and will store paylods files in
the ./res1c directory.
* ./rpcextract -v -l eth0 -d live
Will store every Mapi or Nspi packet that will be listened on the eth0 interface, payload
file in the ./live directory.
* ./rpcextract -v -i ~/PCAP -p Nspi
Will store every Nspi packet payload file in current directory.
Payloads filename is formatted as follows:
{PACKET NUMBER}_{PACKET TYPE (IN/OUT)}_{OVER RPC PORTOCOL NAME (NSPI/MAPI)}_{PROTOCOL'S FUNCTION NAME}
AUTHOR
* Jérome MEDEGAN <j.medegan@openchange.org>
Feel free to contact for any questions.