Generating PCAP Files from YAML

The PCAP[1] file format is everywhere. Many applications generate PCAP files based on information collected on the network. Then, they can be used as evidence, as another data source for investigations and much more. There exist plenty of tools[2] to work with PCAP files. Common operations are to anonymize captured traffic and replay it against another tool for testing purposes (demos, lab, PoC).

When you anonymize PCAP files, the goal is to replace IP addresses with other ones (the classic operation is to replace the first byte with a '10' value to make the IP address non-routable). However, the payload may contain sensitive data that is more difficult to sanitize. Last week, I attended the[3] conference in Luxembourg and, during the lightning talks session, an interesting tool was demonstrated: pCraft. It can be described as a "PCAP file generator from a scenario described in YAML[4]". The idea behind this tool is to describe a scenario of network actions that is then translated into a fully working PCAP file.

Here is a quick example to demonstrate how to test an IDS rule:

start: GenerateNewDomain

GenerateNewDomain:
  _plugin: GenerateNewDomain
  _next: DNSConnection

DNSConnection:
  _plugin: DNSConnection
  sleep: {"once-finished": 1}
  _next: HTTPConnection

HTTPConnection:
  _plugin: HTTPConnection
  method: GET
  uri: "/shell?busybox"
  user-agent: "Mozilla/5.0"
  _next: done

The script is easy to understand: we generate a random domain name, resolve it, then send an HTTP request to the server with a suspicious URI. Each node names the plugin that executes it, and `_next` points to the node that runs afterwards, until `done`.

Let's generate the PCAP file:

# ./ test.yaml test.pcap
['PCraft/plugins/', 'PCraft/plugins/', 'PCraft/plugins/', 'PCraft/plugins/', 'PCraft/plugins/', 'PCraft/plugins/', 'PCraft/plugins/', 'PCraft/plugins/', 'PCraft/plugins/']
All plugins loaded!
Opening Script File test.yaml
[2019-10-28 18:01:35.324952] Executing: Generate_a_new_domain
[2019-10-28 18:01:35.367461] Executing: DNSConnection
[2019-10-28 18:01:35.368882] Executing: HTTPConnection
[2019-10-28 18:01:36.984010] Executing: done

The PCAP file can now be used to test our IDS or any other application.

Let's open it in Wireshark and inspect the HTTP request:

pCraft is written in Python and, if you check the required modules, you see it relies on scapy[5] to generate the packets and the PCAP file. Not many types of traffic are supported at the moment but, because it is plugin-based, it's easy to extend. The current list of plugins is:

  • DNSConnection
  • GenerateNewDomain
  • HTTPConnection
  • HTTPPostConnection
  • PCAPImport
  • Ping
  • TcpRst
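To show what such a scenario turns into on the wire, here is an added example (not pCraft's own code, which uses scapy): a stand-alone Python script that walks the same start/_next chain and writes a minimal libpcap file using only the standard library. The MAC and 10.0.0.x addresses, ports and the resolved domain name are constructed placeholders, and the DNS and HTTP plugins are the only two modelled.

```python
import socket, struct

# The diary's YAML scenario transcribed into a dict (constructed here; pCraft itself loads the YAML file).
SCENARIO = {"start": "GenerateNewDomain",
    "GenerateNewDomain": {"_plugin": "GenerateNewDomain", "_next": "DNSConnection"},
    "DNSConnection": {"_plugin": "DNSConnection", "sleep": {"once-finished": 1}, "_next": "HTTPConnection"},
    "HTTPConnection": {"_plugin": "HTTPConnection", "method": "GET", "uri": "/shell?busybox",
                       "user-agent": "Mozilla/5.0", "_next": "done"}}
CLIENT, SERVER = socket.inet_aton("10.0.0.2"), socket.inet_aton("10.0.0.1")  # constructed, non-routable

def walk(scenario):
    """Follow the _next chain from 'start' until 'done': the execution order pCraft's log shows."""
    order, node = [], scenario["start"]
    while node != "done":
        order.append(node)
        node = scenario[node]["_next"]
    return order

def frame(proto, l4):
    """Ethernet + IPv4 around a transport segment, client -> server, with the RFC 1071 header checksum set."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0, CLIENT, SERVER)
    s = sum(struct.unpack("!10H", ip))
    s = (s & 0xffff) + (s >> 16)  # fold the carry twice; ten 16-bit words cannot overflow further
    ip = ip[:10] + struct.pack("!H", ~((s & 0xffff) + (s >> 16)) & 0xffff) + ip[12:]
    return bytes.fromhex("00 11 22 33 44 55  66 77 88 99 aa bb  08 00") + ip + l4

def dns_query(name):
    """UDP/53 A-record query; a zero UDP checksum means 'none', which is legal over IPv4."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return frame(17, struct.pack("!HHHH", 53000, 53, 8 + len(dns), 0) + dns)

def http_request(node, host):
    """TCP/80 PSH+ACK segment carrying the request an HTTPConnection node describes."""
    body = f"{node['method']} {node['uri']} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {node['user-agent']}\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # TCP checksum left at 0
    return frame(6, tcp + body.encode())

def build_pcap(scenario, domain="example.test"):
    """Execute the scenario and return a libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet) as bytes."""
    plugins = {"DNSConnection": lambda n: dns_query(domain), "HTTPConnection": lambda n: http_request(n, domain)}
    records = [struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]  # global header
    for ts, name in enumerate(walk(scenario)):  # packets one second apart; the 'sleep' key is not modelled
        node = scenario[name]
        if node["_plugin"] in plugins:  # GenerateNewDomain only picks the name; nothing hits the wire
            pkt = plugins[node["_plugin"]](node)
            records.append(struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt)  # ts_sec, ts_usec, incl, orig
    return b"".join(records)
```

Writing `build_pcap(SCENARIO)` to a file gives a two-packet capture that Wireshark decodes as a DNS query followed by the HTTP GET, which is enough to feed an IDS rule test.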

pCraft has been developed by Sébastien Tricaud and is available on GitHub[6]. Great tool!


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

Oct 29th 2019
