Dshell - Network Forensic Analysis Framework

Dshell is an extensible network forensic analysis framework.

It enables rapid development of plugins to support the dissection of network packet captures.

Key Features:

  • Robust stream reassembly
  • IPv4 and IPv6 support
  • Custom output handlers
  • Chainable decoders



  • Lists all available decoders alongside basic information about them
      decode -l
  • Shows generic command-line flags available to most decoders
      decode -h
  • Displays information about a decoder, including available command-line flags
      decode -d <decoder>
  • Runs the selected decoder on a pcap file
      decode -d <decoder> <pcap>


Install all of the necessary Python modules listed above. Many of them are available via pip and/or apt-get. Pygeoip is not yet available as a package and must be installed with pip or manually.
    sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap
    sudo pip install pygeoip
Configure pygeoip by moving the MaxMind data files (GeoIP.dat, GeoIPv6.dat, GeoIPASNum.dat, GeoIPASNumv6.dat) to <install-location>/share/GeoIP/

Run make. This will build Dshell.

Run ./dshell. This is Dshell. If you get a Dshell> prompt, you're good to go!
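
A preflight check for the install steps above, as an added example that is not part of Dshell or the original post. The function names are hypothetical, and the Python import names (Crypto, dpkt, IPy, pcap, pygeoip) are assumed to be the ones provided by the packages installed above.

```shell
#!/bin/sh
# Added example: verify the prerequisites from the install steps before
# running make. Not part of Dshell; function names are hypothetical.

# MaxMind data files the page says to place in <install-location>/share/GeoIP/
GEOIP_FILES="GeoIP.dat GeoIPv6.dat GeoIPASNum.dat GeoIPASNumv6.dat"
# Assumed import names for python-crypto, python-dpkt, python-ipy,
# python-pypcap and pygeoip
PY_MODULES="Crypto dpkt IPy pcap pygeoip"

# Print each GeoIP data file that is missing or empty under $1/share/GeoIP.
missing_geoip_files() {
    dir="$1/share/GeoIP"
    for f in $GEOIP_FILES; do
        [ -s "$dir/$f" ] || printf '%s\n' "$f"
    done
}

# Print each module that the interpreter given as $1 cannot import.
missing_py_modules() {
    py="${1:-python}"
    for m in $PY_MODULES; do
        "$py" -c "import $m" >/dev/null 2>&1 || printf '%s\n' "$m"
    done
}

# Return 0 only when every data file and module is present.
# $1 = Dshell install location, $2 = Python interpreter (default: python)
dshell_preflight() {
    rc=0
    files=$(missing_geoip_files "$1" | tr '\n' ' ')
    mods=$(missing_py_modules "${2:-python}" | tr '\n' ' ')
    if [ -n "$files" ]; then
        echo "GeoIP data missing or empty in $1/share/GeoIP: $files" >&2
        rc=1
    fi
    if [ -n "$mods" ]; then
        echo "Python modules not importable: $mods" >&2
        rc=1
    fi
    return "$rc"
}
```

Source the file and call `dshell_preflight <install-location>` before running make; a non-zero return means at least one prerequisite is missing.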
