Code available to be looked through or cloned here.
PcapTracker is a full stack application built with Python's Scapy library to help analyze user pcaps. Our Python scripts filter through user pcaps to gather packet tracking information, such as where and when packets are being sent to or received from. We then visualize these findings on the front end using interactive graphs and maps.
Users have the option to use either our live site at https://pcaptracker.site or to run the project locally via Docker. The Dockerfile in our GitHub repo can quickly spin up the backend for you locally; just follow the README instructions in the repo.
As mentioned before, this is a full stack project. The front end is built using standard HTML, CSS, and JavaScript, and we use an Apache web server to host it. The front end also makes use of the D3 library to render different graphs based on the information gathered from the uploaded PCAP. These graphs can be scrolled through and interacted with by hovering over data points for more information.
The backend for this application was written in Python. This is where we actually analyze the PCAPs sent to us by users, with help from the Scapy library. Scapy essentially just made it easier to read through the PCAPs packet by packet; actually filtering the packets for interesting information is done through custom functions. From this collected information we are able to generate an interactive world map showing where IPs are being sent to, using either the GeoIP2 API by MaxMind or the RIPE Atlas API through a Python wrapper.
To actually call our Python scripts to generate this information we are running a Flask server at the endpoint /analyze. This Flask server is further load balanced with Gunicorn, as Flask is not meant to be used directly in a production environment. Gunicorn addresses Flask's lack of built-in support for concurrent requests, meaning that Gunicorn is what allows two people to use our application simultaneously.
One important thing to note is that the live website throttles the number of geolocation API calls to a max of 20. This is done to not overwhelm MaxMind or RipeAtlas with our public tool. Should you run the project locally then you are able to customize this number to your liking.
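As an added illustration of the two backend ideas above (packet-by-packet tracking of destinations and timestamps, and a cap on geolocation lookups), here is a small stand-alone Python example. It is not the project's code: the real backend reads pcaps with Scapy, whereas this example uses a minimal pure-Python reader for classic Ethernet/IPv4 pcap files so it runs without Scapy installed, and the `lookup` callable stands in for whichever geolocation API (MaxMind or RIPE Atlas) is in use. Sample input is constructed inline with addresses from the RFC 5737 documentation ranges.

```python
import struct
from collections import defaultdict

MAX_GEO_LOOKUPS = 20  # mirrors the live site's cap; adjust when running locally


def build_pcap(records):
    """Constructed test input: little-endian classic pcap of Ethernet/IPv4/UDP frames."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, src, dst in records:
        ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0])  # IPv4, TTL 64, UDP
        ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
        frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + b"\x00" * 8
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_packets(pcap):
    """Yield (timestamp, src, dst) for each IPv4 frame; other frames are skipped."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need EtherType IPv4
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield sec + usec / 1e6, src, dst


def track(pcap):
    """Per-destination packet count plus first/last seen time, keyed by dst IP."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ts, _src, dst in iter_packets(pcap):
        s = stats[dst]
        s["count"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)


def geolocate(stats, lookup, limit=MAX_GEO_LOOKUPS):
    """Resolve only the `limit` busiest destinations so one large pcap cannot flood the geo API."""
    busiest = sorted(stats, key=lambda ip: (-stats[ip]["count"], ip))[:limit]
    return {ip: lookup(ip) for ip in busiest}
```

Ranking by packet count before applying the cap means the throttle drops the least interesting destinations rather than whichever happened to appear last in the capture.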