[sapug] Python File Format library

Chris Foote chris at inetd.com.au
Tue Oct 3 13:32:03 CEST 2006

On Tue, 3 Oct 2006, Michael Cohen wrote:

> On Tue, Oct 03, 2006 at 07:44:05PM +0930, nepBabu.cx wrote:
>> Good day Michael,
>> atm I am learning to use many of the tools such as tcpdump, ethereal, nc
>> and nmap myself to secure my box.
>> Basically, my question is, what's the advantage of pyflag over them and
>> what else can we accomplish more using pyflag other than investigating
>> large amount of logs ?
> nepBabu,
>  PyFlag is a forensic utility for post incident analysis, not so much a secure
>  your box type utility. The main page is at http://pyflag.sf.net/ which might
>  give you more information about the pyflag tool itself.
>  The File Format Library is a small part of the main project - because we need
>  to read and interpret many different file types.

Very cool!

I was fortunate to attend a presentation from OSU[1] a few years ago
(at Lisa 2000) and they took libpcap extraction to a new level with
reassembling Quake traffic[2]:

 	– Reads server to client traffic from a tcpdump log
 	– Massages it with view direction assumed from the client to
 	  server traffic
 	– Constructs a demo recording that you can play

They obviously had way too much time on their hands :-)

[1] interesting real-life security incident

[2] http://www3.net.ohio-state.edu/security/talks/2000/2000-12-07_incident-response_lisa/stuff-text.pdf

Chris Foote <chris at inetd.com.au>
Inetd Pty Ltd T/A HostExpress
Web:   http://www.hostexpress.com.au
Blog:  http://www.hostexpress.com.au/drupal/chris
Phone: (08) 8410 4566

More information about the sapug mailing list