CapTipper - Malicious HTTP Traffic Explorer

CapTipper is a python based tool to analyze, explore and revive HTTP malicious traffic.

CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

Note: It requires Python 2.7

The tool provides the security researcher with easy access to the files and the understanding of the network flow, and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins, and shellcodes.


./ <PCAP_file> [arguments]

-h, --help              Print this help message and exit

-p PORT, --port PORT Set web server port

-d FOLDER, --dump FOLDER Dump all files and exit

-s, --server-off Disable web server

-short, --short-url Display shortened URI paths

-r FOLDER, --report FOLDER Create JSON & HTML report

-g, --ungzip Automatically ungzip responses

-u, --update Update CapTipper to newest version

Feeding CapTipper with a drive-by traffic capture (e.g of an exploit kit) displays the user with the requests URI's that were sent and responses meta-data.

The user can at this point browse to[host]/[URI] and receive the response back to the browser.

In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more...

CapTipper - Malicious HTTP Traffic Explorer CapTipper - Malicious HTTP Traffic Explorer Reviewed by Unknown on 9:21 PM Rating: 5