SANS Digital Forensics and Incident Response Blog

Using ProcDOT Plugins to Examine PCAP Files When Analyzing Malware

ProcDOT is a free tool for analyzing the actions taken by malware when infecting a laboratory system. ProcDOT supports plugins, which could extend the tool's built-in capabilities. This article looks at two plugins that help examine contents of the network capture file loaded into ProcDOT. If you're not already familiar with ProcDOT, review its documentation before proceeding.

As of this writing, the tool comes with the Servers List plugin. In addition, you can install the Extract Files Form PCAP plugin, mentioned below, from its Github repository. If you're using the REMnux distribution, you will find ProcDOT and these plugins already installed and configured (run the "update-remnux" command to get the latest versions).

The directory structure of ProcDOT files includes the "plugins" subdirectory. This is where you should copy the files that implement the plugins. Once the plugins have been installed, they will be visible in the Plugins menu of ProcDOT. However, you won't be able to actually use the plugins until after you've loaded the data files that you want to analyze.


The Servers List plugin, written by ProcDOT's author Christian Wojner, generates a listing of hostnames and IP addresses from the loaded PCAP file, as shown below. It's not an earth-shattering feature, but this can be handy if the network capture includes a lot of systems.


The plugin Extract Files Form PCAP was created by Brian Maloney. It allows you to extract files transferred during the network session that was captured in the PCAP file. After asking you to specify the output directory, this plugin saves the carved files there.


Though standalone PCAP carving and mining tools exist, it's convenient to perform such tasks within ProcDOT if you're already using the tool for examining other aspects of the infected system in your malware analysis lab.

Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute. He is active on Twitter and writes a security blog.