Closed GoogleCodeExporter closed 8 years ago
Sorry, what would you expect the pcap to contain? Is this a pcap opened by the
user in wireshark, or are you trying to get traffic that was sent to the
machine itself? The latter generally doesn't get stored in memory for very
long, so the two packets you may get back wouldn't likely be of much use, and
the former is an extremely specific scenario, and therefore unlikely to be
bundled with volatility directly.
What is it you're trying to achieve?
Original comment by mike.auty@gmail.com
on 11 Oct 2013 at 9:15
Maybe he's looking for something like Jamaal's plugin:
https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/ethscan.py ?
You can use the --plugins option to use it with the standalone.
Original comment by jamie.l...@gmail.com
on 11 Oct 2013 at 10:54
Thanks for your reactive answers.
Yes, Jamaal's ethscan could answer what I am looking for, but I would like to
know if this plugin or a similar one could be implemented in the vol standalone
Windows package without requesting a plugin, like e.g. the connscan option?
Here is the vol message when I run it:
C:\volatility>volatility-2.2.standalone.exe --plugins=volplugins ethscan -f winXPPro-3b8fa436.vmem
Volatile Systems Volatility Framework 2.2
Traceback (most recent call last):
File "<string>", line 186, in <module>
File "<string>", line 143, in main
File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.registry", line 157, in register_global_options
File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.registry", line 152, in get_plugin_classes
Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan.EthScan'>
Thanks
Original comment by docteur....@gmail.com
on 14 Oct 2013 at 9:31
The exception you're seeing suggests it's trying to load the plugin twice.
Could you please check that your ethscan folder doesn't contain two copies of
the ethscan plugin underneath it anywhere.
If it doesn't, please try deleting any *.pyo or *.pyc files and let us know if
that helps, it may be there's a bug in the plugin loading code we haven't seen
before...
Original comment by mike.auty@gmail.com
on 14 Oct 2013 at 10:50
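The check suggested in the comment above (a second copy of the plugin somewhere under the plugins folder, or leftover *.pyc / *.pyo files) can be scripted. This is an added example, not code from the thread or from Volatility; the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Regex instead of ast: Volatility 2 plugins are Python 2 source, which a
# Python 3 ast.parse() may reject.
CLASS_RE = re.compile(r"^class\s+([A-Za-z_]\w*)", re.MULTILINE)


def audit_plugin_dir(root):
    """Return (duplicates, bytecode) for a directory passed to --plugins.

    duplicates: {class name: [files]} for classes defined more than once.
    bytecode:   every *.pyc / *.pyo file found under root.
    """
    defined = defaultdict(list)
    bytecode = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.endswith((".pyc", ".pyo")):
                bytecode.append(path)
            elif name.endswith(".py"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for cls in CLASS_RE.findall(fh.read()):
                        defined[cls].append(path)
    dupes = {c: sorted(p) for c, p in defined.items() if len(p) > 1}
    return dupes, sorted(bytecode)


def build_sample_tree():
    """Constructed sample: two copies of ethscan.py plus leftover bytecode."""
    root = tempfile.mkdtemp(prefix="volplugins_")
    os.makedirs(os.path.join(root, "backup"))
    plugin_src = "class EthScan(object):\n    pass\n"  # stand-in, not the real plugin
    for rel in ("ethscan.py", os.path.join("backup", "ethscan.py")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(plugin_src)
    with open(os.path.join(root, "ethscan.pyc"), "wb") as fh:
        fh.write(b"\x00")  # placeholder bytes, not real bytecode
    return root


if __name__ == "__main__":
    dupes, bytecode = audit_plugin_dir(build_sample_tree())
    for cls, paths in dupes.items():
        print("duplicate class %s: %s" % (cls, ", ".join(paths)))
    for path in bytecode:
        print("bytecode to delete: %s" % path)
```

Point `audit_plugin_dir` at the real plugins folder to list what to remove before re-running the standalone; the script only reports and deletes nothing.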
I'm going to close this due to insufficient details or information required to
continue. In the future ethscan may be built into volatility, but for now it's
external, so using --plugins is how you do it. If you need additional help,
feel free to re-open or discuss it on the Vol-Users mailing list.
Original comment by michael.hale@gmail.com
on 25 Oct 2013 at 12:26
Dear Michael,
Thanks for support and answer.
With your recommendations, I am able to run ethscan.
But please, if you will be able to insert in the complete windows package
ethscan and / or NAFT by default, it will help more than me ;-)
Thanks to close ticket for me.
Original comment by docteur....@gmail.com
on 25 Oct 2013 at 12:34
Original issue reported on code.google.com by
docteur....@gmail.com
on 11 Oct 2013 at 3:27