cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

ERROR: Python DPKT is not installed, aborting PCAP analysis. #860

Open allewwaly opened 8 years ago

allewwaly commented 8 years ago

Hi, I'm using cuckoo on windows, and everything works except the DPKT package which is used to analyze the pcap files, which have been captured successfully.

The error shows: Python DPKT is not installed, aborting PCAP analysis.

But I have already installed DPKT using "pip install dpkt" and "pip list" shows it is installed (dpkt 1.8.7).

Only that during installation, there is a warning saying:

Installing collected packages: dpkt
Successfully installed dpkt-1.8.7
C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\util\ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning

Does that mean DPKT is not compatible with the Windows platform? If it is, is there a replacement tool?

swackhamer commented 8 years ago

That is a common requests warning and I have never seen it cause an issue. You are using a more recent version of dpkt than is recommended in the requirements.txt file. You can try "pip install dpkt==1.8.6.2" to get the exact version cuckoo wants.

But it is probably not a version issue. Try running "import dpkt" in the same python interpreter that Cuckoo is run by and make sure you can import the dpkt library. If you cannot, it is a problem with your install of the dpkt library. Here are the lines in Cuckoo that are probably failing: https://github.com/cuckoosandbox/cuckoo/blob/4dd8262b10babdd7d3a1fac3db609c04b6a0aea0/modules/processing/network.py#L25

jbremer commented 8 years ago

What @swackhamer said. Looks fine to me :-)

allewwaly commented 8 years ago

@swackhamer I reinstalled DPKT and can now import DPKT successfully, but the dump.pcap file is only 24b large (empty actually) for all of my samples, still there is no result for the network module. I have enabled the sniffer.py in auxiliary.conf and enabled network in processing.conf.

allewwaly commented 8 years ago

I've also modified the sniffer.py and auxiliary.conf to use windump instead of tcpdump. The interface name is also changed according to the results of "windump -D". Using windump manually, I can get plenty of network packets, which is definitely larger than 24b.

jbremer commented 8 years ago

24 bytes is indeed an empty pcap file (just its header). Personally I don't have experience with windump but I imagine there's a configuration error which I guess you'll have to figure out on your own.
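
The 24-byte observation above can be checked mechanically before the network module ever runs. The following script is an added example, not Cuckoo's own code: it parses the pcap global header with the standard library only, counts the packet records that follow it, flags a "header only" capture (exactly 24 bytes, nothing sniffed) or a capture whose last record was cut short (the sniffer was killed mid-write), and mirrors the "import dpkt in the same interpreter" check from the earlier comment. The sample frames and the dump path are constructed for the example.

```python
"""Sanity-check a Cuckoo dump.pcap before handing it to the network module.

Added example (not Cuckoo's code).  Uses only the standard library so it runs
in whichever interpreter Cuckoo itself uses, which is where the dpkt import
must also succeed.
"""
import struct
import sys

GLOBAL_HEADER_LEN = 24   # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
RECORD_HEADER_LEN = 16   # ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)
LINKTYPE_ETHERNET = 1

# pcap magic number -> (struct byte-order prefix, timestamps are nanoseconds)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", False),
    b"\xa1\xb2\xc3\xd4": (">", False),
    b"\x4d\x3c\xb2\xa1": ("<", True),
    b"\xa1\xb2\x3c\x4d": (">", True),
}

# Constructed Ethernet frames (14-byte header + dummy payload); not real traffic.
SAMPLE_FRAMES = [
    b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"A" * 20,   # 34 bytes
    b"\x02\x00\x00\x00\x00\x01" + b"\xff" * 6 + b"\x08\x06" + b"B" * 28,   # 42 bytes
]


def inspect_pcap(data):
    """Summarise an in-memory pcap.

    Returns a dict with 'valid', 'empty' (global header only, nothing
    captured), 'packets', 'captured_bytes', 'truncated' (trailing record cut
    short) and 'linktype'.  Unparseable input gets 'valid': False plus a reason.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        return {"valid": False, "reason": "shorter than the 24-byte global header"}
    magic = data[:4]
    if magic not in MAGICS:
        return {"valid": False, "reason": "unknown pcap magic %r" % magic}
    endian, nano = MAGICS[magic]
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])

    packets = captured = 0
    truncated = False
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        if offset + incl_len > len(data):   # record header promises more than is on disk
            truncated = True
            break
        packets += 1
        captured += incl_len
        offset += incl_len
    if offset != len(data):                  # dangling partial record header
        truncated = True

    return {
        "valid": True,
        "empty": packets == 0 and len(data) == GLOBAL_HEADER_LEN,
        "packets": packets,
        "captured_bytes": captured,
        "truncated": truncated,
        "nanosecond": nano,
        "linktype": linktype,
    }


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Serialise frames into a little-endian, microsecond-resolution pcap."""
    out = bytearray(b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def dpkt_importable():
    """The check suggested in the thread: can *this* interpreter import dpkt?"""
    try:
        import dpkt  # noqa: F401
    except ImportError:
        return False
    return True


if __name__ == "__main__":
    # Hypothetical path; pass the real dump.pcap from the analysis directory.
    path = sys.argv[1] if len(sys.argv) > 1 else "dump.pcap"
    with open(path, "rb") as fh:
        report = inspect_pcap(fh.read())
    print("dpkt importable here:", dpkt_importable())
    print(report)
    if report.get("empty"):
        print("capture is header-only: the sniffer wrote nothing (wrong interface or command line?)")
```

Run it with the interpreter that launches Cuckoo, pointing at an analysis' dump.pcap: an "empty" verdict means the sniffer never wrote a record, which points at the windump command line or interface rather than at dpkt, while a "truncated" verdict means the sniffer was still writing when it was stopped.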

jbremer commented 8 years ago

Any update on the usage of windump @allewwaly?

allewwaly commented 8 years ago

Run cuckoo on windows

  1. dependencies: http://cyberwarzone.com/installing-cuckoo-sandbox-on-a-windows-operating-system/
  2. install magic: https://github.com/ahupp/python-magic which depends on: http://gnuwin32.sourceforge.net/packages/file.htm modify object.py static.py as https://www.reddit.com/r/Python/comments/19673t/pythonmagic_is_an_interface_to_the_libmagic_file/, so as to use magic to recognize file type
  3. modify cuckoo.conf: tmppath = C:\Users\john\AppData\Local\Temp connection = mysql://user:passwd@localhost/database-name and virtualbox.conf: path = C:\Program Files\Oracle\VirtualBox\VBoxManage.exe platform = windows
  4. install winpcap and windump to replace tcpdump, modify sniffer.py and auxiliary.conf to use the interface name of windows (which can be obtained by windump -D), and enable network in processing.conf
  5. other errors: it might always go to overtime when python is not allowed to access the public network in windows firewall settings, so modify the firewall settings to enable it.

jbremer commented 8 years ago

Perhaps this information should be included in our official documentation, anyone interested in formatting it to fit in there @allewwaly?

allewwaly commented 8 years ago

I would like to, but the problem of winpcap network dumps being empty is still not solved. I've abandoned it for a while, but might recheck it sometimes.

jbremer commented 7 years ago

@allewwaly I guess there's no update on your earlier winpcap-related statements? I'll keep this issue open because I still think some of our documentation (and perhaps configuration defaults) should be updated to better feature Cuckoo support.