File2pcap 1.25 released 05/30/2017 07:45
Posted by: warlord
The folks over at Talos have a nice blog post on a much-updated version of file2pcap, including a link over to their GitHub repo:

If you're using file2pcap, check out the new and much improved version.

Downtime 05/12/2016 02:24
Posted by: warlord
This site experienced some downtime and had to be restored from a really old backup. I'm in the process of updating files that went missing.

REPOST: File2pcap updated - v 1.0 05/12/2016 02:22
Posted by: warlord
Original date of post: 07/27/2015 02:38

v 1.0

This handy utility takes any sort of input file and creates a pcap showing that file being downloaded from a remote web server, or being transferred via smtp/pop3/imap. The pcap is a full tcp stream from syn to fin, and all the sequence numbers and checksums are correct.
File2pcap now also supports quoted-mime encoding (experimental), in addition to the default mime (base64) encoding.
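To make concrete what a "full tcp stream from syn to fin" with correct sequence numbers and checksums involves, here is an added Python example (not file2pcap's own code) that builds an HTTP download of a file as raw IPv4/TCP frames and writes them out as a pcap. The addresses, ports, initial sequence numbers and sample file content are constructed, and the whole response goes in a single segment, so it suits small files only.

```python
import socket
import struct

SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
CLIENT, SERVER = "10.0.0.2", "10.0.0.1"  # constructed addresses
# pcap global header: magic, v2.4, zone 0, sigfigs 0, snaplen 65535, LINKTYPE_RAW (101: bare IPv4)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd tail byte is zero-padded."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """IPv4 header + 20-byte TCP header + payload, both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    # the TCP checksum covers a pseudo-header (addresses, protocol 6, TCP length) plus the segment
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def checksums_ok(packet: bytes) -> bool:
    """Re-summing a correctly checksummed header (plus pseudo-header for TCP) yields zero."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + packet[ihl:]) == 0

def http_download_stream(name: str, body: bytes, sport: int = 1234) -> list:
    """Full SYN-to-FIN stream of the client fetching `name`; the body goes in one segment."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    req = b"GET /%s HTTP/1.1\r\nHost: %s\r\n\r\n" % (name.encode(), SERVER.encode())
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body
    cl = lambda seq, ack, fl, p=b"": ipv4_tcp_packet(CLIENT, SERVER, sport, 80, seq, ack, fl, p)
    sv = lambda seq, ack, fl, p=b"": ipv4_tcp_packet(SERVER, CLIENT, 80, sport, seq, ack, fl, p)
    return [cl(c, 0, SYN), sv(s, c + 1, SYN | ACK), cl(c + 1, s + 1, ACK),  # handshake
            cl(c + 1, s + 1, PSH | ACK, req), sv(s + 1, c + 1 + len(req), PSH | ACK, resp),
            sv(s + 1 + len(resp), c + 1 + len(req), FIN | ACK),  # server closes first
            cl(c + 1 + len(req), s + 2 + len(resp), FIN | ACK),
            sv(s + 2 + len(resp), c + 2 + len(req), ACK)]

def write_pcap(path: str, packets: list) -> None:
    with open(path, "wb") as f:  # records one second apart from a constructed epoch
        f.write(PCAP_GLOBAL)
        for i, p in enumerate(packets):
            f.write(struct.pack("<IIII", 1_500_000_000 + i, 0, len(p), len(p)) + p)
```

Calling write_pcap("out.pcap", http_download_stream("malware.pdf", open("malware.pdf", "rb").read())) produces a file Wireshark reassembles as one HTTP conversation, and checksums_ok(p) holds for every frame.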

REPOST: File2pcap updated - now supports pop3/imap/smtp 05/12/2016 02:21
Posted by: warlord
Original date of post: 12/04/2014 06:56

I just posted the updated version 0.95 of file2pcap. The tool now also creates pcaps of files being transferred as email attachments via smtp/pop3/imap, besides the original functionality of creating pcaps showing a file being downloaded from an http server.

file2pcap - written by warlord /
Version: 0.95
Takes a file as input and creates a pcap showing a client grabbing that file from a webserver or transferring it by email (smtp/pop3/imap).

-m mode h - http / s - smtp / p - pop3 / i - imap [default: http]
-o outfile output filename
-p port[:port] specify source and/or destination port. -p 1234:80 will show a tcp connection from port 1234 to port 80

./file2pcap [options] infile

./file2pcap malware.pdf
./file2pcap -mshp malware.pdf
./file2pcap -mi malware.pdf -o outfile.pcap

REPOST: Poison updated to 1.5.41 05/12/2016 02:20
Posted by: warlord
Original date of post: 09/18/2014 05:34

I had to release a bugfix here. Poison 1.5.4 had a minor change in how it determines its own source IP address. As a result that code broke when scanning hostnames, or ranges of hostnames. So while poison 1.5.3 would happily scan, version 1.5.4 would not. This has now been fixed. Don't ask how this could have possibly evaded me.