A comprehensive network packet analysis tool that provides multi-dimensional feature extraction and protocol analysis capabilities.
LizProbe is designed to generate multi-dimensional feature vectors for network traffic analysis, supporting custom cross-features.
- Multi-Protocol Support: TCP, UDP, VXLAN, VLAN, WiFi, GRE, HTTP, DNS, TLS, ARP, ICMP
- Deep Packet Inspection: TLS handshake analysis, HTTP header parsing, DNS query analysis
- Custom Cross-Features: Protocol behavior + context logic fusion
- Flexible Output Formats: JSON and structured log outputs
- Statistics and Analytics: Comprehensive packet and protocol statistics
- Operating System: Linux (Ubuntu 20.04+ recommended)
- Compiler: GCC 7.0+ with C++17 support
- Dependencies:
  - PcapPlusPlus library
  - libpcap
  - pthread
  - libfftw3
1. Install PcapPlusPlus. The prebuilt archive below is the Ubuntu 22.04 / GCC 11.4 build; on another distribution or compiler pick the matching release archive, and keep the destination directory in sync with the PcapPlusPlus path the Makefile uses:

   ```bash
   # Download and install PcapPlusPlus
   wget https://github.com/seladb/PcapPlusPlus/releases/download/v25.05/pcapplusplus-25.05-ubuntu-22.04-gcc-11.4.0-x86_64.tar.gz
   tar -xzf pcapplusplus-25.05-ubuntu-22.04-gcc-11.4.0-x86_64.tar.gz
   sudo mv pcapplusplus-25.05-ubuntu-22.04-gcc-11.4.0-x86_64 /root/Documents/
   ```

2. Install system dependencies:

   ```bash
   sudo apt-get update
   sudo apt-get install build-essential libpcap-dev libfftw3-dev
   ```

3. Clone the repository:

   ```bash
   git clone <repository-url>
   cd lizprobe
   ```

4. Build the project:

   ```bash
   make clean
   make
   ```

5. Verify the installation:

   ```bash
   ./pcap_parser --help
   ```
```bash
# Analyze a PCAP file with default settings
./pcap_parser -i dataset/http_test.pcap

# Analyze with verbose output and JSON format
./pcap_parser -i dataset/dns_test.pcap -v -j

# Analyze with custom output directory
./pcap_parser -i input.pcap -o custom_output

# Filter by protocol
./pcap_parser -i input.pcap -p tcp

# Apply BPF filter
./pcap_parser -i input.pcap -f "tcp port 80"

# Limit packet processing
./pcap_parser -i input.pcap -m 1000

# Combine multiple options
./pcap_parser -i input.pcap -p tcp -f "port 443" -m 500 -v -j -s
```

| Option | Long Option | Description |
|---|---|---|
| `-i` | `--input_file` | Input PCAP file to analyze (required) |
| `-o` | `--output_dir` | Output directory for logs (default: `logs`) |
| `-f` | `--filter` | BPF filter expression |
| `-p` | `--protocol` | Filter by specific protocol (e.g. `tcp`, `udp`) |
| `-m` | `--max_packets` | Maximum number of packets to process |
| `-v` | `--verbose` | Enable verbose output |
| `-q` | `--quiet` | Suppress normal output |
| `-s` | `--statistics` | Show packet statistics |
| `-j` | `--json` | Output results in JSON format |
| `-h` | `--help` | Show help message |
| `-V` | `--version` | Show version information |
- Transport Layer: TCP, UDP
- Network Layer: IPv4, IPv6, ICMP, ARP
- Tunneling: VXLAN, VLAN, GRE
- Application Layer: HTTP, DNS, TLS, DHCP, SMTP, FTP, NTP
- Wireless: 802.11 (WiFi)
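The DNS query analysis and TLS handshake analysis listed among the features, as an added example that is not LizProbe's code: a stdlib-only Python script that builds a small classic pcap in memory from constructed frames (not captured traffic), walks it, and emits one feature record per packet with the transport protocol and ports, the first DNS question name on UDP/53, and the server_name (SNI) from a TLS ClientHello on TCP. The frame layouts, the `filter_features` helper (a rough stand-in for `-p` combined with a `port N` BPF filter) and every name in it are assumptions of this example, not LizProbe's internals. It also shows the checks a parser of untrusted captures needs: truncated records abort with `ValueError`, a malformed frame yields a marker record instead of an exception, and DNS compression pointers are refused rather than followed, which rules out pointer loops.

```python
# Added example, not LizProbe code: stdlib-only pcap feature extraction for DNS and TLS.
import struct

ETH_HDR = bytes.fromhex("001122334455 66778899aabb 0800")  # dst MAC, src MAC, EtherType IPv4

def _ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):  # constructed frame
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, src, dst)
    return ETH_HDR + hdr + payload  # header checksum left 0: irrelevant for offline parsing
def _dns_query(name):  # constructed A query, not captured data
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return _ipv4(17, struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns)
def _tls_client_hello(sni):  # constructed ClientHello: one cipher suite, one server_name extension
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, 5 + len(name), 3 + len(name), 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)  # data offset 5, PSH|ACK
    return _ipv4(6, tcp + b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs)
def build_pcap(frames):  # classic little-endian pcap, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([_dns_query("example.com"), _tls_client_hello("example.org"), _ipv4(1, b"\x08\x00\x00\x00")])

def dns_qname(dns):  # first question name; None if absent, truncated or compressed (refusing pointers avoids loops)
    if len(dns) < 12 or struct.unpack("!H", dns[4:6])[0] == 0:
        return None
    labels, p = [], 12
    while p < len(dns):
        n, p = dns[p], p + 1
        if n == 0:
            return ".".join(labels)
        if n & 0xC0 or p + n > len(dns):
            return None
        labels.append(dns[p:p + n].decode("ascii", "replace"))
        p += n
    return None
def tls_client_hello_sni(rec):  # server_name from a ClientHello record; None if not one or malformed
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:
            return None
        p = 9 + 2 + 32                                 # record hdr, handshake hdr, version, random
        p += 1 + rec[p]                                # session id
        p += 2 + struct.unpack("!H", rec[p:p + 2])[0]  # cipher suites
        p += 1 + rec[p]                                # compression methods
        p, end = p + 2, p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            if etype == 0:  # server_name: list len(2), name type(1), name len(2), name
                nlen = struct.unpack("!H", rec[p + 7:p + 9])[0]
                return rec[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None
def extract_features(frame):  # one record per Ethernet frame; malformed input yields a marker, never an exception
    try:
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            return {"proto": "non-ipv4"}
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # honour IP total length (drops padding)
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        feat = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
        l4 = ip[ihl:]
        if proto == 17:
            feat["proto"], feat["sport"], feat["dport"] = "udp", *struct.unpack("!HH", l4[:4])
            if 53 in (feat["sport"], feat["dport"]):
                feat["dns_qname"] = dns_qname(l4[8:])
        elif proto == 6:
            feat["proto"], feat["sport"], feat["dport"] = "tcp", *struct.unpack("!HH", l4[:4])
            feat["tls_sni"] = tls_client_hello_sni(l4[(l4[12] >> 4) * 4:])  # skip TCP header and options
        else:
            feat["proto"] = "ip/%d" % proto
        return feat
    except (IndexError, struct.error):
        return {"proto": "malformed"}
def parse_pcap(data):  # classic pcap only (pcapng rejected), Ethernet link type; ValueError on truncation
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("not a classic Ethernet pcap")
    off, records = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl]
        if len(pkt) != incl:
            raise ValueError("truncated record at offset %d" % off)
        records.append(extract_features(pkt))
        off += 16 + incl
    return records
def filter_features(records, proto=None, port=None):  # rough analogue of -p <proto> plus a "port N" BPF filter
    return [r for r in records if (proto is None or r.get("proto") == proto)
            and (port is None or port in (r.get("sport"), r.get("dport")))]

if __name__ == "__main__":
    for rec in parse_pcap(SAMPLE_PCAP):
        print(rec)
```

Run as a script and it prints three records: the DNS query with `dns_qname` `example.com`, the ClientHello with `tls_sni` `example.org`, and an ICMP packet reported as `ip/1`. Only the first question of a DNS message and only the SNI of a ClientHello are extracted; the pcap reader accepts both byte orders of the classic format but deliberately rejects pcapng, and a TLS record split across TCP segments would not be reassembled here.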
```bash
# Analyze HTTP traffic with detailed output
./pcap_parser -i dataset/http_test.pcap -v -j -s

# Filter only HTTP traffic
./pcap_parser -i mixed_traffic.pcap -f "tcp port 80" -p tcp

# Analyze DNS queries and responses
./pcap_parser -i dataset/dns_test.pcap -v -j

# Filter DNS traffic
./pcap_parser -i mixed_traffic.pcap -f "udp port 53" -p udp

# Analyze TLS handshakes and certificates
./pcap_parser -i dataset/ssl_test.pcap -v -j -s

# Filter HTTPS traffic
./pcap_parser -i mixed_traffic.pcap -f "tcp port 443" -p tcp
```

The BPF expressions above select traffic by port, not by protocol content: HTTP, DNS or TLS carried on a non-standard port will not match them, and unrelated traffic on those ports will.

```text
lizprobe/
├── src/                 # Source code
│   ├── utils/           # Utility classes
│   ├── parsers/         # Protocol parsers
│   └── *.cpp            # Core components
├── include/             # Header files
│   ├── utils/           # Utility headers
│   ├── parsers/         # Parser headers
│   └── *.h              # Core headers
├── dataset/             # Test PCAP files
├── logs/                # Output directory
├── build/               # Build artifacts
├── main.cpp             # Main entry point
├── Makefile             # Build configuration
└── README.md            # This file
```