Didier Stevens

Monday 12 March 2012

NAFT Release

Filed under: My Software,Networking — Didier Stevens @ 19:41

You can find a first release of my Network Appliance Forensic Toolkit here. This first release contains a tool for generic network appliances, but also works on memory dumps of PC operating systems like Windows.


  1. Hi,
    I’m trying to run the naft-gfe.py tool against a Windows 7 (64-bit) DD memory image, and I’m getting the following:

    shell$ python ~/NAFT_V0_0_5/naft-gfe.py memory.pcap memory.raw

    20120312-153845: Start
    20120312-153845: Reading file memory.raw
    python(30758) malloc: *** mmap(size=140201087209472) failed (error code=12)
    *** error: can’t allocate region
    *** set a breakpoint in malloc_error_break to debug
    20120312-153858: File is too large to fit in memory
    20120312-153858: Done

    Am I doing something wrong? The dump is only 4GB.


    Comment by Tom Yarrish — Monday 12 March 2012 @ 20:42

  2. @Tom Yarrish

    No, but here is why: 20120312-153858: File is too large to fit in memory

    Take into account that I designed this tool for network appliances, which have a much smaller amount of ram than PCs.
    My Python tool reads the complete file into memory, and on 32-bit python, you’ll get errors reading 1GB files and larger.
    If you don’t have 64-bit Python, you can always split your dump in 512MB blocks.
    naft-gfe accepts more than one dump files as argument, so you can parse all the 512MB blocks together.
    You only risk missing packets that are split in 2.

    Comment by Didier Stevens — Monday 12 March 2012 @ 20:53

  3. Ok, then just so I’m clear, is the tool designed to read dumps only from network devices or from desktop/laptops as well?

    And if I split the file, then I’m I just doing:

    naft-gfe.py memory-part1.pcap memory-part1.dd
    naft-gfe.py memory-part2.pcap memory-part2.dd

    Comment by Tom Yarrish — Monday 12 March 2012 @ 21:06

  4. @Tom It will work on any file, provided it will fit in memory. 512MB on 32-bit Python is the limit.

    You could do that, but it’s better to do this:

    naft-gfe.py memory.pcap memory-part1.dd memory-part2.dd …

    Gives you only 1 pcap file.

    Comment by Didier Stevens — Monday 12 March 2012 @ 21:11

  5. That worked when I broke it into 512 chunks. That you for this tool, I think I’ll be able to use it on a lot of engagements.

    Comment by Tom Yarrish — Monday 12 March 2012 @ 21:48

  6. @Tom You’re welcome.

    Final remark: if you worry about packets that might be split over 2 blocks, just split the file a second time with another size so that the blocks overlap.
    And then let naft-gfe scan all the blocks, it will filter out duplicates.

    Comment by Didier Stevens — Monday 12 March 2012 @ 22:20

  7. Is the maximum different if 64 bit python is used? What is the maximum that this script can handle and what should the version of python be for that. Thanks!

    Comment by Anonymous — Tuesday 13 March 2012 @ 21:45

  8. Yes, you get to load more on 64-bit Python. Haven’t discovered a limit yet.

    Comment by Didier Stevens — Thursday 15 March 2012 @ 10:00

  9. One small suggestion: Request you to kindly add a functionality to split a big file more than a GB into 512MB blocks so that it becomes a standard and there would be no difficulty in parsing a file.

    Comment by Alfred — Thursday 15 March 2012 @ 13:15

  10. @Alfre No, I’m not going to do that. What I will do, is introduce an abstraction layer so that the complete file does not have to be read into memory. But first I want to add IPv6 carving.

    Comment by Didier Stevens — Thursday 15 March 2012 @ 13:59

  11. […] NAFT(Network Appliance Forensic Toolkit) 메모리 덤프에서 네트워크 패킷을 뽑아 하나의 pcap 파일로 만들어주는 도구이다. 패킷 레코드 검증 알고리즘 때문에 다소 느린것이 단점이다. […]

    Pingback by [Mar 2012] FI Newsletter | FORENSIC INSIGHT — Tuesday 8 May 2012 @ 9:04

  12. […] Herramienta forense. La versión ‘free edition’ está limitado a 1GB de tráfico. Network Appliance Forensic Toolkit – Conjunto de utilidades para la adquisición y análisis de la red. Xplico – Extrae todo el […]

    Pingback by Listado de Herramientas Forenses | ROOTAGAINSTTHEMACHINE — Monday 7 July 2014 @ 12:14

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: