Didier Stevens

Monday 29 November 2021

New Tool: cs-parse-traffic.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

This tool is the combination of beta tool cs-parse-http-traffic.py (discontinued) and unreleased tool cs-parse-dns-traffic.py: it can decrypt and parse Cobalt Strike DNS and HTTP beacon network traffic.

By default it handles HTTP traffic. Use option -f dns to handle DNS traffic.

cs-parse-traffic_V0_0_3.zip (https)
MD5: D11D64222CD77407FCEE5E6235470828
SHA256: 916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD


  1. […] have developed a tool, cs-parse-traffic, that can decrypt and parse DNS traffic and HTTP(S). Similar to what we did with encrypted HTTP […]

    Pingback by Cobalt Strike: Decrypting DNS Traffic – Part 5 – NVISO Labs — Tuesday 30 November 2021 @ 10:02

  2. Hi,
    I’ve used cs-parse-http-traffic.py before and it was amazing. When I try the new tool on my PCAPs it breaks in the middle of execution.
    I get an error about “HMAC signature is invalid’. Could you please suggest a solution?

    Comment by Or — Wednesday 1 December 2021 @ 13:29

  3. Do you use a display filter? (-Y)

    Comment by Didier Stevens — Wednesday 1 December 2021 @ 14:57

  4. […] New Tool: cs-parse-traffic.py […]

    Pingback by Week 49 – 2021 – This Week In 4n6 — Sunday 5 December 2021 @ 10:45

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.