Packet Capture ICMP Carver (pic)

pic is short for PCAP ICMP Carver. It is a utility that was initially designed and developed during the evenings while attending a SANS Institute networking forensics class. In its current form, pic is restricted to reading packet capture (pcap) files and just concentrates on the Internet Control Message Protocol (ICMP) network traffic. Below are the options available with this tool.

pic's menu-options

The various options available allow one to specify which internal metadata one wishes to key on and filter out or to chain portions of packets together.

There are both Windows and Linux versions of pic. Whether using either the 32 bit or 64 bit version of the tool, the internal architecture is geared toward (a) minimizing memory usage and (b) reading and analyzing very large pcap files that may exceed the 32 bit size restrictions. As a convenience option, pic allows files to be piped in from standard input which allows one to process a number of pcap files in one run.

Downloads

32-bit Version64-bit Version
Windows:pic32.v.0.27.win.zippic64.v.0.27.win.zipmd5/sha1
Linux:pic32.v.0.27.lin.tar.gzpic64.v.0.27.lin.tar.gzmd5/sha1
Mac OS X:Not AvailableNot Availablemd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.