Scapy is Awesome

Created 2 scripts using scapy to analyze some packet captures.  Just wanted to preserve what took some time to design.

This first capture takes a packet capture and displays the Destination, Source, data in the packet, and the time.  A challenge was to identify a way to display the time in a readable format.

#!/usr/bin/env python


from scapy.all import *
import time

packets = rdpcap("file.pcap")
totalPackets = 0
totalDataSize = 0

for pkt in packets:
        pktSrc = pkt.sprintf("%IP.src%")
        pktDst = pkt.sprintf("%IP.dst%")
        # Remember that the time is in UTC format
        pktTime = time.strftime("%d %b %Y %H:%M:%S", time.gmtime(pkt.time))
        pktHour = time.strftime("%H", time.gmtime(pkt.time))
        pktMinute = time.strftime("%M", time.gmtime(pkt.time))
        pktData = pkt.sprintf("%Raw.load%")
        pktDataLength = len(pkt.sprintf("%Raw.load%"))
        if pktHour == "7" and int(pktMinute) == 4:
                totalPackets+=1
                totalDataSize+=pktDataLength
                print "Destination: %s" % pktDst
                print "Source: %s" % pktSrc
                print "Data Length: %s" % pktDataLength
                print "Packet Time: %s" % pktTime
                print pktData
                print "\n"

print "Total number of packets analyzed: %s" % totalPackets
averageDataSize=totalDataSize/totalPackets
print "Average size of packets: %s" % averageDataSize


This second script was designed to look at packets from 2 different sources and compare minute to minute how many they sent to each other over a period of time.  We broke it down minute to minute to determine if the 1:1 ratio of sent to received packets was being maintained.

#!/usr/bin/env python


from scapy.all import *
import time

packets = rdpcap("file.pcap")
totalPacketsSource1 = 0
totalPacketsSource2 = 0
startHour = 0
startMinute = 0
loopCount = 0

for pkt in packets:
        pktSrc = pkt.sprintf("%IP.src%")
        pktDst = pkt.sprintf("%IP.dst%")
        # Remember that the time is in UTC format 

        pktTime = time.strftime("%d %b %Y", time.gmtime(pkt.time))
        pktHour = time.strftime("%H", time.gmtime(pkt.time))
        pktTimeZoneHour = int(pktHour)-2

        pktMinute = time.strftime("%M", time.gmtime(pkt.time))
        if loopCount == 0:
                startHour = pktHour
                startMinute = pktMinute
        if pktHour == startHour and pktMinute == startMinute and pktSrc == "1.1.1.1":
                totalPacketsSource1+=1
        elif pktHour == startHour and pktMinute == startMinute and pktSrc == "2.2.2.2":
                totalPacketsSource2+=1
        elif pktHour == startHour and pktMinute != startMinute:
                print "%s %s:%s Source1 Packets: %s   Source2 Packets: %s" % (pktTime, str(pktTimeZoneHour), pktMinute, totalPacketsSource1, totalPacketsSource2)
                startMinute = pktMinute
                if pktSrc == "1.1.1.1":
                        totalPacketsSource1=1
                        totalPacketsSource2=0
                else:
                        totalPacketsSource1=0
                        totalPacketsSource2=1
        elif pktHour != startHour and pktMinute != startMinute:
                print "%s %s:%s Source1 Packets: %s   Source2 Packets: %s" % (pktTime, str(pktTimeZoneHour), pktMinute, totalPacketsSource1, totalPacketsSource2)
                startMinute = pktMinute
                startHour = pktHour
                if pktSrc == "1.1.1.1":
                        totalPacketsSource1=1
                        totalPacketsSource2=0
                else:
                        totalPacketsSource1=0
                        totalPacketsSource2=1
        loopCount+=1



Comments

Popular posts from this blog

Netflix Streaming Blocked by Sophos UTM

BSides 2016 Hackers Challenge

Python - Vega Conflict Script to Maximize Fleet Sizes based on Fleet Mass

VBA - Script to Download a file from a URL

IoT Malware Analysis - CnC Server - Part 3