I created two scripts using scapy to analyze some packet captures, and wanted to preserve what took some time to design.
This first script reads a packet capture and displays the destination, source, payload data and time of each packet that falls in a chosen minute, then reports the packet count and average payload size. One challenge was finding a way to display the time in a readable format: scapy exposes pkt.time as epoch seconds, and time.gmtime() plus time.strftime() turn that into a human-readable UTC string.
#!/usr/bin/env python3
import time
from scapy.all import rdpcap, IP, Raw

packets = rdpcap("file.pcap")
totalPackets = 0
totalDataSize = 0
for pkt in packets:
    if IP not in pkt:
        continue  # skip non-IP frames (ARP etc.) so the IP addresses are always present
    pktSrc = pkt[IP].src
    pktDst = pkt[IP].dst
    # Remember that the time is in UTC format; float() because newer scapy
    # versions store pkt.time as a Decimal, which time.gmtime() does not accept
    pktGmt = time.gmtime(float(pkt.time))
    pktTime = time.strftime("%d %b %Y %H:%M:%S", pktGmt)
    pktHour = time.strftime("%H", pktGmt)
    pktMinute = time.strftime("%M", pktGmt)
    # Only packets carrying a payload have a Raw layer
    pktData = bytes(pkt[Raw].load) if Raw in pkt else b""
    pktDataLength = len(pktData)
    # %H is zero-padded, so 7 AM is "07" (comparing against "7" never matches)
    if pktHour == "07" and int(pktMinute) == 4:
        totalPackets += 1
        totalDataSize += pktDataLength
        print("Destination: %s" % pktDst)
        print("Source: %s" % pktSrc)
        print("Data Length: %s" % pktDataLength)
        print("Packet Time: %s" % pktTime)
        print(pktData)
        print("\n")
print("Total number of packets analyzed: %s" % totalPackets)
if totalPackets:  # avoid dividing by zero when nothing matched
    averageDataSize = totalDataSize / totalPackets
    print("Average size of packets: %s" % averageDataSize)
This second script was designed to look at packets from two different sources and compare, minute by minute, how many they sent to each other over a period of time. We broke it down minute by minute to determine whether the 1:1 ratio of sent to received packets was being maintained.
#!/usr/bin/env python3
import time
from scapy.all import rdpcap, IP

packets = rdpcap("file.pcap")
totalPacketsSource1 = 0
totalPacketsSource2 = 0
startHour = 0
startMinute = 0
loopCount = 0


def report(pktTime, hour, minute, count1, count2):
    # The hour is shifted from UTC to the local (UTC-2) zone for display only
    print("%s %s:%s Source1 Packets: %s Source2 Packets: %s"
          % (pktTime, int(hour) - 2, minute, count1, count2))


for pkt in packets:
    if IP not in pkt:
        continue  # skip non-IP frames so the source address is always present
    pktSrc = pkt[IP].src
    pktDst = pkt[IP].dst
    # Remember that the time is in UTC format; float() because newer scapy
    # versions store pkt.time as a Decimal
    pktGmt = time.gmtime(float(pkt.time))
    pktTime = time.strftime("%d %b %Y", pktGmt)
    pktHour = time.strftime("%H", pktGmt)
    pktMinute = time.strftime("%M", pktGmt)
    if loopCount == 0:
        startHour = pktHour
        startMinute = pktMinute
    if pktHour == startHour and pktMinute == startMinute:
        # Still inside the current minute: keep counting per source
        if pktSrc == "1.1.1.1":
            totalPacketsSource1 += 1
        elif pktSrc == "2.2.2.2":
            totalPacketsSource2 += 1
    else:
        # A new minute (or hour) has started: report the minute that just finished
        # and restart the counts with this packet. A packet from any other host
        # starts the new minute at zero for both sources.
        report(pktTime, startHour, startMinute, totalPacketsSource1, totalPacketsSource2)
        startHour = pktHour
        startMinute = pktMinute
        totalPacketsSource1 = 1 if pktSrc == "1.1.1.1" else 0
        totalPacketsSource2 = 1 if pktSrc == "2.2.2.2" else 0
    loopCount += 1

# The loop only reports a minute once the next one begins, so flush the last one
if loopCount:
    report(pktTime, startHour, startMinute, totalPacketsSource1, totalPacketsSource2)
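Both scripts above come down to two operations: turning scapy's epoch pkt.time into a readable UTC string, and bucketing packets by minute to see whether the two hosts stay at a 1:1 ratio. The following is an added example, not code from the post. It uses only the standard library and a constructed list of (timestamp, source, destination) records in place of a pcap, so it runs without scapy, and it goes one step beyond the second script by keying each minute on the (source, destination) pair rather than on the source address alone, so packets either host sends to a third party are not counted toward the ratio. The host addresses 1.1.1.1 and 2.2.2.2 are the post's; 9.9.9.9 and all timestamps are made up for the example.

```python
import time
from collections import defaultdict

# Constructed sample records standing in for (pkt.time, IP.src, IP.dst) as
# read from a pcap with scapy; timestamps are epoch seconds (UTC).
SAMPLE_PACKETS = [
    (1420095840.10, "1.1.1.1", "2.2.2.2"),  # 01 Jan 2015 07:04:00 UTC
    (1420095841.20, "2.2.2.2", "1.1.1.1"),
    (1420095870.00, "1.1.1.1", "2.2.2.2"),
    (1420095871.00, "2.2.2.2", "1.1.1.1"),
    (1420095900.00, "1.1.1.1", "2.2.2.2"),  # 07:05 UTC: two requests, one reply
    (1420095902.00, "1.1.1.1", "2.2.2.2"),
    (1420095903.00, "2.2.2.2", "1.1.1.1"),
    (1420095960.00, "1.1.1.1", "2.2.2.2"),  # 07:06 UTC: never answered
    (1420095961.00, "1.1.1.1", "9.9.9.9"),  # to a third host, not part of the pair
]


def readable_utc(epoch_seconds):
    """Format a scapy-style timestamp as '01 Jan 2015 07:04:00' in UTC.

    float() is used because recent scapy versions hand back pkt.time as a
    Decimal subclass, which time.gmtime() does not accept directly.
    """
    return time.strftime("%d %b %Y %H:%M:%S", time.gmtime(float(epoch_seconds)))


def minute_key(epoch_seconds):
    """Truncate a timestamp to its UTC minute, e.g. '2015-01-01 07:04'."""
    return time.strftime("%Y-%m-%d %H:%M", time.gmtime(float(epoch_seconds)))


def per_minute_counts(records, host_a, host_b):
    """Count packets per UTC minute in each direction between host_a and host_b.

    Returns a list sorted by minute of (minute, a_to_b, b_to_a, balanced),
    where balanced is True when the two directions match 1:1 in that minute.
    Packets involving any other host are ignored, so a peer talking to a
    third party does not distort the ratio.
    """
    buckets = defaultdict(lambda: [0, 0])
    for ts, src, dst in records:
        if (src, dst) == (host_a, host_b):
            buckets[minute_key(ts)][0] += 1
        elif (src, dst) == (host_b, host_a):
            buckets[minute_key(ts)][1] += 1
    return [(minute, ab, ba, ab == ba)
            for minute, (ab, ba) in sorted(buckets.items())]


def unbalanced_minutes(rows):
    """Return only the minutes in which the 1:1 ratio did not hold."""
    return [row[0] for row in rows if not row[3]]


if __name__ == "__main__":
    print("First packet: %s" % readable_utc(SAMPLE_PACKETS[0][0]))
    rows = per_minute_counts(SAMPLE_PACKETS, "1.1.1.1", "2.2.2.2")
    for minute, ab, ba, balanced in rows:
        print("%s  1.1.1.1->2.2.2.2: %d  2.2.2.2->1.1.1.1: %d  %s"
              % (minute, ab, ba, "ok" if balanced else "UNBALANCED"))
    print("Unbalanced minutes: %s" % unbalanced_minutes(rows))
```

Keying the dictionary on the minute string means the last minute in the capture is reported like every other one, which the second script only does once a following packet arrives, and a capture spanning midnight or an hour boundary needs no special handling.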
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.