Created 2 scripts using scapy to analyze some packet captures. Just wanted to preserve what took some time to design.
This first capture takes a packet capture and displays the Destination, Source, data in the packet, and the time. A challenge was to identify a way to display the time in a readable format.
#!/usr/bin/env python
from scapy.all import *
import time
packets = rdpcap("file.pcap")
totalPackets = 0
totalDataSize = 0
for pkt in packets:
pktSrc = pkt.sprintf("%IP.src%")
pktDst = pkt.sprintf("%IP.dst%")
# Remember that the time is in UTC format
pktTime = time.strftime("%d %b %Y %H:%M:%S", time.gmtime(pkt.time))
pktHour = time.strftime("%H", time.gmtime(pkt.time))
pktMinute = time.strftime("%M", time.gmtime(pkt.time))
pktData = pkt.sprintf("%Raw.load%")
pktDataLength = len(pkt.sprintf("%Raw.load%"))
if pktHour == "7" and int(pktMinute) == 4:
totalPackets+=1
totalDataSize+=pktDataLength
print "Destination: %s" % pktDst
print "Source: %s" % pktSrc
print "Data Length: %s" % pktDataLength
print "Packet Time: %s" % pktTime
print pktData
print "\n"
print "Total number of packets analyzed: %s" % totalPackets
averageDataSize=totalDataSize/totalPackets
print "Average size of packets: %s" % averageDataSize
This second script was designed to look at packets from 2 different sources and compare minute to minute how many they sent to each other over a period of time. We broke it down minute to minute to determine if the 1:1 ratio of sent to received packets was being maintained.
#!/usr/bin/env python
from scapy.all import *
import time
packets = rdpcap("file.pcap")
totalPacketsSource1 = 0
totalPacketsSource2 = 0
startHour = 0
startMinute = 0
loopCount = 0
for pkt in packets:
pktSrc = pkt.sprintf("%IP.src%")
pktDst = pkt.sprintf("%IP.dst%")
# Remember that the time is in UTC format
pktTime = time.strftime("%d %b %Y", time.gmtime(pkt.time))
pktHour = time.strftime("%H", time.gmtime(pkt.time))
pktTimeZoneHour = int(pktHour)-2
pktMinute = time.strftime("%M", time.gmtime(pkt.time))
if loopCount == 0:
startHour = pktHour
startMinute = pktMinute
if pktHour == startHour and pktMinute == startMinute and pktSrc == "1.1.1.1":
totalPacketsSource1+=1
elif pktHour == startHour and pktMinute == startMinute and pktSrc == "2.2.2.2":
totalPacketsSource2+=1
elif pktHour == startHour and pktMinute != startMinute:
print "%s %s:%s Source1 Packets: %s Source2 Packets: %s" % (pktTime, str(pktTimeZoneHour), pktMinute, totalPacketsSource1, totalPacketsSource2)
startMinute = pktMinute
if pktSrc == "1.1.1.1":
totalPacketsSource1=1
totalPacketsSource2=0
else:
totalPacketsSource1=0
totalPacketsSource2=1
elif pktHour != startHour and pktMinute != startMinute:
print "%s %s:%s Source1 Packets: %s Source2 Packets: %s" % (pktTime, str(pktTimeZoneHour), pktMinute, totalPacketsSource1, totalPacketsSource2)
startMinute = pktMinute
startHour = pktHour
if pktSrc == "1.1.1.1":
totalPacketsSource1=1
totalPacketsSource2=0
else:
totalPacketsSource1=0
totalPacketsSource2=1
loopCount+=1
Subscribe to:
Post Comments (Atom)
-
Here is a quick walk through of GetBoo. The first item that I found was you can harvest the usernames of the existing users that are regist... -
As I was glancing through the logs of my honeypots I spent some time to look at the following logs. In the past I have just overlooked them... -
I ran a Nikto scan and found the following vulnerability in the report that it produces: "OSVDB-637: Enumeration of users is possible...
-
I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM. The first one I th... -
In the honeypot I found over 276 requests for cgi files that could be accessed to leverage the shellshock vulnerability documented as CVE-20...
No comments:
Post a Comment