PCAP analysis
- Scapy has pretty handy functions for handling PCAP files.
- Although there are dedicated Python tools like dpkt, pcapy etc. for dealing with packet captures, Scapy is still a go-to tool for PCAP analysis because its rich set of packet methods helps with a large number of packet analysis operations.
- Although Scapy is very powerful, it uses a lot of memory when reading packets, so analysing a larger capture will take a toll on your system memory.
PCAP operations
Memory matters!
- Scapy turns each packet into a Python object (one class instance per layer), which takes a toll on system memory, so it is not the right choice for analysing large PCAPs in one go.
- When investigating large PCAPs (several gigabytes), use light-weight tools like tshark for the initial analysis; once the investigation boils down to a smaller set of packets, switch to Scapy.
Reading pcap
- You can read a PCAP file in Scapy using the rdpcap function.
>>> rdpcap('port_knock_seq.pcap')
<port_knock_seq.pcap: TCP:6 UDP:0 ICMP:0 Other:0>
- sniff() can also read from a file through its offline argument, and it accepts the same filter, lfilter and prn arguments as a live capture, so you can filter while reading.
>>> pkts = sniff(offline="temp.cap")
Writing pcap
- You can write a set of packets into a PCAP file using the wrpcap function.
>>> wrpcap("attack.pcap",packets)
Simple tcp-replay tool
- You can write a very simple tcp-replay tool in one line of Scapy.
- This piece of code sends every packet in a PCAP back out onto the network, which is very handy in some forensic analysis situations (reproducing captured traffic against a lab system, for example).
- Caveats: sendp works at layer 2, so the capture must contain link-layer (Ethernet) frames; rdpcap loads the whole file into memory before anything is sent; and the packets go out back-to-back rather than at their captured timing unless you pass inter= (a fixed delay) or realtime=True to sendp. Only replay attack traffic on a network you control.
>>> sendp(rdpcap("/tmp/pcapfile")) # tcpreplay
...........
Sent 11 packets.
Exercise time - packet hunting
- Please solve Exercise 5 - packet hunting (Misc exercises).
- Please solve Exercise 6 (Misc exercises).