Scapy/Conversations: Difference between revisions
From charlesreid1
Revision as of 17:00, 26 January 2016
Conversations
Components
To analyze a wireless conversation, you need to be able to parse a few different pieces of information.
First is the source address. This will be a MAC address - you will not get an IP address unless you're on the same network and there is some kind of name resolution service available to turn a MAC address (Layer 2) into an IP address (Layer 3).
A simple script to pull out the source and destination of each packet using scapy is given below:
<pre>
$ cat analyze.py
from scapy.all import *

# Read the whole capture into a PacketList.
plist = rdpcap("airportSniffNERR6R.cap")

# The three 802.11 header addresses. Which one is source, destination
# or BSSID depends on the frame's ToDS/FromDS bits.
getsrcdst = lambda x: (x.addr1, x.addr2, x.addr3)

for p in plist:
    try:
        c = getsrcdst(p)
        print(c)
    except AttributeError:
        # Not an 802.11 frame (no addr1/addr2/addr3 fields), skip it.
        pass
</pre>
This script reads a relatively small pcap file and prints out the addr1, addr2, and addr3 fields for each packet. This can be used to build a list of MAC addresses.
Further parsing could be done to identify packets that are beacons from access points, to determine which MAC addresses are access points.
Scapy Built-In Conversation Analysis
Scapy has a built-in conversations method. To display its graph you'll need ImageMagick built with X11; on the Mac, that's:
<pre>
brew uninstall imagemagick
brew install imagemagick --with-x11
</pre>
Once we've done that, we can take a look at the existing method to print out a graph of all the conversations. This method is built into Scapy. We can utilize it to create our own conversations list, bypassing the graphing part and processing the information ourselves.
However, I have no idea whether the graphs look good, because even after the above steps I still can't get it to work.
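The following is an added example, not code from this wiki page, that does what the two preceding sections describe without depending on scapy or the graphing step: it reads the addr1/addr2/addr3 fields straight from the 802.11 header bytes, resolves them to source, destination and BSSID from the ToDS/FromDS bits, marks beacon senders as access points, and tallies frames per (source, destination) pair, which is the table scapy's conversations method would otherwise draw. The frames are constructed inline (locally administered MAC addresses), so it runs offline.

```python
from collections import Counter
BEACON = (0, 8)  # 802.11 management frame (type 0), beacon (subtype 8)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_dot11(frame):
    """Return (type, subtype, sa, da, bssid); addr1-3 are scapy's Dot11 addr1/addr2/addr3."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = flags & 0x1, (flags >> 1) & 0x1
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frame not handled")
    if to_ds:          # station -> AP: addr1=BSSID, addr2=SA, addr3=DA
        bssid, sa, da = a1, a2, a3
    elif from_ds:      # AP -> station: addr1=DA, addr2=BSSID, addr3=SA
        da, bssid, sa = a1, a2, a3
    else:              # management / ad-hoc: addr1=DA, addr2=SA, addr3=BSSID
        da, sa, bssid = a1, a2, a3
    return ftype, subtype, sa, da, bssid

def conversations(frames):
    """Return (set of AP MACs, Counter of frames per (src, dst) pair)."""
    aps, talks = set(), Counter()
    for f in frames:
        try:
            ftype, subtype, sa, da, bssid = parse_dot11(f)
        except ValueError:
            continue       # same role as the AttributeError guard in analyze.py
        if (ftype, subtype) == BEACON:
            aps.add(bssid)  # only access points send beacons
        talks[(sa, da)] += 1
    return aps, talks

def build(fc0, flags, a1, a2, a3):
    """Constructed test frame: Frame Control, Duration, addr1-3, Sequence Control."""
    hexmac = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc0, flags, 0, 0]) + hexmac(a1) + hexmac(a2) + hexmac(a3) + b"\x00\x00"

# Constructed sample frames, not from a real capture.
AP, STA, HOST, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build(0x80, 0x00, BCAST, AP, AP),   # beacon from the AP
    build(0x08, 0x01, AP, STA, HOST),   # data, ToDS: station -> wired host via AP
    build(0x08, 0x02, STA, AP, HOST),   # data, FromDS: wired host -> station via AP
    b"\x08\x01short",                   # truncated frame, skipped like a non-802.11 packet
]
```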