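# Packet-analysis notebook (scapy, pygeoip, geojson) exported as a flat script.
# Cells are reproduced in order; consecutive duplicate cells of the export were
# collapsed. The code is Python 2 (payloads are str); print() is written with a
# single argument so it reads the same under either major version.
from IPython.core.display import Image
Image(url='http://smhttp.23575.nexcesscdn.net/80ABE1/sbmedia/blog/wp-content/uploads/2013/04/computer-hacker.jpg')

from scapy.all import *

# --- 1. live capture ---------------------------------------------------------
# Ten TCP/80 packets from en0 (live sniffing typically needs raw-socket
# privileges).
a = sniff(iface="en0", filter="tcp and port 80", count=10)
a
a.res
a.res[0]  # first packet
a.res[0].show()

# --- 2. plaintext HTTP: search terms in the clear -----------------------------
# importing pcap file
sample_http = 'data/yahoo_search.cap'
pkts = sniff(offline=sample_http)

# online sniffing (replaces the offline capture loaded above)
pkts = sniff(filter="tcp and host search.yahoo.com", count=300)
# saving for later
wrpcap("data/yahoo_search.cap", pkts)
pkts
pkts.nsummary()
pkts[79].show()
pkts[79].getlayer(Raw)


def _search_term(pkt):
    """Return the ``p=`` query value carried in *pkt*'s raw payload, or None.

    The payload is expected to hold a request line such as
    ``GET /search?p=term&...``; the value is whatever sits between ``?p=`` and
    the next ``&``. A packet with no Raw layer, an empty load, or no ``?p=``
    parameter yields None instead of the IndexError the bare
    ``split('?p=')[1]`` raised.
    """
    if not pkt.haslayer(Raw):
        return None
    load = pkt.getlayer(Raw).fields.get('load')
    if not load or '?p=' not in load:
        return None
    return load.split('?p=')[1].split('&')[0]


# Packet indices presumably picked by hand from the nsummary() listing above.
for idx in (79, 148, 227):
    print(_search_term(pkts[idx]))

# --- 3. plaintext HTTP: spotting a download ----------------------------------
from scapy.all import *
# pkts = sniff(filter="tcp and host 8.8.8.8", count=100)
sample_http = 'data/http.cap'
pkts = sniff(offline=sample_http)
pkts
pkts[3].show()
raw = pkts[3].getlayer(Raw)
load = raw.fields.get('load')
print(load)
# your search term
'GET /download' in load

# --- 4. traceroute toward a captured destination, plotted as GeoJSON ----------
import select as s


def trace_route(pkts, max_retries=3):
    """Traceroute toward the destination of the first TCP/IP packet in *pkts*.

    Args:
        pkts: iterable of scapy packets. Packets lacking an IP or a TCP layer
            are skipped (the previous version dereferenced a None layer and
            died with AttributeError).
        max_retries: how often a traceroute aborted by a socket error is
            retried before the error propagates; the previous version retried
            forever in a tight loop.

    Returns:
        ``(hops, sport)``: ``hops`` is the packet's source address followed by
        the source address of each traceroute reply; ``sport`` is the TCP
        source port the probes were sent from.

    Raises:
        ValueError: no packet in *pkts* carries both IP and TCP.
        select.error: the traceroute still failed after *max_retries* retries.
    """
    for pkt in pkts:
        if not (pkt.haslayer(IP) and pkt.haslayer(TCP)):
            continue
        ip_layer = pkt.getlayer(IP)
        tcp_layer = pkt.getlayer(TCP)
        attempts = 0
        while True:
            try:
                res, unans = traceroute(target=ip_layer.dst,
                                        dport=tcp_layer.dport,
                                        sport=tcp_layer.sport,
                                        maxttl=20)
            except s.error:
                attempts += 1
                if attempts > max_retries:
                    raise
                continue
            # res.res holds (probe, reply) pairs; the reply's source address
            # is presumably the hop that answered.
            hops = [ip_layer.src] + [reply.src for _, reply in res.res]
            return hops, tcp_layer.sport
    raise ValueError("no packet with IP and TCP layers in pkts")


# Presumably a hand-recorded result of an earlier run, kept for reference;
# the live call right after it rebinds tr.
tr = ['192.168.0.1', '10.218.160.4', '10.218.160.2', '10.218.161.61',
      '10.218.161.34', '10.218.162.20', '10.218.162.26', '92.79.230.53',
      '92.79.211.210', '213.248.75.217', '80.91.246.6', '80.91.253.215',
      '213.155.135.215', '213.248.69.62', '93.92.131.65', '93.92.131.110',
      '93.92.134.70', '81.28.232.189']
tr, sport = trace_route(pkts)
tr

import pygeoip


def map_ip(hops, db_path='data/GeoLiteCity.dat'):
    """Geolocate each hop address with the local GeoLiteCity database.

    Args:
        hops: iterable of IP address strings.
        db_path: path of the GeoLiteCity ``.dat`` file (previously hard-coded).

    Returns:
        A list of ``(lon, lat)`` pairs — GeoJSON position order — for the hops
        that have a record. Hops without one (RFC 1918 addresses such as the
        first entries of ``tr`` typically have none) are dropped, so the list
        may be shorter than *hops*.
    """
    gip = pygeoip.GeoIP(db_path)
    coordinates = []
    for hop in hops:
        geo_data = gip.record_by_addr(hop)
        if geo_data:
            coordinates.append((geo_data['longitude'], geo_data['latitude']))
    return coordinates


coordinates = map_ip(tr)
coordinates

import geojson


def create_geojson(coordinates):
    """Serialise hop positions as a GeoJSON FeatureCollection string.

    Args:
        coordinates: list of ``(lon, lat)`` pairs as returned by map_ip.

    Returns:
        ``geojson.dumps`` of a FeatureCollection with one Point feature per hop
        (ids 1..n, titled ``"hop i"``) and, when there are at least two
        positions, a closing LineString feature titled ``"route"`` through all
        of them. The previous version wrapped every single position in its own
        LineString, which is not valid GeoJSON (a LineString needs two or more
        positions). An empty input gives an empty ``features`` list.
    """
    positions = [list(pos) for pos in coordinates]
    features = [
        {
            "type": "Feature",
            "id": j,
            "properties": {"title": "hop %i" % j},
            "geometry": {"type": "Point", "coordinates": pos},
        }
        for j, pos in enumerate(positions, 1)
    ]
    if len(positions) >= 2:
        features.append({
            "type": "Feature",
            "id": len(positions) + 1,
            "properties": {"title": "route"},
            "geometry": {"type": "LineString", "coordinates": positions},
        })
    return geojson.dumps({"type": "FeatureCollection", "features": features})


search_route = create_geojson(coordinates)
print(search_route)
from IPython.display import HTML
HTML('')

# --- 5. SMTP: base64 is an encoding, not encryption ---------------------------
# Packets 11-13 look like an SMTP AUTH exchange: the tokens are base64-encoded,
# so anyone holding the capture can decode them. Only wrapping the session in
# TLS (STARTTLS) keeps them off the wire in readable form.
from scapy.all import *
sample_smtp = "data/smtp.pcap"
packets = sniff(offline=sample_smtp)
packets.nsummary()
packets[11]
raw = packets[11].getlayer(Raw)
raw
load = raw.fields.get('load').split()[0]
load
import base64
base64.b64decode(load)
packets[12]
raw = packets[12].getlayer(Raw)
load = raw.fields.get('load')
some_encoded_string = load.split(' ')[1]
print(some_encoded_string)
base64.b64decode(some_encoded_string)
raw = packets[13].getlayer(Raw)
load = raw.fields.get('load').split()[0]
print(load)
# what could this be?!?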
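base64.b64decode(load)


def filter_packet_by_string(pkt, string):
    """Print source -> destination and the payload of *pkt* if it contains *string*.

    Args:
        pkt: a scapy packet.
        string: substring searched for in the packet's Raw load.

    Packets without a Raw layer, or whose load field is missing, are ignored
    silently (the previous version would have raised on a missing load).
    """
    if not pkt.haslayer(Raw):
        return
    raw_load = pkt.getlayer(Raw).fields.get('load')
    if raw_load is not None and string in raw_load:
        print(pkt.sprintf("\n**QUERY FOUND:**\n" "From {IP:%IP.src% -> %IP.dst%\n}"))
        print(raw_load)


for pkt in packets:
    filter_packet_by_string(pkt, 'attachment')

# Read the saved message once; the handle is closed when the block ends
# (it was previously left open).
with open('pgpemail.txt', 'r') as fh:
    pgp_email = fh.read()
print(pgp_email)
# per RFC 3156 an OpenPGP/MIME message declares this protocol parameter
'protocol="application/pgp-encrypted"' in pgp_email

# quick and dirty email parser/traceroute
import spy
pgp_email_file = 'pgpemail.txt'
ip_addrs = spy.parse_email(pgp_email_file)
ip_addrs
tr = spy.trace_route(ip_addrs, 'PGPEmail.geojson')
from IPython.display import HTML
HTML('')

# --- IRC capture --------------------------------------------------------------
from scapy.all import *
sample_irc = "data/SkypeIRC.cap"
pkts = sniff(offline=sample_irc)
pkts
pkts.show()
pkts.summary(prn=lambda x: x.sprintf("{IP:%IP.src% -> %IP.dst%\n}" "{Raw:%Raw.load%\n}"))


def filter_packet_by_string(pkt, string):
    """Redefinition with a shorter report header; same matching rule as above.

    Packets without a Raw layer or a load field are skipped explicitly instead
    of via the blanket ``except Exception: pass`` of the previous version, which
    also hid genuine errors in sprintf/printing.
    """
    if not pkt.haslayer(Raw):
        return
    raw_load = pkt.getlayer(Raw).fields.get('load')
    if raw_load is not None and string in raw_load:
        print(pkt.sprintf("QUERY FOUND:\nFrom " "{IP:%IP.src% -> %IP.dst%\n}"))
        print(raw_load)


for pkt in pkts:
    filter_packet_by_string(pkt, 'amarok')

# --- port scan result, geolocated ---------------------------------------------
import nmap
nm = nmap.PortScanner()
bitbucket = nm.scan('bitbucket.org', '22-443')
bitbucket
bitbucket_hosts = nm.all_hosts()
bitbucket_hosts

import pygeoip


def map_ip(ip, db_path='data/GeoLiteCity.dat'):
    """Return the ``(lon, lat)`` of *ip* from the local GeoLiteCity database.

    Args:
        ip: IP address string.
        db_path: path of the GeoLiteCity ``.dat`` file (previously hard-coded).

    Returns:
        ``(lon, lat)`` in GeoJSON position order, or None when the database has
        no record for *ip* (made explicit; it was an implicit fall-through).
    """
    gip = pygeoip.GeoIP(db_path)
    geo_data = gip.record_by_addr(ip)
    if not geo_data:
        return None
    return geo_data['longitude'], geo_data['latitude']


import geojson


def create_geojson(coordinates):
    """Wrap one ``(lon, lat)`` position as a FeatureCollection with a single Point.

    Args:
        coordinates: ``(lon, lat)`` pair as returned by map_ip.

    Returns:
        ``geojson.dumps`` of the collection; the feature keeps id 1 and the
        title ``"hop 1"``.

    Raises:
        ValueError: *coordinates* is None (map_ip found no record). The previous
        version emitted a Point with ``null`` coordinates, which is not valid
        GeoJSON.
    """
    if coordinates is None:
        raise ValueError("no coordinates to plot")
    feature = {
        "type": "Feature",
        "id": 1,
        "properties": {"title": "hop %i" % 1},
        "geometry": {"type": "Point", "coordinates": list(coordinates)},
    }
    return geojson.dumps({"type": "FeatureCollection", "features": [feature]})


coordinates = map_ip(bitbucket_hosts[0])
geojson_file = create_geojson(coordinates)
print(geojson_file)
from IPython.display import HTML
HTML('')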