Network traffic captures are a wonderful thing. However, they can be an absolute chore to read and Wireshark isn't the most newbie-friendly tool in the world. Thankfully, we have a fantastic Python module named Scapy to make our lives a little easier.
To begin, let's grab a bit of traffic from our own machine. First, start tcpdump listening on all interfaces, saving full sized packets, and writing the results to a pcap file:
sudo tcpdump -i any -s 65535 -w example.pcap
Now, while that's running, we'll open a browser and hop to a few different sites. Let's say Github to check our PRs and Twitter to check if the sky is falling. When we're done, go back to the terminal window and press Ctrl+C to stop tcpdump.
Now, let's create analysis.py and see if we can find the DNS answer packets in the dump we just created:
from scapy.all import *

# rdpcap comes from scapy and loads in our pcap file
packets = rdpcap('example.pcap')

# Let's iterate through every packet
for packet in packets:
    # We're only interested in packets with a DNS Resource Record (DNSRR) layer,
    # i.e. DNS responses
    if packet.haslayer(DNSRR):
        # If the an(swer) is a DNSRR, print the name it replied with.
        # rrname is bytes under Python 3, so decode it for clean output.
        if isinstance(packet.an, DNSRR):
            print(packet.an.rrname.decode())
Running this should, depending on the state of our caches before running tcpdump anyway, give us the DNS responses from opening Github and Twitter:
pbs.twimg.com.
0.ubuntu.pool.ntp.org. # Oh hey there NTP.
github.com.
p-va-1.e.lv.twimg.com.
t.lv.twimg.com.
twitter.com.
api.github.com.
live.github.com.
Neato.
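The script above prints only the first record of each response, and `DNSRR` hides the parsing Scapy does for us. As an added example (mine, not the post's code), here is a stdlib-only parser over a constructed DNS response that walks the whole answer section, following the name compression pointers that let one reply carry several rrnames; the function names and the sample bytes are my own, and the depth guard in `read_name` is there so a pointer loop in a malformed packet can't recurse forever.

```python
import struct

# Constructed sample (not a real capture): a response to "twitter.com A" carrying a
# CNAME then an A record; the A record's owner name is a pointer (0xC029) into the
# CNAME rdata, as real resolvers emit. Address is from TEST-NET-1 (192.0.2.0/24).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # header: QR=1, qd=1, an=2
    b"\x07twitter\x03com\x00\x00\x01\x00\x01"          # question: twitter.com A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x00\x3c\x00\x10"  # answer 1: CNAME, ttl 60, rdlength 16
    b"\x01t\x02lv\x05twimg\x03com\x00"                  # rdata: t.lv.twimg.com.
    b"\xc0\x29\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"  # answer 2: A 192.0.2.1
)

def read_name(data, offset, depth=0):
    """Decode a name at offset, following compression pointers; return (name, end)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = read_name(data, pointer, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:  # root label terminates the name
            return ".".join(labels) + ".", offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def dns_answers(data):
    """Return (rrname, rtype, rdata) for every record in the answer section."""
    flags, qdcount, ancount = struct.unpack("!HHH", data[2:8])
    if not flags & 0x8000:
        return []  # QR bit clear: a query, which carries no answers
    offset = 12
    for _ in range(qdcount):  # skip the question section
        offset = read_name(data, offset)[1] + 4
    answers = []
    for _ in range(ancount):
        rrname, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        if rtype == 1 and rdlength == 4:  # A record: dotted quad
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 5:  # CNAME: another, possibly compressed, name
            rdata = read_name(data, offset)[0]
        offset += rdlength
        answers.append((rrname, rtype, rdata))
    return answers
```

Feed it the raw UDP payload of a captured response (in Scapy, `bytes(packet[DNS])`) and you get every rrname, not just the first.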
Anyway, Scapy is huge, this post won't be, but I'll hopefully add more as I learn.