Network traffic captures are a wonderful thing. However, they can be an absolute chore to read and Wireshark isn't the most newbie-friendly tool in the world. Thankfully, we have a fantastic Python module named Scapy to make our lives a little easier.
To begin, let's grab a bit of traffic from our own machine. First, start tcpdump listening on all interfaces, saving full sized packets, and writing the results to a pcap file:
sudo tcpdump -i any -s 65535 -w example.pcap
Now, while that's running, we'll open a browser and hop to a few different sites. Let's say Github to check our PRs and Twitter to check if the sky is falling. When we're done, go back to the terminal window and Ctrl+C to end the tcpdump.
Now, let's create analysis.py and see if we can find the DNS answer packets in the dump we just created:

```python
from scapy.all import *

# rdpcap comes from scapy and loads in our pcap file
packets = rdpcap('example.pcap')

# Let's iterate through every packet
for packet in packets:
    # We're only interested in packets carrying a DNS Resource Record
    # (DNSRR), i.e. the answer section of a DNS response
    if packet.haslayer(DNSRR):
        # If the an(swer) field is a DNSRR, print the name it replied with.
        # Note that .an is only the first answer record; a response with
        # several records (ancount > 1) has more behind it.
        if isinstance(packet.an, DNSRR):
            # rrname is bytes under Python 3, so decode it for a clean print
            print(packet.an.rrname.decode())
```
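To see what Scapy is decoding for us, and why printing only `packet.an` can miss answers, here is an added example that is not part of the original post or of Scapy: a small stdlib-only parser for the answer section of a DNS message, run over a constructed response (the name www.example.com, its CNAME to example.com and the address 192.0.2.1 are made-up sample data, not records from the capture above). The response uses name compression pointers, which is how real resolvers encode the second and later answers, and the parser rejects forward-pointing pointers so a malformed or hostile message cannot send it into a loop.

```python
import socket
import struct

TYPE_NAMES = {1: 'A', 5: 'CNAME', 28: 'AAAA'}


def _name(labels):
    """Encode a list of byte-string labels as an uncompressed DNS name."""
    return b''.join(bytes([len(label)]) + label for label in labels) + b'\x00'


# Constructed sample (hypothetical data, not taken from the post's capture):
# a response to "www.example.com A?" carrying two answers, a CNAME to
# example.com and an A record for example.com. Offsets: the question name
# starts at byte 12 and the label "example" inside it at byte 16, so the
# answers point back at those with 0xC00C / 0xC010 instead of repeating them.
SAMPLE_RESPONSE = (
    struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 2, 0, 0)    # id, flags QR|RD|RA, qd/an/ns/ar
    + _name([b'www', b'example', b'com']) + struct.pack('!HH', 1, 1)  # question, A, IN
    + b'\xc0\x0c' + struct.pack('!HHIH', 5, 1, 300, 2) + b'\xc0\x10'  # www.example.com CNAME example.com
    + b'\xc0\x10' + struct.pack('!HHIH', 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # example.com A 192.0.2.1
)

# Constructed sample query (QR bit clear): the same question with no answers.
SAMPLE_QUERY = (
    struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0)
    + _name([b'www', b'example', b'com']) + struct.pack('!HH', 1, 1)
)


def read_name(msg, offset):
    """Decode a possibly compressed DNS name starting at msg[offset].

    Returns (dotted name with trailing '.', offset just past the name as it
    appears in the stream). Compression pointers must point backwards; a
    forward pointer is rejected because it can only be malformed or hostile.
    """
    labels = []
    end = None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack('!H', msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError('forward compression pointer in DNS name')
            if end is None:
                end = offset + 2  # caller resumes after the 2-byte pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels) + '.', (offset if end is None else end)


def dns_answers(msg):
    """Return every record in the answer section as (rrname, type, rdata).

    This walks all `ancount` records, which is what the post's `packet.an`
    check does not do: that field is only the first answer.
    """
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    if not flags & 0x8000:
        return []  # QR bit clear: this is a query, not a response
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        rrname, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[offset:offset + 10])
        offset += 10
        raw = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(raw)
        elif rtype == 28 and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, raw)
        elif rtype == 5:
            rdata, _ = read_name(msg, offset)  # CNAME target, may itself be compressed
        else:
            rdata = raw.hex()
        offset += rdlen
        answers.append((rrname, TYPE_NAMES.get(rtype, str(rtype)), rdata))
    return answers


if __name__ == '__main__':
    for rrname, rtype, rdata in dns_answers(SAMPLE_RESPONSE):
        print(rrname, rtype, rdata)
```

The same bytes are what sit under Scapy's DNS layer: `rrname` is the owner name of each record and `rdata` its value. When you stay in Scapy, the practical takeaway is the same as in the parser: walk all `ancount` records of `packet[DNS]` rather than stopping at `packet.an`, or the CNAME target and the final A record never show up in your output.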
Running this should give us the DNS responses for the names looked up while opening Github and Twitter, though exactly which names show up depends on what was already in our caches before tcpdump started:

```
pbs.twimg.com.
0.ubuntu.pool.ntp.org. # Oh hey there NTP.
github.com.
p-va-1.e.lv.twimg.com.
t.lv.twimg.com.
twitter.com.
api.github.com.
live.github.com.
```
Anyway, Scapy is huge, this post won't be, but I'll hopefully add more as I learn.