All right, here we are!
Since this is the first post for my blog, I would like to share a WIP (Work In Progress) tool for packet sniffing.
Hopefully, with time, it will become a useful tool for Incident Response and Threat Hunting.
Components
The tool is written in Python and is built on the awesome Scapy library.
For those who don’t know what Scapy is… Scapy is a library that allows for advanced packet crafting, but for our needs, we are more interested in its parsing capabilities. Scapy can read packets and dissect them, making each part of them easily accessible.
The main file is just a Python script that reads pcap files or listens to live traffic and processes each packet in turn.
This file also imports custom modules placed in the plugins folder. Each plugin function can then be passed as an argument to run a specific action on the packets.
The folder tree is structured like this:
├── sniffer.py
└── plugins
    ├── ftp.py
    ├── ip.py
    ├── netbios.py
    └── ...
The tool also supports the BPF syntax to further filter packets.
Usage
A list of supported switches:
-r, --read: pcap file(s) to parse
-b, --bpf: BPF syntax to filter packets
-i, --interface: interface to read live packets from
-a, --action: plugin function to call on each packet
Example:
sniffer.py --read file.pcap --bpf 'udp port 53' --action dns_c2_beacon
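To show how the --action switch maps a name onto a plugin function, here is an added example (not code from the tool's repo): a minimal dispatcher plus a toy dns_c2_beacon plugin that flags DNS names queried at near-constant intervals. The real sniffer.py hands Scapy packets to plugins; here constructed (timestamp, src, name) tuples stand in so it runs offline, and the jitter threshold is an assumed heuristic, not the tool's.

```python
"""Added example: plugin dispatch and a toy dns_c2_beacon action.
Records are constructed tuples, not Scapy packets or real traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample DNS queries: (timestamp_seconds, src_ip, queried_name).
# 10.0.0.5 asks for the same name every ~60 s; 10.0.0.7 browses normally.
SAMPLE_DNS = [
    (0.0, "10.0.0.5", "beacon.example.test"),
    (60.1, "10.0.0.5", "beacon.example.test"),
    (119.9, "10.0.0.5", "beacon.example.test"),
    (180.0, "10.0.0.5", "beacon.example.test"),
    (240.2, "10.0.0.5", "beacon.example.test"),
    (3.0, "10.0.0.7", "www.example.test"),
    (40.0, "10.0.0.7", "cdn.example.test"),
    (200.0, "10.0.0.7", "www.example.test"),
]

def dns_c2_beacon(records, min_queries=4, max_jitter=0.05):
    """Flag (src, name) pairs whose query gaps have low relative jitter.
    jitter = stdev(gaps) / mean(gaps); the threshold is an assumption."""
    by_pair = defaultdict(list)
    for ts, src, name in records:
        by_pair[(src, name)].append(ts)
    hits = []
    for (src, name), times in by_pair.items():
        if len(times) < min_queries:
            continue  # too few samples to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # identical timestamps, not a beacon pattern
        if pstdev(gaps) / avg <= max_jitter:
            hits.append({"src": src, "name": name, "period": round(avg)})
    return hits

# Name -> plugin function, the lookup behind --action in the post.
PLUGINS = {"dns_c2_beacon": dns_c2_beacon}

def run_action(action, records):
    """Resolve the --action name and apply the plugin to the records."""
    if action not in PLUGINS:
        raise ValueError(f"unknown action {action!r}; known: {sorted(PLUGINS)}")
    return PLUGINS[action](records)

if __name__ == "__main__":
    print(run_action("dns_c2_beacon", SAMPLE_DNS))
```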
Github Repository
Here is the link to the repo.
I’m not a programmer, so expect errors in my code.
Any help and ideas are appreciated.
Please bookmark this page as it will be updated in the future as new features are added to the tool.
Last update: 31/10/2024