From 7358b3f1eea6ed8bac542c62ec53dc64e7f8d5f3 Mon Sep 17 00:00:00 2001
From: David Westgate
Date: Tue, 28 May 2024 16:24:15 -0700
Subject: [PATCH] work on hw4

---
 hw4/app.py | 38 ++++++++++++++++++++++++++++++++++++++
 hw4/hw4.md | 14 +++++++++++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 hw4/app.py

diff --git a/hw4/app.py b/hw4/app.py
new file mode 100644
index 0000000..c140a74
--- /dev/null
+++ b/hw4/app.py
@@ -0,0 +1,38 @@
+from scapy.all import * #pull in all of scapy -- you could do it other ways, but this makes it isomorphic to using scapy command line
+import socket
+import sys
+import time
+
+def main():
+    if len(sys.argv) > 1: #if we have a command line argument
+        try:
+            packets: PacketList = rdpcap(sys.argv[1])
+            #rdpcap is how we read a previously captured pcap file
+        except:
+            print("File read failure: %s not found" % sys.argv[1])
+            sys.exit(1)
+    else:
+        print("Need a pcap file to read!")
+        sys.exit(1)
+    #bpf = 'tcp and src host 192.168.86.228 and src port 80 and dst host 192.168.86.167'
+    #filtered = packets.filter(bpf)
+    #print(packets) #this gives us a nice summary of what we have in the pcap file
+
+    for p in packets[:5]: #let's only look at the first 100
+        packet : Packet = p
+        #we can filter based on what scapy calls "layers"
+        #each layer is a portion of a packet
+        #so a DNS packet would have an IP layer, a UDP layer, and a DNS layer
+        #ICMP would be IP, TCP, ICMP layers
+        #and because we're on an ethernet network, all of the above also has an ether layer
+        #let's not print DNS packets
+        #if not packet.haslayer(DNS):
+        # print(packet.summary)
+        lsc()
+        #packet.show() #print the contents of the packet
+        #print(packet.summary()) #we also can print out a summary of the packet, similar to tcpdump default output
+        time.sleep(0.2) #small pause between packets
+
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/hw4/hw4.md b/hw4/hw4.md
index 99ab20f..141cdc0 100644
--- a/hw4/hw4.md
+++ b/hw4/hw4.md
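Review bot: The bare `except:` around `rdpcap()` in `main` catches everything, including `KeyboardInterrupt` and `SystemExit`, and reports every failure as `%s not found`, so a truncated or non-pcap input is misreported as a missing file rather than as a parse error. Narrow it and surface the cause, e.g. `except (OSError, Scapy_Exception) as e:` followed by `print("File read failure for %s: %s" % (sys.argv[1], e))`. Separately, the loop comment says "first 100" while the slice is `packets[:5]`, and the loop body's only live statement is `lsc()`, which lists scapy's commands and never touches `packet`, so one of these looks like a leftover from an earlier draft. `import socket` is unused.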
@@ -14,9 +14,21 @@ First lets open this capture up in wireshark and do a high level overview Knowing we are ultimetly looking to re-construct a firmware download, we can discern some important info from wireshark * There are 241,531 packets in this capture, but only some are the traffic directly related to this download -* Client of the download is 192.168.86.167 and server origin is 192.168.86.228 +* Client of the download is 192.168.86.167 and server origin is 192.168.86.228:5000 * The download is split over multiple HTTP requests by the shown convention, which themselves are split over multiple TCP requests +A starting point of a BPF might look like `tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167` + +As a wireshark filter, this would be `tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167` + +Before moving on to scapy, we can filter down our `firmware.pcap` to a new capture called `filtered.pcap` with the following command + +``` +tcpdump -r firmware.pcap -w filtered.pcap 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167' + +``` + + ### ## Questions