Python with PyShark —A Lazy Way for Automated Penetration Testing (2024)


Jun 9, 2020


Getting started analysing a sniffed file (pcap file) with Python.

I am used to capturing and analysing packets in the WireShark app for penetration testing. I used to check those packets for security weaknesses manually, scrolling through them looking for risky things such as the protocol, the port, or plaintext data. However, this becomes overwhelming when there are more packets to check. So I came up with a lazy idea: can I write a script that automatically detects vulnerabilities in those packets for me?

I chose PyShark, a Python wrapper for the Wireshark CLI (TShark), and I show how to work with PyShark on Mac OS. You may wonder, “Why does the Mac OS environment matter?” Of course, the Mac way is not always as easy as it is in the Debian community. Some common installation commands that work on Debian may not work on Mac OS.

This article will walk you through how to install PyShark and use it to analyze the captured packets for penetration testing.

My environment:

  1. Mac OS 10.15.4 Catalina
  2. Python 3.8.3

Installation steps:

  1. WireShark and Tshark

brew cask install wireshark

You may get an error message if the WireShark app is already installed on your Mac. If so, uninstall the WireShark app first, or reinstall it with the command below.

brew cask reinstall wireshark

After WireShark is installed, it will show the message “wireshark was successfully installed!”. We can check simply by typing the tshark command.

(screenshot: terminal output of the tshark command)

If your screen shows the tshark output like the screenshot, congratulations! You did it!

2. xcode-select

xcode-select --install

3. Install libxml

brew install libxml2

If an error message appears due to a Homebrew permission issue like this:

Error: Permission denied @ apply2files - /usr/local/lib/node_modules/node-red/node_modules/websocket-stream/node_modules/ws/lib/.DS_Store

you need to run the following command.

sudo chown -R $(whoami) /usr/local

Python environment

The command to install PyShark is the same as on Debian.

pip install pyshark

Installing pyshark gave me the following output:

➜ ~ pip install pyshark
Collecting pyshark
Using cached pyshark-0.4.2.11-py3-none-any.whl (30 kB)
Collecting lxml
Using cached lxml-4.5.1-cp38-cp38-macosx_10_9_x86_64.whl (4.5 MB)
Collecting py
Using cached py-1.8.1-py2.py3-none-any.whl (83 kB)
Installing collected packages: lxml, py, pyshark
Successfully installed lxml-4.5.1 py-1.8.1 pyshark-0.4.2.11
➜ ~ pip list
Package    Version
---------- ----------
certifi    2020.4.5.1
lxml       4.5.1
pip        20.1.1
py         1.8.1
pyshark    0.4.2.11
setuptools 41.2.0
➜ ~

To work with PyShark in Python 3 from a terminal, I select the file “music_1.cap” as an example.

import pyshark
file = "music_1.cap"              # path to the capture file
cap = pyshark.FileCapture(file)   # open the capture with PyShark
print(cap[0])                     # show the first packet

To see all attributes available on a packet, I use dir():

import pprint
pprint.pprint(dir(cap[0]))

I can iterate over all packets rather than only packet 0, printing the highest protocol layer of each:

for pkt in cap: print(pkt.highest_layer)

I want to filter the packets to see only HTTP packets, using a display filter:

caphttp = pyshark.FileCapture(file, display_filter='http')

The result shows the first HTTP packet:

print(caphttp[0])
Packet (Length: 189)
Layer ETH:
Destination: 74:4d:28:58:d2:d1
Address: 74:4d:28:58:d2:d1
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 54:e5:bd:8c:5c:5e
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Address: 54:e5:bd:8c:5c:5e
Layer IP:
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 175
Identification: 0x04fd (1277)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: TCP (6)
Header checksum: 0xbbc7 [validation disabled]
Header checksum status: Unverified
Source: 192.168.1.17
Destination: 47.246.8.213
Layer TCP:
Source Port: 62283
Destination Port: 80
Stream index: 3
TCP Segment Len: 135
Sequence number: 1 (relative sequence number)
Sequence number (raw): 16602
Next sequence number: 136 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
Acknowledgment number (raw): 2297962230
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
TCP Flags: ·······AP···
Window size value: 5840
Calculated window size: 5840
Window size scaling factor: -2 (no window scaling used)
Checksum: 0x616d [unverified]
Checksum Status: Unverified
Urgent pointer: 0
SEQ/ACK analysis
iRTT: 0.008328000 seconds
Bytes in flight: 135
Bytes sent since last PSH flag: 135
Timestamps
Time since first frame in this TCP stream: 0.009321000 seconds
Time since previous frame in this TCP stream: 0.000993000 seconds
TCP payload (135 bytes)
Layer HTTP:
GET /en/resource/31/31_418.mp3 HTTP/1.1\r\n
Expert Info (Chat/Sequence): GET /en/resource/31/31_418.mp3 HTTP/1.1\r\n
GET /en/resource/31/31_418.mp3 HTTP/1.1\r\n
Severity level: Chat
Group: Sequence
Request Method: GET
Request URI: /en/resource/31/31_418.mp3
Request Version: HTTP/1.1
Host: cdn.aidoor.net\r\n
User-Agent: Allwinner/CedarX 2.7\r\n
Connection: close\r\n
Full request URI: http://cdn.aidoor.net/en/resource/31/31_418.mp3
HTTP request 1/1\r\n
Range: bytes=0-\r\n

However, on Python 3.8.3 you may see errors from asyncio like the following.

(screenshot: asyncio error traceback)

This error can be fixed by adding one line that closes the capture:

caphttp.close()

So the simple script to read packets from a pcap file becomes:

import pyshark
file = '/Users/MyCome/Documents/music_1.cap'
caphttp = pyshark.FileCapture(file,display_filter='http')
print(caphttp[0])
caphttp.close()
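As an added example (not code from the article), here is the lazy detector the introduction asks for: the highest_layer loop above, reduced to a per-protocol tally, plus two simple checks run over every packet, one for destination ports whose default protocol is cleartext and one for payload patterns that suggest credentials travelling unencrypted. The port list, the credential patterns and the SAMPLE_PACKETS records are constructed assumptions; only scan_pcap() needs tshark and pyshark installed, and it keeps the capture closed in a finally block so the asyncio error discussed above does not come back.

```python
"""Lazy first-pass triage of a capture with PyShark (added example).
The rules and sample packets below are assumptions for illustration;
scan_pcap() is the only part that needs tshark + pyshark installed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Destination ports whose default protocol carries data in cleartext (assumed list).
CLEARTEXT_PORTS: Dict[int, str] = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}

# Payload patterns that suggest credentials in the clear (assumed patterns).
# Only the label is reported, so no secret is copied into the report.
CREDENTIAL_PATTERNS = [
    ("HTTP Basic authorization header", re.compile(r"^Authorization:\s*Basic\s+\S+", re.I | re.M)),
    ("FTP USER/PASS command", re.compile(r"^(USER|PASS)\s+\S+", re.M)),
    ("password parameter in body or query", re.compile(r"(password|passwd|pwd)=[^&\s]+", re.I)),
]


@dataclass
class PacketSummary:
    """The few fields the checks need, decoupled from pyshark's objects."""
    number: int
    highest_layer: str
    src: str
    dst: str
    dst_port: Optional[int]
    payload: str = ""


@dataclass
class Finding:
    packet: int
    risk: str
    detail: str


def check_packet(p: PacketSummary) -> List[Finding]:
    """Apply the port rule and the credential rule to one packet."""
    findings: List[Finding] = []
    proto = CLEARTEXT_PORTS.get(p.dst_port) if p.dst_port is not None else None
    if proto is not None:
        findings.append(Finding(p.number, "cleartext-protocol", f"{proto} to {p.dst}:{p.dst_port}"))
    for label, pattern in CREDENTIAL_PATTERNS:
        if pattern.search(p.payload):
            findings.append(Finding(p.number, "credential-in-cleartext", label))
            break  # one credential finding per packet is enough
    return findings


def check_packets(packets: Iterable[PacketSummary]) -> List[Finding]:
    return [f for p in packets for f in check_packet(p)]


def protocol_counts(packets: Iterable[PacketSummary]) -> Dict[str, int]:
    """The article's highest_layer loop, reduced to a tally per protocol."""
    return dict(Counter(p.highest_layer for p in packets))


def summary_from_pyshark(pkt, number: int) -> PacketSummary:
    """Map a pyshark packet onto PacketSummary. Assumes pyshark's usual layer
    attributes (pkt.highest_layer, pkt.ip.src/dst, pkt.tcp.dstport, and
    pkt.tcp.payload as colon-separated hex); missing pieces become empty."""
    ip = pkt.ip if "IP" in pkt else None
    tcp = pkt.tcp if "TCP" in pkt else None
    payload = ""
    if tcp is not None and hasattr(tcp, "payload"):
        payload = bytes.fromhex(str(tcp.payload).replace(":", "")).decode("latin-1")
    return PacketSummary(number=number, highest_layer=pkt.highest_layer,
                         src=ip.src if ip is not None else "",
                         dst=ip.dst if ip is not None else "",
                         dst_port=int(tcp.dstport) if tcp is not None else None,
                         payload=payload)


def scan_pcap(path: str, display_filter: Optional[str] = None) -> List[Finding]:
    """Run the checks over a capture file; needs tshark and pyshark installed."""
    import pyshark  # imported lazily so the rules above work without tshark

    cap = pyshark.FileCapture(path, display_filter=display_filter)
    try:
        return check_packets(summary_from_pyshark(pkt, i) for i, pkt in enumerate(cap))
    finally:
        cap.close()  # the close() the article adds to avoid the asyncio error


# Constructed sample packets (not from a real capture) so the rules run offline.
SAMPLE_PACKETS = [
    PacketSummary(0, "HTTP", "192.168.1.17", "47.246.8.213", 80,
                  "GET /en/resource/31/31_418.mp3 HTTP/1.1\r\nHost: cdn.aidoor.net\r\n"),
    PacketSummary(1, "HTTP", "10.0.0.5", "10.0.0.9", 80,
                  "POST /login HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n"),
    PacketSummary(2, "FTP", "10.0.0.5", "10.0.0.21", 21, "USER alice\r\n"),
    PacketSummary(3, "TLS", "10.0.0.5", "10.0.0.9", 443, ""),
    PacketSummary(4, "DNS", "10.0.0.5", "10.0.0.53", 53, ""),
]

if __name__ == "__main__":
    import sys
    # With a path argument, scan that pcap; otherwise run over the built-in samples.
    found = scan_pcap(sys.argv[1]) if len(sys.argv) > 1 else check_packets(SAMPLE_PACKETS)
    for f in found:
        print(f"packet {f.packet}: {f.risk} ({f.detail})")
```

Run it as `python triage.py music_1.cap` to scan a capture, or with no argument to see the five findings the constructed samples produce (three cleartext-protocol hits on the two HTTP packets and the FTP packet, plus a credential hit on each of the Basic-auth and FTP USER packets). The checks deliberately work on PacketSummary rather than on pyshark packets directly, so new rules can be unit-tested with hand-made records before you run them over a real file.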

With the PyShark library, you can do in a Python program what you would do in the WireShark app. This lets you write a script that captures, reads, filters and displays packets in one click (Run .py).

Article information

Author: Terrell Hackett