
Network Traffic Analysis

Basic PCAP File Parsing

require 'packetfu'

# Read every record of packets.pcap; the result is an Array of parsed PacketFu packets.
packets = PacketFu::PcapFile.read_packets('packets.pcap')
Download the packets.pcap file.

Find FTP Credentials

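#!/usr/bin/env ruby
# Scan a capture file for FTP control-channel logins: the USER and PASS
# commands travel in cleartext to TCP port 21, so a plain payload match is
# enough to show who sent them and to which server.
#
# Usage: find_ftp_creds.rb <capture.pcap>
require 'packetfu'

# Render a 32-bit integer IPv4 address in dotted-quad notation.
def dotted(addr)
  [addr].pack('N').unpack('C4').join('.')
end

pcap_file = ARGV[0]
abort "Usage: #{$PROGRAM_NAME} <capture.pcap>" unless pcap_file

packets = PacketFu::PcapFile.read_packets(pcap_file)

packets.each do |packet|
  # Non-TCP records (ARP, UDP, ...) have no tcp_dport; without this guard the
  # first such packet in the capture raises NoMethodError and stops the scan.
  next unless packet.is_tcp? && packet.tcp_dport == 21
  next unless packet.payload =~ /(USER|PASS)/

  puts "#{dotted(packet.ip_src)} => #{dotted(packet.ip_dst)}"
  # The payload already ends with the FTP CRLF, so print rather than puts.
  print packet.payload
end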
Returns
192.168.2.127 => 192.168.2.128
USER ayoi
192.168.2.127 => 192.168.2.128
PASS kambingakuilang
Download the ftp.pcap file.

Capturing and building PCAP file

Sometimes we don't have the time or the option to install external libraries in our environment. Let's capture all packets on all interfaces, then see how to build a pcap file to write them into.
#!/usr/bin/env ruby
#
# KING SABRI | @KINGSABRI
#
require 'socket'
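# Minimal libpcap (.pcap) writer built only on the standard library: it writes
# the 24-byte global header on creation and one 16-byte record header in front
# of every packet handed to #write.
# Layout: https://wiki.wireshark.org/Development/LibpcapFileFormat
class Pcap
  # Global header: magic_number, version_major, version_minor, thiszone,
  # sigfigs, snaplen, network. Native byte order, like the record headers;
  # readers use the magic number to detect which byte order was used.
  GLOBAL_HEADER_FORMAT = 'ISSIIII'
  # Record header: ts_sec, ts_usec, incl_len, orig_len.
  RECORD_HEADER_FORMAT = 'IIII'
  # Maximum number of packet bytes stored per record.
  SNAPLEN = 65_535
  # Link-layer type 1 = Ethernet.
  LINKTYPE_ETHERNET = 1

  # Create (or truncate) +pcap_file+ and write the global header.
  #
  # @param pcap_file [String] path of the capture file to write
  # @raise [SystemCallError] if the file cannot be created
  def initialize(pcap_file)
    # File.open, not Kernel#open: Kernel#open treats a path beginning with '|'
    # as a command to spawn, and this path comes straight from the command line.
    @pcap_file = File.open(pcap_file, 'wb')
    global_header = [
      0xa1b2c3d4,        # magic_number: identifies the file as pcap
      2,                 # version_major
      4,                 # version_minor
      0,                 # thiszone: GMT-to-local correction, always 0 in practice
      0,                 # sigfigs: timestamp accuracy, always 0 in practice
      SNAPLEN,           # snaplen: max bytes stored per packet
      LINKTYPE_ETHERNET  # network: link-layer type
    ].pack(GLOBAL_HEADER_FORMAT)
    @pcap_file.write(global_header)
  end

  # Append one packet record, stamped with the current wall-clock time.
  #
  # @param data [String] raw link-layer frame bytes
  # @return [Integer] number of bytes written (record header plus packet data)
  # @raise [IOError, SystemCallError] if the write fails; the file is closed
  #   first so that a failure is not silently repeated for every later packet
  def write(data)
    now = Time.now
    # bytesize, not length: length counts characters and under-reports
    # multibyte strings, which would corrupt the record framing.
    orig_len = data.bytesize
    # Never store more than the snaplen announced in the global header.
    incl_len = [orig_len, SNAPLEN].min
    packet_header = [
      now.to_i,   # ts_sec: seconds since the epoch
      now.usec,   # ts_usec: microseconds within that second (0..999_999)
      incl_len,   # incl_len: bytes of packet data present in the file
      orig_len    # orig_len: bytes the packet had on the wire
    ].pack(RECORD_HEADER_FORMAT)
    record = packet_header << data.byteslice(0, incl_len).b
    @pcap_file.write(record)
  rescue StandardError
    # Don't leave a half-written file open, but let the caller see the
    # failure instead of swallowing it and dropping every later packet.
    close
    raise
  end

  # Flush and close the capture file. Safe to call more than once.
  def close
    @pcap_file.close unless @pcap_file.closed?
  end
end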
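# Entry point: capture every frame on every interface and append it to the
# file named on the command line until interrupted with Ctrl-C.
#
# Needs CAP_NET_RAW (normally root), and PF_PACKET sockets are Linux-only.
output = ARGV[0]
abort "Usage: #{$PROGRAM_NAME} <output.pcap>" unless output

pcap = Pcap.new(output)
# Protocol 0x0300 is ETH_P_ALL (0x0003) in network byte order, so the socket
# receives every link-layer frame on all interfaces regardless of protocol.
socket = Socket.new(Socket::PF_PACKET, Socket::SOCK_RAW, 0x03_00)

begin
  loop do
    # recvfrom returns [data, sender_info]; only the frame bytes are kept.
    raw_data = socket.recvfrom(65_535).first
    pcap.write(raw_data)
  end
rescue Interrupt
  # Ctrl-C is the normal way to stop a capture; leave without a backtrace.
ensure
  socket.close
end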
<!--

!/usr/bin/env ruby

#
require 'packetfu' require 'pp'
capture = PacketFu::Capture.new :iface => 'mon0', :promisc => true, :start => true
capture.stream.each do |p|
pkt = PacketFu::Packet.parse p pp pkt end
\

array 56

include PacketFu packets = PcapFile.file_to_array '/home/KING/wireless.pcap'
packets.eachwith_index do |packet , ref| puts "" 75 puts "Reference: #{ref}" puts "\" _ 75
pkt = Packet.parse(packet) puts pkt.dissect sleep 2
end
\
packets = PcapFile.read_packets '/home/KING/wireless.pcap' packet = packets[56] pkt = Packet.parse(packet) puts pkt.inspect_hex
=begin 1876 1551 1550 1339 1324 459 458 =end --->