PCAP Analysis

  • Scapy has pretty handy functions for handling PCAP files
  • Although there are dedicated tools like dpkt, pcapy etc. to deal with packet captures (using Python), Scapy is still a go-to tool for PCAP analysis because of its dense set of methods that aid you in a number of packet analysis operations
  • Although Scapy is all powerful, it takes a lot of memory when reading packets, so analysing larger packet captures will take a toll on your system memory

PCAP operations

Memory matters!

Scapy represents each packet as a class instance, which takes a toll on system memory, so it is not the right choice for analysing large PCAPs

When investigating large PCAPs (several gigabytes), use lightweight tools like Tshark for the initial analysis; when the investigation boils down to a smaller set of packets, use Scapy.

Reading PCAP

You can read a PCAP file in Scapy using the rdpcap function.

>>> rdpcap('port_knock_seq.pcap')
<port_knock_seq.pcap: TCP:6 UDP:0 ICMP:0 Other:0>
>>> pkts = sniff(offline="temp.cap")  # sniff() can also read from a capture file instead of an interface

Writing pcap

You can write a set of packets into a PCAP file using the wrpcap function.

>>> wrpcap("attack.pcap",packets)

Simple tcp-replay tool

  • You can write a very simple tcp-replay tool in one line of Scapy. This piece of code sends the packets in a PCAP over the network, which is very handy in some forensic analysis situations:
>>> sendp(rdpcap("/tmp/pcapfile")) # tcpreplay
...........
Sent 11 packets.

Exercise time - packet hunting

Please solve Exercise 5 - packet hunting (Misc exercises)

Please solve Exercise 6 (Misc exercises)