from __future__ import print_function

import time
from datetime import datetime, timedelta

import pyshark
# Live capture on a hard-coded interface name; change it to match the host.
# The capture object is created at import time and consumed by start().
capture = pyshark.LiveCapture(interface='wlp3s0')
# capture.set_debug()
# Connections on which TLS traffic has been seen, keyed by key(pkt)
# ("ip:port+ip:port", endpoints in sorted order so both directions share a key).
# Each value is {'time': local datetime of the last TLS packet seen,
#                'counter': int, bumped by print_callback on every TCP SYN-ACK
#                           that arrives within 10 s of that last packet}.
connection_map = {}
# generates a sorted key based on the source/destination of the packet
def key(pkt):
    """Return a direction-independent key for the packet's endpoint pair.

    Both endpoints are rendered by src_addr()/dst_addr() as ``"ip:port"``
    and joined with ``"+"`` in sorted order, so a packet and its reply map
    to the same key.

    Args:
        pkt: a pyshark packet with an IPv4 or IPv6 layer.

    Returns:
        str: ``"<lower endpoint>+<higher endpoint>"``.
    """
    endpoints = sorted((src_addr(pkt), dst_addr(pkt)))
    return "+".join(endpoints)
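def src_addr(pkt):
    """Return the packet's source endpoint as ``"<ip>:<port>"``.

    The address comes from the IPv4 layer, or from the IPv6 layer when
    there is no IPv4 layer.  The port is read from the packet's transport
    layer (``pkt[pkt.transport_layer].srcport``); when that lookup fails
    (no transport layer, or one without ports) the port is reported as 0
    so the endpoint string keeps a fixed shape.

    Args:
        pkt: a pyshark packet.

    Returns:
        str: ``"src_ip:src_port"``.

    Raises:
        ValueError: if the packet has neither an 'ip' nor an 'ipv6' layer
            (previously this surfaced as an UnboundLocalError on ``src``).
    """
    if 'ip' in pkt:
        src = pkt.ip.src
    elif 'ipv6' in pkt:
        src = pkt.ipv6.src
    else:
        raise ValueError("packet has no IPv4/IPv6 layer")
    try:
        src_port = pkt[pkt.transport_layer].srcport
    except Exception:
        # Missing transport layer (transport_layer may be None) or a layer
        # without a srcport field: best-effort fallback, not an error.
        src_port = 0
    return src + ":" + str(src_port)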
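def dst_addr(pkt):
    """Return the packet's destination endpoint as ``"<ip>:<port>"``.

    The address comes from the IPv4 layer, or from the IPv6 layer when
    there is no IPv4 layer.  The port is read from the packet's transport
    layer (``pkt[pkt.transport_layer].dstport``); when that lookup fails
    (no transport layer, or one without ports) the port is reported as 0
    so the endpoint string keeps a fixed shape.

    Args:
        pkt: a pyshark packet.

    Returns:
        str: ``"dst_ip:dst_port"``.

    Raises:
        ValueError: if the packet has neither an 'ip' nor an 'ipv6' layer
            (previously this surfaced as an UnboundLocalError on ``dst``).
    """
    if 'ip' in pkt:
        dst = pkt.ip.dst
    elif 'ipv6' in pkt:
        dst = pkt.ipv6.dst
    else:
        raise ValueError("packet has no IPv4/IPv6 layer")
    try:
        dst_port = pkt[pkt.transport_layer].dstport
    except Exception:
        # Missing transport layer (transport_layer may be None) or a layer
        # without a dstport field: best-effort fallback, not an error.
        dst_port = 0
    return dst + ":" + str(dst_port)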
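def log(pkt, desc, value):
    """Print one timestamped event line for *pkt*.

    Output shape: ``<utc timestamp> <src> -> <dst> === <desc> <value>``,
    with both endpoints rendered by src_addr()/dst_addr() as ``ip:port``.

    Args:
        pkt: a pyshark packet carrying an IPv4 or IPv6 layer (src_addr()
            and dst_addr() raise otherwise; callers wrap log() in try).
        desc: short event name, e.g. ``"SNI"`` or ``"DNS Query"``.
        value: event payload printed after *desc*.
    """
    # The printed timestamp is UTC, whereas connection_map entries are
    # stamped with datetime.now() (local time) — the two are not comparable.
    # The original also recomputed src/dst/ports here without using them;
    # that dead code (and its bare excepts) is gone.
    print(datetime.utcnow(), src_addr(pkt), "->", dst_addr(pkt), "===", desc, value)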
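def print_callback(pkt):
    """Inspect one captured packet and print the events it carries.

    Only packets with an IPv4 or IPv6 layer are considered.  The probes
    below run independently, so one packet may produce several lines:
    TLS SNI / certificate name, DNS query or response, TCP SYN-ACK (new
    connection plus ageing of ``connection_map``), HTTP request URI, TLS
    traffic (refreshes the connection's ``connection_map`` entry) and TCP
    FIN/RST (connection closed, entry removed).

    Each probe swallows ``Exception`` because pyshark reports a missing
    layer or field as an exception (typically AttributeError); for most
    packets that is the normal case, not an error.  Bare ``except:`` was
    replaced so KeyboardInterrupt/SystemExit still stop the capture.

    NOTE(review): the layer/field names used here ('ssl',
    'handshake_extensions_server_name', 'x509ce_dnsname', ...) are kept as
    the author wrote them; they depend on the tshark version pyshark drives
    — confirm against the installed dissector's names.

    Args:
        pkt: a pyshark packet.
    """
    if not ('ip' in pkt or 'ipv6' in pkt):
        return
    _log_tls_names(pkt)
    _log_dns(pkt)
    _on_new_connection(pkt)
    _log_http_request(pkt)
    _track_tls_connection(pkt)
    _on_connection_close(pkt)


def _tcp_flag_set(pkt, flag):
    """Return True when the TCP flag field *flag* (e.g. 'flags_syn') is "1".

    Raises AttributeError when the packet has no TCP layer or field.
    """
    return str(getattr(pkt.tcp, flag)) == "1"


def _log_tls_names(pkt):
    """Log the TLS SNI and the certificate DNS name, whichever are present."""
    try:
        log(pkt, "SNI", pkt.ssl.handshake_extensions_server_name)
    except Exception:
        pass  # no TLS layer, or not a ClientHello
    try:
        log(pkt, "Cert name", pkt.ssl.x509ce_dnsname)
    except Exception:
        pass  # no certificate name in this record


def _log_dns(pkt):
    """Log a DNS query or response with its queried name and transaction id."""
    try:
        dns = pkt.dns
        kind = "Response" if str(dns.flags_response) == "1" else "Query"
        log(pkt, "DNS " + kind, str(dns.qry_name) + " id:" + str(dns.id))
    except Exception:
        pass  # not DNS, or a record without qry_name/id


def _on_new_connection(pkt):
    """On a TCP SYN-ACK: log the new connection and age ``connection_map``.

    Every tracked connection whose last TLS packet is less than 10 s old
    gets its counter bumped; entries idle for more than 600 s are dropped.
    The three busiest entries (by counter) are then printed.

    Fixes versus the original: the loop iterates a snapshot, so deleting
    expired entries no longer raises "dictionary changed size during
    iteration" (which the bare except hid, skipping the whole block);
    idle time uses total_seconds() instead of timedelta.seconds, which
    ignores the days component; and the ranking sorts by the counter
    instead of comparing the value dicts themselves.
    """
    try:
        if not (_tcp_flag_set(pkt, "flags_syn") and _tcp_flag_set(pkt, "flags_ack")):
            return
        log(pkt, "New connection", "")
        now = datetime.now()
        for k, entry in list(connection_map.items()):
            idle = (now - entry['time']).total_seconds()
            if idle < 10:
                entry['counter'] += 1
            if idle > 600:
                del connection_map[k]
        busiest = sorted(connection_map.items(),
                         key=lambda kv: (kv[1]['counter'], kv[0]),
                         reverse=True)[:3]
        for k, entry in busiest:
            print("**** %s: %s" % (k, entry))
        print("-------------")
    except Exception:
        pass  # no TCP layer, or log()/key() could not render the packet


def _log_http_request(pkt):
    """Log the full URI of a plain-HTTP request."""
    try:
        log(pkt, "HTTP Request", pkt.http.request_full_uri)
    except Exception:
        pass  # not an HTTP request


def _track_tls_connection(pkt):
    """Refresh ``connection_map`` for a packet carrying a TLS layer.

    The entry is created on first sight with counter 0 and is stamped with
    the current local time on every TLS packet.
    """
    try:
        pkt.ssl  # attribute access doubles as the presence test (raises if absent)
        entry = connection_map.setdefault(key(pkt), {'time': None, 'counter': 0})
        entry['time'] = datetime.now()
    except Exception:
        pass  # no TLS layer, or key() could not render the packet


def _on_connection_close(pkt):
    """On TCP FIN or RST: log the close and forget the connection."""
    try:
        fin = _tcp_flag_set(pkt, "flags_fin")
        if fin or _tcp_flag_set(pkt, "flags_reset"):
            log(pkt, "Connection closed", "FIN" if fin else "RESET")
            # pop(): the connection may never have been tracked (no TLS seen).
            connection_map.pop(key(pkt), None)
    except Exception:
        pass  # no TCP layer, or log()/key() could not render the packet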
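def start():
    """Run the live capture, handing every packet to print_callback.

    Blocks inside ``capture.apply_on_packets`` until it returns or raises;
    the timeout value is passed straight through to pyshark.  Exceptions
    propagate to the caller (the original print statement was Python-2
    only; with the print_function import the module runs on 2 and 3).
    """
    print("starting capture")
    capture.apply_on_packets(print_callback, timeout=10000)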
# try:
# capture.apply_on_packets(print_callback, timeout=10000)
# except:
# print "Exception: restarting."
# start()
# Runs at import time: the capture starts as soon as this module is loaded.
start()
# while True:
# for packet in capture.sniff_continuously(packet_count=1):
# # ssl.handshake.extensions_server_name
# try:
# print packet.ssl.handshake #.extensions_server_name
# print "-----------------"
# except:
# print "packet"
# # print 'Just arrived:', packet