12 June, 2013

Sniffing Network Using Scapy

Start the Packet Sniffer

(The commands below are typed in the Scapy interactive shell; in a plain Python shell run `from scapy.all import *` first.)

>>> sniff(iface="eth2", prn=lambda x: x.show())

To stop sniffing, press Ctrl + C

<Lines Omitted>


###[ Ethernet ]###
  dst= 94:db:c9:aa:aa:aa
  src= 08:00:27:a5:02:ea
  type= 0x800
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x10
     len= 140
     id= 22800
     flags= DF
     frag= 0L
     ttl= 64
     proto= tcp
     chksum= 0x5d20
     src= 192.168.1.113
     dst= 192.168.1.106
     options= ''
###[ TCP ]###
     sport= ssh
<Sniffed: TCP:603 UDP:3 ICMP:2 Other:13>

Make a Summary

>>> sniff(iface="eth2", prn=lambda x: x.summary())

To stop sniffing, press Ctrl + C

<Lines Omitted>

Ether / IP / TCP 192.168.1.113:ssh > 192.168.1.106:56594 PA / Raw
Ether / IP / TCP 192.168.1.113:ssh > 192.168.1.106:56594 PA / Raw
Ether / IP / TCP 192.168.1.113:ssh > 192.168.1.106:56594 PA / Raw
Ether / IP / TCP 192.168.1.113:ssh > 192.168.1.106:56594 PA / Raw
Ether / IP / TCP 192.168.1.113:ssh > 192.168.1.106:56594 PA / Raw
^C
<Sniffed: TCP:9327 UDP:44 ICMP:0 Other:1>



Make Some Basic Filters

Sniff only 5 packets sent to or from host 192.168.1.1 (the filter string is BPF syntax, as used by tcpdump):

>>> sniff(filter="host 192.168.1.1", count=5)
<Sniffed: TCP:1 UDP:2 ICMP:0 Other:2>

To inspect the sniffed packets, follow these steps (`_` holds the result of the last expression, i.e. the packet list):

>>> a=_

>>> a.nsummary()

0000 Ether / IP / TCP 192.168.1.113:ssh > 192.168.1.106:56594 PA / Raw
0001 Ether / ARP who has 192.168.1.1 says 192.168.1.106 / Padding
0002 Ether / ARP is at 74:31:70:c2:aa:aa says 192.168.1.1 / Padding
0003 Ether / IP / UDP 192.168.1.1:1900 > 239.255.255.250:1900 / Raw
0004 Ether / IP / UDP 192.168.1.1:1900 > 192.168.1.106:53593 / Raw

You have 5 packets here. To open any one of them, index the list:

>>> a[1]
<Ether  dst=ff:ff:ff:ff:ff:ff src=94:db:c9:03:c5:80 type=0x806 |<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=who-has hwsrc=94:db:c9:03:aa:aa psrc=192.168.1.106 hwdst=00:00:00:00:00:00 pdst=192.168.1.1 |
<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>

a[1] (where 1 is the packet number, counting from 0 as in the nsummary() output)
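The following is an added example, not code from the original post, showing what Scapy does behind `show()`, `summary()`, `filter=`, `count=` and `prn=`. It is pure standard-library Python so it runs offline without root or a live interface: the frames are constructed here (the first one reproduces the field values of the ssh packet shown above, including len=140), the names `build_frame`, `dissect`, `summary`, `host_filter`, `sniff_offline` and `ssh_syn_counter` are this example's own, and `PORT_NAMES` only maps port 22 to "ssh" the way Scapy's summary does. The `prn` callback tallies TCP SYNs to port 22 per source, the kind of hook a defender would attach to a sniffer to watch for SSH scanning, and the dissector also verifies the IPv4 header checksum, which Scapy's `show()` prints but does not check for you.

```python
import socket
import struct

ETH_P_IP = 0x0800          # EtherType for IPv4 (shown as type=0x800 on the page)
IPPROTO_TCP = 6
PORT_NAMES = {22: "ssh"}   # Scapy prints well-known ports by name; we only need 22 -> "ssh"
TCP_FLAG_BITS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20)]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a header whose chksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, tcp_flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (constructed test data; TCP checksum left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # version=4, ihl=5, tos=0x10, id=22800, flags=DF (0x4000), ttl=64, proto=tcp: the page's packet
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, total_len, 22800, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the checksum field
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return eth + ip + tcp + payload


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def dissect(frame: bytes) -> dict:
    """Parse the headers into the fields Scapy's show() prints, plus an IP checksum verdict."""
    etype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"Ether": {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]), "type": etype}}
    if etype != ETH_P_IP:
        return pkt
    ip = frame[14:]
    vihl, tos, length, ident, fragoff, ttl, proto, cksum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (vihl & 0x0F) * 4
    pkt["IP"] = {
        "version": vihl >> 4, "ihl": vihl & 0x0F, "tos": tos, "len": length, "id": ident,
        "flags": "DF" if fragoff & 0x4000 else "", "frag": fragoff & 0x1FFF, "ttl": ttl,
        "proto": proto, "chksum": cksum, "chksum_ok": ip_checksum(ip[:ihl]) == 0,
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
    }
    if proto == IPPROTO_TCP:
        tcp = ip[ihl:]
        sport, dport, _seq, _ack, offset, flags = struct.unpack("!HHIIBB", tcp[:14])
        pkt["TCP"] = {"sport": sport, "dport": dport,
                      "flags": "".join(c for c, bit in TCP_FLAG_BITS if flags & bit),
                      "payload_len": len(tcp) - (offset >> 4) * 4}
    return pkt


def summary(pkt: dict) -> str:
    """One-line summary in the style of packet.summary(): 'Ether / IP / TCP a:b > c:d PA / Raw'."""
    parts = ["Ether"]
    if "IP" in pkt:
        parts.append("IP")
    if "TCP" in pkt:
        ip, tcp = pkt["IP"], pkt["TCP"]
        name = lambda p: PORT_NAMES.get(p, str(p))
        parts.append("TCP %s:%s > %s:%s %s" % (ip["src"], name(tcp["sport"]),
                                               ip["dst"], name(tcp["dport"]), tcp["flags"]))
        if tcp["payload_len"]:
            parts.append("Raw")
    return " / ".join(parts)


def host_filter(host: str):
    """Python equivalent of the BPF filter 'host 192.168.1.1': either IP endpoint is the host."""
    def match(pkt):
        ip = pkt.get("IP")
        return ip is not None and host in (ip["src"], ip["dst"])
    return match


def sniff_offline(frames, lfilter=None, count=0, prn=None):
    """Stand-in for sniff(offline=..., filter=..., count=..., prn=...): dissect each frame,
    keep those passing the filter, call prn on each, stop once count packets have been kept."""
    captured = []
    for frame in frames:
        pkt = dissect(frame)
        if lfilter is not None and not lfilter(pkt):
            continue
        if prn is not None:
            prn(pkt)
        captured.append(pkt)
        if count and len(captured) >= count:
            break
    return captured


def ssh_syn_counter(counts: dict):
    """prn-style callback: tally TCP SYNs to port 22 per source IP, a cheap SSH-scanning indicator."""
    def prn(pkt):
        tcp = pkt.get("TCP")
        if tcp and tcp["dport"] == 22 and tcp["flags"] == "S":
            src = pkt["IP"]["src"]
            counts[src] = counts.get(src, 0) + 1
    return prn


# Constructed sample capture: the page's ssh PSH/ACK packet (len=140) plus a few SYNs to port 22.
PSH_ACK, SYN, ACK = 0x18, 0x02, 0x10
FRAMES = [
    build_frame("08:00:27:a5:02:ea", "94:db:c9:aa:aa:aa", "192.168.1.113", "192.168.1.106", 22, 56594, PSH_ACK, b"x" * 100),
    build_frame("74:31:70:c2:aa:aa", "08:00:27:a5:02:ea", "192.168.1.1", "192.168.1.113", 40001, 22, SYN),
    build_frame("74:31:70:c2:aa:aa", "08:00:27:a5:02:ea", "192.168.1.1", "192.168.1.113", 40002, 22, SYN),
    build_frame("94:db:c9:aa:aa:aa", "08:00:27:a5:02:ea", "192.168.1.106", "192.168.1.113", 40003, 22, SYN),
    build_frame("74:31:70:c2:aa:aa", "94:db:c9:aa:aa:aa", "192.168.1.1", "192.168.1.106", 1900, 53593, ACK),
]

if __name__ == "__main__":
    for i, pkt in enumerate(sniff_offline(FRAMES)):
        print("%04d %s" % (i, summary(pkt)))            # same shape as a.nsummary()
    counts = {}
    sniff_offline(FRAMES, lfilter=host_filter("192.168.1.1"), count=2, prn=ssh_syn_counter(counts))
    print(counts)
```

One design point worth knowing when moving from this toy to real Scapy: `filter=` is a BPF string compiled by libpcap and applied in the kernel before a packet ever reaches Python, so it is cheap even on busy links; `host_filter` above corresponds instead to Scapy's `lfilter=` argument, a Python predicate evaluated per packet after dissection, which is where you put conditions BPF cannot express.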
