Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!goblin3!goblin2!goblin.stu.neva.ru!newsfeed.xs4all.nl!newsfeed1.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail
MIME-Version: 1.0
In-Reply-To: <50FF5312.50309@davea.name>
References: <CAN4UfGzwzHJvpY=Er2B2otZMBm=8eVA6FDGejJbirXLZFTXvsg@mail.gmail.com> <50FF5312.50309@davea.name>
Date: Tue, 22 Jan 2013 22:15:29 -0500
Subject: Re: Parse a Wireshark pcap file
From: Kevin Holleran <kdawg44@gmail.com>
To: Dave Angel <d@davea.name>
Content-Type: multipart/alternative; boundary=e0cb4efe31103f248b04d3ec1b1b
Cc: "python-list@python.org" <python-list@python.org>
Precedence: list
Newsgroups: comp.lang.python
Message-ID: <mailman.856.1358910937.2939.python-list@python.org>
Lines: 124
NNTP-Posting-Host: 2001:888:2000:d::a6
Xref: csiph.com comp.lang.python:37402

--e0cb4efe31103f248b04d3ec1b1b
Content-Type: text/plain; charset=ISO-8859-1

Thanks, I have been trying to get it to work but I am on Mac OS 10.8.2.  I
tried to get it from Macports and download/install it myself.  Both seem to
get me to here:

ImportError: No module named dnet

I tried to download libdnet but no matter what I do this is what I get.
 Granted I am doing;

from scapy.all import *


But I have no idea what I need.  I am not trying to craft packets but
filter packets based on tcp.dstport 80 & frame matches signin.aspx.  Then
my goal is to parse the data looking for post vars txtUserId & txtPwd and
extract them, dumping them to the screen as userid_value => password.


Thanks for your help.

--
Kevin Holleran
Master of Science, Computer Information Systems
Grand Valley State University
Master of Business Administration
Western Michigan University
SANS GCFA, SANS GCFE, CCNA, ISA, MCSA, MCDST, MCP

"Do today what others won't, do tomorrow what others can't" - SEALFit

"We are what we repeatedly do. Excellence, then, is not an act, but a
habit." - Aristotle


On Tue, Jan 22, 2013 at 10:03 PM, Dave Angel <d@davea.name> wrote:

> On 01/22/2013 08:32 PM, Kevin Holleran wrote:
>
>> Is there a way to parse out a wireshark pcap file and extract key value
>> pairs from the data?  I am illustrated a sniff of some traffic and why it
>> needs utilize HTTPS instead of HTTP but I was hoping to run the pcap
>> through a python script and just output some interesting key value
>> pairs....
>>
>>
> Sure.  scapy can create and/or parse pcap files.
>
> http://pypi.python.org/pypi/**Scapy <http://pypi.python.org/pypi/Scapy>
>
>
> --
> DaveA
> --
> http://mail.python.org/**mailman/listinfo/python-list<http://mail.python.org/mailman/listinfo/python-list>
>

--e0cb4efe31103f248b04d3ec1b1b
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Thanks, I have been trying to get it to work but I am on M=
ac OS 10.8.2. =A0I tried to get it from Macports and download/install it my=
self. =A0Both seem to get me to here:<div><br></div><div><div>ImportError: =
No module named dnet</div>
</div><div><br></div><div style>I tried to download libdnet but no matter w=
hat I do this is what I get. =A0Granted I am doing;</div><div style>







<p class=3D""><span class=3D"">from</span> scapy.all <span class=3D"">impor=
t</span> *</p><p class=3D""><br></p><p class=3D"" style>But I have no idea =
what I need. =A0I am not trying to craft packets but filter packets based o=
n tcp.dstport 80 &amp;=A0frame matches signin.aspx. =A0Then my goal is to p=
arse the data looking for post vars txtUserId &amp; txtPwd and extract them=
, dumping them to the screen as userid_value =3D&gt; password.</p>
<p class=3D"" style><br></p><p class=3D"" style>Thanks for your help.</p></=
div></div><div class=3D"gmail_extra"><br clear=3D"all"><div><div dir=3D"ltr=
">--<br>Kevin Holleran<br>Master of Science, Computer Information Systems<b=
r>Grand Valley State University<br>
Master of Business Administration<br>Western Michigan University<br><span s=
tyle=3D"font-family:arial;font-size:small">SANS GCFA,=A0</span>SANS GCFE, C=
CNA, ISA, MCSA, MCDST, MCP<br><div><br>&quot;Do today what others won&#39;t=
, do tomorrow what others can&#39;t&quot; - SEALFit<div>
<br></div><div>&quot;We are what we repeatedly do. Excellence, then, is not=
 an act, but a habit.&quot; - Aristotle<br></div></div></div></div>
<br><br><div class=3D"gmail_quote">On Tue, Jan 22, 2013 at 10:03 PM, Dave A=
ngel <span dir=3D"ltr">&lt;<a href=3D"mailto:d@davea.name" target=3D"_blank=
">d@davea.name</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class=3D"HOEnZb"><div class=3D"h5">On 01/22/2013 08:32 PM, Kevin Holle=
ran wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
Is there a way to parse out a wireshark pcap file and extract key value<br>
pairs from the data? =A0I am illustrated a sniff of some traffic and why it=
<br>
needs utilize HTTPS instead of HTTP but I was hoping to run the pcap<br>
through a python script and just output some interesting key value<br>
pairs....<br>
<br>
</blockquote>
<br></div></div>
Sure. =A0scapy can create and/or parse pcap files.<br>
<br>
<a href=3D"http://pypi.python.org/pypi/Scapy" target=3D"_blank">http://pypi=
.python.org/pypi/<u></u>Scapy</a><span class=3D"HOEnZb"><font color=3D"#888=
888"><br>
<br>
<br>
-- <br>
DaveA<br>
-- <br>
<a href=3D"http://mail.python.org/mailman/listinfo/python-list" target=3D"_=
blank">http://mail.python.org/<u></u>mailman/listinfo/python-list</a><br>
</font></span></blockquote></div><br></div>

--e0cb4efe31103f248b04d3ec1b1b--