Newsgroups: comp.lang.python
From: Kevin Holleran
To: Dave Angel
Cc: "python-list@python.org"
Date: Tue, 22 Jan 2013 22:26:00 -0500
Subject: Re: Parse a Wireshark pcap file

I also found this:

http://code.google.com/p/py-greppcap/

Which I can leverage to do what I want but I also get that dnet error!

--
Kevin Holleran
Master of Science, Computer Information Systems
Grand Valley State University
Master of Business Administration
Western Michigan University
SANS GCFA, SANS GCFE, CCNA, ISA, MCSA, MCDST, MCP

"Do today what others won't, do tomorrow what others can't" - SEALFit

"We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle

On Tue, Jan 22, 2013 at 10:15 PM, Kevin Holleran wrote:

> Thanks, I have been trying to get it to work but I am on Mac OS 10.8.2. I
> tried to get it from Macports and download/install it myself. Both seem to
> get me to here:
>
> ImportError: No module named dnet
>
> I tried to download libdnet but no matter what I do this is what I get.
> Granted I am doing;
>
> from scapy.all import *
>
> But I have no idea what I need. I am not trying to craft packets but
> filter packets based on tcp.dstport 80 & frame matches signin.aspx. Then
> my goal is to parse the data looking for post vars txtUserId & txtPwd and
> extract them, dumping them to the screen as userid_value => password.
>
> Thanks for your help.
>
> --
> Kevin Holleran
>
> On Tue, Jan 22, 2013 at 10:03 PM, Dave Angel wrote:
>
>> On 01/22/2013 08:32 PM, Kevin Holleran wrote:
>>
>>> Is there a way to parse out a wireshark pcap file and extract key value
>>> pairs from the data? I am illustrating a sniff of some traffic and why it
>>> needs to utilize HTTPS instead of HTTP but I was hoping to run the pcap
>>> through a python script and just output some interesting key value
>>> pairs....
>>
>> Sure. scapy can create and/or parse pcap files.
>>
>> http://pypi.python.org/pypi/Scapy
>>
>> --
>> DaveA
>> --
>> http://mail.python.org/mailman/listinfo/python-list
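A standard-library way to do what the thread describes, as an added example that is not code from any poster: it reads a classic pcap without scapy or dnet, keeps TCP segments sent to port 80 whose request line is a POST naming signin.aspx, and returns the txtUserId/txtPwd form values that HTTP exposes in cleartext. The function names are hypothetical; it assumes Ethernet/IPv4 framing and a request that fits in one TCP segment (no stream reassembly), and `sample_pcap` builds a constructed capture with made-up credentials.

```python
import struct
from urllib.parse import parse_qs

def read_pcap(data):
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap byte string."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with linktype 1 (Ethernet)")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def tcp_payload(frame, dport=80):
    """Return the TCP payload of an IPv4 frame addressed to dport, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4            # skip Ethernet + IP header
    if len(frame) < tcp + 20 or struct.unpack("!H", frame[tcp + 2:tcp + 4])[0] != dport:
        return None
    ip_end = 14 + struct.unpack("!H", frame[16:18])[0]   # drops Ethernet padding
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:ip_end]

def cleartext_logins(pcap_bytes, page=b"signin.aspx", fields=("txtUserId", "txtPwd")):
    """Return (userid, password) pairs from single-packet POSTs to `page` on port 80."""
    found = []
    for frame in read_pcap(pcap_bytes):
        head, sep, body = (tcp_payload(frame) or b"").partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0]
        if sep and request_line.startswith(b"POST ") and page in request_line:
            form = parse_qs(body.decode("latin-1"))
            if all(f in form for f in fields):
                found.append(tuple(form[f][0] for f in fields))
    return found

def sample_pcap():
    """Constructed capture: one plain-HTTP POST carrying made-up credentials."""
    body = b"txtUserId=alice&txtPwd=example-pass"
    http = b"POST /signin.aspx HTTP/1.1\r\nHost: app.example\r\n\r\n" + body
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    for user, pwd in cleartext_logins(sample_pcap()):
        print(f"{user} => {pwd}")
```

To run it on a real capture, pass `open(path, "rb").read()` to `cleartext_logins`; a pcapng file has to be saved in the classic pcap format first.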