After collecting data by using Wireshark, I started thinking of ways to identify services and hosts in the network.
I found it was quite easy to identify web servers in a network as packets sent by them have a header field called ‘Server’ from which we can identify what server is exactly running like Nginx, Apache, or CISCO IOS server.
Essentially, I wrote a python program that can parse pcap files easily. Although, we’ll need a program that will dynamically capture packets and parse them too, we will see later how will this current program help us.
The following is a code snippet of how I did it:
import dpkt
import socket
data = {}
filename = 'capture.pcap'
pcap = dpkt.pcap.Reader(open(filename,'r'))
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
ip = eth.data
if isinstance(ip.data, dpkt.tcp.TCP):
ipAddress = socket.inet_ntoa(ip.dst)
tcp = ip.data
try:
reply = dpkt.http.Response(tcp.data).headers
except (dpkt.dpkt.NeedData, dpkt.dpkt.UnpackError):
continue
data[ipAddress] = reply['server']
print data
Now, I’m looking for ideas to identify other services too.
Leave a Reply