After finishing a basic pcap parser that discovers web servers running in a network, I wrote a simple Wireshark-like program in Python that can capture any packet, either on a specified interface or on all interfaces.
I wrote two variations of this code: one that captures the raw packets without using any library, and another that uses libpcap.
These programs can run on the machine that the switch sends the mirrored packets to. The reason I wrote a pcap parser last week was to have an option in case the sysadmins want a distributed approach, where packets are captured on one machine, saved to a pcap file and analysed on another. Another advantage, apart from the distributed architecture, is that we can filter out packets we have already identified, or any redundant packets that are not required for analysis.
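To make the two pieces above concrete, here is an added example (my own code, not the program from this post or anything from the project) of the library-free variant: an AF_PACKET raw socket for capture, `struct`-based unpacking of the Ethernet, IPv4 and TCP headers, an IPv4 header checksum check that confirms the headers were unpacked at the right offsets, a minimal classic-pcap writer for the capture-here-analyse-elsewhere hand-off, and a small flow filter for the "drop what we already identified" step. It assumes Linux for the live capture (AF_PACKET and CAP_NET_RAW), handles only IPv4/TCP in detail, and the sample frame, addresses, MACs and function names are all made up for the example.

```python
# Added example, not the author's program or the project's code: raw-socket
# capture with hand-unpacked Ethernet/IPv4/TCP headers, an IPv4 header checksum
# check and a minimal pcap writer. Live capture assumes Linux (AF_PACKET) and
# CAP_NET_RAW; parsing and pcap writing run anywhere. Sample data is made up.
import socket
import struct
import time

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header
TCP = struct.Struct("!HHIIHHHH")        # fixed 20-byte TCP header
ETH_P_ALL, ETHERTYPE_IPV4, IPPROTO_TCP = 0x0003, 0x0800, 6

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_checksum(header: bytes) -> int:
    """IPv4 header checksum; comes out as 0 when computed over an intact header."""
    return (~ones_complement_sum(header)) & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Unpack Ethernet -> IPv4 -> TCP, returning early for other protocols. Slices
    by IPv4 total length (drops Ethernet padding) and by IHL / TCP data offset."""
    if len(frame) < ETH.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETH.unpack_from(frame, 0)
    mac = lambda raw: ":".join("%02x" % b for b in raw)
    out = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return out
    if len(frame) < ETH.size + IPV4.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, saddr, daddr = IPV4.unpack_from(frame, ETH.size)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4.size or total_len < ihl:
        raise ValueError("bad IPv4 version / IHL / total length")
    ip = frame[ETH.size:ETH.size + total_len]
    if len(ip) < total_len:
        raise ValueError("frame shorter than the IPv4 total length")
    out.update(src_ip=socket.inet_ntoa(saddr), dst_ip=socket.inet_ntoa(daddr),
               ttl=ttl, proto=proto, ip_checksum_ok=ipv4_checksum(ip[:ihl]) == 0)
    tcp = ip[ihl:]
    if proto != IPPROTO_TCP:
        out["payload"] = tcp            # not TCP: hand back the raw IP payload
        return out
    if len(tcp) < TCP.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = TCP.unpack_from(tcp, 0)
    data_off = (off_flags >> 12) * 4
    if data_off < TCP.size or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    out.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=window,
               tcp_flags=off_flags & 0x01FF, payload=tcp[data_off:])
    return out

def build_tcp_frame(payload: bytes, sport=54321, dport=80, flags=0x18) -> bytes:
    """Constructed sample frame 10.0.0.1 -> 10.0.0.2 (made-up test data)."""
    tcp = TCP.pack(sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = IPV4.pack(0x45, 0, IPV4.size + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                   socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum
    eth = ETH.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp

SAMPLE_FRAME = build_tcp_frame(b"GET / HTTP/1.1\r\n")

def pcap_bytes(frames, ts=None) -> bytes:
    """Classic little-endian pcap, linktype 1 (Ethernet): the capture-to-analysis hand-off."""
    ts = time.time() if ts is None else ts
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame))
        out += frame
    return out

def new_flows(records, seen):
    """Yield only records whose (src, dst, dst_port) flow is not yet in `seen`."""
    for rec in records:
        key = (rec.get("src_ip"), rec.get("dst_ip"), rec.get("dst_port"))
        if key not in seen:
            seen.add(key)
            yield rec

def capture(interface=None, count=10):
    """Read `count` raw frames (Linux, root or CAP_NET_RAW); None = all interfaces."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    if interface:
        s.bind((interface, 0))
    frames = [s.recv(65535) for _ in range(count)]
    s.close()
    return frames
```

`parse_frame(SAMPLE_FRAME)` runs offline and returns the unpacked fields with `ip_checksum_ok=True`; on a Linux box, `frames = capture("eth0")` followed by writing `pcap_bytes(frames)` to a file produces a capture that Wireshark or the earlier pcap parser can open. Two details worth keeping in mind when unpacking by hand: an AF_PACKET socket hands back the whole frame including the 14-byte Ethernet header, whereas an AF_INET raw socket starts at the IP header, so the offsets differ by 14; and slicing by the IPv4 total length and the TCP data offset, rather than assuming 20-byte headers, is what keeps options and Ethernet padding out of the payload. The checksum check is a cheap way to tell whether the header offsets are right before concluding that the payload itself is unreadable.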
I also spent some time on the SRS report this week, as we had our first review coming up. It went well, and it was good to review the goals of the project again to gain a clearer understanding.
There are a few problems in the programs I wrote this week, where I can't see the data properly. Maybe the data is encrypted, or maybe I'm unpacking it wrong, but the latter seems less likely to me. I aim to complete Passive Service Discovery by the end of this month.