
I need to parse a .pcap file to detect possible SYN scans. I need to be able to display the IP address of any IP addresses that sent 3 times as many SYN packets as the number of SYN+ACK packets they received. Now I have a general idea of how to implement this. My issue is that I do not know how to get the different SYN packets (how to differentiate the sent/received packets) when parsing the pcap file. I have looked at other posts, and the documentation, but have been unlucky.

I started a Python program that starts a bit like this:

    import sys
    import dpkt

    # take in command line argument
    file = sys.argv[1]

    openFile = open(file, "rb")
    pcap = dpkt.pcap.Reader(openFile)

    # each record is (timestamp, raw frame); decode Ethernet -> IP -> TCP
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        if not isinstance(ip, dpkt.ip.IP) or not isinstance(ip.data, dpkt.tcp.TCP):
            continue
        tcp = ip.data

        # not sure about these two lines
        syn_flag = ( tcp.flags & dpkt.tcp.TH_SYN ) != 0
        ack_flag = ( tcp.flags & dpkt.tcp.TH_ACK ) != 0

When I call those last two lines, am I getting all SYN and all ACK packets from the pcap? How do I tell which have been sent/received?

GGMU

1 Answer


I would recommend that you use the Scapy tool that can be found here. Scapy is a packet generation and manipulation tool that gives you a large amount of flexibility to dissect packets. Following is a quick example of what the Scapy code might look like:

    import sys
    from scapy.all import PcapReader, TCP

    SYN = 0x02
    ACK = 0x10

    inFile = sys.argv[1]          # path to the .pcap
    pkts = PcapReader(inFile)
    for p in pkts:
        if TCP not in p:          # skip non-TCP packets
            continue
        F = int(p[TCP].flags)     # flag byte from the TCP header
        if F & SYN and not F & ACK:
            pass                  # Process SYN packet
        elif F & ACK:
            pass                  # Process ACK (or SYN+ACK) packet

Scapy can be used from its interpreter, or you can import the Scapy framework into your own environment.

Brian Cain
  • Thank you very much. I also looked at Scapy. The sample code above is very helpful. I will take a look at it. But I still have the question regarding how I would differentiate between sent/received SYN/ACK packets. @BrianCain – GGMU Dec 01 '15 at 22:44
  • or is it that SYN is the sent, and SYN+ACK is the received? Sorry I am a bit new to all of this. – GGMU Dec 01 '15 at 23:01
  • 1
    Your best bet may be to start with an understanding of how the Transmission Control Protocol (TCP) works. I suggest starting with the wiki page https://en.wikipedia.org/wiki/Transmission_Control_Protocol The page provides a good visual of the TCP header. You are particularly interested in the Flags field. – Brian Cain Dec 02 '15 at 01:36