Merges multiple pcaps into one capture, dumps every TCP stream as ASCII, and percent-decodes (URL-decodes) the result.
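#!/usr/bin/python
"""Merge packet*.pcap files, dump every TCP stream as ASCII and percent-decode it.

Pipeline (run from the directory holding the packet*.pcap files; needs the
Wireshark CLI tools ``mergecap`` and ``tshark`` on PATH):

  1. mergecap  packet*  ->  combined.pcap
  2. tshark -T fields -e tcp.stream  ->  the set of TCP stream indexes present
  3. tshark -q -z follow,tcp,ascii,<n> for each stream, in index order
                                     ->  encoded_streams.txt
  4. %XX-decode every line           ->  decoded_streams.txt

Changes from the original one-shot script:
  * the glob is expanded in Python and handed to mergecap as an argv list
    (no ``shell=True``), and an empty match is an error instead of passing
    the literal ``packet*`` to mergecap;
  * stream indexes are parsed from tshark's output in Python: the field dump
    prints a blank line for every non-TCP packet, which ``sort -u | wc -l``
    counted as one extra stream, and an empty dump crashed ``int('')``;
  * encoded_streams.txt is truncated on each run (it used to be opened in
    append mode inside the loop, so re-runs accumulated old streams) and
    every file handle is closed via ``with``;
  * nothing runs on import; the work is behind ``if __name__ == "__main__"``.

Security note: the stream payloads are attacker-controlled data from the
capture.  tshark's ``ascii`` follow mode replaces non-printable bytes with
'.', but percent-decoding reintroduces raw bytes (``%1b`` -> ESC, ``%0a`` ->
newline), so decoded_streams.txt can carry terminal escape sequences and
line-structure changes.  View it with ``less`` / ``cat -v`` rather than
``cat``, and do not feed it to anything that trusts its line boundaries.
"""
import glob
import subprocess
import sys

try:  # Python 3
    from urllib.parse import unquote
except ImportError:  # Python 2 (the original target of this script)
    from urllib import unquote

COMBINED = "combined.pcap"
ENCODED = "encoded_streams.txt"
DECODED = "decoded_streams.txt"


def merge_captures(pattern="packet*", output=COMBINED):
    """Merge every file matching *pattern* into *output* with mergecap.

    The glob is expanded here and passed as an argv list, so no shell ever
    sees a file name.  Exits with a message when nothing matches and raises
    ``subprocess.CalledProcessError`` when mergecap itself fails.
    """
    files = sorted(glob.glob(pattern))
    if not files:
        sys.exit("no capture files match %r" % pattern)
    subprocess.check_call(["mergecap", "-w", output] + files)


def parse_stream_ids(field_output):
    """Return the sorted, distinct tcp.stream indexes in a ``-T fields`` dump.

    tshark emits one line per packet and an empty line for packets that have
    no tcp.stream field (ARP, UDP, ...).  Blank lines are dropped instead of
    being counted as a stream, and values are sorted numerically so stream 10
    follows stream 9 rather than stream 1.
    """
    ids = set()
    for line in field_output.splitlines():
        line = line.strip()
        if line:
            ids.add(int(line))
    return sorted(ids)


def list_stream_ids(pcap=COMBINED):
    """Run tshark over *pcap* and return its distinct TCP stream indexes."""
    out = subprocess.check_output(
        ["tshark", "-r", pcap, "-T", "fields", "-e", "tcp.stream"]
    )
    if not isinstance(out, str):  # Python 3 returns bytes; indexes are ASCII digits
        out = out.decode("ascii", "replace")
    return parse_stream_ids(out)


def dump_streams(stream_ids, pcap=COMBINED, output=ENCODED):
    """Write the ASCII follow output of each stream in *stream_ids* to *output*.

    *output* is truncated first, so a re-run reflects only the current
    combined capture.  tshark's own exit status per stream is not checked,
    matching the original best-effort ``call``; a stream that produces no
    output simply contributes nothing.
    """
    with open(output, "wb") as f:
        for sid in stream_ids:
            # equivalent to: tshark -r combined.pcap -q -z follow,tcp,ascii,<sid>
            subprocess.call(
                ["tshark", "-r", pcap, "-q", "-z", "follow,tcp,ascii," + str(sid)],
                stdout=f,
            )


def percent_decode_lines(lines):
    """Yield each line of *lines* with %XX escapes decoded.

    Line terminators are preserved as-is; an escape that decodes to a
    newline (``%0a``) will therefore add a line break in the output.  On
    Python 3 the escapes are decoded as UTF-8 with replacement characters
    for invalid sequences, so binary payloads are lossy here.
    """
    for line in lines:
        yield unquote(line)


def decode_file(src=ENCODED, dst=DECODED):
    """Percent-decode *src* line by line into *dst* (overwritten)."""
    with open(src) as fin, open(dst, "wt") as fout:
        for decoded in percent_decode_lines(fin):
            fout.write(decoded)


def main():
    """Run the merge -> enumerate -> follow -> decode pipeline in the CWD."""
    merge_captures()
    stream_ids = list_stream_ids()
    dump_streams(stream_ids)
    decode_file()


if __name__ == "__main__":
    main()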