pcap-ng format to pcap for scapy
editcap -F libpcap team15_ex21.pcap ex21.pcap
select the large flows (>=400 packets)

% (src, dst) : (srctodst, dsttosrc)
%{('113.15.85.25', '179.160.238.111'): (463, 0),
% ('114.176.157.191', '221.72.61.209'): (541, 0),
% ('134.134.122.170', '179.187.246.122'): (419, 0),
% ('179.187.53.117', '129.49.173.82'): (472, 0),
% ('211.2.138.61', '144.66.241.253'): (462, 151),
% ('221.100.234.92', '161.194.49.146'): (547, 0),
% ('8.73.98.88', '144.66.191.77'): (535, 0)}
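The per-pair packet count above is the first triage step: a flow with hundreds of packets in one direction and none back is worth a closer look. The following is an added example (not the notes' own script) that does the same count in pure Python on a classic libpcap file, the format the editcap step above produces, so it runs without scapy. The addresses and the in-memory capture are constructed test data.

```python
import struct
from collections import defaultdict

def ipv4_frame(src, dst, ip_id=0, payload=b""):
    """Build a minimal Ethernet II + IPv4 frame (constructed test data; checksum left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), ip_id, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def build_pcap(frames):
    """Serialize frames into a little-endian libpcap file, the format editcap -F libpcap writes."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

def iter_frames(data):
    """Yield raw frame bytes from a libpcap byte string (either byte order); pcap-ng is rejected."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file; convert pcap-ng with editcap -F libpcap")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def ipv4_endpoints(frame):
    """Return (src, dst, ip_id) for an Ethernet/IPv4 frame, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip_id = struct.unpack("!H", frame[18:20])[0]            # IPv4 Identification field
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, dst, ip_id

def flow_table(data):
    """Count packets per address pair, keyed by the first-seen direction:
    {(a, b): (a->b packets, b->a packets)}, the layout used in the notes above."""
    counts = defaultdict(lambda: [0, 0])
    for frame in iter_frames(data):
        ep = ipv4_endpoints(frame)
        if ep is None:
            continue
        src, dst, _ = ep
        if (dst, src) in counts:        # reverse direction of a pair already seen
            counts[(dst, src)][1] += 1
        else:
            counts[(src, dst)][0] += 1
    return {pair: tuple(c) for pair, c in counts.items()}

def large_flows(table, threshold=400):
    """Keep pairs carrying at least `threshold` packets in either direction."""
    return {pair: c for pair, c in table.items() if max(c) >= threshold}

# Constructed sample capture: 5 packets A->B, 2 packets B->A, 1 packet C->D.
SAMPLE_PCAP = build_pcap(
    [ipv4_frame("192.0.2.10", "192.0.2.20", ip_id=i) for i in range(5)]
    + [ipv4_frame("192.0.2.20", "192.0.2.10", ip_id=i) for i in range(2)]
    + [ipv4_frame("192.0.2.30", "192.0.2.40")]
)

if __name__ == "__main__":
    table = flow_table(SAMPLE_PCAP)
    print(table)
    print(large_flows(table, threshold=3))     # on real data keep the notes' cutoff of 400
```

On a real file, `flow_table(open("ex21.pcap", "rb").read())` gives the same dict shape as the listing above; the threshold of 3 in the demo only exists because the constructed capture is tiny.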
split into separate files

(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111) % large_flow_1.pcap
(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209) % large_flow_2.pcap
(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122) % large_flow_3.pcap
(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82) % large_flow_4.pcap
(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253) % large_flow_5.pcap
(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146) % large_flow_6.pcap
(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77) % large_flow_7.pcap
generate csv from wireshark for full pcap

cat large_flow_2.dehexed.csv | awk -F, '{print $8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits

Data acquired. Key for message (len=42 & pkts>200): nSa123 (Scott)
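The awk/sed chain above reduces each packet to one bit by looking at which of two values the eighth CSV column holds. As an added example (not part of the notes), the same decoding in Python, with two things the shell one-liner does not give you: a list of rows whose value is neither 5950 nor 5960 (a third value means the two-symbol channel model is wrong), and an explicit bit-order choice. The sample CSV is constructed here in the shape of a Wireshark export; the assumption that characters are 8 bits wide, MSB first, is mine and is not stated in the notes.

```python
import csv
import io

def extract_bits(csv_text, column=8, zero="5950", one="5960"):
    """Read the 1-based `column` of each CSV row (awk's $8 in the notes) and map the two
    legal values to bits. Returns (bit string, list of values that were neither)."""
    bits, unexpected = [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < column:
            continue                      # short or empty rows (e.g. a trailing blank line)
        value = row[column - 1].strip()
        if value == zero:
            bits.append("0")
        elif value == one:
            bits.append("1")
        else:
            unexpected.append(value)      # a third value means the channel model is wrong
    return "".join(bits), unexpected

def bits_to_text(bits, msb_first=True):
    """Pack bits into 8-bit characters (assumption: ASCII, MSB first; flip msb_first otherwise).
    Trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        out.append(int(chunk if msb_first else chunk[::-1], 2))
    return out.decode("ascii", errors="replace")

def decode_csv(csv_text, column=8):
    """Full pipeline: CSV -> bits -> text, equivalent to the awk/sed chain in the notes."""
    bits, _ = extract_bits(csv_text, column)
    return bits_to_text(bits)

def sample_csv(text, zero=5950, one=5960):
    """Constructed sample in the shape of a Wireshark CSV export: one packet row per bit
    of `text`, with the eighth column carrying the covert value."""
    rows = []
    for byte in text.encode("ascii"):
        for shift in range(7, -1, -1):
            value = one if (byte >> shift) & 1 else zero
            n = len(rows) + 1
            rows.append(f'"{n}","0.{n:03d}","192.0.2.10","192.0.2.20","UDP","1234","5678","{value}"')
    return "\n".join(rows) + "\n"

if __name__ == "__main__":
    sample = sample_csv("nSa123")
    bits, odd = extract_bits(sample)
    print(len(bits), "bits,", len(odd), "unexpected values")
    print(decode_csv(sample))     # -> nSa123
```

If the text comes out as garbage on real data, the first thing to flip is `msb_first`; the second is to check `unexpected`, since even a handful of stray values shifts every later character.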
pcap-ng format to pcap for scapy
editcap -F libpcap team15_ex22.pcap ex22.pcap

select the large flows (>200 packets and frame.len == 42)

% {('53.151.211.106', '217.115.203.44'): (213, 0)}

ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 and eth.len == 42

save bytes (ipid) from stream to file

try decoding with password from previous task
openssl enc -d -rc4 -nosalt -k nSa123 -in stream_encrypted -out stream_decrypted

tried reversing the bytes (lower byte first, upper byte next)
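The three steps above (collect the 16-bit IP ID of every packet in the flow, write them out as bytes, run the result through `openssl enc -d -rc4 -nosalt -k nSa123`, and if that fails swap the byte order) hide two details that decide whether the decrypt works: how `openssl enc -k` turns a password into an RC4 key, and which default digest the installed OpenSSL uses for that derivation (MD5 up to 1.0.2, SHA-256 from 1.1.0). The following is an added example, not the notes' own script, that makes both explicit and tries the four combinations (two byte orders, two digests) at once. The password is the one from the notes; the plaintext and the IP ID list are constructed here for the demonstration.

```python
import hashlib

def rc4(key, data):
    """Textbook RC4: key scheduling, then XOR with the keystream. Decryption is the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def evp_bytes_to_key(password, key_len, digest="md5", salt=b""):
    """OpenSSL's EVP_BytesToKey with count=1: D_1 = H(password||salt), D_i = H(D_{i-1}||password||salt),
    concatenated until key_len bytes. `openssl enc -k PASS -nosalt` uses this with an empty salt;
    the digest is md5 in OpenSSL <= 1.0.2 and sha256 from 1.1.0 on, so both are worth trying."""
    derived, prev = b"", b""
    while len(derived) < key_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        derived += prev
    return derived[:key_len]

def ipid_stream(ip_ids, low_byte_first=False):
    """Concatenate 16-bit IP ID values into a byte stream. Wireshark shows ip.id with the
    upper byte first (network order); the notes also tried the reversed order."""
    out = bytearray()
    for v in ip_ids:
        hi, lo = (v >> 8) & 0xFF, v & 0xFF
        out += bytes((lo, hi)) if low_byte_first else bytes((hi, lo))
    return bytes(out)

def decrypt_like_openssl(ciphertext, password, digest="md5"):
    """Equivalent of `openssl enc -d -rc4 -nosalt -k PASSWORD` (RC4 here uses a 128-bit key)."""
    return rc4(evp_bytes_to_key(password.encode(), 16, digest), ciphertext)

def printable_ratio(b):
    """Share of bytes that are printable ASCII: a cheap way to rank candidate decodings."""
    return sum(32 <= x < 127 or x in (9, 10, 13) for x in b) / max(len(b), 1)

def candidate_decrypts(ip_ids, password):
    """Try both byte orders and both OpenSSL digest defaults; return {(order, digest): plaintext}."""
    results = {}
    for order in ("hi_first", "lo_first"):
        stream = ipid_stream(ip_ids, low_byte_first=(order == "lo_first"))
        for digest in ("md5", "sha256"):
            results[(order, digest)] = decrypt_like_openssl(stream, password, digest)
    return results

# Constructed sample: a plaintext RC4-encrypted under the notes' password with the MD5 KDF,
# then packed two bytes per IP ID, upper byte first (the order a sender writing ip.id would use).
SAMPLE_PLAINTEXT = b"sample covert payload!"          # even length, so it fills whole IP IDs
SAMPLE_PASSWORD = "nSa123"
_ct = rc4(evp_bytes_to_key(SAMPLE_PASSWORD.encode(), 16, "md5"), SAMPLE_PLAINTEXT)
SAMPLE_IP_IDS = [(_ct[i] << 8) | _ct[i + 1] for i in range(0, len(_ct), 2)]

if __name__ == "__main__":
    ranked = sorted(candidate_decrypts(SAMPLE_IP_IDS, SAMPLE_PASSWORD).items(),
                    key=lambda kv: -printable_ratio(kv[1]))
    for key, pt in ranked:
        print(key, round(printable_ratio(pt), 2), pt[:32])
```

With real data, feed `candidate_decrypts` the ip.id values of the filtered flow in capture order (e.g. from `tshark -T fields -e ip.id`) and look at the candidate with the highest printable ratio; a wrong byte order or wrong digest both give uniformly random-looking output, so neither should be discarded on the basis of one failed attempt.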
trying to decode the second-largest flow:
ip.addr == 96.55.191.225 and ip.addr == 217.115.203.44 and eth.len == 42

found out that scapy removes the frame length from the packet, rewrote the script...

manually create csv files

for i in large_flow_*.csv ; do ./../../only_decimal.sh $i > ${i%.csv}.dehexed.csv ; done

./autocorrelate.sh | grep -v "All values are identical" | sort -k2

-> ./parse_stream_data.py

Agent South was captured! Aborting operation. (Agent Scott)
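The `autocorrelate.sh | grep -v "All values are identical" | sort -k2` step is the screening pass: of all the header fields in a dehexed CSV, throw away the ones that never change and rank the rest by how patterned they are, because a field that should be constant or random but shows structure is the likely carrier. The notes do not show that script, so the following is an added Python version of the same idea (not the original `autocorrelate.sh`): per column it reports the number of distinct values and the lag-1 autocorrelation, and tags constant columns with the same "All values are identical" string so the grep still works. The sample CSV is constructed.

```python
import csv
import io

def to_number(value):
    """Parse a cell as a number; hex like 0x1f is accepted. Returns None if it is not numeric."""
    v = value.strip().strip('"')
    try:
        return int(v, 0)
    except ValueError:
        try:
            return float(v)
        except ValueError:
            return None

def lag1_autocorrelation(xs):
    """Pearson autocorrelation at lag 1: near +1/-1 means strongly patterned consecutive values,
    near 0 means no linear relation between one packet's value and the next."""
    n = len(xs)
    if n < 3:
        return 0.0
    mean = sum(xs) / n
    dev = [x - mean for x in xs]
    denom = sum(d * d for d in dev)
    if denom == 0:
        return 0.0
    return sum(dev[i] * dev[i + 1] for i in range(n - 1)) / denom

def screen_columns(csv_text, header=True):
    """Per column: (name, distinct-value count or a tag, lag-1 autocorrelation or None).
    Constant columns get the tag "All values are identical" so they can be grepped out."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return []
    names = rows[0] if header else [f"col{i + 1}" for i in range(len(rows[0]))]
    data = rows[1:] if header else rows
    report = []
    for idx, name in enumerate(names):
        values = [to_number(r[idx]) for r in data if idx < len(r)]
        nums = [v for v in values if v is not None]
        if not nums:
            report.append((name, "non-numeric", None))
            continue
        if len(set(nums)) == 1:
            report.append((name, "All values are identical", None))
            continue
        report.append((name, len(set(nums)), lag1_autocorrelation(nums)))
    return report

# Constructed sample in the shape of a dehexed export: ttl never changes, len flips between
# two values in pairs (a patterned field), ip.id climbs like a plain counter.
SAMPLE_CSV = "no,ttl,len,ip.id\n" + "\n".join(
    f"{i + 1},64,{5950 if (i // 2) % 2 == 0 else 5960},{0x1000 + i * 7}" for i in range(8)
) + "\n"

if __name__ == "__main__":
    for name, distinct, r1 in screen_columns(SAMPLE_CSV):
        print(f"{name:8} {distinct!s:28} {'' if r1 is None else round(r1, 3)}")
```

Sorting the printed lines on the second field, as the notes do with `sort -k2`, puts the two-valued columns (the shape of the 5950/5960 channel from the first exercise) at the top; a counter-like field such as a normally incrementing ip.id shows a high positive autocorrelation, which is what one would expect from the stack rather than from a covert channel, so a high score alone is not proof.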