DEV Community

Cover image for Simple Wireshark Scripts for Easy Network Forensics
William Baptist
William Baptist

Posted on • Edited on

Simple Wireshark Scripts for Easy Network Forensics

In this article, I’ll show you some practical Python code snippets to simplify network forensics.

Capturing Packets:

With the help of the pyshark library, the script can swiftly grab packets based on filters and save them for further analysis.

To install pyshark, type in the terminal:

pip install pyshark
Enter fullscreen mode Exit fullscreen mode

Then take a look at this code snippet:

import pyshark

#Define capture interface and filter fields
capture = pyshark.LiveCapture(interface='eth0', display_filter='tcp')

#Start capturing packets
capture.sniff(timeout=10)

#Save captured packets to a file
capture.export_packet_stream("packets.pcap")
Enter fullscreen mode Exit fullscreen mode

Analysing Packets:

Now that the packets are captured, let’s analyse them with the next script. Pyshark provides a straightforward way to extract valuable information from captured packets.

Check out this example that extracts the source and destination IP addresses of TCP packets:

import pyshark

#Open the packets file
cap = pyshark.FileCapture("packets.pcap")

#Extract source and destination IP addresses of TCP packets
for pkt in cap:
    if "TCP" in pkt:
        print(f"Source IP: {pkt.ip.src}, Destination IP: {pkt.ip.dst}")
Enter fullscreen mode Exit fullscreen mode

Filtering Packets:

Filtering out noise from captured packets will makes lives much easier. Pyshark allows us to apply display filters to narrow down the packets we analyse.

Let’s see how to filter and count HTTP packets:

import pyshark

#Open the captured packets file
cap = pyshark.FileCapture("packets.pcap")

#Apply a display filter to focus on HTTP packets
cap.set_display_filter('http')

#Count the number of HTTP packets
http_count = 0
for pkt in cap:
    http_count += 1

print(f"Total HTTP packets: {http_count}")
Enter fullscreen mode Exit fullscreen mode

Filtering Packets with a Twist:

Let’s take packet filtering to the next level. Pyshark is not only used for simple filtering but also offers a range of powerful filtering options that can make the analysis even more precise.

Look at this more advanced filtering script using Pyshark:

import pyshark

#Open the captured packets file
cap = pyshark.FileCapture("packets.pcap")

#Apply a complex display filter to focus on specific traffic
cap.set_display_filter('tcp.port == 80 && ip.dst == 192.168.0.1')

#Count the number of filtered packets
filtered_count = 0
for pkt in cap:
    filtered_count += 1

print(f"Total filtered packets: {filtered_count}")
Enter fullscreen mode Exit fullscreen mode

In this example, there is a display filter that targets TCP packets with a destination IP of 192.168.0.1 and a port of 80. Feel free to unleash your creativity and customise the filters based on your specific investigation needs.

Adding a Dash of Visualisation:

Now, let’s bring the network forensics findings to life with some eye-catching visualisations. The Matplotlib library is handy, allowing the creation of captivating charts and graphs.

Install Matplotlib library in terminal with the following:

pip install matplotlib
Enter fullscreen mode Exit fullscreen mode

Then the scapy library:

pip install scapy
Enter fullscreen mode Exit fullscreen mode

Here’s the script that visualises the distribution of IP types for each packet:

from scapy.all import *
import matplotlib.pyplot as plt

#Read the pcap file
packets = rdpcap("packets.pcap")

#Dictionary to store protocol counts
protocol_counts = {}

#Iterate over the captured packets
for pkt in packets:
    if IP in pkt:
        protocol = pkt[IP].proto
        protocol_counts[protocol] = protocol_counts.get(protocol, 0) + 1

#Prepare data for the diagram
protocols = list(protocol_counts.keys())
count_values = list(protocol_counts.values())

#Plotting the diagram
plt.bar(protocols, count_values)
plt.xlabel('Protocol')
plt.ylabel('Count')
plt.title('Protocol Distribution')
plt.show()
Enter fullscreen mode Exit fullscreen mode

The script reads the pcap file that was created from Wireshark and iterates over the captured packets, counting the occurrences of different IP protocols. The diagram created provides insights into the protocol distribution, helping to understand the composition of the network traffic captured in the pcap file.

You’ll be able to witness the the occurrences of different IP protocols, all in a beautifully rendered chart:

From crafting precise display filters to visualising packet characteristics, Python and Wireshark scripting empowers us to navigate the intricate digital realm with clarity.

Capture, analyse, filter, and visualise your way to the heart of your network’s darkest mysteries. Happy scripting and may your investigations be as smooth as my packet capture visualisation.

Top comments (0)