Homework solutions
First homework solution
In homework1.pcapng we see a tunnel over ICMP: the payload is carried in the data field of echo packets sent from 192.168.200.81, eight bytes per packet.
Solution with bash
tshark -2 -R "((icmp) && (ip.src == 192.168.200.81)) && (data.len == 8)" -r homework1.pcapng -T fields -e data | xxd -r -p > result.jpg
If you are solving this on Windows, use a hex-to-file converter in place of xxd.
Second homework solution
In homework2.pcapng we see a tunnel over DNS, but the DNS channel also carries legitimate requests, so the tunnel queries have to be selected by their domain (vairelt.disasm.me) before the data can be extracted. We can use pyshark for this.
Because DNS runs over UDP, repeated (retransmitted) queries must be filtered out, otherwise the same chunk is appended twice.
Solution with pyshark
import pyshark
import base64

# Only DNS packets are needed; pyshark applies the display filter for us.
cap = pyshark.FileCapture("homework2.pcapng", display_filter="dns")
result = b""
previous = b""
for data in cap:
    # Keep only queries (flags_response == '0') for the tunnel domain;
    # legitimate lookups and the server's responses are skipped.
    if ("vairelt.disasm.me" in data.dns.qry_name) \
            and data.dns.flags_response == '0':
        # get request hostname
        current = data.dns.qry_name.encode()
        # strip the tunnel domain, leaving only the encoded chunk
        current = current.replace(b".vairelt.disasm.me", b"")
        # a query identical to the previous one is a UDP retransmission
        if current != previous:
            result += current
            previous = current
# The concatenated chunks are one base64 string holding the image.
img = base64.b64decode(result)
with open("result.jpg", "wb") as f:
    f.write(img)
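The reassembly step above, as an added example that does not need pyshark or the capture and is not part of the original solution: it runs the same suffix filter and consecutive-duplicate check over a list of query names, also drops the dots a long chunk acquires when it is split into 63-byte DNS labels, and checks the result for the JPEG signature. The constructed sample traffic, the 20-character chunk size and the function names are assumptions; only the tunnel domain comes from the homework.

```python
import base64
from typing import Iterable, List

TUNNEL_SUFFIX = ".vairelt.disasm.me"  # tunnel domain seen in homework2.pcapng


def extract_tunnel_payload(query_names: Iterable[str], suffix: str = TUNNEL_SUFFIX) -> bytes:
    """Reassemble base64 data carried in DNS query names (hypothetical helper).

    query_names: hostnames of DNS queries in capture order; responses are
    expected to be excluded by the caller, as the pyshark solution does.
    Only consecutive duplicates are dropped: a UDP retransmission repeats the
    same name back-to-back, while a chunk that happens to recur later in the
    stream is real data and must be kept.
    """
    chunks: List[str] = []
    previous = None
    for name in query_names:
        if not name.endswith(suffix):
            continue                      # legitimate, non-tunnel query
        chunk = name[: -len(suffix)]
        if chunk == previous:
            continue                      # retransmission of the same chunk
        # Chunks longer than 63 bytes arrive as several labels; remove the dots.
        chunks.append(chunk.replace(".", ""))
        previous = chunk
    return base64.b64decode("".join(chunks))


def looks_like_jpeg(data: bytes) -> bool:
    # A JPEG file starts with the SOI marker FF D8 FF.
    return data[:3] == b"\xff\xd8\xff"


# Constructed sample standing in for the capture: a tiny JPEG-like blob,
# base64-encoded, cut into 20-character queries, with one retransmitted
# query and one legitimate lookup mixed in (all values are made up).
SAMPLE_FILE = b"\xff\xd8\xff\xe0" + bytes(range(64)) + b"\xff\xd9"
_b64 = base64.b64encode(SAMPLE_FILE).decode()
_chunks = [_b64[i:i + 20] for i in range(0, len(_b64), 20)]
SAMPLE_QUERIES = [
    _chunks[0] + TUNNEL_SUFFIX,
    _chunks[0] + TUNNEL_SUFFIX,           # retransmitted query
    "www.example.com",                    # legitimate lookup
] + [c + TUNNEL_SUFFIX for c in _chunks[1:]]

if __name__ == "__main__":
    payload = extract_tunnel_payload(SAMPLE_QUERIES)
    print(len(payload), "bytes recovered, JPEG signature:", looks_like_jpeg(payload))
```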