
Investigate using wireshark to dissect protocols

Open glaslos opened this issue 10 years ago • 4 comments

Wireshark has powerful dissectors for many of the protocols of interest to us. There are a couple of libraries to interface with wireshark: https://github.com/KimiNewt/pyshark and https://github.com/lukaslueg/wirepy

glaslos, Jan 13 '15 14:01

Cool, so there's not even a need to wrap the C code directly?

adepasquale, Jan 13 '15 14:01

If you can feed them the proper data from inside Conpot I assume your assumption is true :)

glaslos, Jan 13 '15 14:01

I don't think calling tshark for every packet is a good idea, anyway this could work: https://github.com/KimiNewt/pyshark/blob/master/src/pyshark/capture/inmem_capture.py#L69

adepasquale, Jul 08 '15 12:07

LGTM. You might be able to tie this to our session handler to have a packet consumer per active session.

glaslos, Jul 15 '15 08:07