- Understand how Scapy can be used to read and interpret pcap files.
- Explore and experiment with different functions in Scapy.
- Find out the OS from pcap packet content using the approaches given below.
There are several signs that hint at the OS, but none of them is 100% reliable, so combine as many as you can. Look for:
- Typical values for MSS and window size in TCP connections (read them from the client's SYN, before negotiation changes them)
- RTT values: http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting
- Protocols characteristic of a certain OS (NetBIOS, etc.)
- Signs of certain client software (browser User-Agent, service banners, etc.)
- TCP source ports used; the ephemeral port ranges differ between OSes
- IP ID values and how they change from packet to packet; the increment pattern differs between OSes
- Extract GET/POST requests.
- Look for the User-Agent string in the HTTP headers.
- In the User-Agent, find the OS (it is client-supplied, so treat it as a hint, not proof).
- When looking for malicious traffic, monitor the HTTP status codes, in particular 302 redirections that bounce the client to another host.
- Analyze the hexdump to find signatures related to tools such as Metasploit. For example, the ASCII string metasploit is 6D 65 74 61 73 70 6C 6F 69 74 in hex; match case-insensitively, as the string may be capitalised.
- Analyze unique strings in the hexdump to identify the OS, services, etc.
- Identify other network devices such as firewalls, switches and routers.
- Use the gnuplot Python bindings (Gnuplot.py) to plot values such as IP ID or RTT against time.
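The following is an added example, not code from the original page or from the Scapy project, that walks the checklist above on a tiny capture. It builds a constructed pcap in memory (the hosts, ports, IP IDs, window sizes, User-Agent strings and HTTP payloads are all made up), parses it with the standard library only so it runs without Scapy installed, and extracts the SYN MSS/window values, the per-host IP ID sequence, GET/POST request lines, User-Agent strings, 302 responses and the metasploit byte signature. The `os_from_syn` table is a p0f-style heuristic and, like the page says, not a reliable identification. With Scapy the same fields come from `rdpcap()` as `pkt[IP].id`, `pkt[IP].src`, `pkt[TCP].sport`, `pkt[TCP].window`, `pkt[TCP].options` (a list such as `[('MSS', 1460)]`) and `pkt[Raw].load`.

```python
import socket
import struct

def pcap_bytes(frames):
    """Wrap raw Ethernet frames in a little-endian pcap (link type 1). Constructed data."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_frame(src, dst, sport, dport, ip_id, flags, window, payload=b"", mss=None):
    """Build Ethernet/IPv4/TCP with an optional MSS option; checksums are left at 0."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags, window, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def iter_frames(pcap):
    """Yield (ts_sec, frame) from pcap bytes; byte order is taken from the magic."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return the fingerprint-relevant fields of an IPv4/TCP frame, or None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if ip[9] != 6 or len(tcp) < 20:
        return None
    sport, dport, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    mss, opts, i = None, tcp[20:doff], 0
    while i < len(opts) and opts[i] != 0:            # walk TCP options until EOL
        if opts[i] == 1:                              # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:     # truncated or malformed option
            break
        if opts[i] == 2 and opts[i + 1] == 4:         # kind 2 = MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"src": socket.inet_ntoa(ip[12:16]), "ip_id": struct.unpack("!H", ip[4:6])[0],
            "sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "window": window, "mss": mss, "payload": tcp[doff:]}

def os_from_syn(window, mss):
    """p0f-style hint from the client's SYN; a heuristic, never proof."""
    if window in (5840, 29200) and mss == 1460:
        return "Linux"
    if window == 8192:
        return "Windows 7+"
    if window == 65535:
        return "Windows XP/2003 or BSD"
    return "unknown"

def os_from_user_agent(ua):
    ua = ua.lower()   # order matters: Android UAs also say "Linux", iPhone UAs say "Mac OS X"
    for needle, name in (("windows nt", "Windows"), ("android", "Android"),
                         ("iphone", "iOS"), ("mac os x", "macOS"), ("linux", "Linux")):
        if needle in ua:
            return name
    return "unknown"

SIGNATURES = {b"metasploit": "metasploit"}   # 6D 65 74 61 73 70 6C 6F 69 74, matched case-insensitively

def analyze(pcap):
    r = {"syn": [], "ip_ids": {}, "requests": [], "user_agents": [], "redirects": 0, "signatures": []}
    for _, frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        r["ip_ids"].setdefault(p["src"], []).append(p["ip_id"])
        if p["flags"] & 0x12 == 0x02:                  # SYN without ACK: the client's first packet
            r["syn"].append((p["src"], p["sport"], p["mss"], p["window"], os_from_syn(p["window"], p["mss"])))
        pl = p["payload"]
        if pl[:4] in (b"GET ", b"POST"):
            head = pl.split(b"\r\n\r\n", 1)[0]
            r["requests"].append(head.split(b"\r\n", 1)[0].decode("ascii", "replace"))
            for h in head.split(b"\r\n")[1:]:
                if h.lower().startswith(b"user-agent:"):
                    ua = h.split(b":", 1)[1].strip().decode("ascii", "replace")
                    r["user_agents"].append((p["src"], ua, os_from_user_agent(ua)))
        elif pl.startswith(b"HTTP/1.") and pl[9:12] == b"302":
            r["redirects"] += 1
        for sig, name in SIGNATURES.items():
            if sig in pl.lower():
                r["signatures"].append((p["src"], name))
    return r

def ip_id_pattern(ids):
    """Windows-style stacks tend to increment IP ID by 1 globally; others randomise it."""
    if len(ids) < 2:
        return "insufficient"
    return "sequential" if all(b - a == 1 for a, b in zip(ids, ids[1:])) else "non-sequential"

# Constructed capture: a Linux-looking and a Windows-looking client talking to a TEST-NET server.
SAMPLE = pcap_bytes([
    tcp_frame("10.0.0.5", "192.0.2.10", 45678, 80, 41233, 0x02, 29200, mss=1460),
    tcp_frame("10.0.0.7", "192.0.2.10", 49800, 80, 100, 0x02, 8192, mss=1460),
    tcp_frame("10.0.0.7", "192.0.2.10", 49800, 80, 101, 0x18, 8192,
              b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n"),
    tcp_frame("192.0.2.10", "10.0.0.7", 80, 49800, 5000, 0x18, 65535,
              b"HTTP/1.1 302 Found\r\nLocation: http://example.com/landing\r\n\r\n"),
    tcp_frame("10.0.0.5", "192.0.2.10", 45678, 80, 8877, 0x18, 29200,
              b"POST /upload HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\nMetasploit"),
])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

To run it on a real capture, replace `SAMPLE` with the bytes of a pcap file; the parser ignores non-IPv4/non-TCP frames and only handles the classic pcap format, not pcapng.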