Carving Exfiltrated Network Data from a Hack (Python & Scapy)

  • Published 3 Oct 2024

Comments • 45

  • @jormawuorio2079 1 year ago +24

    You constantly making these small tutorials for CTFs makes me really want to get back into hacking, so thank you so much for all your work here!

  • @tacozmacleo 1 year ago +19

    First I would use the Wireshark built-in filter. File -> 'strip headers...', select ip, add filter: `ip.flags.rb != 1`, click OK. Then right-click a packet and click Follow -> 'UDP stream'.
    But if you do want to use the command line it is easier with tcpdump: `tcpdump 'ip[6] != 128' -Ar EBE.pcap`, and if the print should be on one line, fix that with `awk`, while also removing all the packet info.

  • @AJ_s257 1 year ago +28

    John never disappoints

  • @luketurner314 1 year ago +7

    11:35
    import sys
    from scapy.all import *
    # Keep only the packets whose IP "evil" flag (the RFC 3514 reserved bit) is clear, then concatenate their raw payloads in capture order
    print(b"".join([p[Raw].load for p in rdpcap(sys.argv[1]) if "evil" not in p[IP].flags]).decode("utf-8"))
    And now you can use it on any .pcap file. It will throw an error if you don't provide a filename as the first argument on the command line.

  • @nimoo1929 1 year ago +6

    Learned new things about scapy. I used to use pyshark. Thank you, sir.

    • @ilusions4 1 year ago +2

      very cool, bro

  • @donttrusttheape 1 year ago +7

    That's awesome again. I think you should make a video on the most useful Python libraries for CTFs/penetration testing. I've noticed a weird thing: sponsor ads are usually annoying, but John somehow chooses the right ones (not advertising lingerie, drinks, or other unrelated stuff), and makes them interesting.
    For scapy, just pip install scapy --upgrade fixes errors.

    • @dieSpinnt 1 year ago

      What is so bad about John in lingerie?
      Man ... be a little bit more open minded!
      Hehehe:)

  • @jnorris8649 1 year ago +1

    Found out about your channel through Network Chuck. You guys rock!
    Sort of new to Wireshark, and have been able to capture some BLE transmissions between my phone and a wireless thermometer just for tinkering. Never was able to make sense of what the heck to do with the massive .pcap file. I look forward to reading the docs for the “scapy” library to see what all cool stuff I might be able to do with it.
    Thanks so much for your awesome tutorials!

  • @CybrJames 1 year ago

    This was awesome. I feel dumb when watching your videos, lol. I miss your TH-cam videos. I have a long way to go, but you, sir, are a GOD, and we newbies appreciate all you do.

  • @_AN203 1 year ago +1

    Appreciate the content...
    And the outro music as well...
    Good job editor...
    Please more...

  • @CyberxploitHausa 1 year ago +3

    Super awesome John

  • @TheBenSanders 1 year ago

    Great video John!
    Helped seeing a use case too as I’m learning Python myself.

  • @cireepix1204 1 year ago

    Don't ever take the red pill man...we'd miss you. Another great video...

  • @d3stinYwOw 1 year ago

    Scapy is great not only for packet inspection, but also as easy to use building base layer for new things ;) And please, update your scapy to 2.5.0 :D

  • @MyurrDurr 1 year ago

    That's so satisfying seeing it just present the flag like that!

  • @tonym5857 1 year ago

    Great video, nice to use Python Libs 👏👏👏

  • @simonbeaupre613 1 year ago

    Really nice tutorial. Thanks

  • @ZaraThePassionate 1 year ago +1

    Hey there from Va

  • @Ner0x42 1 year ago

    Something to play with when I get home later now!

  • @CyberAI1 1 year ago

    You are my master

  • @IonutE 1 year ago +7

    Why would anyone sane abide by RFC 3514?
    It makes no sense as an attacker to intentionally announce the attack within the packet? o.O
    Also can't unsee that it was published on April 1, 2003, also known as April Fool's Day :/

    • @somebodystealsmyname 1 year ago +7

      It is not a "real" thing but an april fools joke by Steve Bellovin.

    • @nordgaren2358 1 year ago

      Because they needed a theme for a CTF. :P

    • @jenslink9861 1 year ago +3

      And many RFCs published with this date are worth reading. My favorite is RFC1925. When you read many RFCs you'll notice that only the ones published on April 1st mention the day. All others have Month / Year as publishing date.

  • @dark_hyrax5007 1 year ago

    Yo this RFC made no sense to me. Why would attackers want us to know that their traffic is evil? And then I did some googling and found out it was published on April 1st :/

  • @jenslink9861 1 year ago +3

    You wanted a one-liner, you get a one-liner. Can you try the following with the pcap file?
    tshark -Y "ip.flags.rb==0" -r EBE.pcap -Tfields -e data | xxd -r -p

  • @Rahulsharma-d3n 1 year ago +1

    Hi John

  • @arianahmadi1227 1 year ago

    best

  • @laurenlewis4189 1 year ago +3

    "List Comprehension" you say? "Cramming your code verbatim all onto one line for no good reason" you say? ("To shreds" you say?)
    from scapy.all import *
    # Concatenate the raw payload of every packet whose IP "evil" flag is clear
    print(b"".join([packet[Raw].load for packet in rdpcap("./EBE.pcap") if "evil" not in packet[IP].flags]).decode("utf-8"))
    For extra credit, here's the same thing but also technically a one-liner shell command:
    python3 -c 'from scapy.all import *; print(b"".join([packet[Raw].load for packet in rdpcap("./EBE.pcap") if "evil" not in packet[IP].flags]).decode("utf-8"))'

  • @infinix_6586 1 year ago

    I have a question: is it possible to crack the password from wpa2.pcap using programming without a wordlist, brute force...🤔

  • @MidnightSpecter43 1 year ago

    🤩

  • @The_Throngler-tf2 1 year ago

    One liner

  • @Smiley_face12 1 year ago +1

    4th comment buddy

  • @MrBergg 1 year ago +1

    me first

  • @i08x25 1 year ago

    First ong

  • @konfushon 1 year ago +2

    here's a horrendous one-liner:
    tshark -Y "ip.flags.rb==0" -r EBE.pcap -Tfields -e data | xxd -r -p
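
The scapy one-liners above (@luketurner314, @laurenlewis4189) and the tshark/xxd pipeline (@jenslink9861, @konfushon) all carve the same way: keep the packets whose IPv4 reserved "evil" bit is clear and concatenate their payloads in capture order. As an added example, not code from the video or from any commenter, here is that carve done with only the Python standard library, so it runs without scapy or tshark installed: it walks the pcap record layout and the Ethernet/IPv4/UDP/TCP headers by hand and tests byte 6 of the IP header for the 0x80 bit, which is the same bit `ip.flags.rb` and `ip[6]` refer to. The capture it carves is constructed inline (the flag text, MAC/IP addresses and ports are made up); the sample builder also lets you generate a test pcap for the scapy and tshark versions. Pass a real pcap path as the first argument to run it on another file.

```python
import struct
import sys

# RFC 3514's "evil" bit is the IPv4 reserved flag: bit 15 of the flags/fragment
# field, i.e. 0x80 in byte 6 of the IP header (Wireshark: ip.flags.rb).
EVIL_BIT = 0x8000
LINKTYPE_ETHERNET = 1


def _ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_frame(payload: bytes, evil: bool) -> bytes:
    """Build an Ethernet/IPv4/UDP frame carrying `payload`; set the evil bit if asked.
    Addresses and ports are made up (constructed sample data)."""
    udp = struct.pack("!HHHH", 4444, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1,
                     EVIL_BIT if evil else 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]   # fill in checksum
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"                  # dst, src, IPv4
    return eth + ip + udp


def build_pcap(frames) -> bytes:
    """Minimal little-endian pcap file (LINKTYPE_ETHERNET), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def carve_payloads(pcap: bytes, keep_evil: bool = False) -> bytes:
    """Concatenate, in capture order, the UDP/TCP payloads of every IPv4 packet
    whose evil bit is clear (or set, when keep_evil=True)."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"        # written little-endian (microsecond or nanosecond stamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")

    chunks = []
    off = 24                                          # first record after the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 over plain Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        flags_frag = struct.unpack("!H", ip[6:8])[0]
        if bool(flags_frag & EVIL_BIT) != keep_evil:
            continue                                  # this is the filter the one-liners apply
        transport = ip[ihl:total_len]                 # slicing to total_len drops trailer padding
        proto = ip[9]
        if proto == 17:                               # UDP: fixed 8-byte header
            payload = transport[8:]
        elif proto == 6 and len(transport) >= 20:     # TCP: header length from the data offset
            payload = transport[(transport[12] >> 4) * 4:]
        else:
            continue
        if payload:
            chunks.append(payload)
    return b"".join(chunks)


# Constructed capture: flag fragments interleaved with evil-flagged decoy packets.
SAMPLE_PIECES = [(False, b"flag{"), (True, b"NOT_THE_"), (False, b"evil_bit_"),
                 (True, b"FLAG"), (False, b"carved}\n")]
SAMPLE_PCAP = build_pcap([udp_frame(data, evil) for evil, data in SAMPLE_PIECES])


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    sys.stdout.write(carve_payloads(capture).decode("utf-8", errors="replace"))
```

Run with no arguments and it prints `flag{evil_bit_carved}` from the constructed capture; `carve_payloads(data, keep_evil=True)` shows what the decoys contained, which is the quick sanity check that the filter is on the right bit. Writing `SAMPLE_PCAP` to disk gives a file on which `rdpcap` or `tshark -Y "ip.flags.rb==0"` should produce the same string.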

  • @yourmomandme69 1 year ago

    Hey John, why don't you make a course?

  • @HarvestHaven09 1 year ago +1

    Ultimate 🥏

    • @Smiley_face12 1 year ago +2

      Wow you are the first ever comment!