picatz
/ packet_summary.rb
Created
November 5, 2016 20:57
A sample of how to use packetfu to capture traffic and parse packets to get a basic, readable summary in the terminal.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'packetfu' | |
| # iface becomes the default routeable interface | |
| iface = PacketFu::Utils.default_int | |
| # cap starts capturing packets on iface | |
| cap = PacketFu::Capture.new(:iface => iface, :start => true) | |
| # will parse packets providing summary data of packet contents | |
| cap.stream.each do | packet | |
picatz
/ iface_summary.rb
Created
November 5, 2016 21:09
Example use case to use packetfu to get basic iface information.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'packetfu' | |
| # iface becomes the default routeable interface | |
| iface = PacketFu::Utils.default_int | |
| # config will determine the ifconfig data for iface | |
| config = PacketFu::Utils.ifconfig(iface) | |
| # print out some of the relevant information | |
| puts " iface: " + config[:iface] |
picatz
/ packet_type_summary.rb
Last active
November 5, 2016 21:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'packetfu' | |
| iface = PacketFu::Utils.default_int | |
| cap = PacketFu::Capture.new(:iface => iface, :start => true) | |
| # create an empty hash that starts for our base stats | |
| stats = Hash.new(0) | |
| # a hash inside of stats for types, which also starts at 0 | |
| stats[:types] = Hash.new(0) |
picatz
/ bpf_examle.rb
Created
November 5, 2016 23:35
PacketFu example setting a Berkeley Packet Filter syntax for a capture.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'packetfu' | |
| # get the default routable interface | |
| iface = PacketFu::Utils.default_int | |
| # Get my local ip | |
| my_ip = PacketFu::Utils.ifconfig(iface)[:ip_saddr] | |
| # Create a new capture on the en0 interface, just because I can | |
| cap = PacketFu::Capture.new(:iface => 'en0') |
picatz
/ ssh_connection_statistics.rb
Last active
November 6, 2016 00:24
A very simple sample of using PacketFu to be able to keep statistics of your machines ssh connections using ipv4 on port 22.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'packetfu' | |
| class SshStatistics | |
| attr_accessor :stats | |
| # initialize() is the method that is called | |
| # when we create a new SshStatistics object. | |
| # | |
| # == Example | |
| # |
picatz
/ simple_ids.rb
Last active
November 6, 2016 00:40
Example modified/extracted from PacketFu's example code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'packetfu' | |
| iface = PacketFu::Utils.default_int | |
| cap = PacketFu::Capture.new(:iface => iface, :start => true, :filter => "ip") | |
| attack_patterns = ["^gotcha", "owned!*$", "^\x04[^\x00]{50}"] | |
| loop do | |
| cap.stream.each do |pkt| |
picatz
/ packetfu_and_pry.rb
Last active
November 6, 2016 00:49
An example of using packetfu and pry
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'packetfu' | |
| require 'pry' | |
| iface = PacketFu::Utils.default_int | |
| cap = PacketFu::Capture.new(:iface => iface, :start => true) | |
| cap.stream.each do | packet | | |
| # will dump you into a pry repl | |
| binding.pry | |
| end |
picatz
/ web_server_api_example.rb
Last active
November 6, 2016 05:12
An simple sinatra application to act as a demo for my lsof and fosl examples.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'sinatra' | |
| require 'json' | |
| set :port, 80 | |
| get '/time' do | |
| content_type :json | |
| { :time => Time.now }.to_json | |
| # => {"time":"2016-11-06 01:11:42 -0400"} | |
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'fosl/parser' | |
| pid = "27869" | |
| parser = FOSL::Parser.new | |
| data = parser.lsof("-p #{pid}") | |
| # => example output ... | |
| # data => {27869=> | |
| # #<FOSL::Process:0x00000001c64480 | |
| # @command="ruby", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'fosl/parser' | |
| # -P : Do not resolve port names | |
| # -n : Do not resolve hostnames | |
| parser = FOSL::Parser.new | |
| all_data = parser.lsof("-Pn") | |
| # store statistics | |
| stats = Hash.new(0) | |
| stats[:users] = [] |
OlderNewer