$ scapy

                     Welcome to Scapy
                     Version 2.4.0

                     https://github.com/secdev/scapy

                     Have fun!

                     Craft packets like it is your last
                     day on earth.
                                  -- Lao-Tze

using IPython 5.8.0

>>> # read pcap file into a var using rdpcap()
>>> pcap = rdpcap("2019-04-15-traffic-analysis-exercise.pcap")
>>> pcap
<2019-04-15-traffic-analysis-exercise.pcap: TCP:10521 UDP:276 ICMP:0 Other:10>

>>> # render image showing conversations and participants
>>> pcap.conversations()

>>> pcap.sessions()
{'IP 10.0.90.175 > 224.0.0.22 proto=igmp': ,
 ....
 'TCP 10.0.90.175:49184 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49185 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49186 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49187 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49188 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49189 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49190 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49191 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49192 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49193 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49194 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49196 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49197 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49198 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49303 > 10.0.90.9:49155': ,
 'TCP 10.0.90.175:49304 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49305 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49306 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49307 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49308 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49309 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49310 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49311 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49312 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49313 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49314 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49315 > 185.136.169.160:443': ,
 'TCP 10.0.90.175:49316 > 10.0.90.9:135': ,
 'TCP 10.0.90.175:49317 > 10.0.90.9:49155': ,
 'TCP 10.0.90.175:49318 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49319 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49320 > 10.0.90.9:88': ,
 'TCP 10.0.90.175:49322 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49323 > 208.91.197.91:443': ,
 'TCP 10.0.90.175:49324 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49353 > 10.0.90.9:49155': ,
 'TCP 10.0.90.175:49354 > 10.0.90.9:135': ,
 'TCP 10.0.90.175:49355 > 10.0.90.9:49155': ,
 'TCP 10.0.90.175:49356 > 10.0.90.9:49158': ,
 'TCP 10.0.90.175:49357 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49358 > 10.0.90.9:389': ,
 'TCP 10.0.90.175:49359 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49360 > 185.158.249.39:443': ,
 'TCP 10.0.90.175:49361 > 185.158.249.39:443': ,
 'TCP 10.0.90.175:49362 > 198.54.125.57:443': ,
 'TCP 10.0.90.175:49363 > 109.230.199.24:443': ,
 'TCP 10.0.90.175:49364 > 109.230.199.24:443': ,
 'TCP 10.0.90.175:49365 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49366 > 109.230.199.24:443': ,
 'TCP 10.0.90.175:49367 > 109.230.199.24:443': ,
 'TCP 10.0.90.175:49368 > 109.230.199.24:443': ,
 'TCP 10.0.90.175:49369 > 198.54.115.33:443': ,
 'TCP 10.0.90.175:49370 > 10.0.90.9:445': ,
 'TCP 10.0.90.175:49371 > 176.10.125.110:443': }

>>> pcap.display()
....
10799 Ether / IP / TCP 176.10.125.110:https > 10.0.90.175:49396 PA / Raw
10800 Ether / IP / TCP 10.0.90.175:49396 > 176.10.125.110:https A
10801 Ether / IP / TCP 176.10.125.110:https > 10.0.90.175:49396 FPA
10802 Ether / IP / TCP 10.0.90.175:49396 > 176.10.125.110:https A
10803 Ether / IP / TCP 176.10.125.110:https > 10.0.90.175:49397 PA / Raw
10804 Ether / IP / TCP 10.0.90.175:49397 > 176.10.125.110:https A
10805 Ether / IP / TCP 10.0.90.175:49396 > 176.10.125.110:https FA
10806 Ether / IP / TCP 176.10.125.110:https > 10.0.90.175:49396 A

>>> pcap[10806]

>>> pkt = pcap[10806]
>>> pkt.show()
###[ Ethernet ]###
  dst= d0:67:e5:b1:53:fa
  src= 20:e5:2a:b6:93:f1
  type= 0x800
###[ IP ]###
     version= 4
     ihl= 5
     tos= 0x0
     len= 40
     id= 17089
     flags=
     frag= 0
     ttl= 128
     proto= tcp
     chksum= 0x65e7
     src= 176.10.125.110
     dst= 10.0.90.175
     \options\
###[ TCP ]###
        sport= https
        dport= 49396
        seq= 3052274181
        ack= 3845137964
        dataofs= 5
        reserved= 0
        flags= A
        window= 64239
        chksum= 0x9cbc
        urgptr= 0
        options= []

>>> pkt[IP].src
'176.10.125.110'
>>> pkt[IP].dst
'10.0.90.175'
>>> pkt[TCP].dport
49396

>>> hexdump(pkt)
0000  D067E5B153FA20E52AB693F108004500  .g..S. .*.....E.
0010  002842C10000800665E7B00A7D6E0A00  .(B.....e...}n..
0020  5AAF01BBC0F4B5EE0205E530262C5010  Z..........0&,P.
0030  FAEF9CBC0000

>>> src_ips = set()
>>> for p in pcap:
...:     try:
...:         src_ips.add(p[IP].src)
...:     except:
...:         pass
...:

>>> src_ips
{'10.0.90.175',
 '10.0.90.9',
 '104.73.85.137',
 '109.230.199.24',
 '151.106.27.208',
 '162.213.250.131',
 '176.10.125.110',
 '185.136.169.160',
 '185.139.69.88',
 '185.158.249.39',
 '185.212.47.167',
 '187.188.166.192',
 '198.54.115.33',
 '198.54.125.57',
 '208.67.222.222',
 '208.91.197.91',
 '216.98.148.157',
 '23.218.156.11',
 '37.230.112.226',
 '68.65.122.52',
 '72.21.81.200',
 '85.114.134.49',
 '89.163.144.224',
 '91.240.87.19'}
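The session above leans on three Scapy calls: rdpcap() to load the capture, sessions() to group packets by a 'PROTO src:sport > dst:dport' key, and a loop that collects unique IP sources. The loop's bare `except: pass` works because the 10 "Other" frames have no IP layer, but it also hides any unrelated error; in Scapy the idiomatic filter is `if IP in p:`. The example below is an added one, not part of the original session or of Scapy: it reimplements the same three steps with only the Python standard library, so it runs without Scapy, and adds the triage question an analyst usually asks next, which internal host opened new outbound TCP connections to which external peers (SYN without ACK). It assumes a classic pcap file (not pcapng), Ethernet link type, and IPv4 over TCP/UDP; the sample capture is constructed inline from synthetic frames that reuse addresses seen in the session, and the local network 10.0.90.0/24 is an assumption drawn from those addresses.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

PCAP_MAGIC = 0xA1B2C3D4           # classic libpcap magic; pcapng is not handled here
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def iter_pcap_records(data):
    """Yield each captured frame from a classic pcap byte string (Ethernet link type only)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:      # DLT_EN10MB
        raise ValueError("only Ethernet captures are decoded")
    off = 24                                                  # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Extract what Scapy's summary shows (IP src/dst, proto, ports, TCP flags); None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                                           # ARP etc.: the 'Other' frames
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"src": str(ip_address(ip[12:16])), "dst": str(ip_address(ip[16:20])), "proto": ip[9]}
    if pkt["proto"] in (6, 17) and len(ip) >= ihl + 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    if pkt["proto"] == 6 and len(ip) >= ihl + 14:
        pkt["flags"] = ip[ihl + 13]                           # TCP flags byte (SYN=0x02, ACK=0x10)
    return pkt


def session_key(pkt):
    """Same key shape as Scapy's sessions(): 'TCP a:p > b:q' or 'IP a > b proto=igmp'."""
    name = PROTO_NAMES.get(pkt["proto"], str(pkt["proto"]))
    if "sport" in pkt:
        return f"{name} {pkt['src']}:{pkt['sport']} > {pkt['dst']}:{pkt['dport']}"
    return f"IP {pkt['src']} > {pkt['dst']} proto={name.lower()}"


def sessions(data):
    """Group decoded packets by unidirectional session key, like pcap.sessions()."""
    out = {}
    for pkt in map(decode_frame, iter_pcap_records(data)):
        if pkt:
            out.setdefault(session_key(pkt), []).append(pkt)
    return out


def source_ips(data):
    """The src_ips set from the session, without a bare except: non-IP frames decode to None."""
    return {p["src"] for p in map(decode_frame, iter_pcap_records(data)) if p}


def external_peers(data, local_net="10.0.90.0/24"):
    """Count new outbound TCP connections (SYN, no ACK) from local hosts to non-local (dst, port)."""
    net = ip_network(local_net)                               # assumed local range
    peers = Counter()
    for p in map(decode_frame, iter_pcap_records(data)):
        if not p or (p.get("flags", 0) & 0x12) != 0x02:
            continue
        if ip_address(p["src"]) in net and ip_address(p["dst"]) not in net:
            peers[(p["dst"], p["dport"])] += 1
    return peers


# --- constructed sample capture: synthetic frames, not the exercise pcap ---
def _frame(src, dst, proto, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 128, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    eth = bytes.fromhex("d067e5b153fa") + bytes.fromhex("20e52ab693f1") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + payload


def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 64240, 0, 0)


def build_sample_pcap():
    frames = [
        _frame("10.0.90.175", "10.0.90.9", 6, _tcp(49184, 88, 0x02)),          # SYN to DC, Kerberos
        _frame("10.0.90.9", "10.0.90.175", 6, _tcp(88, 49184, 0x12)),          # SYN/ACK back
        _frame("10.0.90.175", "185.136.169.160", 6, _tcp(49307, 443, 0x02)),   # SYN to external https
        _frame("185.136.169.160", "10.0.90.175", 6, _tcp(443, 49307, 0x12)),
        _frame("10.0.90.175", "185.136.169.160", 6, _tcp(49308, 443, 0x02)),   # second connection
        _frame("10.0.90.175", "224.0.0.22", 2, b"\x22\x00\x00\x00"),           # IGMP, no ports
        _frame("10.0.90.175", "208.67.222.222", 17, struct.pack("!HHHH", 53000, 53, 8, 0)),  # UDP DNS
    ]
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1555300000 + i, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    data = build_sample_pcap()
    print("\n".join(sessions(data)))
    print(sorted(source_ips(data)))
    print(external_peers(data).most_common())
```

Point `iter_pcap_records` at the bytes of a real capture and the same functions apply; `external_peers` is the part that answers the session's implicit question (which of the 443 peers were contacted from the workstation, and how many times), which the flat `src_ips` set does not show because it mixes replies with outbound traffic.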