This Python script provides a command-line interface for analyzing pcap (Packet Capture) files to extract network traffic fingerprints. It leverages various tools such as tshark, p0f, and Snort for deep packet inspection and analysis.
- Protocol Analysis: Utilizes `tshark` to perform protocol analysis, extracting information such as source IP, destination IP, TCP/UDP ports, and protocols.
- p0f Integration: Incorporates `p0f` to identify OS and application signatures associated with IP addresses.
- Snort Analysis: Utilizes the `Snort` intrusion detection system to analyze network traffic and extract application-layer information.
- Output to CSV: Saves the extracted fingerprint information into a CSV file for further analysis and processing.
- Python 3.x
- `tshark`: Packet analyzer tool (part of Wireshark)
- `p0f`: Passive OS fingerprinting tool
- `Snort`: Intrusion detection and prevention system
- Clone or download the repository to your local machine.
- Ensure all dependencies (`tshark`, `p0f`, `Snort`) are installed and configured properly.
Run the script with the appropriate command-line options to analyze pcap files:

```
python3 fingerprint.py -f <PATH_TO_PCAP> -s <SNORT_PATH> -c <SNORT_CONFIG.LUA>
```

Example usage:

```
python3 fingerprint.py -f ../../some.pcap -s /opt/snort3/ -c snort.lua
```

For analyzing multiple pcap files listed in a file:

```
python3 fingerprint.py -s /opt/snort3 -c snort.lua -l pcapfiles.list --verbose
```

Options:

- `-f, --file`: Path to the pcap file for analysis.
- `-s, --snort`: Path to the Snort base directory.
- `-c, --config`: Path to the Snort configuration Lua file.
- `-l, --list`: Path to a file containing a list of pcap files to process.
- `-o, --out`: Path to the output directory for saving fingerprint information (default: current directory).
- `--verbose`: Enable verbose output.
- `--noP0f`: Skip p0f analysis.
- `--noSnort`: Skip Snort analysis.
The script generates a CSV file containing the extracted fingerprint information for each pcap file analyzed.
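The following is an added illustration, not code from the repository, of the core of what such a script does: it builds the `tshark -T fields` invocation, parses tshark's tab-separated output and p0f's `key=value|...` log lines, and joins them into the CSV layout described above. The tshark field list, the column names and the sample tshark/p0f output are constructed assumptions so the block runs offline without a real capture.

```python
import csv
import io
import subprocess

# Fields requested from `tshark -T fields` (assumed set; order fixes the column order).
TSHARK_FIELDS = ["ip.src", "ip.dst", "tcp.srcport", "tcp.dstport",
                 "udp.srcport", "udp.dstport", "_ws.col.Protocol"]

# Constructed sample of tshark field output (two packets: one TLS over TCP, one DNS over UDP).
SAMPLE_TSHARK = ("10.0.0.5\t203.0.113.10\t51234\t443\t\t\tTLSv1.2\n"
                 "10.0.0.5\t10.0.0.1\t\t\t54321\t53\tDNS\n")
# Constructed sample of a p0f log record for the SYN sent by 10.0.0.5.
SAMPLE_P0F = ("[2024/01/01 12:00:00] mod=syn|cli=10.0.0.5/51234|srv=203.0.113.10/443|subj=cli"
              "|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,7:mss,sok,ts,nop,ws:df,id+:0\n")

def tshark_command(pcap_path):
    """Build the tshark invocation: one packet per line, tab-separated, first occurrence of each field."""
    cmd = ["tshark", "-r", pcap_path, "-T", "fields", "-E", "separator=/t", "-E", "occurrence=f"]
    for field in TSHARK_FIELDS:
        cmd += ["-e", field]
    return cmd

def run_tshark(pcap_path):
    """Run tshark on a real pcap (needs tshark on PATH) and return its field output."""
    return subprocess.run(tshark_command(pcap_path), capture_output=True, text=True, check=True).stdout

def parse_tshark_fields(text):
    """Turn tshark field output into one dict per packet; empty columns become None."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(TSHARK_FIELDS) - len(cols))      # pad if trailing empties are dropped
        rec = dict(zip(TSHARK_FIELDS, (c or None for c in cols)))
        tcp_s, tcp_d = rec.pop("tcp.srcport"), rec.pop("tcp.dstport")
        udp_s, udp_d = rec.pop("udp.srcport"), rec.pop("udp.dstport")
        rec["srcport"], rec["dstport"] = tcp_s or udp_s, tcp_d or udp_d   # one port pair per packet
        rows.append(rec)
    return rows

def parse_p0f_log(text):
    """Map client IP -> OS guess from p0f's 'mod=syn' records; '???' means p0f had no match."""
    os_by_ip = {}
    for line in text.splitlines():
        body = line.split("] ", 1)[-1]                         # drop the leading timestamp
        fields = dict(kv.split("=", 1) for kv in body.split("|") if "=" in kv)
        if fields.get("mod") == "syn" and fields.get("os") not in (None, "???"):
            os_by_ip[fields["cli"].rsplit("/", 1)[0]] = fields["os"]
    return os_by_ip

def fingerprint_csv(tshark_text, p0f_text):
    """Join per-packet tshark records with p0f OS guesses for the source IP and render CSV text."""
    os_by_ip = parse_p0f_log(p0f_text)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["ip.src", "ip.dst", "srcport", "dstport",
                                             "_ws.col.Protocol", "p0f_os"])
    writer.writeheader()
    for rec in parse_tshark_fields(tshark_text):
        rec["p0f_os"] = os_by_ip.get(rec["ip.src"])
        writer.writerow(rec)
    return out.getvalue()
```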
This project is licensed under the MIT License - see the LICENSE file for details.