0

I want to create a mini sniffing network. I asked in a previous question about how to capture and decrypt packets in real time.

Now I want to analyze it, and I am developing a script for it but can I do it on the fly? Like when dumpcap is running and writing to file can I read it at the same time and analyze new appended packets? Or is there a better way of sniffing and analyzing at the same time?

I will use two raspberry pi 2's. One for sniffing and saving pcaps and other for reading, analyzing and populating a database with extracted info.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Adrian Rudy Dacka
  • 43
  • 7
  • It is not clear how exactly you want to analyze, but there are existing tools (for example IDS like snort, suricata or bro) which already does this. Also, dumpcap can write the sniffed data to stdout (look into the documentation for details) so you could put whatever you want behind it with a simple pipe. – Steffen Ullrich Aug 31 '18 at 05:20
  • I know there are existing tools but I test my programming skills :D Please write your comment about stdout as anwsear and I'll mark it. Thanks for help – Adrian Rudy Dacka Aug 31 '18 at 05:25

2 Answers2

2

As the documentation for dumpcap shows you can simply write to stdout, i.e. dumpcap -w -. Then you can put whatever you want after this, i.e. something like

 dumpcap -w - | your-own-analysis    # analyze it directly
 dumpcap -w - | nc ip port           # send for analysis to some remote system
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
2

If you want to analyze network traffic, and do it yourself to test your programming abilities (I read that in other comment), you can pick a programming language and use libpcap or similar libraries to get access to the network traffic.

  • python have at least scappy and pypcap to read network traffic and do ''stuff''.
  • in C you can use libpcap.
  • with java you have jNetPcap.
  • with C# you have PcapDotNet.
  • with go you can use gopacket.

I'm almost sure other programming languages will have their own libraries or wraps around libpcap.

Hugo Glez
  • 121
  • 3