mhendy25 / offline_network_traffic_analyzer


Kick Off #1

Open mhendy25 opened 9 months ago

mhendy25 commented 9 months ago

We need to make some design decisions before we start:

mhendy25 commented 9 months ago

@danysigha look at tshark.

mhendy25 commented 9 months ago

@AsikoGomis look at TCPDump.

mhendy25 commented 9 months ago

@mhendy25 look at ngrep.

danysigha commented 9 months ago

Here are the readings Mohamed shared with us today for reference:

  1. https://stackoverflow.com/questions/2198972/is-there-an-api-for-wireshark-to-develop-programs-plugins-that-interact-with-it
  2. https://www.wireshark.org/docs/man-pages/tshark.html
  3. https://medium.com/@mayberryjalin/mastering-network-traffic-analysis-a-closer-look-at-tcpdump-eedcd9e8ea74

mhendy25 commented 9 months ago

  1. Most of the available code is in Python for implementing a "Packet Sniffer," which is the name I commonly saw for our project, Offline Network Traffic Analyzer. I also think Python is easier to implement and debug. So, I'm for Python.
  2. This is an already-implemented library, but it lacks DNS and DHCP. This is a YouTube tutorial to start with the project, but we need to build most of the protocols by ourselves (we can just use their templates for other protocols, I think?).
  3. Working on it.

AsikoGomis commented 9 months ago

That YouTube series was a good find.

danysigha commented 9 months ago

Based on my research, we have 3 options: Pyshark, dpkt and Scapy. I think we should go with dpkt because it is simple, offers a stand-alone solution, and uses pure Python.

Some references:

danysigha commented 9 months ago

Hi guys, we need to keep digging... Pyshark does not output hexdumps and will likely not be able to deal with hexdumps as input. I think Spathis may want us to figure this one out by ourselves.

https://stackoverflow.com/questions/38712080/is-it-possible-to-access-the-hexdump-of-a-packet-in-pyshark

edit1: There is an extra step in between actually. Spathis answered correctly. We first need to convert the hexdumps to pcap files using text2pcap. Only then can we use Pyshark.

edit2: As usual, setup is pretty annoying. idk about you, but I just downloaded Wireshark off the web; for this we want to use brew install. Here are the steps:

  1. Set up brew.
  2. Get rid of the old Wireshark. Delete the app and run brew uninstall --force wireshark to be safe.
  3. Install Wireshark by running brew install wireshark and brew install --cask wireshark.
  4. Check that it worked: brew info --cask wireshark.
  5. Add an alias to your path directory: alias wireshark='/Applications/Wireshark.app/Contents/MacOS/Wireshark'
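As an added illustration of the two design points raised in this thread (building the protocol decoders ourselves in pure Python, and accepting hexdumps as input, which Pyshark cannot do directly), here is a small offline analyzer that is not part of this repository or any of the libraries mentioned above. It assumes the input is in the offset-plus-hex-bytes layout that text2pcap reads (an offset of 000000 starts a new packet), uses only the standard library so it runs without dpkt, Pyshark or Wireshark installed, and decodes Ethernet II, IPv4 (with header checksum verification), UDP, TCP and the question section of a DNS query. The two sample packets are constructed by hand, not captured from a real network.

```python
"""Tiny offline traffic analyzer: text2pcap-style hexdump in, decoded
Ethernet/IPv4/UDP/TCP/DNS out. Standard library only (re, struct)."""
import re
import struct
from typing import Dict, List

# Constructed sample input (not a real capture) in the offset + hex-bytes layout
# text2pcap accepts; offset 000000 starts a new packet, as text2pcap treats it.
# Packet 1: Ethernet / IPv4 / UDP / DNS query for example.com (A record).
# Packet 2: Ethernet / IPv4 / TCP SYN from port 50000 to port 80, DF bit set.
SAMPLE_HEXDUMP = """\
000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
000010 00 39 00 01 00 00 40 11 60 a3 0a 00 00 01 08 08
000020 08 08 d4 31 00 35 00 25 00 00 12 34 01 00 00 01
000030 00 00 00 00 00 00 07 65 78 61 6d 70 6c 65 03 63
000040 6f 6d 00 00 01 00 01
000000 00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00
000010 00 28 00 02 40 00 40 06 6f 1b 0a 00 00 01 c0 a8
000020 01 0a c3 50 00 50 00 00 00 01 00 00 00 00 50 02
000030 72 10 00 00 00 00
"""

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s*$")


def parse_hexdump(text: str) -> List[bytes]:
    """Split an offset/hex dump into raw frames. Lines that are not offset + bytes
    are skipped; an offset that disagrees with the bytes read so far is rejected."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0 and current:           # a new packet begins
            packets.append(bytes(current))
            current = bytearray()
        if offset != len(current):
            raise ValueError(f"offset {offset:#x} does not match {len(current)} bytes read")
        current += bytes.fromhex(m.group(2))  # fromhex ignores the spaces
    if current:
        packets.append(bytes(current))
    return packets


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; over a header that includes its own checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_dns_question(data: bytes) -> Dict[str, object]:
    """Header plus first question; question names are never compressed on the wire."""
    ident, flags, qdcount = struct.unpack("!HHH", data[:6])
    labels, pos = [], 12
    while data[pos] != 0:
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", data[pos + 1:pos + 5])
    qtypes = {1: "A", 28: "AAAA", 15: "MX", 16: "TXT"}
    return {"id": ident, "is_query": not flags & 0x8000, "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtypes.get(qtype, str(qtype))}


TCP_FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG")]


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II -> IPv4 -> UDP/TCP (-> DNS on port 53) into a dict plus a one-line summary."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt: Dict[str, object] = {"eth": {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}}
    if ethertype != 0x0800:
        pkt["summary"] = f"non-IPv4 ethertype {ethertype:#06x}"
        return pkt
    ip = frame[14:]
    vihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    src_ip, dst_ip = ".".join(map(str, s)), ".".join(map(str, d))
    pkt["ip"] = {"src": src_ip, "dst": dst_ip, "ttl": ttl, "proto": proto, "len": total_len,
                 "df": bool(flags_frag & 0x4000), "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    l4 = ip[ihl:total_len]                    # trailing padding past total_len is dropped
    if proto == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        pkt["udp"] = {"sport": sport, "dport": dport, "len": ulen}
        summary = f"{src_ip} -> {dst_ip} UDP {sport} -> {dport}"
        if 53 in (sport, dport):
            dns = decode_dns_question(l4[8:ulen])
            pkt["dns"] = dns
            summary += f" DNS {'query' if dns['is_query'] else 'response'} {dns['qname']} {dns['qtype']}"
    elif proto == 6:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
        pkt["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": win}
        summary = f"{src_ip} -> {dst_ip} TCP {sport} -> {dport} [{','.join(flags)}]"
    else:
        summary = f"{src_ip} -> {dst_ip} IP proto {proto}"
    pkt["summary"] = summary
    return pkt


def analyze(hexdump_text: str) -> List[Dict[str, object]]:
    return [decode_frame(frame) for frame in parse_hexdump(hexdump_text)]


if __name__ == "__main__":
    for i, p in enumerate(analyze(SAMPLE_HEXDUMP), 1):
        print(f"{i}: {p['summary']}  (IP checksum ok: {p['ip']['checksum_ok']})")
```

The offset check in parse_hexdump is the same sanity check text2pcap applies, and it is what catches a hexdump that was pasted with lines missing or reordered; verifying the IPv4 header checksum gives the analyzer a cheap way to flag corrupted or hand-edited dumps before trusting the addresses in them. The same layering (Ethernet, then IP, then transport, then application) is what the dpkt templates from the YouTube series follow, so the DNS and DHCP decoders the project still has to write slot in where decode_dns_question does here.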