#!/usr/bin/env python
# The previous line ensures that this script is run under the context
# of the Python interpreter. Next, import the Scapy functions:
from scapy.all import *
from subprocess import call
import time
import logging
import graypy
# Host and UDP port of the GELF listener that receives the sniffer's messages
SentToHost = "192.0.2.1"
SentToPort = "12201"
# Name under which this sniffer identifies itself
Name = "SniffPy"
# Free-form description of where this sniffer runs (home, Garlicstreet 3, ...)
location = "home"
# Numeric SYSLOG level to use
SyslogLevel = 1

# Build the usage text once; the listener address is the only variable part.
gelf_listener = SentToHost + ":" + SentToPort
instructions = (
    "This script will sniff three management frame subtypes in 802.11: 0, 2 and 4 and will send it to Graylog2. Make sure you first set the interface you want to use in monitoring mode, before starting this script: airmon-ng start wlan0. Also, make sure you have a GELF UDP listener ready on "
    + gelf_listener
    + ". In the same directory as this script, store the file you get from https://gist.github.com/derlinkshaender/5995776 and name it graylogger.py."
)
print("---- INSTRUCTIONS ----")
print(" ")
print(instructions)
print(" ")
print("---- THIS PROGRAM IS \"AS IS\" WITHOUT WARRANTY OF ANY KIND ----")

# Monitor-mode interface to capture from; adjust to your setup.
interface = "mon0"
# Client MAC addresses already reported, so each client is printed once.
observedclients = []

# Logger whose records are shipped as GELF over UDP to the listener above.
my_logger = logging.getLogger(Name)
my_logger.setLevel(logging.DEBUG)
handler = graypy.GELFHandler(SentToHost, int(SentToPort))
my_logger.addHandler(handler)
# The sniffmgmt() function is called each time Scapy receives a packet
# (we'll tell Scapy to use this function below with the sniff() function).
# The packet that was sniffed is passed as the function argument, "p".
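def sniffmgmt(p):
    """Scapy ``prn`` callback: report each newly seen wireless client.

    Only 802.11 management frames (``type == 0``) whose subtype is one of
    0, 2 or 4 are considered; those subtypes are sent exclusively by
    clients. The first time a transmitter address (``addr2``) is seen it
    is printed to stdout and emitted as a GELF record through
    ``my_logger``; later frames from the same client are ignored.

    Args:
        p: the packet handed over by ``sniff()``.

    Returns:
        None. Side effects: prints to stdout, emits one log record and
        appends the address to the module-level ``observedclients`` list.
    """
    # Management frame subtypes sent exclusively by clients (per Wireshark).
    stamgmtstypes = (0, 2, 4)
    # Guard clauses: drop anything that is not a client management frame.
    if not p.haslayer(Dot11):
        return
    if p.type != 0 or p.subtype not in stamgmtstypes:
        return
    client = p.addr2
    # addr2 should always be present on a management frame, but a missing
    # address would otherwise raise inside the string concatenation below
    # and abort the whole sniff() loop — TODO confirm against scapy.
    if client is None or client in observedclients:
        return
    epoch = int(time.time())
    # asctime() with no argument formats the current local time.
    localtime = time.asctime()
    print(localtime + " " + client)
    # The extra GELF fields only reach Graylog when the record is emitted
    # through the adapter; the original built the adapter but then logged
    # via my_logger directly, so client_mac/location/epoch were dropped.
    # 'location' carries the configured location rather than the sniffer name.
    my_adapter = logging.LoggerAdapter(
        my_logger,
        {'client_mac': 'true', 'location': location, 'epoch': epoch},
    )
    my_adapter.debug(client)
    # NOTE: this list grows without bound over the life of the process.
    observedclients.append(client)
    # The former commented-out shell invocation of graylogger.py has been
    # dropped: addr2 is taken straight from an over-the-air frame, so any
    # future external call must pass argv as a list with shell=False
    # rather than splice the address into a shell command string.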
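# With sniffmgmt() defined, start the capture on the monitor-mode interface
# and hand every frame to it. store=0 stops scapy from keeping every captured
# packet in the PacketList it returns, which would otherwise grow without
# bound for a long-running sniffer (the return value is discarded anyway).
sniff(iface=interface, prn=sniffmgmt, store=0)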