Motivation: I wanted to combine two or more packet capture (pcap) files in order to create one example capture from sources of two kinds:
One that contains just malicious (or simulated malicious) network traffic
Another contains legitimate, non-malicious network traffic
Many example packet capture files focus either specifically on malware, exploits, C2 traffic, etc. (like Security Onion’s list of PCAPs for Testing) or on examples of legitimate traffic (like Wireshark’s Sample Captures). I wanted to create an example that would interweave such sources and intersperse malicious and legitimate traffic, as they would typically occur concurrently.
In addition to tcpdump, I used three command-line tools that ship with Wireshark to accomplish this:
capinfos – prints high-level information about a packet capture file (packet count, capture duration, encapsulation type, and so on)
mergecap – combines two or more packet capture files into one, ordered by timestamp
editcap – modifies packet details, such as timestamps, in a packet capture file
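To make the capinfos/editcap/mergecap workflow concrete without the Wireshark tools installed, here is an added example in pure Python (it is not code from the original post). It implements the three steps directly on the classic little-endian pcap container: summarize a capture the way capinfos does, shift one capture's timestamps the way editcap -t does so it lands inside the other capture's time window, and interleave the two by timestamp the way mergecap does. The two captures and their placeholder frames are constructed here for illustration, and all function names are my own; pcapng files are deliberately rejected.

```python
"""Time-shift one pcap and merge it into another, chronologically.

Added example, not from the original post: a pure-Python stand-in for the three
Wireshark CLI tools named above, so the workflow can be checked without them:
  summarize()        ~ capinfos   (packet count, first/last timestamp, duration)
  shift_timestamps() ~ editcap -t (add a constant offset to every packet time)
  merge_pcaps()      ~ mergecap   (interleave records in timestamp order)
Only classic little-endian pcap (magic 0xa1b2c3d4, microsecond timestamps) is
handled; pcapng is rejected. The two captures built below are constructed data.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
US = 1_000_000                           # timestamps are kept as integer microseconds


def write_pcap(records, linktype=LINKTYPE_ETHERNET):
    """Serialise [(ts_us, frame_bytes), ...] into a classic pcap file image."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_us, frame in records:
        out.append(RECORD_HDR.pack(ts_us // US, ts_us % US, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Return (linktype, [(ts_us, frame_bytes), ...]); rejects pcapng, big-endian and truncated input."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than a pcap global header")
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported magic 0x%08x (only little-endian classic pcap)" % magic)
    records, off = [], GLOBAL_HDR.size
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec * US + ts_usec, frame))
    return linktype, records


def summarize(records):
    """capinfos-style summary: count, first/last timestamp and duration (microseconds)."""
    if not records:
        return {"count": 0, "first_us": None, "last_us": None, "duration_us": 0}
    times = [ts for ts, _ in records]
    return {"count": len(records), "first_us": min(times), "last_us": max(times),
            "duration_us": max(times) - min(times)}


def shift_timestamps(records, offset_us):
    """editcap -t equivalent: move every packet by offset_us (negative offsets allowed)."""
    shifted = [(ts + offset_us, frame) for ts, frame in records]
    if any(ts < 0 for ts, _ in shifted):
        raise ValueError("shift would produce a negative timestamp")
    return shifted


def merge_pcaps(*capture_images):
    """mergecap equivalent: pool the records of every input and order them by timestamp.
    Ties keep input order (sort is stable). Mixed link types are refused as a simplification."""
    linktype, merged = None, []
    for image in capture_images:
        lt, recs = parse_pcap(image)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("link types differ (%d vs %d)" % (linktype, lt))
        merged.extend(recs)
    merged.sort(key=lambda r: r[0])
    return write_pcap(merged, linktype)


def frame(tag):
    """Constructed placeholder frame: 14-byte Ethernet header (broadcast dst, locally
    administered src, EtherType IPv4) followed by a text tag so merge order is visible."""
    return bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002") + b"\x08\x00" + tag


def build_sample_captures():
    """Two constructed captures: 'benign' recorded around t=1000 s, 'malicious' around t=500 s."""
    benign = write_pcap([(1000 * US, frame(b"BENIGN-0")), (1002 * US, frame(b"BENIGN-1")),
                         (1004 * US, frame(b"BENIGN-2"))])
    malicious = write_pcap([(500 * US, frame(b"EVIL-0")), (501 * US, frame(b"EVIL-1"))])
    return benign, malicious


def interleave(benign_image, malicious_image, lead_in_us=US // 2):
    """Whole workflow: shift the malicious capture so it starts lead_in_us after the first
    benign packet, merge, and return the frame tags in timestamp order."""
    b_first = summarize(parse_pcap(benign_image)[1])["first_us"]
    lt, m_recs = parse_pcap(malicious_image)
    offset = b_first + lead_in_us - summarize(m_recs)["first_us"]
    shifted_image = write_pcap(shift_timestamps(m_recs, offset), lt)
    merged = merge_pcaps(benign_image, shifted_image)
    return [f[14:] for _, f in parse_pcap(merged)[1]]


if __name__ == "__main__":
    benign, malicious = build_sample_captures()
    print(interleave(benign, malicious))
```

Without the shift, merging would simply prepend the malicious packets (they were captured 500 seconds earlier), which is the situation editcap -t exists to fix; with it, the two EVIL frames land between BENIGN-0 and BENIGN-1. The same offset arithmetic applies when you use the real tools: read the first timestamp of each file with capinfos, compute the difference, pass it to editcap -t, then mergecap the result.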
My motivation was to start from a known-good packet capture, for example a DNS request and reply, and modify that request to create something interesting: an example to examine in Wireshark, or positive and negative test cases for IDS software (Snort, Suricata).
I haven’t done much with Scapy before, but it seemed like the right tool for the task. My planned steps were as follows:
I had been using the Python socket module to create a very basic client-server for testing purposes, but soon I wanted to have something slightly more standard, like an HTTP server. I decided to try the Python Flask framework.
First I set up a Flask server on a CentOS 7 Linux VM running on VirtualBox:
Obviously, if you are dealing with a machine connected directly to the Internet, this would be a terrible solution. You’d want to add rules allowing only the hosts and ports from which you expect to receive connections. But for testing communications between my desktop and a virtual host running on it, this seemed like a quick solution.
After those 2 changes, I was able to load the sample “hello” Flask app in a browser: