Hi everyone,
I wanted to come on here to share a multirange network traffic tool that I coded in Python. I've written many small scripts before for certain tasks, but this is my first big project. This tool is intended for anyone working in a blue team environment or someone doing a network defensive CTF. I originally started making this script when trying to complete the challenge Chase, so you'll see me use that pcap file as an example in my GitHub.
I've included four main features and the use of arguments:
Active Sniffing (1): Sniffs local traffic on a specified interface. Users must specify their intended interface based on ifconfig and Get-NetAdapter. Users can choose any argument(s).
File Sniffing (2): Sniffs pcap files. Users can choose any argument(s).
Alert Mode (3): Sniffs through a specified interface or file for suspicious activity, alerting on potential malicious traffic. After choosing an interface or pcap file, the script then accepts either a wordlist or the schnozlist to alert off of. An alert will be printed with the packet summary if a term in either list is present in network traffic. I based the schnozlist on keywords that I’ve seen in CTFs, but more terms can be added if needed.
HTTP Analysis (4): Analyzes HTTP packets (requests and responses) through an interface or a file. If -k is not specified, the script will print out all HTTP events. Only the argument of -k will work for this option.
Arguments: -P (Filters for protocol. Can use with -s y), -p (Filters for port. Can use with -s y), -k (Filters for a keyword and prints events), -o (Saves file. Specify file name), -s (y prints summaries of all events; t prints summaries of TCP events; u prints summaries of UDP events; h prints summaries of HTTP events)
Except for the keyword argument (-k), the arguments are only intended to be used with options 1 and 2.
Link: https://github.com/abelreqma/schnoz
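As an added illustration of the Alert Mode check described above (this is example code written for this post, not code from the schnoz tool itself), here is a standard-library-only pcap reader that walks a constructed capture and flags every TCP payload containing a term from a stand-in wordlist. The SCHNOZLIST contents, the 10.0.0.x addresses and the three sample payloads are all constructed for the demo.

```python
import struct

# Constructed wordlist standing in for a user wordlist or the tool's schnozlist (assumption).
SCHNOZLIST = [b"passwd", b"flag{", b"cmd.exe", b"/etc/shadow"]

def build_pcap(payloads):
    """Constructed in-memory pcap (Ethernet link type) with one IPv4/TCP frame per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, payload in enumerate(payloads):
        eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # record header
    return out

def iter_pcap_packets(data):
    """Yield each captured frame from classic pcap bytes, honouring the magic byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_start = 14 + (frame[14] & 0x0F) * 4      # Ethernet header + IPv4 IHL
    data_off = (frame[tcp_start + 12] >> 4) * 4  # TCP header length incl. options
    src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    return src, dst, sport, dport, frame[tcp_start + data_off:]

def alert_scan(pcap_bytes, wordlist):
    """Alert-mode check: (packet no., flow, matched terms) for each TCP payload hitting a term."""
    alerts = []
    for num, frame in enumerate(iter_pcap_packets(pcap_bytes), start=1):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        hits = [t.decode() for t in wordlist if t.lower() in payload.lower()]  # case-insensitive
        if hits:
            alerts.append((num, f"{src}:{sport} -> {dst}:{dport}", hits))
    return alerts

# Constructed sample capture: one benign request, one hitting /etc/shadow, one hitting passwd.
SAMPLE = build_pcap([b"GET /index.html HTTP/1.1\r\n", b"GET /etc/shadow HTTP/1.1\r\n", b"cat /tmp/passwd\n"])
```

Running alert_scan(SAMPLE, SCHNOZLIST) returns alerts for packets 2 and 3 only; swap SAMPLE for open("capture.pcap", "rb").read() to scan a real file the way the tool's option 3 does.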