The preceding script was fairly involved. We could have achieved the same result with pyshark, a Python library that wraps tshark and exposes the decoded packet fields through a Python API. Let's create a small Python script using the pyshark library, as follows:
import pyshark
import struct

# Place your PCAP here
cap = pyshark.FileCapture(r'C:\Users\Apex\Desktop\loki-bot_network_traffic.pcap')

def Exfil(pkt):
    # Only HTTP packets carry the fields we check; any other packet raises
    # AttributeError when pkt.http is touched, which we simply ignore.
    try:
        if pkt.http.request_method == "POST":
            # Loki-Bot's hard-coded User-Agent identifies its check-in/exfil POSTs
            if pkt.http.user_agent == "Mozilla/4.08 (Charon; Inferno)":
                print("Infected IP:" + pkt.ip.src)
                print("Communicating From:" + pkt[pkt.transport_layer].srcport)
                print("Malicious HTTP Request:" + pkt.http.request_uri)
                # print("Malicious User...   (remainder of this line is cut off in the source)
    except AttributeError:
        pass

# Run the callback over every packet in the capture
cap.apply_on_packets(Exfil)
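The same indicator logic (HTTP POST plus the Loki-Bot User-Agent string), as an added example that is not part of the book's script and does not need pyshark or tshark: it parses raw HTTP request bytes itself, so it can be run over reassembled TCP streams or, as here, over constructed test fixtures. The IPs, ports, the `/gate.php` path and the request bodies below are made-up sample data, not values from the book's capture.

```python
"""Loki-Bot style POST beacon triage over raw HTTP request bytes.

Added example, not the book's code. Reproduces the pyshark filter
(POST + User-Agent "Mozilla/4.08 (Charon; Inferno)") on raw requests so it
runs offline. All sample flows below are constructed, not real captures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicator used by the book's pyshark script: Loki-Bot's hard-coded User-Agent.
LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]  # header names normalised to lower case
    body: bytes


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Parse an HTTP/1.x request; return None if the bytes are not one."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no header terminator: TLS, partial stream, etc.
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(parts[0].upper(), parts[1], headers, body)


@dataclass
class Finding:
    src_ip: str
    src_port: int
    uri: str
    user_agent: str
    body_len: int  # size of the POSTed payload, a rough exfil volume measure


def find_loki_exfil(flows: List[Tuple[str, int, bytes]]) -> List[Finding]:
    """flows: (src_ip, src_port, raw_request_bytes), one per client request."""
    findings: List[Finding] = []
    for src_ip, src_port, raw in flows:
        req = parse_http_request(raw)
        if req is None or req.method != "POST":
            continue
        if req.headers.get("user-agent") != LOKI_USER_AGENT:
            continue
        findings.append(Finding(src_ip, src_port, req.uri,
                                req.headers["user-agent"], len(req.body)))
    return findings


# Constructed sample flows (hypothetical hosts and paths, not real captures).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    # Beacon: POST with the indicator User-Agent.
    ("10.0.0.5", 49231,
     b"POST /gate.php HTTP/1.0\r\n"
     b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
     b"Host: c2.example.invalid\r\n"
     b"Content-Length: 4\r\n\r\n"
     b"\x12\x00\x27\x00"),
    # Same User-Agent but a GET: not the POST pattern the filter targets.
    ("10.0.0.5", 49232,
     b"GET /gate.php HTTP/1.0\r\n"
     b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
     b"Host: c2.example.invalid\r\n\r\n"),
    # Ordinary browser POST with a different User-Agent.
    ("10.0.0.7", 51000,
     b"POST /login HTTP/1.1\r\n"
     b"Host: intranet.example.invalid\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/60.0\r\n"
     b"Content-Length: 9\r\n\r\n"
     b"user=bob&"),
    # Second beacon from another host; header name in lower case.
    ("10.0.0.9", 49900,
     b"POST /gate.php HTTP/1.0\r\n"
     b"user-agent: Mozilla/4.08 (Charon; Inferno)\r\n"
     b"Content-Length: 2\r\n\r\n"
     b"\x27\x00"),
    # Not HTTP at all (looks like a TLS record): the parser must skip it.
    ("10.0.0.9", 49901, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for f in find_loki_exfil(SAMPLE_FLOWS):
        print("Infected IP: %s  From port: %d  URI: %s  Body bytes: %d"
              % (f.src_ip, f.src_port, f.uri, f.body_len))
```

The header lookup is case-insensitive and the method is upper-cased before comparison, so a beacon is not missed because tshark, a proxy log or a hand-written fixture wrote `user-agent` instead of `User-Agent`. Non-HTTP streams and GETs with the same User-Agent are dropped rather than raising, which mirrors the `try`/`except AttributeError` the pyshark version needs around `pkt.http`.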