
SANS ISC: InfoSec Handlers Diary Blog



Passer, a passive machine and service sniffer

Published: 2008-04-16
Last Updated: 2008-04-16 22:57:55 UTC
by William Stearns (Version: 3)
0 comment(s)

Last summer I did a short post on detecting servers using tcpdump or windump, SYN/ACK packets, and a few command line tools.  It was... well, pretty rudimentary.  *smile*
 
https://isc.sans.org/diary.html?storyid=3018
 
This spring I decided to put together a passive service sniffer, "Passer".  It can report on live TCP and UDP servers and clients, Ethernet cards and their manufacturers, DNS records, operating systems, and routers.  If you have nmap installed, it will use nmap's service fingerprint file to make a really good guess at exactly what service is running on a port.
 
The output is comma separated for easy import into a database, a spreadsheet, or command line tools.
 
Because it's written in Python, it should be portable to almost any operating system.  Because of my odd Windows XP setup I hit a snag with the underlying packet capture library (Scapy) on Windows, but it should work on almost anything with Python.
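To make the passive idea concrete, here is an added example of the core server/client inference, written for this diary and not taken from Passer itself. Instead of sniffing with Scapy it parses tcpdump-style summary lines (the `IP src.port > dst.port: Flags [S.]` format), treats a SYN/ACK as proof that `src.port` is a listening TCP service, treats a UDP packet that reverses an earlier flow as a reply from a UDP service, and emits comma-separated rows. The capture text, the `kind,ip,proto,port` column layout and the helper names are all constructed for the example; Passer's real log format is documented in the passer.txt link below.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Matches tcpdump's default IPv4 summary line, with or without a leading
# timestamp.  Lines without ports on both sides (ICMP, ARP) do not match.
_LINE_RE = re.compile(
    r"^(?:\S+\s+)?IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
_FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")

# Constructed sample capture (RFC 5737 test addresses): a completed TCP
# handshake to port 80, a DNS query and reply, a refused connection to
# port 8080, and an ICMP line the parser should ignore.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.000300 IP 192.0.2.20.80 > 192.0.2.10.51234: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:00:01.000500 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [.], ack 1, win 502, length 0
12:00:02.000100 IP 192.0.2.10.40001 > 192.0.2.1.53: 4711+ A? example.com. (29)
12:00:02.000400 IP 192.0.2.1.53 > 192.0.2.10.40001: 4711 1/0/0 A 192.0.2.99 (45)
12:00:03.000100 IP 192.0.2.10.51235 > 192.0.2.20.8080: Flags [S], seq 2000, win 64240, length 0
12:00:03.000200 IP 192.0.2.20.8080 > 192.0.2.10.51235: Flags [R.], seq 0, ack 2001, win 0, length 0
12:00:04.000000 IP 192.0.2.10 > 192.0.2.20: ICMP echo request, id 1, seq 1, length 64
"""


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"
    flags: str  # tcpdump flag letters for TCP ("S", "S.", "R."), "" for UDP


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump summary line; return None for lines we cannot use."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    f = _FLAGS_RE.search(m.group("rest"))
    # Simplifying assumption: anything with ports but no TCP flags is UDP.
    proto, flags = ("tcp", f.group("flags")) if f else ("udp", "")
    return Packet(m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), proto, flags)


def parse_capture(text: str) -> List[Packet]:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def classify(packets: Iterable[Packet]) -> Dict[str, Set[Tuple]]:
    """Infer servers and clients purely from observed traffic."""
    servers: Set[Tuple[str, int, str]] = set()
    clients: Set[Tuple[str, str]] = set()
    udp_flows: Set[Tuple[str, int, str, int]] = set()
    for p in packets:
        if p.proto == "tcp":
            # SYN+ACK ("S." in tcpdump) only comes from a listening socket;
            # a bare SYN proves nothing and "R." means the port was closed.
            if "S" in p.flags and "." in p.flags:
                servers.add((p.src, p.sport, "tcp"))
                clients.add((p.dst, "tcp"))
        else:
            # A UDP packet that exactly reverses an earlier flow is a reply,
            # so its source is a UDP service and its destination a client.
            if (p.dst, p.dport, p.src, p.sport) in udp_flows:
                servers.add((p.src, p.sport, "udp"))
                clients.add((p.dst, "udp"))
            udp_flows.add((p.src, p.sport, p.dst, p.dport))
    return {"servers": servers, "clients": clients}


def to_csv(result: Dict[str, Set[Tuple]]) -> str:
    """Render the findings as CSV for import into a database or spreadsheet."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["kind", "ip", "proto", "port"])
    for ip, port, proto in sorted(result["servers"]):
        w.writerow(["server", ip, proto, port])
    for ip, proto in sorted(result["clients"]):
        w.writerow(["client", ip, proto, ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(classify(parse_capture(SAMPLE_CAPTURE))), end="")
```

Run against the sample, it reports 192.0.2.20 port 80/tcp and 192.0.2.1 port 53/udp as servers and 192.0.2.10 as a client, while port 8080 (answered with RST) stays out of the list. The same approach only sees what crosses the sniffer's segment, so a quiet service never shows up; that is the trade-off for generating no traffic of your own.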

Home site: http://www.stearns.org/passer/

Instructions: http://www.stearns.org/passer/passer.txt

Sample output: http://www.stearns.org/passer/passer-sample-log.txt

-- Bill Stearns
