
SANS ISC: Passer, a passive machine and service sniffer (SANS ISC InfoSec Forums)



Last summer I did a short post on detecting servers using tcpdump or windump, syn/ack packets, and a few command line tools.  It was.... well, pretty rudimentary.  *smile*
 
https://isc.sans.org/diary.html?storyid=3018
 
This spring I decided to put together a passive service sniffer - "Passer".  It can report on live TCP and UDP servers and clients, Ethernet cards and manufacturers, DNS records, operating systems, and routers.  If you have nmap installed, it will use nmap's service fingerprint file to get a really good guess at exactly what service is running on a port.
 
The output is comma separated for easy import into a database, a spreadsheet, or command line tools.
 
Because it's written in Python, it should be portable to almost any operating system.  Because of my odd Windows XP setup I hit a snag with the underlying packet capture library (scapy) on Windows, but it should work on almost anything with Python.

Home site: http://www.stearns.org/passer/

Instructions: http://www.stearns.org/passer/passer.txt

Sample output: http://www.stearns.org/passer/passer.txt

-- Bill Stearns

William

Apr 16th 2008
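
The post describes finding live TCP servers passively from SYN/ACK packets and reporting them as comma-separated lines. The sketch below is an added example, not Passer's code: it parses raw Ethernet/IPv4/TCP frames with the standard library only, and the function names, the `TCP_SERVER` record layout and the sample frames are assumptions made for illustration.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

def tcp_server_from_frame(frame):
    """Return (ip, port, mac) if frame is an IPv4 TCP SYN/ACK, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # Ethernet + IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 14:
        return None
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] != 6 or frag_offset:        # TCP, and only the first fragment
        return None
    tcp = ip[ihl:]
    if (tcp[13] & (SYN | ACK)) != (SYN | ACK):
        return None                      # not the server half of a handshake
    sport = struct.unpack("!H", tcp[0:2])[0]
    # Source MAC is the on-link sender: the server itself, or its router.
    return socket.inet_ntoa(ip[12:16]), sport, frame[6:12].hex(":")

def report(frames):
    """One CSV line per unique (ip, port) seen answering with SYN/ACK."""
    seen, lines = set(), []
    for frame in frames:
        hit = tcp_server_from_frame(frame)
        if hit and hit[:2] not in seen:
            seen.add(hit[:2])
            lines.append("TCP_SERVER,%s,%d,%s" % hit)
    return lines

def build_frame(src, dst, sport, dport, flags, mac="00:11:22:33:44:55"):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes.fromhex("020000000001" + mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    build_frame("192.0.2.10", "192.0.2.80", 40000, 80, SYN),
    build_frame("192.0.2.80", "192.0.2.10", 80, 40000, SYN | ACK),
    build_frame("192.0.2.10", "192.0.2.80", 40000, 80, ACK),
    build_frame("192.0.2.80", "192.0.2.11", 80, 40001, SYN | ACK),
    build_frame("192.0.2.25", "192.0.2.10", 22, 40002, SYN | ACK, "00:11:22:33:44:66"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Only the SYN/ACK replies produce records, and the repeated reply from 192.0.2.80:80 is reported once, which is what keeps a passive inventory small on a busy link.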
