
SANS ISC: Passer, a passive machine and service sniffer - SANS Internet Storm Center SANS ISC InfoSec Forums

Passer, a passive machine and service sniffer

Last summer I did a short post on detecting servers using tcpdump or windump, SYN/ACK packets, and a few command line tools. It was.... well, pretty rudimentary. *smile*
This spring I decided to put together a passive service sniffer - "Passer". It can report on live TCP and UDP servers and clients, Ethernet cards and manufacturers, DNS records, operating systems, and routers. If you have nmap installed, it will use nmap's service fingerprint file to get a really good guess at exactly what service is running on a port.
The output is comma separated for easy import into a database, a spreadsheet, or command line tools.
Because it's written in Python, it should be portable to almost any operating system. Because of my odd Windows XP setup I hit a snag with the underlying packet capture library (scapy) on Windows, but it should work on almost anything with Python.

Home site:


Sample output:

-- Bill Stearns


Apr 16th 2008
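
The SYN/ACK approach to passive server detection that the post mentions, as an added example that is not Passer's code and not part of the original post. The function names, the comma-separated record layout and the sample frames are assumptions constructed for illustration; Passer's own output format is not shown on this page.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

def server_from_frame(frame):
    """Return (ip, port, mac) when an Ethernet/IPv4 frame is a TCP SYN/ACK, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:        # malformed or not TCP
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:         # later fragment: no TCP header
        return None
    if len(ip) < ihl + 14:                               # truncated before the flags byte
        return None
    if (ip[ihl + 13] & (SYN | ACK)) != (SYN | ACK):      # only a listener answers SYN with SYN/ACK
        return None
    sport = struct.unpack("!H", ip[ihl:ihl + 2])[0]
    # Source MAC is the last hop: the server itself on-link, a router otherwise.
    mac = ":".join("%02x" % b for b in frame[6:12])
    return socket.inet_ntoa(ip[12:16]), sport, mac

def passive_servers(frames):
    """De-duplicated comma-separated records (field layout is this example's assumption)."""
    seen = {server_from_frame(f) for f in frames} - {None}
    return ["TCP_server,%s,%d,%s" % rec for rec in sorted(seen)]

def build_frame(mac, src, dst, sport, dport, flags):
    """Construct a minimal Ethernet+IPv4+TCP frame for the sample data (checksums left at 0)."""
    eth = bytes(6) + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    build_frame("00:00:5e:00:53:0a", "192.0.2.10", "192.0.2.20", 40000, 22, SYN),
    build_frame("00:00:5e:00:53:01", "192.0.2.20", "192.0.2.10", 22, 40000, SYN | ACK),
    build_frame("00:00:5e:00:53:01", "192.0.2.20", "192.0.2.10", 22, 40001, SYN | ACK),
    build_frame("00:00:5e:00:53:01", "192.0.2.20", "192.0.2.10", 23, 40002, 0x14),  # RST/ACK: closed
    build_frame("00:00:5e:00:53:02", "192.0.2.30", "192.0.2.10", 443, 40003, SYN | ACK),
]

if __name__ == "__main__":
    print("\n".join(passive_servers(SAMPLE)))
```

The client SYN and the RST/ACK from the closed port produce no record, and the repeated SYN/ACK from port 22 is reported once.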
