# Analyzing HTTP Traffic

A PCAP "HTTP_Traffic.pcap" is present in the current working directory. Write code snippets to read/process the PCAP and perform the given tasks.

**PyShark** and **Scapy** are installed on the machine.



### Hunting Tasks

**Task 1:**  How many HTTP packets contain the "password" string?

In [1]:
```python
import pyshark

count = 0

# Count only packets whose HTTP layer contains the literal string "password"
capture = pyshark.FileCapture('HTTP_traffic.pcap', display_filter='http contains "password"')

for packet in capture:
    count += 1

capture.close()
print(count)
```

4


**Task 2:**  Which IP address sent GET requests for New York Times (www.nytimes.com)?

In [2]:
```python
import pyshark

ip_list = []

capture = pyshark.FileCapture('HTTP_traffic.pcap',
                              display_filter='http.request.method == "GET" && http.host == "www.nytimes.com"')

for packet in capture:
    # Note: ip.dst of a request is the server that received the GET;
    # the client that sent the request is packet.ip.src.
    if packet.ip.dst not in ip_list:
        ip_list.append(packet.ip.dst)

capture.close()
print(ip_list)
```

['170.149.159.130']


**Task 3:**  What is the session ID being used by 192.168.252.128 for Amazon India store (amazon.in)?

In [3]:
```python
import pyshark

capture = pyshark.FileCapture('HTTP_traffic.pcap',
                              display_filter='http.host contains "amazon.in" && ip.src == 192.168.252.128')

for packet in capture:
    # Print the Cookie header of the first matching request; the session-id is one of its cookies
    if hasattr(packet.http, 'cookie'):
        print(packet.http.cookie)
        break

capture.close()
```

x-wl-uid=1YUrrvyo2aOwaC2tX1u3CL5JwhNCwEZhfsOUf8932b9zxC9BkYOYTKpVuh02IxmGM3Gs2/XgdUCA=; session-id-time=2082758401l; session-id=278-7381968-4337153; csm-hit=0JAE5VRXPMH77731K1TX+s-0JAE5VRXPMH77731K1TX|1466408308416; visitCount=2; ubid-acbin=280-4213374-9863463; lc-acbin=en_IN; session-token=4pTTa7bIe2i6bm7hJhGt4Jp7Mr2r5jgqscUc9YZTkXxjaaP+H+ezTpZLgyH8KjFSbiwETGfn0kOVzX5WUyryAQphMTcttvLjvBRVEBmw0UkKdZhVIoiDIT1EdQPUzTnfJDAQCKzdVpEGdKxlOlU+rQw+L2ZCE5eMBIZ2ip7xXq3PMsOCq+k2RSZ+4wh50U4EawgJPj7CaidkmVdFLbn0WrJKQw1f9hnd82LtRSDccz8FXsH8ksdKEQ==


**Task 4:**  What type of OS is the machine at IP address 192.168.252.128 using (i.e. Windows/Linux/MacOS/Solaris/Unix/BSD)? Bonus: Can you also guess the distribution/flavor?

In [4]:
```python
import pyshark

# Only HTTP requests carry a User-Agent header, so restrict to http.request
capture = pyshark.FileCapture('HTTP_traffic.pcap',
                              display_filter='ip.src == 192.168.252.128 && http.request')

for packet in capture:
    # The platform token of the User-Agent reveals the OS (and here the Debian-based Iceweasel build)
    if hasattr(packet.http, 'user_agent'):
        print(packet.http.user_agent)
        break

capture.close()
```

Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0


### Gathering Tasks

**Task 1:**  Create a unique list of websites visited from IP 192.168.252.128.

In [5]:
```python
import pyshark

url_list = []

capture = pyshark.FileCapture('HTTP_traffic.pcap',
                              display_filter='ip.src == 192.168.252.128 && http.request.method == "GET"')

for packet in capture:
    host_name = packet.http.host
    # Keep only the last two labels of the host name. This collapses
    # hosts under two-label public suffixes (google.co.in, bbc.co.uk)
    # to 'co.in' / 'co.uk'; see those entries in the output below.
    host_name = ".".join(host_name.split('.')[-2:])
    if host_name not in url_list:
        url_list.append(host_name)

capture.close()
print(url_list)
```

['amazon.in', 'images-amazon.com', 'amazon-adsystem.com', 'doubleclick.net', 'google.com', 'co.in', 'nytimes.com', 'googletagservices.com', 'optimizely.com', 'googleadservices.com', 'googlesyndication.com', 'cloudfront.net', 'moatads.com', 'facebook.net', 'imrworldwide.com', 'dynamicyield.com', 'amazonaws.com', 'chartbeat.net', 'scorecardresearch.com', 'media.net', 'keywee.co', 'newrelic.com', 'brealtime.com', 'adnxs.com', 'nr-data.net', 'securitytube.net', 'getclicky.com', 'statcounter.com', 'adbutler-tachyon.com', 'alexa.com', 'googleapis.com', 'gstatic.com', 'googletagmanager.com', 'bootstrapcdn.com', 'bizographics.com', 'webbyawards.com', 'tumblr.com', 'bbc.com', 'chartbeat.com', 'co.uk', 'facebook.com', 'twitter.com', 'cnn.com', 'turner.com', 'awe.sm', 'postrelease.com', 'rubiconproject.com', 'ugdturner.com', 'krxd.net', 'visualrevenue.com', 'go-mpulse.net', 'quantserve.com', 'outbrain.com', 'truste.com', 'usabilla.com', 'livefyre.com', 'gigya.com', 'budgetedbauer.com', 'zqtk.net']
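A single-pass alternative to the per-task filters of Hunting Tasks 3 and 4 and Gathering Task 1, added here as an example (not code from the original notebook): it parses raw HTTP request payloads as Scapy's Raw layer would deliver them, pulls out Host, User-Agent and the session-id cookie, and reduces each host to its site while keeping co.in / co.uk style suffixes whole, which the last-two-labels split above does not. The sample requests and the small public-suffix set are constructed assumptions.

```python
# Constructed raw HTTP requests (what Scapy's Raw layer exposes); not from HTTP_Traffic.pcap.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.amazon.in\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0\r\n"
    b"Cookie: x-wl-uid=EXAMPLE; session-id=111-2222222-3333333; lc-acbin=en_IN\r\n\r\n",
    b"GET /news HTTP/1.1\r\nHost: www.google.co.in\r\nUser-Agent: curl/7.47.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.bbc.co.uk\r\nContent-Length: 17\r\n\r\nuser=a&password=b",
    b"GET /a.js HTTP/1.1\r\nHost: static.nytimes.com\r\n\r\n",
]
MULTI_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}  # tiny subset of the Public Suffix List (assumption)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def cookie_value(cookie_header, name):
    """Return one cookie's value from a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def registrable_domain(host):
    """Reduce a hostname to its site, keeping co.in / co.uk style suffixes whole."""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def summarize(requests):
    """Unique sites fetched with GET, user agents seen, and session-id per host."""
    sites, agents, sessions = [], set(), {}
    for raw in requests:
        method, _, hdrs, _ = parse_request(raw)
        site = registrable_domain(hdrs.get("host", ""))
        if method == "GET" and site not in sites:
            sites.append(site)
        if "user-agent" in hdrs:
            agents.add(hdrs["user-agent"])
        sid = cookie_value(hdrs.get("cookie", ""), "session-id")
        if sid:
            sessions[hdrs["host"]] = sid
    return sites, agents, sessions
```

With Scapy, the same payloads come from `pkt[Raw].load` on TCP segments to port 80 whose load starts with a request method.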

**Task 2:**  Create a unique list of the DNS servers that were used for DNS resolutions.

In [1]:
```python
import pyshark

unique_list = []

# DNS responses come from the resolvers, so their source IPs are the DNS servers used
capture = pyshark.FileCapture('HTTP_traffic.pcap', display_filter='dns.flags.response == 1')

for packet in capture:
    if packet.ip.src not in unique_list:
        unique_list.append(packet.ip.src)

capture.close()
print(unique_list)
```

['192.168.252.2']
