FATT /fingerprintAllTheThings - a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic
License: BSD 3-Clause "New" or "Revised" License
ssl renamed to tls from tshark/wireshark v2.9.0
wireshark/wireshark@cd95e19
─$ tshark -v
TShark (Wireshark) 3.0.0 (v3.0.0-0-g937e33de)
─$ python3 fatt.py -i en0 --print_output --json_logging
172.21.155.141:64655 -> 10.110.151.5:443 [TLS] ja3=e70e3fa3254bc795d1d96f17ec5dfb16
10.110.151.5:443 -> 172.21.155.141:64655 [TLS] ja3s=f4febc55ea12b31ae17cfb7e614afda8
Traceback (most recent call last):
File "fatt.py", line 974, in
main()
File "fatt.py", line 968, in main
cap.apply_on_packets(pp.process)
File "/Users/test/.local/share/virtualenvs/fatt-KOlk9kGi/lib/python3.7/site-packages/pyshark/capture/capture.py", line 248, in apply_on_packets
return self.eventloop.run_until_complete(coro)
File "/opt/homebrew/Cellar/python37/3.7.3_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
return future.result()
File "/Users/test/.local/share/virtualenvs/fatt-KOlk9kGi/lib/python3.7/site-packages/pyshark/capture/capture.py", line 259, in packets_from_tshark
await self._go_through_packets_from_fd(tshark_process.stdout, packet_callback, packet_count=packet_count)
File "/Users/test/.local/share/virtualenvs/fatt-KOlk9kGi/lib/python3.7/site-packages/pyshark/capture/capture.py", line 285, in _go_through_packets_from_fd
packet_callback(packet)
File "fatt.py", line 144, in process
record = self.client_ja3(packet)
File "fatt.py", line 475, in client_ja3
"sourceIp": packet.ip.src,
File "/Users/test/.local/share/virtualenvs/fatt-KOlk9kGi/lib/python3.7/site-packages/pyshark/packet/packet.py", line 117, in getattr
raise AttributeError("No attribute named %s" % item)
AttributeError: No attribute named ip
python3 fatt.py -i eth0 --print_output --json_logging
config:
With quic enabled I am getting the following error, strangely it only happens within a VM environment, not on a physical device:
Traceback (most recent call last):
File "fatt.py", line 974, in <module>
main()
File "fatt.py", line 968, in main
cap.apply_on_packets(pp.process)
File "/usr/lib/python3.8/site-packages/pyshark/capture/capture.py", line 248, in apply_on_packets
return self.eventloop.run_until_complete(coro)
File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
return future.result()
File "/usr/lib/python3.8/site-packages/pyshark/capture/capture.py", line 259, in packets_from_tshark
await self._go_through_packets_from_fd(tshark_process.stdout, packet_callback, packet_count=packet_count)
File "/usr/lib/python3.8/site-packages/pyshark/capture/capture.py", line 285, in _go_through_packets_from_fd
packet_callback(packet)
File "fatt.py", line 283, in process
if 'tag' in packet.gquic.field_names:
File "/usr/lib/python3.8/site-packages/pyshark/packet/packet.py", line 117, in __getattr__
raise AttributeError("No attribute named %s" % item)
AttributeError: No attribute named gquic
The following log entry is associated with the error:
{"timestamp": "2021-05-30T13:42:14.236588", "sourceIp": "1.2.3.4", "destinationIp": "172.20.254.143", "sourcePort": "443", "destinationPort": "34076", "protocol": "tls", "tls": {"ja3s": "ad79b260268c688aca351dae7229c877", "ja3sAlgorithms": "771,49200,65281-11-23-16", "ja3sVersion": "771", "ja3sCiphers": "49200", "ja3sExtensions": "65281-11-23-16"}}
Please let me know if I can be of further assistance.
Possible values for encryptionMethods are 0x00000001, 0x00000002, 0x00000008 and 0x00000010. FATT doesn't extract the right values.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6b58e11e-a32b-4903-b736-339f3cfe46ec
Running with an old tshark version and no json loggning:
(fatt-MY6RzNOM) # python3 fatt.py -i eth0 -p
(fatt-MY6RzNOM) #
Running with -j and -p:
# python3 fatt.py -i eth0 -p -j
Traceback (most recent call last):
File "fatt.py", line 974, in <module>
main()
File "fatt.py", line 968, in main
cap.apply_on_packets(pp.process)
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 248, in apply_on_packets
return self.eventloop.run_until_complete(coro)
File "/usr/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
return future.result()
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 264, in packets_from_tshark
await self._close_async()
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 407, in _close_async
await self._cleanup_subprocess(process)
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 400, in _cleanup_subprocess
% process.returncode)
pyshark.capture.capture.TSharkCrashException: TShark seems to have crashed (retcode: 1). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshark.
Exception ignored in: <function Capture.__del__ at 0x7f41763f7378>
Traceback (most recent call last):
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 412, in __del__
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 403, in close
File "/usr/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 407, in _close_async
File "/root/.local/share/virtualenvs/fatt-MY6RzNOM/lib/python3.7/site-packages/pyshark/capture/capture.py", line 400, in _cleanup_subprocess
pyshark.capture.capture.TSharkCrashException: TShark seems to have crashed (retcode: 1). Try rerunning in debug mode [ capture_obj.set_debug() ] or try updating tshark.
(fatt-MY6RzNOM)
#
When i'm enabling debug in capture.py:
(fatt-MY6RzNOM) # python3 fatt.py -i eth0 -p --json_logging
Capturing on 'eth0'
File: -
Running as user "root" and group "root". This could be dangerous.
tshark: Unknown protocol -- "tls"
tshark: Valid protocols for layer type "tcp.port" are:
..8<..
How can this script be used for extracting fingerprints for traffic similar to one shown in image, i tried by command in example but does'nt work
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.