Python TLS handshake sniffer to extract domain names

Project description

PyTLSSniff

PyTLSSniff - Python TLS handshake sniffer to extract domain names

Getting Started

Prerequisites for installation

This project uses the Python wrapper for tshark (pyshark). It is therefore necessary to install tshark before using PyTLSSniff.

Debian / Ubuntu / Mint

sudo apt install tshark

Install PyTLSSniff

pip3 install PyTLSSniff

Visit PyTLSSniff on PyPI: https://pypi.org/project/PyTLSSniff

Usage

Command line parameters

pytlssniff [-h] [-d] [-s] [-a] [-c] [-i INTERFACE] [-r INPUT_FILE]
                  [-p PACKET_COUNT] [-b BPF_FILTER] [-Y DISPLAY_FILTER]

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           enable debug mode
  -s, --sni             sniff SNI values from TLS handshakes
  -a, --san             sniff domains from certificate SAN section
  -c, --cn              sniff Common Name from certificate CN section
  -i INTERFACE, --interface INTERFACE
                        name or idx of interface (default: any)
  -r INPUT_FILE, --input-file INPUT_FILE
                        set the filename to read from (- to read from stdin)
  -p PACKET_COUNT, --packet-count PACKET_COUNT
                        stop after n packets (def: infinite)
  -b BPF_FILTER, --bpf-filter BPF_FILTER
                        packet filter in Berkeley Packet Filter (BPF) syntax
                        (for live trace only)
  -Y DISPLAY_FILTER, --display-filter DISPLAY_FILTER
                        packet display filter in Wireshark display filter

Live trace example with Berkeley Packet Filter (BPF)

$ pytlssniff -s -i eth0 -p 5 -b "ip host 10.8.3.35"
client_hello(1) IPv4    10.8.3.35:60588 88.99.24.79:443         biot.com
client_hello(1) IPv4    10.8.3.35:53412 91.198.174.194:443      wikipedia.com
client_hello(1) IPv4    10.8.3.35:58990 91.198.174.192:443      www.wikipedia.org
client_hello(1) IPv4    10.8.3.35:55302 140.82.118.3:443        github.com
client_hello(1) IPv4    10.8.3.35:48082 185.199.110.154:443     github.githubassets.com

File trace example with Wireshark display filter

$ pytlssniff -s -r "~/example/trace.pcap" -Y "ip.addr == 10.8.3.35"
client_hello(1) IPv4    10.8.3.35:56670 91.198.174.192:443      www.wikipedia.org
client_hello(1) IPv4    10.8.3.35:52000 91.198.174.208:443      upload.wikimedia.org
client_hello(1) IPv4    10.8.3.35:56674 91.198.174.192:443      de.wikipedia.org
client_hello(1) IPv4    10.8.3.35:52984 140.82.118.3:443        github.com
client_hello(1) IPv4    10.8.3.35:51770 151.101.12.133:443      avatars0.githubusercontent.com
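As an added example (not PyTLSSniff's own code, which delegates the decoding to tshark via pyshark), here is a minimal pure-Python parser that pulls the SNI host_name out of a raw TLS ClientHello record, the value the -s mode prints; the ClientHello bytes are constructed inline as sample input, not captured traffic.

```python
# Added example, not part of PyTLSSniff: extract the SNI from a raw TLS ClientHello.
import struct

SNI_EXTENSION = 0x0000   # extension type "server_name" (RFC 6066)

def build_client_hello(hostname: str) -> bytes:
    """Build a constructed TLS 1.2 ClientHello record carrying one SNI entry.
    Sample input only; the random and cipher suite are placeholders."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry     # server_name_list
    extensions = struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x11" * 32          # client_version, 32-byte random
            + b"\x00"                            # empty session id
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                              # record+handshake headers, version, random
        pos += 1 + record[pos]                        # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                        # compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:                     # walk extensions: type(2) len(2) data
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXTENSION:
                entries = record[pos + 2:pos + ext_len]   # skip list length, keep entries
                i = 0
                while i + 3 <= len(entries):          # entry: name_type(1) len(2) name
                    name_type = entries[i]
                    name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
                    if name_type == 0:
                        return entries[i + 3:i + 3 + name_len].decode("ascii", "replace")
                    i += 3 + name_len
                return None
            pos += ext_len
        return None
    except (IndexError, struct.error):                # truncated or malformed record
        return None
```

The same passive visibility applies to the SAN and CN modes only for TLS 1.2 and earlier, since TLS 1.3 encrypts the server certificate; Encrypted Client Hello likewise removes the SNI from the sniffer's view.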


Source Distribution

PyTLSSniff-0.1.3.tar.gz (6.0 kB)

File details

Details for the file PyTLSSniff-0.1.3.tar.gz.

File metadata

  • Download URL: PyTLSSniff-0.1.3.tar.gz
  • Size: 6.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.1.3 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.6.10

File hashes

Hashes for PyTLSSniff-0.1.3.tar.gz
Algorithm Hash digest
SHA256 7e23a6df0ada610366ad928ef41858ac3490b0521f889cce4d51ef81f54ced1c
MD5 4b33f484dc3ec8540952b41a15609ea6
BLAKE2b-256 fab06f2fbd2ff75fbfe131422b6f11716cb84ef3adcc853248f65ed82fdf42ba
