from scapy.all import *
# Path to the saved capture under review; sniff(offline=...) replays a pcap
# file instead of listening on a live interface, so this runs anywhere.
sample_smtp = "data/smtp.pcap"
packets = sniff(offline=sample_smtp)
# One numbered summary line per packet; the indices printed here are the
# ones used below (packets[11], [12], [13]).
packets.nsummary()
# Display packet 11 in full (notebook echoes the expression's value).
packets[11]
# The application payload lives in scapy's Raw layer; getlayer returns None
# if the packet has no Raw layer.
raw = packets[11].getlayer(Raw)
# Echo the Raw layer to see its 'load' field.
raw
# Take the first whitespace-delimited token of the payload; the rest of the
# line is not needed for decoding.
payload = raw.fields.get('load')
load = payload.split()[0]
# Echo the token; it should look like base64 (A-Z, a-z, 0-9, +, /, trailing =).
load
import base64
# Decode the token; b64decode raises binascii.Error on malformed input.
base64.b64decode(load)
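# Next packet in the exchange: display it, then pull the second
# space-delimited token of its payload, which is the base64 part (the first
# token is presumably the command word — verify against the display).
packets[12]
raw = packets[12].getlayer(Raw)
load = raw.fields.get('load')
# Split on a bytes separator so this works whether scapy hands back str
# (Python 2) or bytes (Python 3); print() is valid on both.
some_encoded_string = load.split(b' ')[1]
print(some_encoded_string)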
# Decode just the base64 token, not the whole payload line.
base64.b64decode(some_encoded_string) # only need the encoded part
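# Same extraction for packet 13: first whitespace-delimited token of the
# payload. print() is used so the cell runs on Python 2 and 3 alike.
raw = packets[13].getlayer(Raw)
load = raw.fields.get('load').split()[0]
print(load)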
# Decoding exposes the credential in cleartext: base64 is a reversible
# encoding, not encryption, so anything sent this way over an unencrypted
# session is readable by whoever holds the capture.
base64.b64decode(load) # what could this be?!?
# ^^ a password! (base64 is reversible encoding, not encryption — the credential went over the wire in the clear)
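def filter_packet_by_string(pkt, string):
    """Print the IP endpoints and payload of *pkt* if its Raw payload contains *string*.

    Args:
        pkt: a scapy packet (needs ``haslayer``, ``getlayer`` and ``sprintf``).
        string: substring to search for. If the payload is ``bytes`` and
            *string* is text, *string* is UTF-8 encoded before the search so
            the comparison works on Python 3 as well as Python 2.

    Returns:
        None. Matching packets are reported on stdout; the IP line is only
        printed when the packet has an IP layer (scapy's ``{IP:...}`` form).
    """
    if not pkt.haslayer(Raw):
        return
    raw_load = pkt.getlayer(Raw).fields.get('load')
    if raw_load is None:
        # Raw layer present but no load set: nothing to search.
        return
    needle = string
    if isinstance(raw_load, bytes) and not isinstance(string, bytes):
        needle = string.encode()
    if needle in raw_load:
        print(pkt.sprintf("\n**QUERY FOUND:**\nFrom {IP:%IP.src% -> %IP.dst%\n}"))
        print(raw_load)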
# Report every packet whose payload mentions an attachment.
for packet in packets:
    filter_packet_by_string(packet, 'attachment')