{"id":13542566,"url":"https://github.com/activecm/passer","last_synced_at":"2025-04-09T17:24:10.917Z","repository":{"id":33255492,"uuid":"156663620","full_name":"activecm/passer","owner":"activecm","description":"Passive service locator, a python sniffer that identifies servers, clients, names and much more","archived":false,"fork":false,"pushed_at":"2023-02-16T04:35:14.000Z","size":389,"stargazers_count":249,"open_issues_count":2,"forks_count":51,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-02T10:44:24.931Z","etag":null,"topics":["capturing-packets","dns","docker-command","gplv3","hacktoberfest","linux","macosx","network-monitoring","packet-analyzer","packet-sniffer","packets","passer","pcap","pcap-analyzer","python","python-2","scapy","security","sniffer"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/activecm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-11-08T06:56:50.000Z","updated_at":"2025-03-22T10:43:33.000Z","dependencies_parsed_at":"2023-10-20T16:19:21.677Z","dependency_job_id":null,"html_url":"https://github.com/activecm/passer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2Fpasser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2Fpasser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2Fpasser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/active
cm%2Fpasser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/activecm","download_url":"https://codeload.github.com/activecm/passer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248075552,"owners_count":21043613,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capturing-packets","dns","docker-command","gplv3","hacktoberfest","linux","macosx","network-monitoring","packet-analyzer","packet-sniffer","packets","passer","pcap","pcap-analyzer","python","python-2","scapy","security","sniffer"],"created_at":"2024-08-01T10:01:10.920Z","updated_at":"2025-04-09T17:24:10.889Z","avatar_url":"https://github.com/activecm.png","language":"Python","readme":"# passer\nPassive service locator, a python sniffer that identifies servers, clients, names and much more\n\n## Introduction\n\nQuick notes for getting going with passer, the passive service\nsniffer.  You're responsible for getting permission to sniff.\n\nPasser can work off a live packet capture or from a pcap file\n(command line parameter, see examples below).  
It reports live services\nand clients, ethernet cards on the lan, dns entries, operating systems,\nand routers - all passively!\n\nIf you're using windows or your paths to the support files don't\nmatch mine for some other reason, let me know where they are and I'll be\nglad to update the script.\n\n## Installation\n\n### Requirements\n- Python \u003e=2.4 and \u003c3.0\n- Python libraries (see [requirements.txt](/requirements.txt))\n  - ipaddress\n  - pytz\n  - scapy\u003e=2.4.0\n\n### Optional (but recommended)\n- nmap\n\t- for Ethernet manufacturers and service strings\n- ettercap, wireshark, and/or arp-scan\n\t- for more Ethernet manufacturers\n- p0f version 2\n\t- for the OS fingerprint file\n\n### Ubuntu/Debian and deb-based distros\n```bash\n# Install system dependencies\nsudo apt-get install arp-scan ettercap-text-only nmap wireshark \n# Install python dependencies\nsudo pip install -r requirements.txt\n# Prevent Scapy from performing DNS lookups\necho 'noenum = [ Resolve(), TCP_SERVICES, UDP_SERVICES ]' \u003e\u003e ~/.scapy_startup.py\n```\n\n### Redhat/CentOS/Fedora and rpm-based distros\n```bash\n# Install system dependencies\nsudo yum install arp-scan ettercap nmap wireshark\n# Install python dependencies\nsudo pip install -r requirements.txt\n# Prevent Scapy from performing DNS lookups\necho 'noenum = [ Resolve(), TCP_SERVICES, UDP_SERVICES ]' \u003e\u003e ~/.scapy_startup.py\n```\n\n### Windows (incomplete)\n\nTo install scapy, see the [installation guide](https://scapy.readthedocs.io/en/latest/installation.html#windows).\n\n### Docker\n\nPasser also comes packaged as a Docker image. 
If you don't already have Docker here is a quick and dirty way to install it on Linux:\n\n```bash\ncurl -fsSL https://get.docker.com | sh -\n```\n\nOtherwise, follow the [install instructions](https://docs.docker.com/get-docker/) for your operating system.\n\nFor most uses, we recommend the [`passer`](https://github.com/activecm/passer/blob/master/passer) script included in this repo. This script will handle all docker-specific\n\n```bash\nwget https://raw.githubusercontent.com/activecm/passer/master/passer\nchmod +x passer\n```\n\nYou can then use this script just as you would in any of the examples below. For example:\n\n```bash\n./passer -i eth0\n# The equivalent without using the included script would be:\ndocker run --rm --name=passer -i --init --net=host --cap-add=net_raw activecm/passer -i eth0\n```\n\nIn order to stop passer run:\n\n```bash\ndocker stop passer\n```\n\n\n## Examples\n\n### Sniff live as root\n\n```bash\n/path/to/passer.py\n```\n\nThis sniffs from all network interfaces and sends all output\nlines to your console.\n\n### Sniff live as a non-root user\n\n```bash\nsudo /path/to/passer.py\n```\nor\n```bash\nsu - -c '/path/to/passer.py'\n```\n\n### Sniff live as root, but only from one interface\n\n```bash\n/path/to/passer.py -i IfaceName\n```\nRunning `route` should give some live interfaces you might use. 
\n\u003e :grey_exclamation: `-i` is incompatible with `-r`.\n\n### Read packets from a pcap file; no root privileges needed\n\n```bash\n/path/to/passer.py -r /path/to/packets.pcap\n```\n\n\u003e :grey_exclamation: `-r` is incompatible with `-i`.\n\n### Accept raw pcap data on stdin\n\n```bash\ncat packetdata.pcap | ./passer.py -r /proc/self/fd/0\nzcat packetdata.pcap.gz | ./passer.py -r /proc/self/fd/0\nbzcat packetdata.pcap.bz2 | ./passer.py -r /proc/self/fd/0\ntcpdump -i eth0 -qtnp -w - | ./passer.py -r /proc/self/fd/0\n# etc...\n```\n\nThis lets you capture packets with any tool that can save\npackets to a pcap file, and later process them with passer on a\ndifferent system.\n\n### Save output lines to a text file for later processing\n\n```bash\n/path/to/passer.py -l /path/to/networkinfo.txt\n```\n\n### Suppress warnings and other debugging info\n\n```bash\n/path/to/passer.py 2\u003e/dev/null\n```\n\n### Show help screen\n\n```bash\n/path/to/passer.py -h\n```\n\n### Save \"odd\"/unhandled packets to a pcap file\n\n```bash\n/path/to/passer.py -u /path/to/oddpackets.pcap\n```\n\nThis is generally intended for the development process; packets\nsaved to this file are ones that need to have signatures written.  If\nyou'd like to help improve the program, get in touch with the author,\nBill Stearns (william.l.stearns@gmail.com).  Contributions of odd packets,\ndescriptions of services, and patches to the program are gratefully\naccepted.\n\n### Apply a BPF filter to limit which packets are processed\n\nThis _should_ be as simple as placing the BPF filter in single\nquotes at the end of the command line.  As of version 1.16, the\nunderlying library does not appear to successfully use the supplied\nfilter, but there's a workaround.  
Use tcpdump to do the filtering, and\nhand the pared-down set of packets to passer on stdin, like above:\n\n```bash\ntcpdump -r packets.pcap -w - 'icmp or arp' | ./passer.py -r /proc/self/fd/0\n```\n\nSee the \"Sample filters\" section, below, for some suggestions of\nfilters to use in either capturing packets in advance or live sniffing.\n\n## Troubleshooting\n\n```\nsocket.error: (1, 'Operation not permitted')\n```\nYou're probably trying to sniff live as a non-root user.  Either\nlog in as root, use sudo/su, or work with pcap files.\n\nIf passer crashes or won't work on your system, send me an email\n(Bill Stearns, william.l.stearns@gmail.com).  It would be very helpful if you\ncould include the error message, if any, and any details about your\noperating system.\n\n### Output format\n\nPasser's output goes to stdout, and if you give the command line\nparameter `-l /path/to/logfile`, to that file as well.  Here's the format:\n\nType | IPAddr | Proto        | State               | Optional description (may be empty)\n-----|--------|--------------|---------------------|--------------------\n'IP' | IPaddr | 'IP'         | dead or live        | p0f OS description\n'MA' | IPaddr | 'Ethernet'   | MacAddr             | ManufDescription\n'TC' | IPaddr | 'TCP_'Port   | closed or open      | client description\n'TS' | IPaddr | 'TCP_'Port   | closed or listening | server description\n'UC' | IPaddr | 'UDP_'Port   | open or closed      | udp client port description\n'US' | IPaddr | 'UDP_'Port   | open or closed      | udp server port description\n'DN' | IPaddr | 'A' or 'PTR' | hostname            | possible extra info\n'RO' | IPaddr | 'TTLEx'      | router              | possible extra info\n\n- Column 1: A 2 letter code for the record type\n- Column 2: The IP address being characterized.\n- Column 3: The protocol involved, or \"how do we know this?\"\n- Column 4: the state of the object being described\n- Column 5: additional information about the object\n\nLines are comma 
separated for easy loading into a spreadsheet or\nSQL import.  None of the fields should contain commas.  There is a\nsample output file at http://www.stearns.org/passer/passer-sample-log.txt .\n\nHere are some examples of how to get the data you want out of\nthese lines:\n\n1) Remove duplicate lines:\n```bash\ncat /var/tmp/passer-log | sort -u | less\n```\n\n2) Remove duplicate lines and group all records for a given IP together:\n```bash\ncat /var/tmp/passer-log | sort -t, -k2 -u | less\n```\n\n3) Grab just the DNS and Router records:\n```bash\ncat /var/tmp/passer-log | sort -u | egrep '(^DN|^RO)' | less\n```\n\n4) See all records for a particular IP address:\n```bash\ncat /var/tmp/passer-log | sort -u | grep ',192\\.168\\.0\\.17,' | less\n```\n\n5) See all records for a particular network:\n```bash\ncat /var/tmp/passer-log | sort -u | grep ',192\\.168\\.' | less\n```\n\n6) See all machines that are listening on TCP port 25 (smtp servers):\n```bash\ncat /var/tmp/passer-log | sort -u | grep ',TCP_25,listening,' | less\n```\n\n7) Don't display closed ports:\n```bash\ncat /var/tmp/passer-log | sort -u | grep -v ',closed,' | less\n```\n\n8) _Only_ display closed ports:\n```bash\ncat /var/tmp/passer-log | sort -u | grep ',closed,' | less\n```\n\n9) Show all DNS records in the \"google.com\" domain:\n```bash\ncat /var/tmp/passer-log | sort -u | grep -i 'google\\.com\\.,' | less\n```\n\n10) Grab all the DNS address records and create a hosts-like file:\n```bash\n/path/to/make-hosts /var/tmp/passer-log | /path/to/mergehosts.pl \u003e/var/tmp/passer-hosts\n```\n\"make-hosts\" and merge-hosts are separate shell and perl scripts\nat http://www.stearns.org/passer/make-hosts .\n\nThis is just a start!  Send in your favourite ways to extract\nitems of interest and I'll add them and give you credit.\n\n## BPF filters\n\nThe individual record types need certain types of packets to\ngive them their raw data.  
If you want to include or exclude these, use\nthe accompanying filter.\n\n  `'IP',\tIPaddr,\t'IP',\t\tdead or live,\t\tp0f OS description`\n\nThis needs TCP SYN packets:\n```\n'tcp[13] \u0026 0x12 = 0x02'\n```\n\n  `'MA',\tIPaddr, 'Ethernet',\tMacAddr,\t\tManufDescription`\n\nThese come from arp replies(*1):\n```\n'arp'\n```\n\n  `'TC',\tIPaddr,\t'TCP_'Port,\tclosed or open,\t\tclient description`\n\nThese need TCP SYN/ACK's, FIN's and RST's(*2):\n```\n'tcp[13] \u0026 0x07 != 0'\n```\n\n  `'TS',\tIPaddr,\t'TCP_'Port,\tclosed or listening,\tserver description`\n\nWe need TCP SYN's, SYN/ACK's, and RST's to see if the port is\nopen or closed:\n```\n'tcp[13] \u0026 0x06 != 0'\n```\nTo come up with a server description string, we also need to see\nthe ACK packets that make up the bulk of the traffic on the wire:\n```\n'tcp[13] \u0026 0x17 = 0x10'\n```\nIf you want both, just grab all TCP traffic:\n```\n'tcp'\n```\n\n  `'UC',\tIPaddr,\t'UDP_'Port,\topen or closed,\t\tudp client port description`\n\nEasiest to just hand it all udp ports and ICMP port unreachables:\n```\n'udp or icmp[0:2] = 0x0303'\n```\n\n  `'US',\tIPaddr,\t'UDP_'Port,\topen or closed,\t\tudp server port description`\n\nSame as above:\n```\n'udp or icmp[0:2] = 0x0303'\n```\n\n  `'DN',\tIPaddr,\tA,AAAA,PTR,CNAME hostname,\t\tpossible extra info`\n\nUDP or TCP port 53 (*3):\n```\n'udp src port 53 or tcp src port 53'\n```\n\n  `'RO',\tIPaddr,\t'TTLEx',\trouter,\t\t\tpossible extra info`\n\nWe identify routers because they're sending\nTime-To-Live-Exceeded or unreachable messages:\n```\n'icmp[0:2] = 0x0B00 or icmp[0] = 0x03'\n```\n\n*1 This grabs arp requests too, but these are ignored.\n\n*2 The filter technically includes SYNs as well, but that's a small\namount of extra data\n\n*3 As of version 1.16, only _UDP_ port 53 answers are extracted.\n\n### Sample BPF filters\n\n1) To drastically reduce the number of packets to be parsed, losing only\nthe tcp server description strings, don't process ACK-only 
packets:\n```\n'not(tcp[13] \u0026 0x17 = 0x10)'\n```\nThis chops out 90+% of the number and volume of packets to be\nhandled, letting passer keep up with moderate bandwidth links.\n\n\n2) If you're not interested in DNS servers:\n```\n'not udp src port 53'\n```\nThere's quite a bit of work to extract dns records; this may\nalso be a good one to turn off if you're trying to keep up with a fast\nlink.\n\n\n3) If you want to focus on packets to or from a particular machine or\nnetwork:\n```\n'host 1.2.3.4'\n'net 1.2'\n```\n\n## More info\n\nQuestions?  Bug reports?  Issues?  Try william.l.stearns@gmail.com and\nplease include \"passer\" somewhere in the subject line.\n\n* Home site:\n  * http://www.stearns.org/passer/\n* Github repository:\n  * https://github.com/activecm/passer\n","funding_links":[],"categories":["Python","\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003eTools","security"],"sub_categories":["\u003ca id=\"32739127f0c38d61b14448c66a797098\"\u003e\u003c/a\u003eSniffing\u0026\u0026Sniff"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factivecm%2Fpasser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Factivecm%2Fpasser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factivecm%2Fpasser/lists"}
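The "Output format" section of the README embedded above describes passer's log as five comma-separated columns (record type, IP, protocol, state, optional description) and then answers questions about it with sort/grep pipelines. The following is an added example, written in Python 3 for this page and not passer's own code, that parses that format into records and implements the same questions (dedupe, group by IP, machines listening on a TCP port, records in a network, DNS names in a domain, a hosts-style file) as functions. The lines in `SAMPLE_LOG`, including their service descriptions, are constructed for the example rather than taken from a real passer run.

```python
"""Parse passer's comma-separated output and query it in code.

Added example (Python 3), not passer's own code.  The column layout and the
record types follow the README's output-format table; SAMPLE_LOG below is
constructed for this example and is not real passer output.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Record(NamedTuple):
    rtype: str   # two-letter record type: IP, MA, TC, TS, UC, US, DN, RO
    ip: str      # the IP address being characterized
    proto: str   # protocol / "how do we know this?" (IP, Ethernet, TCP_25, A, TTLEx, ...)
    state: str   # state of the object (live, listening, closed, a hostname, router, ...)
    desc: str    # optional description; may be empty


# Record types documented in the README's output-format table.
KNOWN_TYPES = {"IP", "MA", "TC", "TS", "UC", "US", "DN", "RO"}

# Constructed sample log (assumed addresses, names and descriptions).  The
# last line repeats an earlier one so the dedupe step has something to do.
SAMPLE_LOG = """\
IP,192.168.0.17,IP,live,Linux 2.6.x
MA,192.168.0.17,Ethernet,00:11:22:33:44:55,ExampleCo
TS,192.168.0.17,TCP_25,listening,smtp/server
TS,192.168.0.17,TCP_80,listening,http/server
TC,192.168.0.40,TCP_25,open,smtp/client
TS,192.168.0.40,TCP_22,closed,
US,192.168.0.17,UDP_53,open,dns/server
DN,192.168.0.17,A,mail.example.com.,
DN,192.168.0.17,PTR,mail.example.com.,
DN,172.217.1.1,A,www.google.com.,
RO,192.168.0.1,TTLEx,router,
TS,192.168.0.17,TCP_25,listening,smtp/server
"""


def parse_passer_log(text: str) -> List[Record]:
    """Parse log text into Records, dropping exact duplicates (the README's
    `sort -u` step) while keeping first-seen order."""
    seen: Set[Record] = set()
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on at most four commas: the README says no field should
        # contain a comma, but if a description ever does, it stays intact.
        fields = line.split(",", 4)
        if fields[0] not in KNOWN_TYPES:
            continue  # a warning or other non-record output line
        fields += [""] * (5 - len(fields))  # description column may be absent
        rec = Record(*fields)
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def by_ip(records: Iterable[Record]) -> Dict[str, List[Record]]:
    """README example 2: group every record for a given IP together."""
    grouped: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        grouped[rec.ip].append(rec)
    return dict(grouped)


def listening_tcp(records: Iterable[Record], port: int) -> Set[str]:
    """README example 6: IPs with a TS record showing TCP_<port> listening."""
    want = f"TCP_{port}"
    return {r.ip for r in records
            if r.rtype == "TS" and r.proto == want and r.state == "listening"}


def drop_closed(records: Iterable[Record]) -> List[Record]:
    """README example 7: hide closed ports."""
    return [r for r in records if r.state != "closed"]


def records_in_network(records: Iterable[Record], cidr: str) -> List[Record]:
    """README example 5, done with real prefix matching instead of a string
    prefix (so 192.168.0.0/24 does not also match 192.168.10.x)."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for r in records:
        try:
            if ipaddress.ip_address(r.ip) in net:
                hits.append(r)
        except ValueError:
            pass  # column 2 was not a parseable address; skip the record
    return hits


def dns_in_domain(records: Iterable[Record], domain: str) -> List[Record]:
    """README example 9: DN records whose name is in (or is) the domain.
    passer writes names with a trailing dot, so match on that form."""
    apex = domain.rstrip(".").lower() + "."
    return [r for r in records if r.rtype == "DN"
            and (r.state.lower() == apex or r.state.lower().endswith("." + apex))]


def hosts_file(records: Iterable[Record]) -> List[str]:
    """README example 10: 'ip name [name ...]' lines from DN address records."""
    names: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.rtype == "DN" and r.proto in ("A", "AAAA"):
            names[r.ip].add(r.state.rstrip("."))
    return [f"{ip} {' '.join(sorted(hn))}" for ip, hn in sorted(names.items())]


if __name__ == "__main__":
    recs = parse_passer_log(SAMPLE_LOG)
    print(f"{len(recs)} unique records")
    print("smtp servers:", sorted(listening_tcp(recs, 25)))
    print("\n".join(hosts_file(recs)))
```

Splitting on at most four commas rather than using a CSV reader is deliberate: the description column is the only one passer fills in free-form, so anything unexpected there lands in `desc` instead of shifting columns. To use this on a real run, replace `SAMPLE_LOG` with the contents of the `-l` log file.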
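The "BPF filters" section of the README ties each record type to a tcpdump filter on the TCP flags byte (`tcp[13]`) or the ICMP type and code bytes (`icmp[0:2]`), and "Sample BPF filters" shows how dropping pure ACKs cuts most of the traffic. The following added example, written in Python 3 for this page and not passer's own code, builds minimal Ethernet/IPv4 frames by hand and evaluates those filters with BPF's offset semantics, so you can see which record types a given packet can feed and what sample filter 1 discards. The MAC and IP addresses and the ports are assumed values, and the frames carry no payload beyond the headers.

```python
"""Evaluate the README's BPF filters against hand-built frames.

Added example (Python 3), not passer's code.  tcp[13] is the TCP flags byte
and icmp[0:2] the ICMP type/code pair, both relative to the start of that
protocol's header, which is how tcpdump's filter language indexes them.
All addresses and ports below are assumed values.
"""
import struct
from typing import Optional, Set

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def ethernet(ethertype: int, payload: bytes) -> bytes:
    # Dummy source/destination MACs; the filters never look at them.
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ethertype) + payload


def ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="192.0.2.20") -> bytes:
    # 20-byte header, IHL=5, no options, checksum left zero (BPF never checks it).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    # 20-byte header, data offset 5; byte 13 is the flags byte tcp[13] reads.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp(itype: int, code: int) -> bytes:
    return struct.pack("!BBHI", itype, code, 0, 0)


class Bpf:
    """Index a frame the way tcpdump's proto[n] / proto[n:2] expressions do."""

    def __init__(self, frame: bytes):
        self.ethertype = struct.unpack("!H", frame[12:14])[0]
        self.ip_proto: Optional[int] = None
        self.l4: Optional[bytes] = None
        if self.ethertype == ETH_IPV4:
            ihl = (frame[14] & 0x0F) * 4
            self.ip_proto = frame[14 + 9]
            frag_off = struct.unpack("!H", frame[14 + 6:14 + 8])[0] & 0x1FFF
            if frag_off == 0:  # like BPF, only the first fragment has a transport header
                self.l4 = frame[14 + ihl:]

    def _hdr(self, proto: int) -> Optional[bytes]:
        return self.l4 if self.ip_proto == proto else None

    def byte(self, proto: int, off: int) -> Optional[int]:
        h = self._hdr(proto)
        return None if h is None or len(h) <= off else h[off]

    def half(self, proto: int, off: int) -> Optional[int]:
        h = self._hdr(proto)
        return None if h is None or len(h) < off + 2 else struct.unpack("!H", h[off:off + 2])[0]

    def src_port(self, proto: int) -> Optional[int]:
        return self.half(proto, 0)


def record_sources(frame: bytes) -> Set[str]:
    """README record types whose BPF filter this frame satisfies.  'TS-desc'
    marks the pure-ACK traffic that only feeds TS description strings."""
    b = Bpf(frame)
    out: Set[str] = set()
    if b.ethertype == ETH_ARP:                      # 'arp'
        out.add("MA")
    t13 = b.byte(PROTO_TCP, 13)
    if t13 is not None:
        if t13 & 0x12 == 0x02:                      # 'tcp[13] & 0x12 = 0x02': SYN without ACK
            out.add("IP")
        if t13 & 0x07:                              # 'tcp[13] & 0x07 != 0': FIN, SYN or RST
            out.add("TC")
        if t13 & 0x06:                              # 'tcp[13] & 0x06 != 0': SYN or RST
            out.add("TS")
        if t13 & 0x17 == 0x10:                      # 'tcp[13] & 0x17 = 0x10': ACK only
            out.add("TS-desc")
    icmp_tc = b.half(PROTO_ICMP, 0)
    if b.ip_proto == PROTO_UDP or icmp_tc == 0x0303:            # 'udp or icmp[0:2] = 0x0303'
        out.update({"UC", "US"})
    if b.src_port(PROTO_UDP) == 53 or b.src_port(PROTO_TCP) == 53:  # 'udp src port 53 or tcp src port 53'
        out.add("DN")
    if icmp_tc == 0x0B00 or b.byte(PROTO_ICMP, 0) == 0x03:      # 'icmp[0:2] = 0x0B00 or icmp[0] = 0x03'
        out.add("RO")
    return out


def keep_under_sample_filter_1(frame: bytes) -> bool:
    """Sample filter 1, 'not(tcp[13] & 0x17 = 0x10)': everything but pure ACKs."""
    t13 = Bpf(frame).byte(PROTO_TCP, 13)
    return not (t13 is not None and t13 & 0x17 == 0x10)


if __name__ == "__main__":
    for name, frame in [("SYN", ethernet(ETH_IPV4, ipv4(PROTO_TCP, tcp(40000, 25, SYN)))),
                        ("ACK", ethernet(ETH_IPV4, ipv4(PROTO_TCP, tcp(25, 40000, ACK)))),
                        ("ICMP 3/3", ethernet(ETH_IPV4, ipv4(PROTO_ICMP, icmp(3, 3))))]:
        print(f"{name:9} feeds {sorted(record_sources(frame))}, kept by filter 1: "
              f"{keep_under_sample_filter_1(frame)}")
```

Two things the table in the README does not spell out fall out of running this: a port-unreachable message satisfies the UC, US and RO filters at once, because the RO filter's `icmp[0] = 0x03` subsumes `icmp[0:2] = 0x0303`; and a SYN/ACK never feeds the IP (p0f) record, since `tcp[13] & 0x12 = 0x02` requires SYN set with ACK clear. The `Bpf` class also ignores non-first fragments, as the kernel filter does, so a fragmented DNS reply past the first fragment would not match `udp src port 53` here either.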