Wifi

GitHub Repo
Slide Deck
MAC metadata lookup

Queries

The TCP and DNS filters below drop packets from 172.16.42.1 (the Pineapple's own address) and from 127.0.0.1, so that only traffic generated by connected clients is counted; the exclusion lists then strip the vendor and CDN domains every phone queries, leaving the unusual names to look at.

TCP

Wireshark


!(ip.src == 172.16.42.1) && tcp

Splunk

index=* sourcetype=pcap:csv protocol=TCP src_ip!="172.16.42.1" src_ip!="127.0.0.1" dst_ip!=10.0.* | stats count by dst_ip

DNS

Wireshark

dns && !(ip.src == 172.16.42.1) && !(ip.src == 127.0.0.1) && !(dns.qry.name contains "facebook.com") && !(dns.qry.name contains "apple.com") && !(dns.qry.name contains "icloud.com") && !(dns.qry.name contains "spotify.com") && !(dns.qry.name contains "google.com") && !(dns.qry.name contains "fbcdn.net") && !(dns.qry.name contains "apple.news") && !(dns.qry.name contains "gstatic.com") && !(dns.qry.name contains "googleapis.com") && !(dns.qry.name contains "google-analytics.com") && !(dns.qry.name contains "youtube.com")

Splunk

index=* sourcetype=pcap:csv protocol="DNS" src_ip!="172.16.42.1" dst_ip!=10.0.* dst_ip!=127.0.0.1 info!="*.facebook.com" info!="*apple.com" info!="*facebook*" info!="*google*" info!="*icloud.com" info!="*.spotify.com" info!="ssl.gstatic.com" info!="*apple.news" info!="*instagram.com" info!="*fbcdn.net" info!="*.apple" info!="*.gstatic.com" | stats count by info
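The TCP and DNS exclusions above, re-run offline over a pcap:csv-style export, as an added example (this is not code from the page or from the talk's repo). It assumes the export carries the columns the Splunk queries reference (protocol, src_ip, dst_ip, info), that info holds Wireshark's Info column text, and that 172.16.42.1 is the Pineapple's own address; the sample rows are constructed. It also shows the one thing the Splunk wildcards hide: info!="*apple.com" is a plain substring match, so it silently drops queries for pineapple.com as well, whereas the anchored version only drops names at or under the listed zones.

```python
"""Re-run the page's TCP and DNS exclusions offline over a pcap:csv-style export.

Added example, not code from the page or the talk's repo. Column names follow the
fields the Splunk queries reference; the rows below are constructed for the demo.
"""
import csv
import io
import re
from collections import Counter

PINEAPPLE_IP = "172.16.42.1"   # the Pineapple's own address (excluded as src_ip by the queries)
LOOPBACK = "127.0.0.1"

# Constructed sample export (made-up clients, servers and query names).
SAMPLE_CSV = """protocol,src_ip,dst_ip,info
TCP,172.16.42.1,93.184.216.34,443 > 52000 [ACK] Seq=1 Ack=1
TCP,172.16.42.101,93.184.216.34,52000 > 443 [SYN] Seq=0
TCP,172.16.42.102,93.184.216.34,52001 > 443 [SYN] Seq=0
TCP,172.16.42.102,10.0.0.5,52002 > 80 [SYN] Seq=0
TCP,127.0.0.1,127.0.0.1,1337 > 1337 [SYN] Seq=0
DNS,172.16.42.101,8.8.8.8,Standard query 0x1a2b A www.apple.com
DNS,172.16.42.101,8.8.8.8,Standard query 0x1a2c A gateway.icloud.com
DNS,172.16.42.102,8.8.8.8,Standard query 0x2b3c A update.pineapple.com
DNS,172.16.42.102,8.8.8.8,Standard query 0x2b3d A portal.example.net
DNS,172.16.42.1,8.8.8.8,Standard query 0x0001 A www.google.com
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def splunk_match(value, pattern):
    """Splunk-style field wildcard: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def count_tcp_destinations(rows):
    """protocol=TCP src_ip!=172.16.42.1 src_ip!=127.0.0.1 dst_ip!=10.0.* | stats count by dst_ip"""
    hits = Counter()
    for row in rows:
        if row["protocol"] != "TCP" or row["src_ip"] in (PINEAPPLE_IP, LOOPBACK):
            continue
        if splunk_match(row["dst_ip"], "10.0.*"):
            continue
        hits[row["dst_ip"]] += 1
    return hits


# The info!= patterns from the page's DNS query, verbatim.
NOISY_INFO_PATTERNS = [
    "*.facebook.com", "*apple.com", "*facebook*", "*google*", "*icloud.com",
    "*.spotify.com", "ssl.gstatic.com", "*apple.news", "*instagram.com",
    "*fbcdn.net", "*.apple", "*.gstatic.com",
]


def dns_candidates(rows):
    """Rows surviving the query's address exclusions (src_ip!=172.16.42.1 dst_ip!=10.0.* dst_ip!=127.0.0.1)."""
    for row in rows:
        if row["protocol"] != "DNS" or row["src_ip"] == PINEAPPLE_IP:
            continue
        if row["dst_ip"] == LOOPBACK or splunk_match(row["dst_ip"], "10.0.*"):
            continue
        yield row


def count_dns_wildcard(rows, patterns=NOISY_INFO_PATTERNS):
    """The page's query as written: drop any info matching a wildcard, count the rest."""
    hits = Counter()
    for row in dns_candidates(rows):
        if any(splunk_match(row["info"], p) for p in patterns):
            continue
        hits[row["info"]] += 1
    return hits


# Wireshark's Info column for a DNS query (not a response) ends in "<type> <name>".
QUERY_RE = re.compile(r"^Standard query 0x[0-9a-f]{4} \S+ (\S+)$")


def query_name(info):
    m = QUERY_RE.match(info)
    return m.group(1).rstrip(".").lower() if m else None


def in_zone(name, zone):
    """True only for the zone itself or names under it: 'pineapple.com' is not under 'apple.com'."""
    return name == zone or name.endswith("." + zone)


NOISY_ZONES = ["facebook.com", "fbcdn.net", "instagram.com", "apple.com", "apple.news",
               "apple", "icloud.com", "google.com", "gstatic.com", "spotify.com"]


def count_dns_anchored(rows, zones=NOISY_ZONES):
    """Same exclusions anchored on a label boundary, counted by query name."""
    hits = Counter()
    for row in dns_candidates(rows):
        name = query_name(row["info"])
        if name is None or any(in_zone(name, z) for z in zones):
            continue
        hits[name] += 1
    return hits


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("TCP by dst_ip:", dict(count_tcp_destinations(rows)))
    print("DNS, Splunk wildcards:", dict(count_dns_wildcard(rows)))
    print("DNS, anchored zones:", dict(count_dns_anchored(rows)))
```

Run against the sample rows, the wildcard version reports only portal.example.net, because "*apple.com" swallowed update.pineapple.com; the anchored version reports both. Tightening the Splunk patterns to "*.apple.com" (and adding a bare "apple.com") gets the same effect in the original query.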

Multicast (mDNS)

Splunk

index=* sourcetype=pcap:csv protocol=MDNS info!="*spotify*" info!="*homelink*" info!="*homekit*" info!="*home-sharing*" info!="*airplay*" info!="*sleep-proxy*" info!="*googlecast*" info!="*companion-link*" | stats count by info | sort - count

p0f

Splunk

host="p0f" index="pineapple" os="???" | eval temp=split(srv,"/") | eval ip=mvindex(temp,0) | eval port=mvindex(temp,1) | stats count by raw_sig
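A small parser for p0f's log output that reproduces this query offline, as an added example (not code from the page or from the talk's repo). p0f v3 writes one record per line as [timestamp] key=value|key=value|..., with cli and srv as ip/port, os=??? when no signature matched, and raw_sig holding the raw fingerprint; the lines below are constructed in that layout and the addresses and signature strings are made up.

```python
"""Parse p0f v3 log lines and count unknown-OS clients by raw signature.

Added example, not code from the page or the talk's repo. The lines below are
constructed in p0f's "[timestamp] key=value|key=value" layout; addresses and
signatures are made up.
"""
import re
from collections import Counter

SAMPLE_P0F_LOG = """\
[2019/08/10 13:01:02] mod=syn|cli=172.16.42.101/49152|srv=93.184.216.34/443|subj=cli|os=???|dist=0|params=none|raw_sig=4:64+0:0:1460:65535,6:mss,nop,ws,nop,nop,ts,sok,eol+1:df:0
[2019/08/10 13:01:05] mod=syn|cli=172.16.42.102/50001|srv=93.184.216.34/443|subj=cli|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,6:mss,sok,ts,nop,ws:df,id+:0
[2019/08/10 13:01:09] mod=syn|cli=172.16.42.103/50002|srv=151.101.1.69/80|subj=cli|os=???|dist=0|params=none|raw_sig=4:64+0:0:1460:65535,6:mss,nop,ws,nop,nop,ts,sok,eol+1:df:0
[2019/08/10 13:01:11] mod=syn|cli=172.16.42.104/50003|srv=93.184.216.34/443|subj=cli|os=???|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2019/08/10 13:01:14] mod=http request|cli=172.16.42.102/50001|srv=151.101.1.69/80|subj=cli|app=Firefox 10.x or newer|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept=[*/*],Connection=[keep-alive]:Accept-Charset,Keep-Alive:
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<body>.+)$")


def parse_p0f_line(line):
    """Return the record as a dict (plus 'ts'), or None if the line is not a p0f record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for field in m.group("body").split("|"):
        key, sep, value = field.partition("=")   # first '=' only: raw_sig values may contain '='
        if sep:
            rec[key] = value
    return rec


def split_endpoint(endpoint):
    """'ip/port' -> (ip, port). Split on the last '/' so IPv6 literals stay intact."""
    ip, _, port = endpoint.rpartition("/")
    return ip, int(port)


def unknown_os_records(log_text):
    for line in log_text.splitlines():
        rec = parse_p0f_line(line)
        # http/mtu records carry no os= field; only records with os=??? are wanted
        if rec and rec.get("os") == "???":
            yield rec


def count_unknown_by_signature(log_text):
    """Mirror of: os="???" | stats count by raw_sig"""
    return Counter(rec["raw_sig"] for rec in unknown_os_records(log_text))


def count_unknown_by_signature_and_port(log_text):
    """Same count, but with the server port split out of srv actually in the group-by."""
    hits = Counter()
    for rec in unknown_os_records(log_text):
        _, port = split_endpoint(rec["srv"])
        hits[(rec["raw_sig"], port)] += 1
    return hits


if __name__ == "__main__":
    for sig, n in count_unknown_by_signature(SAMPLE_P0F_LOG).most_common():
        print(n, sig)
    for (sig, port), n in sorted(count_unknown_by_signature_and_port(SAMPLE_P0F_LOG).items()):
        print(n, port, sig)
```

One point worth noting about the Splunk query itself: the two eval steps compute ip and port from srv, but stats count by raw_sig never uses them, so they have no effect on the output. The second counting function above is what the query produces once port is added to the by clause (stats count by raw_sig, port), which separates the same unknown fingerprint by the service it was talking to.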