def parse(self, raw): assert isinstance(raw, bytes) self.next = None # In case of unfinished parsing self.raw = raw dlen = len(raw) if dlen < ipv4.MIN_LEN: self.msg('warning IP packet data too short to parse header: data len %u' % (dlen,)) return (vhl, self.tos, self.iplen, self.id, self.frag, self.ttl, self.protocol, self.csum, self.srcip, self.dstip) \ = struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN]) self.v = vhl >> 4 self.hl = vhl & 0x0f self.flags = self.frag >> 13 self.frag = self.frag & 0x1fff self.dstip = IPAddr(self.dstip) self.srcip = IPAddr(self.srcip) if self.v != ipv4.IPv4: self.msg('(ip parse) warning IP version %u not IPv4' % self.v) return elif self.hl < 5: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return elif self.iplen < ipv4.MIN_LEN: self.msg('(ip parse) warning invalid IP len %u' % self.iplen) return elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return # At this point, we are reasonably certain that we have an IP # packet self.parsed = True length = self.iplen if length > dlen: length = dlen # Clamp to what we've got if self.protocol == ipv4.UDP_PROTOCOL: self.next = udp(raw=raw[self.hl*4:length], prev=self) elif self.protocol == ipv4.TCP_PROTOCOL: self.next = tcp(raw=raw[self.hl*4:length], prev=self) elif self.protocol == ipv4.ICMP_PROTOCOL: self.next = icmp(raw=raw[self.hl*4:length], prev=self) elif self.protocol == ipv4.IGMP_PROTOCOL: self.next = igmp(raw=raw[self.hl*4:length], prev=self) elif dlen < self.iplen: self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen)) else: self.next = raw[self.hl*4:length] if isinstance(self.next, packet_base) and not self.next.parsed: self.next = raw[self.hl*4:length]
def parse(self, raw): assert isinstance(raw, bytes) self.raw = raw dlen = len(raw) if dlen < ipv4.MIN_LEN: self.msg('warning IP packet data too short to parse header: data len %u' % (dlen,)) return (vhl, self.tos, self.iplen, self.id, self.frag, self.ttl, self.protocol, self.csum, self.srcip, self.dstip) \ = struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN]) self.v = vhl >> 4 self.hl = vhl & 0x0f self.flags = self.frag >> 13 self.frag = self.frag & 0x1fff if self.v != ipv4.IPv4: self.msg('ip parse) warning IP version %u not IPv4' % self.v) return elif self.hl < 5: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return elif self.iplen < ipv4.MIN_LEN: self.msg('(ip parse) warning invalid IP len %u' % self.iplen) return elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return self.dstip = IPAddr(self.dstip) self.srcip = IPAddr(self.srcip) # At this point, we are reasonably certain that we have an IP # packet self.parsed = True length = self.iplen if length > dlen: length = dlen # Clamp to what we've got if self.protocol == ipv4.UDP_PROTOCOL: self.next = udp(raw=raw[self.hl*4:length], prev=self) elif self.protocol == ipv4.TCP_PROTOCOL: self.next = tcp(raw=raw[self.hl*4:length], prev=self) elif self.protocol == ipv4.ICMP_PROTOCOL: self.next = icmp(raw=raw[self.hl*4:length], prev=self) elif dlen < self.iplen: self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen)) else: self.next = raw[self.hl*4:length] if isinstance(self.next, packet_base) and not self.next.parsed: self.next = raw[self.hl*4:length]
def parse(self): dlen = len(self.arr) if dlen < ipv4.MIN_LEN: self.msg( 'warning IP packet data too short to parse header: data len %u' % dlen) return (vhl, self.tos, self.iplen, self.id, self.frag, self.ttl, self.protocol, self.csum, self.srcip, self.dstip) \ = struct.unpack('!BBHHHBBHII', self.arr[:ipv4.MIN_LEN]) self.v = vhl >> 4 self.hl = vhl & 0x0f self.flags = self.frag >> 13 self.frag = self.frag & 0x1f if self.v != ipv4.IPv4: self.msg('ip parse) warning IP version %u not IPv4' % self.v) return elif self.hl < 5: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return elif self.iplen < ipv4.MIN_LEN: self.msg('(ip parse) warning invalid IP len %u' % self.iplen) return elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return # At this point, we are reasonably certain that we have an IP # packet self.parsed = True if self.protocol == ipv4.UDP_PROTOCOL: self.next = udp(arr=self.arr[self.hl * 4:], prev=self) elif self.protocol == ipv4.TCP_PROTOCOL: self.next = tcp(arr=self.arr[self.hl * 4:], prev=self) elif self.protocol == ipv4.ICMP_PROTOCOL: self.next = icmp(arr=self.arr[self.hl * 4:], prev=self) elif dlen < self.iplen: self.msg( '(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen)) else: self.next = self.arr[self.hl * 4:].tostring() if isinstance(self.next, packet_base) and not self.next.parsed: self.next = self.arr[self.hl * 4:].tostring()
def parse(self): dlen = len(self.arr) if dlen < ipv4.MIN_LEN: self.msg('warning IP packet data too short to parse header: data len %u' % dlen) return (vhl, self.tos, self.iplen, self.id, self.frag, self.ttl, self.protocol, self.csum, self.srcip, self.dstip) \ = struct.unpack('!BBHHHBBHII', self.arr[:ipv4.MIN_LEN]) self.v = vhl >> 4 self.hl = vhl & 0x0f self.flags = self.frag >> 13 self.frag = self.frag & 0x1f if self.v != ipv4.IPv4: self.msg('ip parse) warning IP version %u not IPv4' % self.v) return elif self.hl < 5: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return elif self.iplen < ipv4.MIN_LEN: self.msg('(ip parse) warning invalid IP len %u' % self.iplen) return elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen: self.msg('(ip parse) warning IP header %u longer than len %u' \ % (self.hl, self.iplen)) return # At this point, we are reasonably certain that we have an IP # packet self.parsed = True if self.protocol == ipv4.UDP_PROTOCOL: self.next = udp(arr=self.arr[self.hl*4:], prev=self) elif self.protocol == ipv4.TCP_PROTOCOL: self.next = tcp(arr=self.arr[self.hl*4:], prev=self) elif self.protocol == ipv4.ICMP_PROTOCOL: self.next = icmp(arr=self.arr[self.hl*4:], prev=self) elif dlen < self.iplen: self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen)) else: self.next = self.arr[self.hl*4:].tostring() if isinstance(self.next, packet_base) and not self.next.parsed: self.next = self.arr[self.hl*4:].tostring()
def udp(self, packet, extractedAttIndex, printKey): return udp(self, packet, extractedAttIndex, printKey)
def parse(self, raw): assert isinstance(raw, bytes) self.next = None # In case of unfinished parsing self.raw = raw dlen = len(raw) if dlen < ipv4.MIN_LEN: self.msg( 'warning IP packet data too short to parse header: data len %u' % (dlen, )) return (vhl, self.tos, self.iplen, self.id, self.frag, self.ttl, self.protocol, self.csum, self.srcip, self.dstip) \ = struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN]) self.v = vhl >> 4 self.hl = vhl & 0x0f self.flags = self.frag >> 13 self.frag = self.frag & 0x1fff self.dstip = IPAddr(self.dstip) self.srcip = IPAddr(self.srcip) if self.v != ipv4.IPv4: self.msg('(ip parse) warning: IP version %u not IPv4' % self.v) return if self.hl < 5: self.msg('(ip parse) warning: IP header length shorter than MIN_LEN (IHL=%u => header len=%u)' \ % (self.hl, 4 * self.hl)) return if self.iplen < ipv4.MIN_LEN: self.msg('(ip parse) warning: Invalid IP len %u' % self.iplen) return if (self.hl * 4) > self.iplen: self.msg('(ip parse) warning: IP header longer than IP length including payload (%u vs %u)' \ % (self.hl, self.iplen)) return if (self.hl * 4) > dlen: self.msg('(ip parse) warning: IP header is truncated') return self.raw_options = raw[self.MIN_LEN:self.hl * 4] # At this point, we are reasonably certain that we have an IP # packet self.parsed = True length = self.iplen if length > dlen: length = dlen # Clamp to what we've got if self.frag != 0: # We can't parse payloads! self.next = raw[self.hl * 4:length] elif self.protocol == ipv4.UDP_PROTOCOL: self.next = udp(raw=raw[self.hl * 4:length], prev=self) elif self.protocol == ipv4.TCP_PROTOCOL: self.next = tcp(raw=raw[self.hl * 4:length], prev=self) elif self.protocol == ipv4.ICMP_PROTOCOL: self.next = icmp(raw=raw[self.hl * 4:length], prev=self) elif self.protocol == ipv4.IGMP_PROTOCOL: self.next = igmp(raw=raw[self.hl * 4:length], prev=self) elif self.protocol == ipv4.GRE_PROTOCOL: self.next = gre(raw=raw[self.hl * 4:length], prev=self) elif dlen < self.iplen: self.msg( '(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen)) else: self.next = raw[self.hl * 4:length] if isinstance(self.next, packet_base) and not self.next.parsed: self.next = raw[self.hl * 4:length]
def parse (self, raw, offset=0): assert isinstance(raw, bytes) self.next = None # In case of unfinished parsing self.raw = raw if len(raw) < self.MIN_LEN: self.msg('warning IP packet data too short to parse header:' ' data len %u' % (len(raw),)) return (vtcfl, self.payload_length, nht, self.hop_limit) \ = struct.unpack('!IHBB', raw[offset:offset+8]) self.srcip = IPAddr6(raw[offset+8:offset+24], raw=True) self.dstip = IPAddr6(raw[offset+24:offset+40], raw=True) self.next_header_type = nht offset += 40 self.v = vtcfl >> 28 self.tc = (vtcfl >> 20) & 0xff self.flow = vtcfl & 0xfffff if self.v != 6: self.msg('ip parse) warning IP version %u not IPv6' % self.v) return length = self.payload_length if length > len(raw): length = len(raw) # Clamp to what we've got self.msg('(ipv6) warning IP packet data incomplete (%s of %s)' % (len(raw), self.payload_length)) while nht != ipv6.NO_NEXT_HEADER: c = _extension_headers.get(nht) if c: if length < 8: self.msg('(ipv6) warning, packet data incomplete') return try: offset,o = c.unpack_new(raw, offset, max_length = length) length -= len(o) except TruncatedException: self.msg('(ipv6) warning, packet data truncated') return self.extension_headers.append(o) nht = o.next_header_type else: break self.parsed = True #TODO: This should be done a better way (and shared with IPv4?). if nht == self.UDP_PROTOCOL: self.next = udp(raw=raw[offset:offset+length], prev=self) elif nht == self.TCP_PROTOCOL: self.next = tcp(raw=raw[offset:offset+length], prev=self) elif nht == self.ICMP6_PROTOCOL: self.next = icmpv6(raw=raw[offset:offset+length], prev=self) # elif nht == self.IGMP_PROTOCOL: # self.next = igmp(raw=raw[offset:offset+length], prev=self) elif nht == self.NO_NEXT_HEADER: self.next = None else: self.next = raw[offset:offset+length] if isinstance(self.next, packet_base) and not self.next.parsed: self.next = raw[offset:offset+length]
def parse(self, raw, offset=0): assert isinstance(raw, bytes) self.next = None # In case of unfinished parsing self.raw = raw if len(raw) < self.MIN_LEN: self.msg('warning IP packet data too short to parse header:' ' data len %u' % (len(raw), )) return (vtcfl, self.payload_length, nht, self.hop_limit) \ = struct.unpack('!IHBB', raw[offset:offset+8]) self.srcip = IPAddr6(raw[offset + 8:offset + 24], raw=True) self.dstip = IPAddr6(raw[offset + 24:offset + 40], raw=True) self.next_header_type = nht offset += 40 self.v = vtcfl >> 28 self.tc = (vtcfl >> 20) & 0xff self.flow = vtcfl & 0xfffff if self.v != 6: self.msg('ip parse) warning IP version %u not IPv6' % self.v) return length = self.payload_length if length > len(raw): length = len(raw) # Clamp to what we've got self.msg('(ipv6) warning IP packet data incomplete (%s of %s)' % (len(raw), self.payload_length)) while nht != ipv6.NO_NEXT_HEADER: c = _extension_headers.get(nht) if c: if length < 8: self.msg('(ipv6) warning, packet data incomplete') return try: offset, o = c.unpack_new(raw, offset, max_length=length) length -= len(o) except TruncatedException: self.msg('(ipv6) warning, packet data truncated') return self.extension_headers.append(o) nht = o.next_header_type else: break self.parsed = True #TODO: This should be done a better way (and shared with IPv4?). if nht == self.UDP_PROTOCOL: self.next = udp(raw=raw[offset:offset + length], prev=self) elif nht == self.TCP_PROTOCOL: self.next = tcp(raw=raw[offset:offset + length], prev=self) elif nht == self.ICMP6_PROTOCOL: self.next = icmpv6(raw=raw[offset:offset + length], prev=self) # elif nht == self.IGMP_PROTOCOL: # self.next = igmp(raw=raw[offset:offset+length], prev=self) elif nht == self.NO_NEXT_HEADER: self.next = None else: self.next = raw[offset:offset + length] if isinstance(self.next, packet_base) and not self.next.parsed: self.next = raw[offset:offset + length]
# create a raw socket and bind it to the public interface s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP) s.bind((HOST, 0)) # Include IP headers s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) # receive all packages s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON) data = recieveData(s) unpackedData = struct.unpack("!BBHHHBBH4s4s", data[:20]) protocol = unpackedData[6] ipobj = ip() udpobj = udp() icmpobj = icmp() tcpobj = tcp() # part for tcp protocol if (ipobj.getProtocol(protocol) == "Transmission Control Protocol"): tcpobj.parseTCP(data) payloadTCP = data[40:] # check payload if there is malicious signature appDetect.checkAppDetectTCP(str(payloadTCP)) #blackList.checkBlackListTCP(str(payloadTCP)) browserFirefox.checkbrowserFirefoxTCP(str(payloadTCP)) # part for udp protocol if (ipobj.getProtocol(protocol) == "User Datagram Protocol"): udpobj.parseUDP(data)