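# Hostnames are expected as "www.<label>.<label>..." in cleartext TCP payload.
# Dots are escaped (the original pattern let "." match any byte) and labels may
# contain hyphens; a bytes pattern works on both Python 2 str and Python 3 bytes.
_HOSTNAME_RE = re.compile(br'www\.(?:[\w-]+\.)*[\w-]+')


def _as_text(value):
    """Return *value* as a native text string.

    Python 3 hands back ``bytes`` for payloads and DNS names; they are decoded as
    ASCII with undecodable bytes replaced so they compare with str. On Python 2
    ``bytes is str`` and the value is returned unchanged.
    """
    if isinstance(value, bytes) and not isinstance(value, str):
        return value.decode('ascii', 'replace')
    return value


def _payload_hostnames(pkts):
    """Collect every "www." hostname seen inside a TCP payload.

    Args:
        pkts: iterable of scapy packets (as returned by ``rdpcap``).

    Returns:
        list of unique ``(src_ip, dst_ip, sport, dport, hostname)`` tuples in
        first-seen order.
    """
    convos = []
    seen = set()
    for pkt in pkts:
        # The IP guard keeps getlayer(IP) from returning None on TCP-over-IPv6 frames.
        if not (pkt.haslayer(IP) and pkt.haslayer(TCP) and pkt.haslayer(Raw)):
            continue
        load = pkt.getlayer(Raw).load
        if b'www.' not in load:
            continue
        ip = pkt.getlayer(IP)
        tcp = pkt.getlayer(TCP)
        # Only the payload is scanned; the original searched the whole frame,
        # headers included, which is where the "www." check was not applied.
        for match in _HOSTNAME_RE.finditer(load):
            convo = (ip.src, ip.dst, tcp.sport, tcp.dport, _as_text(match.group()))
            if convo not in seen:
                seen.add(convo)
                convos.append(convo)
    return convos


def _dns_query_names(pkts):
    """Return the set of names asked for in DNS queries (``qr == 0``).

    scapy renders qname with its trailing root dot ("www.example.com."), while
    the payload regex never captures one, so the dot is stripped before the two
    sources are compared.
    """
    names = set()
    for pkt in pkts:
        if not (pkt.haslayer(DNS) and pkt.getlayer(DNS).qr == 0):
            continue
        question = pkt.getlayer(DNS).qd
        if question is None:
            # A query with no question section has nothing to record.
            continue
        names.add(_as_text(question.qname).rstrip('.'))
    return names


def dotransform(request, response):
    """Flag hosts whose cleartext "www." hostnames were never resolved via DNS.

    A hostname that appears in a TCP payload but never in an on-the-wire DNS
    query is the heuristic used here for traffic tunnelled through Tor (or
    another proxy that resolves names remotely). One ``Host`` entity is emitted
    per unique conversation whose hostname is unresolved.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` (optional) the
            working folder to carry along on the entity.
        response: Maltego response the entities are appended to.

    Returns:
        The same ``response`` object with the ``Host`` entities added.
    """
    pkts = rdpcap(request.value)
    # The original swallowed every exception here and then referenced an
    # unbound tmpfolder; a missing field is the only expected failure.
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        tmpfolder = None

    convos = _payload_hostnames(pkts)
    queried = _dns_query_names(pkts)
    unresolved = set(name for _, _, _, _, name in convos) - queried

    for srcip, dstip, sport, dport, hostname in convos:
        # Same-port flows are skipped as in the original; the intent is not
        # documented upstream, so the rule is kept as is.
        if int(sport) == int(dport) or hostname not in unresolved:
            continue
        e = Host(dstip)
        e.hostsrc = srcip
        e.hostdst = dstip
        e.hostsport = sport
        e.hostdport = dport
        e += Field('pcapsrc', request.value, displayname='Original pcap File')
        e += Field('proto', 'tcp', displayname='Protocol')
        if tmpfolder is not None:
            e += Field('sniffMyPackets.outputfld', tmpfolder, displayname='Folder Location')
        e.linklabel = hostname
        e.linkcolor = 0xCC33FF
        response += e
    return response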
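# Link colours per transport protocol, as used by the emitted Host entities.
_LINK_COLORS = {'tcp': 0x2314CA, 'udp': 0x0E7323}


def _collect_talkers(pkts, target, pcap):
    """Collect the TCP/UDP conversations originating from *target*.

    Args:
        pkts: iterable of scapy packets (as returned by ``rdpcap``).
        target: IPv4 source address to match against ``IP.src``.
        pcap: path of the capture, carried along so every tuple is self-describing.

    Returns:
        list of unique ``(src_ip, dst_ip, sport, dport, pcap, proto)`` tuples in
        first-seen order, with ``proto`` either ``'tcp'`` or ``'udp'``.
    """
    talkers = []
    seen = set()
    for pkt in pkts:
        # Both transports need an IPv4 header: the original only guarded the UDP
        # branch, so a TCP-over-IPv6 frame made getlayer(IP).src raise.
        if not pkt.haslayer(IP):
            continue
        ip = pkt.getlayer(IP)
        if ip.src != target:
            continue
        for layer, proto in ((TCP, 'tcp'), (UDP, 'udp')):
            if not pkt.haslayer(layer):
                continue
            transport = pkt.getlayer(layer)
            talker = (ip.src, ip.dst, transport.sport, transport.dport, pcap, proto)
            if talker not in seen:
                seen.add(talker)
                talkers.append(talker)
    return talkers


def dotransform(request, response):
    """Emit one ``Host`` entity per TCP/UDP conversation started by the input host.

    Args:
        request: Maltego request; ``request.value`` is the source IP to follow
            and ``request.fields['pcapsrc']`` the capture to read. The path is
            taken from the incoming entity, i.e. from the graph, not from this
            transform's own configuration.
        response: Maltego response the entities are appended to.

    Returns:
        The same ``response`` object with the ``Host`` entities added.

    Raises:
        KeyError: if the incoming entity carries no ``pcapsrc`` field.
    """
    target = request.value
    pcap = request.fields['pcapsrc']
    pkts = rdpcap(pcap)

    for src, dst, sport, dport, pcap_path, proto in _collect_talkers(pkts, target, pcap):
        e = Host(dst)
        e.hostsrc = src
        e.hostdst = dst
        e.hostsport = sport
        e.hostdport = dport
        e.linklabel = '{0}\n{1}:{2}'.format(proto, sport, dport)
        e.linkcolor = _LINK_COLORS[proto]
        e += Field('pcapsrc', pcap_path, displayname='Original pcap File')
        e += Field('proto', proto, displayname='Protocol')
        response += e
    return response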