def test_read_block_sectionheader_littleendian_with_options():
    """Parse a hand-built little-endian Section Header Block with four options.

    The payload is 96 bytes: the fixed header, four option records (each
    value padded to a 4-byte boundary), the end-of-options marker and the
    repeated block length. The scanner must yield exactly one block whose
    options are exposed through an ``Options`` mapping and which has no
    interfaces registered yet.
    """
    fixed_header = (
        b"\x0a\x0d\x0d\x0a"  # block type magic
        b"\x60\x00\x00\x00"  # block total length, 96 bytes
        b"\x4d\x3c\x2b\x1a"  # byte-order magic, little-endian
        b"\x01\x00\x00\x00"  # major=1, minor=0
        b"\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified (-1)
    )
    option_records = (
        b'\x01\x00\x0e\x00Just a comment\x00\x00'  # opt_comment: 14 bytes + 2 pad
        b'\x02\x00\x0b\x00My Computer\x00'  # code 2: 11 bytes + 1 pad
        b'\x03\x00\x05\x00My OS\x00\x00\x00'  # code 3: 5 bytes + 3 pad
        b'\x04\x00\x0a\x00A fake app\x00\x00'  # code 4: 10 bytes + 2 pad
        b"\x00\x00\x00\x00"  # opt_endofopt
    )
    trailer = b"\x60\x00\x00\x00"  # block total length repeated

    payload = fixed_header + option_records + trailer
    blocks = list(FileScanner(io.BytesIO(payload)))

    assert len(blocks) == 1
    header = blocks[0]

    assert isinstance(header, SectionHeader)
    assert header.endianness == '<'
    assert header.version == (1, 0)
    assert header.length == -1
    assert isinstance(header.options, Options)
    assert len(header.options) == 4
    assert header.options['opt_comment'] == 'Just a comment'
    assert header.interfaces == {}

    expected_repr = (
        "<SectionHeader version=1.0 endianness='<' length=-1 options={0}>"
        .format(repr(header.options))
    )
    assert repr(header) == expected_repr
def test_sample_test006_ntar(filename):
    """Scan the test006.ntar sample: section header, interface and one packet.

    ``filename`` is supplied by the harness (the fixture or parametrisation
    that provides it is not part of this file).
    """
    # Note: See the comment below this function
    # test006.ntar is reporting an incorrect size, which causes the
    # test to fail. Is this the expected behavior?
    with open(filename, 'rb') as fp:
        blocks = list(FileScanner(fp))

        # Section header, interface description, then what??
        assert len(blocks) == 3
        section, interface, packet = blocks

        assert isinstance(section, SectionHeader)
        assert section.endianness == '<'
        assert section.version == (1, 0)
        assert section.length == -1
        assert len(section.options) == 0
        assert len(section.interfaces) == 1

        assert isinstance(interface, InterfaceDescription)
        assert interface.link_type == 2
        assert interface.snaplen == 96
        assert len(interface.options) == 2
        assert interface.options['if_speed'] == (10**8)  # 100Mbit
        # The sample's description carries a trailing NUL and the parser
        # hands it back unchanged.
        assert interface.options['if_description'] == 'Stupid ethernet interface\x00'

        assert isinstance(packet, Packet)
        assert packet.interface_id == 0
def test_sample_test005_ntar():
    """Scan test_data/test005.ntar: a section header plus one interface.

    ``if_speed`` is checked both as the raw 8-byte little-endian value
    and as the decoded integer (10**10, i.e. 10 Gbit/s).
    """
    with open('test_data/test005.ntar', 'rb') as fp:
        blocks = list(FileScanner(fp))

        # Section header, interface description
        assert len(blocks) == 2
        section, interface = blocks

        assert isinstance(section, SectionHeader)
        assert section.endianness == '<'
        assert section.version == (1, 0)
        assert section.length == -1
        assert len(section.options) == 0
        assert len(section.interfaces) == 1

        assert isinstance(interface, InterfaceDescription)
        assert interface.link_type == 0x04d8  # ??? (value as found in the sample)
        assert interface.snaplen == 0x7c
        assert len(interface.options) == 2

        raw_speed = interface.options.get_raw('if_speed')
        assert raw_speed == b'\x00\xe4\x0b\x54\x02\x00\x00\x00'  # noqa
        assert interface.options['if_speed'] == 0x00000002540be400
        assert interface.options['if_speed'] == (10**10)  # 10Gbit

        expected_description = 'Stupid ethernet interface\x00'
        assert interface.options['if_description'] == expected_description
def test_read_block_interface_nondefault_tsresol():
    """An interface whose ``if_tsresol`` is 0x0c must resolve to 1e-12 seconds.

    A 32-byte big-endian section header is followed by a 32-byte Interface
    Description Block whose only option is if_tsresol (code 9, one byte of
    value plus three bytes of padding).
    """
    section_header = (
        b"\x0a\x0d\x0d\x0a"  # block type magic
        b"\x00\x00\x00\x20"  # block total length, 32 bytes
        b"\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        b"\x00\x01\x00\x00"  # major=1, minor=0
        b"\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        b"\x00\x00\x00\x00"  # opt_endofopt only
        b"\x00\x00\x00\x20"  # block total length repeated
    )
    interface_description = (
        b'\x00\x00\x00\x01'  # block type: Interface Description
        b'\x00\x00\x00\x20'  # block total length, 32 bytes
        b'\x00\x01'  # link type
        b'\x00\x00'  # reserved
        b'\x00\x00\xff\xff'  # snaplen
        b'\x00\x09\x00\x01'  # option code 9 (if_tsresol), length 1
        b'\x0c\x00\x00\x00'  # value 0x0c plus 3 bytes padding
        b'\x00\x00\x00\x00'  # opt_endofopt
        b'\x00\x00\x00\x20'  # block total length repeated
    )

    scanner = FileScanner(io.BytesIO(section_header + interface_description))
    blocks = list(scanner)
    assert len(blocks) == 2

    interface = blocks[1]
    assert isinstance(interface, InterfaceDescription)
    assert interface.options['if_tsresol'] == b'\x0c'
    assert 'if_tsresol' in interface.options
    # 0x0c decodes to a resolution of 10**-12 seconds per timestamp unit
    assert interface.timestamp_resolution == 1e-12
def test_sample_test005_ntar():
    """Scan test_data/test005.ntar and verify its two blocks.

    Checks the section header fields, the interface's link type and
    snaplen, and that ``if_speed`` decodes from its raw little-endian
    bytes to 10**10 (10 Gbit/s).
    """
    with open("test_data/test005.ntar", "rb") as fp:
        blocks = list(FileScanner(fp))

        # Section header, interface description
        assert len(blocks) == 2
        header, iface = blocks[0], blocks[1]

        assert isinstance(header, SectionHeader)
        assert header.endianness == "<"
        assert header.version == (1, 0)
        assert header.length == -1
        assert len(header.options) == 0
        assert len(header.interfaces) == 1

        assert isinstance(iface, InterfaceDescription)
        assert iface.link_type == 0x04D8  # ??? (value as found in the sample)
        assert iface.snaplen == 0x7C

        opts = iface.options
        assert len(opts) == 2
        raw_speed = opts.get_raw("if_speed")
        assert raw_speed == b"\x00\xe4\x0b\x54\x02\x00\x00\x00"  # noqa
        assert opts["if_speed"] == 0x00000002540BE400
        assert opts["if_speed"] == (10**10)  # 10Gbit
        assert opts["if_description"] == "Stupid ethernet interface\x00"
def test_read_block_interface_unknown_link_type():
    """A link type outside the known table must not break parsing.

    The 24-byte interface block declares link type 0xff01. The scanner is
    expected to keep the raw number and expose a descriptive fallback
    string rather than raise: capture files come from arbitrary writers,
    so unrecognised values are an input the parser has to degrade on
    gracefully.
    """
    section_header = (
        b"\x0a\x0d\x0d\x0a"  # block type magic
        b"\x00\x00\x00\x20"  # block total length, 32 bytes
        b"\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        b"\x00\x01\x00\x00"  # major=1, minor=0
        b"\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        b"\x00\x00\x00\x00"  # opt_endofopt only
        b"\x00\x00\x00\x20"  # block total length repeated
    )
    interface_description = (
        b'\x00\x00\x00\x01'  # block type: Interface Description
        b'\x00\x00\x00\x18'  # block total length, 24 bytes
        b'\xff\x01'  # link type: not in the known table
        b'\x00\x00'  # reserved
        b'\x00\x00\xff\xff'  # snaplen
        b'\x00\x00\x00\x00'  # opt_endofopt only
        b'\x00\x00\x00\x18'  # block total length repeated
    )

    blocks = list(FileScanner(io.BytesIO(section_header + interface_description)))
    assert len(blocks) == 2

    interface = blocks[1]
    assert isinstance(interface, InterfaceDescription)
    assert interface.link_type == 0xff01
    assert interface.link_type_description == 'Unknown link type: 0xff01'
def test_sample_test006_ntar(filename):
    """Scan the test006.ntar sample: section header, interface, obsolete packet.

    ``filename`` comes from the harness (its fixture or parametrisation is
    defined outside this file). The packet's ``pack_flags`` option must
    decode with every error bit cleared.
    """
    # Note: See the comment below this function
    # test006.ntar is reporting an incorrect size, which causes the
    # test to fail. Is this the expected behavior?
    with open(filename, "rb") as fp:
        blocks = list(FileScanner(fp))

        # Section header, interface description, then what??
        assert len(blocks) == 3
        header, iface, packet = blocks

        assert isinstance(header, SectionHeader)
        assert header.endianness == "<"
        assert header.version == (1, 0)
        assert header.length == -1
        assert len(header.options) == 0
        assert len(header.interfaces) == 1

        assert isinstance(iface, InterfaceDescription)
        assert iface.link_type == 2
        assert iface.snaplen == 96
        assert len(iface.options) == 2
        assert iface.options["if_speed"] == (10**8)  # 100Mbit
        assert iface.options["if_description"] == "Stupid ethernet interface\x00"

        assert isinstance(packet, ObsoletePacket)
        assert packet.interface_id == 0

        flags = packet.options["pack_flags"]
        assert flags.inout == "NA"
        assert flags.casttype == "NA"
        assert flags.fcslen == 0
        assert flags.reserved == 0

        # Every error indicator must be a genuine False, not merely falsy.
        error_bits = (
            "err_16", "err_17", "err_18", "err_19",
            "err_20", "err_21", "err_22", "err_23",
            "err_crc", "err_long", "err_short",
            "err_frame_gap", "err_frame_align", "err_frame_delim",
            "err_preamble", "err_symbol",
        )
        for bit in error_bits:
            assert getattr(flags, bit) is False, bit
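def test_sample_test006_ntar(filename):
    """Scan the test006.ntar sample: section header, interface, obsolete packet.

    ``filename`` comes from the harness (its fixture or parametrisation is
    defined outside this file). The packet's ``pack_flags`` option must
    decode with every error bit cleared.

    The error-bit checks use ``is False`` rather than ``== False``: with
    ``==`` a flag accidentally decoded as the integer 0 would still pass,
    so the test would not notice a type regression in the flag decoder.
    """
    # Note: See the comment below this function
    # test006.ntar is reporting an incorrect size, which causes the
    # test to fail. Is this the expected behavior?
    with open(filename, 'rb') as fp:
        blocks = list(FileScanner(fp))

        # Section header, interface description, then what??
        assert len(blocks) == 3
        section, interface, packet = blocks

        assert isinstance(section, SectionHeader)
        assert section.endianness == '<'
        assert section.version == (1, 0)
        assert section.length == -1
        assert len(section.options) == 0
        assert len(section.interfaces) == 1

        assert isinstance(interface, InterfaceDescription)
        assert interface.link_type == 2
        assert interface.snaplen == 96
        assert len(interface.options) == 2
        assert interface.options['if_speed'] == (10**8)  # 100Mbit
        assert interface.options['if_description'] == 'Stupid ethernet interface\x00'

        assert isinstance(packet, ObsoletePacket)
        assert packet.interface_id == 0

        flags = packet.options['pack_flags']
        assert flags.inout == 'NA'
        assert flags.casttype == 'NA'
        assert flags.fcslen == 0
        assert flags.reserved == 0

        error_bits = (
            'err_16', 'err_17', 'err_18', 'err_19',
            'err_20', 'err_21', 'err_22', 'err_23',
            'err_crc', 'err_long', 'err_short',
            'err_frame_gap', 'err_frame_align', 'err_frame_delim',
            'err_preamble', 'err_symbol',
        )
        for bit in error_bits:
            # identity check: a bool False, not any falsy value
            assert getattr(flags, bit) is False, bit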
def test_sample_test001_ntar():
    """Scan test_data/test001.ntar, which holds nothing but a section header.

    The header must be little-endian, version 1.0, with an unspecified
    section length, no options and no interfaces.
    """
    with open('test_data/test001.ntar', 'rb') as fp:
        blocks = list(FileScanner(fp))

        # There is just a section header
        assert len(blocks) == 1
        (header,) = blocks

        assert header.endianness == '<'
        assert header.version == (1, 0)
        assert header.length == -1
        assert len(header.options) == 0
        assert len(header.interfaces) == 0
def test_read_block_interface_bigendian():
    """Parse a big-endian section header followed by a 64-byte interface block.

    The interface carries three options: if_name ("eth0"), if_tsresol (6,
    microsecond resolution) and if_os. The section header must register
    the interface under id 0, and the ``repr`` must embed the options and
    the reserved field.
    """
    section_header = (
        b"\x0a\x0d\x0d\x0a"  # block type magic
        b"\x00\x00\x00\x20"  # block total length, 32 bytes
        b"\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        b"\x00\x01\x00\x00"  # major=1, minor=0
        b"\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        b"\x00\x00\x00\x00"  # opt_endofopt only
        b"\x00\x00\x00\x20"  # block total length repeated
    )
    interface_description = (
        b"\x00\x00\x00\x01"  # block type: Interface Description
        b"\x00\x00\x00\x40"  # block total length, 64 bytes
        b"\x00\x01"  # link type 1
        b"\x00\x00"  # reserved
        b"\x00\x00\xff\xff"  # snaplen 65535
        b"\x00\x02\x00\x04"  # if_name, 4 bytes
        b"eth0"
        b"\x00\x09\x00\x01"  # if_tsresol, 1 byte
        b"\x06\x00\x00\x00"  # value 6 plus 3 bytes padding
        b"\x00\x0c\x00\x13"  # if_os, 19 bytes
        b"Linux 3.2.0-4-amd64\x00"  # value plus 1 byte padding
        b"\x00\x00\x00\x00"  # opt_endofopt
        b"\x00\x00\x00\x40"  # block total length repeated
    )

    blocks = list(FileScanner(io.BytesIO(section_header + interface_description)))
    assert len(blocks) == 2
    section, interface = blocks

    assert isinstance(section, SectionHeader)
    assert section.endianness == ">"
    assert section.interfaces == {0: interface}

    assert isinstance(interface, InterfaceDescription)
    assert interface.link_type == 0x01
    assert interface.link_type_description == "D/I/X and 802.3 Ethernet"
    assert interface.snaplen == 0xFFFF
    assert interface.options["if_name"] == "eth0"
    assert interface.options["if_tsresol"] == b"\x06"
    assert interface.timestamp_resolution == 1e-6
    assert interface.options["if_os"] == "Linux 3.2.0-4-amd64"
    assert interface.reserved == 0

    expected_repr = (
        "<InterfaceDescription link_type=1 reserved={reserved} "
        "snaplen=65535 options={options}>"
    ).format(options=repr(interface.options), reserved=repr(interface.reserved))
    assert repr(interface) == expected_repr
def test_read_block_interface_bigendian():
    """Parse a big-endian section header followed by a 64-byte interface block.

    This variant feeds ``str`` literals to ``io.BytesIO`` and compares
    ``if_tsresol`` against a ``str``, so it only runs on an interpreter
    where ``str`` is a byte string. The interface carries if_name
    ("eth0"), if_tsresol (6, microsecond resolution) and if_os; the
    section header must register it under id 0.
    """
    section_header = (
        "\x0a\x0d\x0d\x0a"  # block type magic
        "\x00\x00\x00\x20"  # block total length, 32 bytes
        "\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        "\x00\x01\x00\x00"  # major=1, minor=0
        "\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        "\x00\x00\x00\x00"  # opt_endofopt only
        "\x00\x00\x00\x20"  # block total length repeated
    )
    interface_description = (
        '\x00\x00\x00\x01'  # block type: Interface Description
        '\x00\x00\x00\x40'  # block total length, 64 bytes
        '\x00\x01'  # link type 1
        '\x00\x00'  # reserved
        '\x00\x00\xff\xff'  # snaplen 65535
        '\x00\x02\x00\x04'  # if_name, 4 bytes
        'eth0'
        '\x00\x09\x00\x01'  # if_tsresol, 1 byte
        '\x06\x00\x00\x00'  # value 6 plus 3 bytes padding
        '\x00\x0c\x00\x13'  # if_os, 19 bytes
        'Linux 3.2.0-4-amd64\x00'  # value plus 1 byte padding
        '\x00\x00\x00\x00'  # opt_endofopt
        '\x00\x00\x00\x40'  # block total length repeated
    )

    blocks = list(FileScanner(io.BytesIO(section_header + interface_description)))
    assert len(blocks) == 2
    section, interface = blocks

    assert isinstance(section, SectionHeader)
    assert section.endianness == '>'
    assert section.interfaces == {0: interface}

    assert isinstance(interface, InterfaceDescription)
    assert interface.link_type == 0x01
    assert interface.link_type_description == 'D/I/X and 802.3 Ethernet'
    assert interface.snaplen == 0xffff
    assert interface.options['if_name'] == 'eth0'
    assert interface.options['if_tsresol'] == '\x06'
    assert interface.timestamp_resolution == 1e-6
    assert interface.options['if_os'] == 'Linux 3.2.0-4-amd64'

    expected_repr = (
        "<InterfaceDescription link_type=1 reserved='\\x00\\x00' "
        "snaplen=65535 options={options}>"
    ).format(options=repr(interface.options))
    assert repr(interface) == expected_repr
def test_sample_test004_ntar():
    """Scan test_data/test004.ntar: a lone section header with two options.

    The options are the writer's OS and application name; both values in
    the sample carry a trailing NUL, which the parser hands back as-is.
    """
    with open("test_data/test004.ntar", "rb") as fp:
        blocks = list(FileScanner(fp))

        # Section header
        assert len(blocks) == 1
        (header,) = blocks

        assert isinstance(header, SectionHeader)
        assert header.endianness == "<"
        assert header.version == (1, 0)
        assert header.length == -1

        options = header.options
        assert len(options) == 2
        assert options["shb_os"] == "Windows XP\x00"  # (why NULL?)
        assert options["shb_userappl"] == "Test004.exe\x00"

        assert len(header.interfaces) == 0
def test_sample_test004_ntar():
    """Scan test_data/test004.ntar: one section header carrying shb_os and shb_userappl.

    Both option values in the sample include a trailing NUL; the parser
    does not strip it.
    """
    with open('test_data/test004.ntar', 'rb') as fp:
        scanner = FileScanner(fp)
        blocks = list(scanner)

        # Section header
        assert len(blocks) == 1
        shb = blocks[0]
        assert isinstance(shb, SectionHeader)

        assert (shb.endianness, shb.version, shb.length) == ('<', (1, 0), -1)

        assert len(shb.options) == 2
        assert shb.options['shb_os'] == 'Windows XP\x00'  # (why NULL?)
        assert shb.options['shb_userappl'] == 'Test004.exe\x00'

        assert len(shb.interfaces) == 0
def test_sample_test002_ntar():
    """Scan test_data/test002.ntar: section header plus a bare interface.

    The interface in this sample has link type 0, snaplen 0 and no
    options at all.
    """
    with open("test_data/test002.ntar", "rb") as fp:
        blocks = list(FileScanner(fp))

        # Section header, interface description
        assert len(blocks) == 2
        header, iface = blocks

        assert isinstance(header, SectionHeader)
        assert header.endianness == "<"
        assert header.version == (1, 0)
        assert header.length == -1
        assert len(header.options) == 0
        assert len(header.interfaces) == 1

        assert isinstance(iface, InterfaceDescription)
        assert iface.link_type == 0  # Unknown link type
        assert iface.snaplen == 0
        assert len(iface.options) == 0
def test_sample_test003_ntar():
    """Scan test_data/test003.ntar: section header plus one option-less interface.

    The interface reports link type 0x04d8 and a snaplen of 0x7c.
    """
    with open('test_data/test003.ntar', 'rb') as fp:
        blocks = list(FileScanner(fp))

        # Section header, interface description
        assert len(blocks) == 2
        section, interface = blocks

        assert isinstance(section, SectionHeader)
        assert section.endianness == '<'
        assert section.version == (1, 0)
        assert section.length == -1
        assert len(section.options) == 0
        assert len(section.interfaces) == 1

        assert isinstance(interface, InterfaceDescription)
        assert interface.link_type == 0x04d8  # ??? (value as found in the sample)
        assert interface.snaplen == 0x7c
        assert len(interface.options) == 0
def test_read_block_sectionheader_bigendian_empty_options():
    """Parse a 32-byte big-endian Section Header Block with an empty option list.

    This variant feeds ``str`` literals to ``io.BytesIO``, so it only runs
    on an interpreter where ``str`` is a byte string. The scanner must
    yield one block with an empty ``Options`` mapping and no interfaces.
    """
    payload = (
        "\x0a\x0d\x0d\x0a"  # block type magic
        "\x00\x00\x00\x20"  # block total length, 32 bytes
        "\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        "\x00\x01\x00\x00"  # major=1, minor=0
        "\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        "\x00\x00\x00\x00"  # opt_endofopt only
        "\x00\x00\x00\x20"  # block total length repeated
    )
    blocks = list(FileScanner(io.BytesIO(payload)))

    assert len(blocks) == 1
    (header,) = blocks

    assert isinstance(header, SectionHeader)
    assert header.endianness == '>'
    assert header.version == (1, 0)
    assert header.length == -1
    assert isinstance(header.options, Options)
    assert len(header.options) == 0
    assert header.interfaces == {}
def test_read_block_sectionheader_littleendian_missing_options():
    """A section header with no option bytes at all (not even opt_endofopt) still parses.

    The block is 28 bytes: the fixed header followed directly by the
    repeated block length. The scanner must treat the absent option list
    as empty rather than reject or misalign on the block.
    """
    payload = (
        b"\x0a\x0d\x0d\x0a"  # block type magic
        b"\x1c\x00\x00\x00"  # block total length, 28 bytes
        b"\x4d\x3c\x2b\x1a"  # byte-order magic, little-endian
        b"\x01\x00\x00\x00"  # major=1, minor=0
        b"\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        b""  # no option bytes whatsoever
        b"\x1c\x00\x00\x00"  # block total length repeated
    )
    blocks = list(FileScanner(io.BytesIO(payload)))

    assert len(blocks) == 1
    (header,) = blocks

    assert isinstance(header, SectionHeader)
    assert header.endianness == '<'
    assert header.version == (1, 0)
    assert header.length == -1
    assert isinstance(header.options, Options)
    assert len(header.options) == 0
    assert header.interfaces == {}
def test_read_block_enhanced_packet_tsresol_bigendian(tsr_base, tsr_exp):
    """Round-trip a parametrised ``if_tsresol`` through a generated capture.

    ``_generate_file_with_tsresol`` (defined elsewhere in the module)
    builds a big-endian file holding a section header, one interface whose
    only option is if_tsresol, and one enhanced packet. The packet must
    inherit the interface's resolution ``tsr_base ** tsr_exp`` and decode
    its timestamp to 1420070400.0 (2015-01-01T00:00:00Z).
    """
    payload = _generate_file_with_tsresol(tsr_base, tsr_exp)
    blocks = list(FileScanner(io.BytesIO(payload)))
    assert len(blocks) == 3
    section, interface, packet = blocks

    assert isinstance(section, SectionHeader)
    assert section.endianness == ">"
    assert section.interfaces == {0: interface}

    assert isinstance(interface, InterfaceDescription)
    assert len(interface.options) == 1  # Just if_tsresol
    expected_tsresol = pack_timestamp_resolution(tsr_base, tsr_exp)
    assert interface.options["if_tsresol"] == expected_tsresol

    assert isinstance(packet, EnhancedPacket)
    assert packet.section == section
    assert packet.interface_id == 0
    assert packet.interface == interface

    expected_resolution = tsr_base**tsr_exp
    assert packet.timestamp_resolution == expected_resolution
    assert packet.timestamp == 1420070400.0
def test_read_block_interface_stats_bigendian():
    """Parse section header, interface and a 128-byte Interface Statistics Block.

    This variant feeds ``str`` literals to ``io.BytesIO``, so it only runs
    on an interpreter where ``str`` is a byte string. The statistics block
    references interface 0, and the interface must link back to it via
    ``statistics``. The block timestamp is scaled by the interface's
    microsecond resolution; the isb_starttime/isb_endtime options are
    exposed as raw integers without that scaling.
    """
    section_header = (
        "\x0a\x0d\x0d\x0a"  # block type magic
        "\x00\x00\x00\x20"  # block total length, 32 bytes
        "\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        "\x00\x01\x00\x00"  # major=1, minor=0
        "\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        "\x00\x00\x00\x00"  # opt_endofopt only
        "\x00\x00\x00\x20"  # block total length repeated
    )
    interface_description = (
        '\x00\x00\x00\x01'  # block type: Interface Description
        '\x00\x00\x00\x40'  # block total length, 64 bytes
        '\x00\x01'  # link type 1
        '\x00\x00'  # reserved
        '\x00\x00\xff\xff'  # snaplen 65535
        '\x00\x02\x00\x04'  # if_name, 4 bytes
        'eth0'
        '\x00\x09\x00\x01'  # if_tsresol, 1 byte
        '\x06\x00\x00\x00'  # value 6 plus 3 bytes padding
        '\x00\x0c\x00\x13'  # if_os, 19 bytes
        'Linux 3.2.0-4-amd64\x00'  # value plus 1 byte padding
        '\x00\x00\x00\x00'  # opt_endofopt
        '\x00\x00\x00\x40'  # block total length repeated
    )
    interface_statistics = (
        '\x00\x00\x00\x05'  # block type: Interface Statistics
        '\x00\x00\x00\x80'  # block total length, 128 bytes
        '\x00\x00\x00\x00'  # interface id 0
        '\x00\x05\x0b\x5f\x61\xf8\x14\x40'  # timestamp high/low
        '\x00\x01\x00\x0a'  # opt_comment, 10 bytes
        'A comment\x00\x00\x00'  # value (incl. NUL) plus 2 bytes padding
        '\x00\x02\x00\x08'  # isb_starttime, 8 bytes
        '\x00\x05\x0b\x5f\x64\xa6\xb9\x80'
        '\x00\x03\x00\x08'  # isb_endtime, 8 bytes
        '\x00\x05\x0b\x5f\x6b\x44\x73\x40'
        '\x00\x04\x00\x08'  # isb_ifrecv, 8 bytes
        '\x00\x00\x00\x00\x00\x01\x23\x45'
        '\x00\x05\x00\x08'  # isb_ifdrop, 8 bytes
        '\x00\x00\x00\x00\x00\x00\x00\x20'
        '\x00\x06\x00\x08'  # isb_filteraccept, 8 bytes
        '\x00\x00\x00\x00\x00\x00\x0a\xbc'
        '\x00\x07\x00\x08'  # isb_osdrop, 8 bytes
        '\x00\x00\x00\x00\x00\x00\x00\x33'
        '\x00\x08\x00\x08'  # isb_usrdeliv, 8 bytes
        '\x00\x00\x00\x00\x00\x0a\xbc\xde'
        '\x00\x00\x00\x00'  # opt_endofopt
        '\x00\x00\x00\x80'  # block total length repeated
    )

    payload = section_header + interface_description + interface_statistics
    blocks = list(FileScanner(io.BytesIO(payload)))
    assert len(blocks) == 3
    section, interface, stats = blocks

    assert isinstance(section, SectionHeader)
    assert section.endianness == '>'
    assert section.interfaces == {0: interface}

    assert isinstance(interface, InterfaceDescription)
    assert interface.statistics is stats

    assert isinstance(stats, InterfaceStatistics)
    expected_timestamp = 0x050b5f61f81440 / 1e6
    assert stats.timestamp == expected_timestamp

    counters = stats.options
    assert counters['isb_starttime'] == 0x050b5f64a6b980  # no resol!
    assert counters['isb_endtime'] == 0x050b5f6b447340  # no resol!
    assert counters['isb_ifrecv'] == 0x12345
    assert counters['isb_ifdrop'] == 0x20
    assert counters['isb_filteraccept'] == 0xabc
    assert counters['isb_osdrop'] == 0x33
    assert counters['isb_usrdeliv'] == 0xabcde
def test_read_block_interface_stats_bigendian():
    """Parse section header, interface and a 128-byte Interface Statistics Block.

    The statistics block references interface 0, and the interface must
    link back to it via ``statistics``. The block timestamp is scaled by
    the interface's microsecond resolution; the isb_starttime/isb_endtime
    options are exposed as raw integers without that scaling.
    """
    section_header = (
        b"\x0a\x0d\x0d\x0a"  # block type magic
        b"\x00\x00\x00\x20"  # block total length, 32 bytes
        b"\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        b"\x00\x01\x00\x00"  # major=1, minor=0
        b"\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        b"\x00\x00\x00\x00"  # opt_endofopt only
        b"\x00\x00\x00\x20"  # block total length repeated
    )
    interface_description = (
        b"\x00\x00\x00\x01"  # block type: Interface Description
        b"\x00\x00\x00\x40"  # block total length, 64 bytes
        b"\x00\x01"  # link type 1
        b"\x00\x00"  # reserved
        b"\x00\x00\xff\xff"  # snaplen 65535
        b"\x00\x02\x00\x04"  # if_name, 4 bytes
        b"eth0"
        b"\x00\x09\x00\x01"  # if_tsresol, 1 byte
        b"\x06\x00\x00\x00"  # value 6 plus 3 bytes padding
        b"\x00\x0c\x00\x13"  # if_os, 19 bytes
        b"Linux 3.2.0-4-amd64\x00"  # value plus 1 byte padding
        b"\x00\x00\x00\x00"  # opt_endofopt
        b"\x00\x00\x00\x40"  # block total length repeated
    )
    interface_statistics = (
        b"\x00\x00\x00\x05"  # block type: Interface Statistics
        b"\x00\x00\x00\x80"  # block total length, 128 bytes
        b"\x00\x00\x00\x00"  # interface id 0
        b"\x00\x05\x0b\x5f\x61\xf8\x14\x40"  # timestamp high/low
        b"\x00\x01\x00\x0a"  # opt_comment, 10 bytes
        b"A comment\x00\x00\x00"  # value (incl. NUL) plus 2 bytes padding
        b"\x00\x02\x00\x08"  # isb_starttime, 8 bytes
        b"\x00\x05\x0b\x5f\x64\xa6\xb9\x80"
        b"\x00\x03\x00\x08"  # isb_endtime, 8 bytes
        b"\x00\x05\x0b\x5f\x6b\x44\x73\x40"
        b"\x00\x04\x00\x08"  # isb_ifrecv, 8 bytes
        b"\x00\x00\x00\x00\x00\x01\x23\x45"
        b"\x00\x05\x00\x08"  # isb_ifdrop, 8 bytes
        b"\x00\x00\x00\x00\x00\x00\x00\x20"
        b"\x00\x06\x00\x08"  # isb_filteraccept, 8 bytes
        b"\x00\x00\x00\x00\x00\x00\x0a\xbc"
        b"\x00\x07\x00\x08"  # isb_osdrop, 8 bytes
        b"\x00\x00\x00\x00\x00\x00\x00\x33"
        b"\x00\x08\x00\x08"  # isb_usrdeliv, 8 bytes
        b"\x00\x00\x00\x00\x00\x0a\xbc\xde"
        b"\x00\x00\x00\x00"  # opt_endofopt
        b"\x00\x00\x00\x80"  # block total length repeated
    )

    payload = section_header + interface_description + interface_statistics
    blocks = list(FileScanner(io.BytesIO(payload)))
    assert len(blocks) == 3
    section, interface, stats = blocks

    assert isinstance(section, SectionHeader)
    assert section.endianness == ">"
    assert section.interfaces == {0: interface}

    assert isinstance(interface, InterfaceDescription)
    assert interface.statistics is stats

    assert isinstance(stats, InterfaceStatistics)
    expected_timestamp = 0x050B5F61F81440 / 1e6
    assert stats.timestamp == expected_timestamp

    counters = stats.options
    assert counters["isb_starttime"] == 0x050B5F64A6B980  # no resol!
    assert counters["isb_endtime"] == 0x050B5F6B447340  # no resol!
    assert counters["isb_ifrecv"] == 0x12345
    assert counters["isb_ifdrop"] == 0x20
    assert counters["isb_filteraccept"] == 0xABC
    assert counters["isb_osdrop"] == 0x33
    assert counters["isb_usrdeliv"] == 0xABCDE
def test_sample_test010_ntar():
    """Smoke test: test_data/test010.ntar must scan to completion without raising.

    No fields are asserted; the test only guards against the scanner
    failing part-way through this sample.
    """
    with open('test_data/test010.ntar', 'rb') as fp:
        list(FileScanner(fp))  # drain the iterator; result unused
def test_read_block_enhanced_packet_bigendian():
    """Parse section header, interface and a 120-byte Enhanced Packet Block.

    The packet references interface 0 (eth0, microsecond resolution) and
    carries an 81-byte Ethernet/IP/TCP frame with an HTTP request as
    payload, padded to 84 bytes, followed by an empty option list. The
    captured and original lengths are both 0x51; the decoded timestamp
    must come out as 1398708650.3008409 seconds.
    """
    section_header = (
        b"\x0a\x0d\x0d\x0a"  # block type magic
        b"\x00\x00\x00\x20"  # block total length, 32 bytes
        b"\x1a\x2b\x3c\x4d"  # byte-order magic, big-endian
        b"\x00\x01\x00\x00"  # major=1, minor=0
        b"\xff\xff\xff\xff\xff\xff\xff\xff"  # section length unspecified
        b"\x00\x00\x00\x00"  # opt_endofopt only
        b"\x00\x00\x00\x20"  # block total length repeated
    )
    interface_description = (
        b"\x00\x00\x00\x01"  # block type: Interface Description
        b"\x00\x00\x00\x40"  # block total length, 64 bytes
        b"\x00\x01"  # link type 1
        b"\x00\x00"  # reserved
        b"\x00\x00\xff\xff"  # snaplen 65535
        b"\x00\x02\x00\x04"  # if_name, 4 bytes
        b"eth0"
        b"\x00\x09\x00\x01"  # if_tsresol, 1 byte
        b"\x06\x00\x00\x00"  # value 6 plus 3 bytes padding
        b"\x00\x0c\x00\x13"  # if_os, 19 bytes
        b"Linux 3.2.0-4-amd64\x00"  # value plus 1 byte padding
        b"\x00\x00\x00\x00"  # opt_endofopt
        b"\x00\x00\x00\x40"  # block total length repeated
    )
    # 81 bytes of frame data, reused below as the expected packet_data
    frame = (
        b"\x00\x02\x157\xa2D\x00\xae\xf3R\xaa\xd1\x08\x00"  # Ethernet
        b"E\x00\x00C\x00\x01\x00\x00@\x06x<\xc0\xa8\x05\x15B#\xfa\x97"  # IP
        b"\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 "  # TCP
        b"\x00\xbb9\x00\x00"  # TCP(cont)
        b"GET /index.html HTTP/1.0 \n\n"  # HTTP
    )
    enhanced_packet = (
        b"\x00\x00\x00\x06"  # block type: Enhanced Packet
        b"\x00\x00\x00\x78"  # block total length, 120 bytes
        b"\x00\x00\x00\x00"  # interface id 0 (eth0)
        b"\x00\x04\xf8\x1e"  # timestamp high
        b"\x3c\x3e\xd5\xa9"  # timestamp low (microseconds)
        b"\x00\x00\x00\x51"  # captured length, 81
        b"\x00\x00\x00\x51"  # original length, 81
        + frame
        + b"\x00\x00\x00"  # padding to a 4-byte boundary
        # todo: add options?
        b"\x00\x00\x00\x00"  # opt_endofopt only
        b"\x00\x00\x00\x78"  # block total length repeated
    )

    payload = section_header + interface_description + enhanced_packet
    blocks = list(FileScanner(io.BytesIO(payload)))
    assert len(blocks) == 3
    section, interface, packet = blocks

    assert isinstance(section, SectionHeader)
    assert section.endianness == ">"
    assert section.interfaces == {0: interface}

    assert isinstance(interface, InterfaceDescription)
    assert interface.section == section
    assert interface.link_type == 0x01
    assert interface.snaplen == 0xFFFF
    assert interface.options["if_name"] == "eth0"
    assert interface.options["if_tsresol"] == b"\x06"

    assert isinstance(packet, EnhancedPacket)
    assert packet.section == section
    assert packet.interface_id == 0
    assert packet.interface == interface

    assert packet.timestamp_high == 0x0004F81E
    assert packet.timestamp_low == 0x3C3ED5A9
    assert packet.timestamp_resolution == 1e-6
    assert packet.timestamp == 1398708650.3008409

    assert packet.captured_len == 0x51
    assert packet.packet_len == 0x51
    assert packet.packet_data == frame
    assert len(packet.options) == 0
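    import sys
    import os

    # Usage: <script> <path-to-pcap-file>. Bail out before touching the
    # filesystem when no argument is given. sys.exit() replaces the
    # site-provided ``exit`` builtin, which is not guaranteed to exist
    # (e.g. under ``python -S``); the exit status is kept as before.
    if len(sys.argv) < 2:
        print("use as %s <path-to-pcap-file>" % sys.argv[0])
        sys.exit(0)

    # Make the repository root importable so the local pcapng package and
    # the generated kaitai parsers resolve when this runs as a script.
    sys.path.append(
        os.path.dirname(os.path.dirname(os.path.realpath(__file__))))

    from pcapng.scanner import FileScanner
    from pcapng.blocks import EnhancedPacket
    from kaitai.hytera_dmr_application_protocol import HyteraDmrApplicationProtocol
    from kaitai.hytera_radio_network_protocol import HyteraRadioNetworkProtocol
    from kaitai.hytera_simple_transport_reliability_protocol import (
        HyteraSimpleTransportReliabilityProtocol, )
    from kaitai.ip_site_connect_protocol import IpSiteConnectProtocol
    from kaitai.ip_site_connect_heartbeat import IpSiteConnectHeartbeat
    from kaitai.real_time_transport_protocol import RealTimeTransportProtocol
    from tests.prettyprint import _prettyprint
    import kamene.packet

    # Walk every block of the user-supplied capture and pretty-print only
    # Enhanced Packet Blocks; all other block types are skipped.
    # pprint_enhanced_packet is presumably defined elsewhere in this file.
    with open(sys.argv[1], "rb") as testfile:
        scanner = FileScanner(testfile)
        counter = 0
        for block in scanner:
            if isinstance(block, EnhancedPacket):
                counter += 1
                pprint_enhanced_packet(block)
        print("{0} packets worked through".format(counter))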
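def test_read_block_enhanced_packet_bigendian():
    """Parse a big-endian SHB + IDB + EPB stream and check every decoded field.

    The byte-order magic in the section header is ``1a 2b 3c 4d``, so every
    multi-byte field must be read with ``>``; the 81-byte Ethernet/IP/TCP/HTTP
    payload and the timestamp are the same values the little-endian enhanced
    packet test expects.

    Every literal fed to ``io.BytesIO`` is ``bytes``: ``io.BytesIO`` rejects
    ``str`` on Python 3 (the original ``"..."`` literals only worked on
    Python 2, where ``str`` is ``bytes``), and ``packet_data`` is compared
    against ``bytes`` for the same reason.
    """
    scanner = FileScanner(
        io.BytesIO(
            # ---------- Section header
            b"\x0a\x0d\x0d\x0a"  # Block type magic
            b"\x00\x00\x00\x20"  # Block total length (32 bytes)
            b"\x1a\x2b\x3c\x4d"  # Byte-order magic (big-endian)
            b"\x00\x01\x00\x00"  # Version 1.0
            b"\xff\xff\xff\xff\xff\xff\xff\xff"  # Section length unspecified (-1)
            b"\x00\x00\x00\x00"  # Empty options (opt_endofopt)
            b"\x00\x00\x00\x20"  # Block total length (32 bytes)

            # ---------- Interface description
            b"\x00\x00\x00\x01"  # Block type
            b"\x00\x00\x00\x40"  # Block total length (64 bytes)
            b"\x00\x01"  # Link type (1 = Ethernet)
            b"\x00\x00"  # Reserved
            b"\x00\x00\xff\xff"  # SnapLen
            b"\x00\x02\x00\x04"  # Option 2 (if_name), length 4
            b"eth0"
            b"\x00\x09\x00\x01"  # Option 9 (if_tsresol), length 1
            b"\x06\x00\x00\x00"  # 10^-6 s resolution, plus 3 bytes padding
            b"\x00\x0c\x00\x13"  # Option 12 (if_os), length 19
            b"Linux 3.2.0-4-amd64\x00"  # if_os, plus 1 byte padding
            b"\x00\x00\x00\x00"  # opt_endofopt
            b"\x00\x00\x00\x40"  # Block total length (64 bytes)

            # ---------- Enhanced packet
            b"\x00\x00\x00\x06"  # Block type
            b"\x00\x00\x00\x78"  # Block total length (120 bytes)
            b"\x00\x00\x00\x00"  # Interface ID 0 (eth0 above)
            b"\x00\x04\xf8\x1e"  # Timestamp, high 32 bits
            b"\x3c\x3e\xd5\xa9"  # Timestamp, low 32 bits (microseconds)
            b"\x00\x00\x00\x51"  # Captured length (81)
            b"\x00\x00\x00\x51"  # Original length (81)

            # Packet data (81 bytes), padded to a 32-bit boundary below
            b"\x00\x02\x157\xa2D\x00\xae\xf3R\xaa\xd1\x08\x00"  # Ethernet
            b"E\x00\x00C\x00\x01\x00\x00@\x06x<\xc0\xa8\x05\x15B#\xfa\x97"  # IP
            b"\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 "  # TCP
            b"\x00\xbb9\x00\x00"  # TCP(cont)
            b"GET /index.html HTTP/1.0 \n\n"  # HTTP
            b"\x00\x00\x00"  # Padding

            # todo: add options?
            b"\x00\x00\x00\x00"  # opt_endofopt
            b"\x00\x00\x00\x78"  # Block total length (120 bytes)
        ))

    blocks = list(scanner)
    assert len(blocks) == 3

    # Section header: byte order detected from the magic, and it registers
    # the interface description that follows it.
    assert isinstance(blocks[0], SectionHeader)
    assert blocks[0].endianness == '>'
    assert blocks[0].interfaces == {0: blocks[1]}

    # Interface description: fixed fields plus decoded options.
    assert isinstance(blocks[1], InterfaceDescription)
    assert blocks[1].section == blocks[0]
    assert blocks[1].link_type == 0x01
    assert blocks[1].snaplen == 0xffff
    assert blocks[1].options['if_name'] == 'eth0'
    # if_tsresol is a raw single-byte option, not a string-typed one like
    # if_name, so it is expected undecoded. NOTE(review): confirm this matches
    # what the little-endian sibling test expects for the same option.
    assert blocks[1].options['if_tsresol'] == b'\x06'

    # Enhanced packet: resolves its interface, and the timestamp is
    # (high << 32 | low) scaled by the interface's 1e-6 s resolution.
    assert isinstance(blocks[2], EnhancedPacket)
    assert blocks[2].section == blocks[0]
    assert blocks[2].interface_id == 0
    assert blocks[2].interface == blocks[1]

    assert blocks[2].timestamp_high == 0x0004f81e
    assert blocks[2].timestamp_low == 0x3c3ed5a9
    assert blocks[2].timestamp_resolution == 1e-6
    assert blocks[2].timestamp == 1398708650.3008409

    # Payload comes back without the 3 bytes of block padding.
    assert blocks[2].captured_len == 0x51
    assert blocks[2].packet_len == 0x51
    assert blocks[2].packet_data == (
        b"\x00\x02\x157\xa2D\x00\xae\xf3R\xaa\xd1\x08\x00"  # Ethernet
        b"E\x00\x00C\x00\x01\x00\x00@\x06x<\xc0\xa8\x05\x15B#\xfa\x97"  # IP
        b"\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 "  # TCP
        b"\x00\xbb9\x00\x00"  # TCP(cont)
        b"GET /index.html HTTP/1.0 \n\n")  # HTTP
    assert len(blocks[2].options) == 0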
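def test_sample_test010_ntar():
    """Smoke-test the bundled ``test010.ntar`` sample.

    The previous version only exhausted the scanner, so it could fail only by
    raising. Collecting the blocks lets the test also check that the file
    actually decoded into something: per the pcapng format a stream begins
    with a Section Header Block, so the first yielded block must be a
    ``SectionHeader``. The path is relative to the working directory.
    """
    with open("test_data/test010.ntar", "rb") as fp:
        blocks = list(FileScanner(fp))

    assert blocks, "scanner yielded no blocks for test010.ntar"
    assert isinstance(blocks[0], SectionHeader)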