def generate_pcap(size):
""" This function generates a PCAP file with frames containing
random MAC addresses
:param size: Number of frames to generate
:type size: int
"""
packets = []
for i in range(0, size):
pkt = Ether(
dst=mactools.getRandomMAC(),
src=mactools.getRandomMAC()
) / IP(
)
packets.append(pkt)
wrpcap("mac_flooding.pcap", packets)
def format(self, p):
# prepare an input buffer, containing the content of the template
f = open(path.join(XMLFormatter.TemplateDir, 'template.xml'))
i = StringIO(f.read())
f.close()
# prepare an output buffer to write the generated XML to
o = StringIO()
sgml = SGMLTemplate({ 'report': self.report, 'asset_path': path.basename(p + '_files') }, ouf=o)
# use the SGMLTemplate to generate the formatted report
sgml.xcopy(i)
o.reset()
# write the contents of the output buffer to file, using ui.write_file()
# to allow the output path to be dynamically changed
self.write_file(p, o.read())
# create a directory to write the various assets and linked files to
self.create_directory(p + '_files')
# copy any static assets into the output directory
for asset in XMLFormatter.Assets:
self.copy_file(path.join(XMLFormatter.TemplateDir, asset), path.join(p + '_files', asset))
# write the logs and pcap data for each result to file
for suite in self.report.results():
for result in suite.results():
self.create_directory(path.join(p + '_files', str(id(result))))
# write the test case log file
self.write_file(path.join(p + '_files', str(id(result)), "veripy.log"), result.outcome.log)
# write the network pcap data into a log file
for (link, pcap) in result.outcome.network_dumps:
if len(pcap) > 0:
wrpcap(path.join(p + '_files', str(id(result)), "link-%s.pcap" % link), pcap)
def main():
args = command_parser()
interface = args.interface
target_ip = args.target_ip
gateway_ip = args.gateway_ip
packet_count = int(args.packet_count)
# scapy conf
conf.iface = interface
conf.verb = 0
# ARP init
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
print("[!!!] Failed to get gateway MAC. Exiting.")
sys.exit(0)
else:
print("[*] Gateway {} is at {}".format(gateway_ip, gateway_mac))
target_mac = get_mac(target_ip)
if target_mac is None:
print("[!!!] Failed to get target MAC. Exiting.")
sys.exit(0)
else:
print("[*] Target {} is at {}".format(target_ip, target_mac))
arp_target = ARPTarget()
arp_target.gateway_ip = gateway_ip
arp_target.gateway_mac = gateway_mac
arp_target.target_ip = target_ip
arp_target.target_mac = target_mac
# start poison thread
poison_thread = threading.Thread(target=arp_target.poison_target)
poison_thread.start()
try:
# sniff
print("[*] Starting sniffer for {} packets".format(packet_count))
bpf_filter = "ip host {}".format(target_ip)
packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
except KeyboardInterrupt:
pass
finally:
# save packets and restore target
print("[*] Writing packets to arp.pcap")
wrpcap('arp.pcap', packets)
arp_target.poisoning = False
time.sleep(2)
arp_target.restore_target()
sys.exit(0)
def pcap_output():
""" write a libpcap formatted .pcap file containing the compiler output """
global ARGS
global COMPILER_OUTPUT
if (len(COMPILER_OUTPUT) == 0):
compiler_bailout("No output to write to disk.")
if (ARGS.output_file == ""):
raise SynTerminalError("No output file provided.")
wrpcap(ARGS.output_file, COMPILER_OUTPUT)
def start(idunivoco):
'riceve un idunivoco di fruizione e comincia lo sniff'
from scapy.all import wrpcap, sniff
rlocal.set(idunivoco+"_status",'running')
i = 0
while True:
p= sniff(filter='tcp port 80', iface='eth0', timeout=30)
i=i+1
filepcap = idunivoco+"_"+str(i)+'.pcap'
wrpcap(filepcap,p)
rlocal.lpush(idunivoco+"_files",filepcap)
if rlocal.get(idunivoco+"_status") == 'stop':
break
def post_test(self):
'''
Store the pcap.
'''
filename = os.path.join(self._path, 'test_%s.pcap' % self.test_number)
packets = self._packets[:]
if len(packets):
wrpcap(filename, packets)
else:
self.logger.debug('No packets to write')
self._packets = None
self.report.add('pcap file', filename)
super(NetworkMonitor, self).post_test()
def sniffer(output, iface='all', filter=None, timeout=10):
"""Method executes traffic sniffer
Args:
output (str): filename to store packets in PCAP format
iface (str): interface where traffic will be sniffed, default all interfaces
filter (str): traffic filter, see scapy doc
timeout (int): time to stop sniffer
Returns:
void
Raises:
event: inet_before_sniff
event: inet_after_sniff
"""
try:
from scapy.all import sniff, wrpcap
mh.demsg('htk_on_debug_info', mh._trn.msg('htk_inet_sniffer_started', output, iface, filter, timeout),
mh.fromhere())
ev = event.Event('inet_before_sniff', output, iface, filter, timeout)
if (mh.fire_event(ev) > 0):
output = ev.argv(0)
iface = ev.argv(1)
filter = ev.argv(2)
timeout = ev.argv(3)
if (ev.will_run_default()):
if (iface == 'all'):
packets = sniff(filter=filter, timeout=timeout)
else:
packets = sniff(iface=iface, filter=filter, timeout=timeout)
if (len(packets) > 0):
wrpcap(output, packets)
mh.demsg('htk_on_debug_info', mh._trn.msg(
'htk_inet_sniffer_stopped'), mh.fromhere())
ev = event.Event('inet_after_sniff')
mh.fire_event(ev)
except (Scapy_Exception, error) as ex:
mh.demsg('htk_on_error', ex, mh.fromhere())
def rawhandle(pkt):
if sniff_pkts:
scapy.wrpcap(random_filename+"arpy.pcap",pkt)
counter = 0
while counter < 1:
counter += 1
layer = pkt.getlayer(counter)
if layer.haslayer(scapy.Raw) and layer.haslayer(scapy.IP):
print(bcolours.OKBLUE + '\n[Info] Found the following (' + layer.name + ' layer): ' + layer.src + " -> " + layer.dst + bcolours.ENDC)
tcpdata = layer.getlayer(scapy.Raw).load
if not opts.verbose:
print tcpdata
else:
print layer.show()
else:
break
def splitStreams(tracefile, streamdir):
packets=rdpcap(tracefile)
streams={}
for packet in packets:
id=streamId(packet)
if id:
if id in streams.keys():
streams[id].append(packet)
else:
streams[id]=[packet]
for id in streams.keys():
streamfile=streamdir+'/'+id+'.pcap'
wrpcap(streamfile, streams[id])
def main():
"Send packets with specific seq nbs"
packet_list = [IP(src='0.0.0.1',
dst='1.0.0.1')/TCP(dport=10001,sport=10002,
flags="S",ack=0, seq=0)]
packet_list.append(IP(src='1.0.0.1',
dst='0.0.0.1')/TCP(dport=10002,sport=10001,
flags="SA",ack=1, seq=0))
packet_list.append(IP(src='0.0.0.1',
dst='1.0.0.1')/TCP(dport=10001,sport=10002,
flags="A",ack=1, seq=1))
for nb, size in zip(SEQ_NBS, SIZES):
packet_list.append(IP(src='0.0.0.1',
dst='1.0.0.1')/TCP(dport=10001,sport=10002,
flags="A",ack=1,
seq=nb+1)/('X' * size))
wrpcap("packet_list.dmp", packet_list)
def processpacket(self, packet):
# packet.show()
#
# packet.summary()
# print type(packet)
# packet.show()
self.queue.put(packet)
packtdocument = connection.PacketDocument()
#print(packtdocument)
packtdocument['srcip'] = packet.sprintf('%IP.src%')
packtdocument['destip'] = packet.sprintf('%IP.dst%')
packtdocument['summary'] = packet.summary()
packtdocument['detail'] = packet.command()
packtdocument.save()
#print(packtdocument)
if self.outfile:
wrpcap(self.outfile, packet, append=True)
def write_ipv6_pcap_file(input_file_path, output_file_path):
"""Write a pcap file of traffic converted to IPv6.
Limitations:
- Currently non Ethernet frames are skipped.
- Layers may go missing if you encapsulate IPv4 in IPv6
"""
ipv6_pkts = []
pkts = rdpcap(input_file_path)
for pkt in pkts:
# Ignore Non Ethernet for the moment
if type(pkt) != Ether:
print ("Skipping non Ethernet packet")
continue
# If IPv6 just add packet to to list
if pkt.type == ETH_P_IPV6:
print "Packet is alread IPv6"
ipv6_pkts.append(pkt)
continue
iplayer = pkt.getlayer(IP)
if iplayer != None:
ip6layer = IPv6()
ip6layer.dst = ip4Toip6(iplayer.dst)
ip6layer.src = ip4Toip6(iplayer.src)
ip6layer.payload = iplayer.payload
pkt.type = ETH_P_IPV6
pkt.payload = ip6layer
# Recalulate the checksums of layers
# and add missing fields http://stackoverflow.com/a/11648093/620304
del ip6layer.payload.chksum
ipv6_pkts.append(pkt)
else:
print ("Skipping packet\n" + ls(pkt))
# Write the new pcap
wrpcap(output_file_path, ipv6_pkts)
print ("Packets written to " + output_file_path)
def finish():
pkts = ()
ignored = []
from hwRegLib import get_bad_reads
bad_reads = get_bad_reads()
error_count = 0
if not os.path.isdir(pcap_dir):
os.mkdir(pcap_dir)
for iface in ifaceArray:
openSockets[iface].close()
# close capture threads, record packets
pkts = captureThreads[iface].finish()
# filter packets
packets[iface]['Matched'] = pkts[0]
packets[iface]['Unexpected'] = pkts[1]
packets[iface]['Expected'] = pkts[2]
filter(packets[iface]['Matched'], ignored)
filter(packets[iface]['Unexpected'], ignored)
filter(packets[iface]['Expected'], ignored)
# show differences between packets
error_count += compare(packets[iface]['Expected'],
packets[iface]['Unexpected'])
# write pcap files - TO IMPLEMENT: write to tmp dir
if packets[iface]['Matched'].__len__() > 0:
scapy.wrpcap(pcap_dir + iface+"_matched.pcap", packets[iface]['Matched'])
if packets[iface]['Expected'].__len__() > 0:
scapy.wrpcap(pcap_dir + iface+"_expected.pcap", packets[iface]['Expected'])
if packets[iface]['Unexpected'].__len__() > 0:
scapy.wrpcap(pcap_dir + iface+"_extra.pcap", packets[iface]['Unexpected'])
if ignored.__len__() > 0:
scapy.wrpcap(pcap_dir + iface + "_ignored.pcap", ignored)
# check for bad regread_expect
try:
num_bad_reads = bad_reads[iface].__len__()
error_count += num_bad_reads
except(KeyError):
pass
error_count += barrier_timeouts
return error_count
runconf['range'] = rs
else:
assert False, "unhandled option"
return runconf
if __name__ == '__main__':
runconf=get_runtime_options()
pcapackets=rdpcap(runconf['input'])
plist=[]
count=0
for p in pcapackets:
if not 'UDP' in p: continue
vpd=False
for r in runconf['range']:
if p['UDP'].dport >= r[0] and p['UDP'].dport <= r[1]:
vpd=True
break
if not vpd: continue
d=[]
for i in range(6): d.append("%02x" % ord(p['Raw'].load[i]))
dst=":".join(d)
d=[]
for i in range(6): d.append("%02x" % ord(p['Raw'].load[i+6]))
src=":".join(d)
pro=ord(p['Raw'].load[12])*0x100 + ord(p['Raw'].load[13])
np=Ether(dst=dst, src=src, type=pro)/Raw(load=p['Raw'].load[14:])
np.time=p.time
plist.append(np)
if runconf['output']:
wrpcap(runconf['output'], plist)
out the packet data captures, and use scapy to write a pcap
to file. The outputed filename is the timestamp in the packet.
"""
try:
fHandle = open(filename, 'r')
except IOError, e:
self.__logger.error(str(e))
return EvePcapError('could not open file: %s' % (filename))
data = fHandle.read()
lines = data.split('\n')
# Remove trailing empty array position
if len(lines[-1]) == 0:
lines = lines[:-1]
# Loop through all the lines in the json document
lineNumber = 0
for line in lines:
lineNumber += 1
# Get the pcap and timestamp of this event logging
try:
resultingPcap, timestamp = self.parseLine(line, lineNumber)
if resultingPcap != None:
wrpcap("%s.pcap" % (timestamp), resultingPcap)
except EvePcapError, e:
self.__logger.debug(str(e))
if len(sys.argv) > 1:
if len(sys.argv[1]) > 3 and sys.argv[1][-4:] == ".cap":
packets = scapy.rdpcap(sys.argv[1])
capture_session = 'captures/temp'
else:
scan_time = int(sys.argv[1])
packets = scapy.sniff(timeout=scan_time)
else:
scan_time = 20
packets = scapy.sniff(timeout=scan_time)
if capture_session == 'captures/temp' and (not 'temp' in os.listdir('./captures/')):
os.makedirs(capture_session)
scapy.wrpcap("{}/dump.cap".format(capture_session), packets)
f = open('{}/data.csv'.format(capture_session),'w')
f.write('protocol, hwsrc, hwdst, ipsrc, ipdst, whois\n')
protocols = defaultdict(int)
arp_mac_src = defaultdict(int)
arp_mac_dst = defaultdict(int)
arp_ip_src = defaultdict(int)
arp_ip_dst = defaultdict(int)
conn_ip = defaultdict(lambda: defaultdict(int))
conn_hw = defaultdict(lambda: defaultdict(int))
connections_ip = nx.Graph()
connections_hw = nx.Graph()
if args.max_running_time <= 0:
args.max_running_time = None
if args.max_captured_packets <= 0:
args.max_captured_packets = None
# Print capture status
print '''capturing packets with parameters:
max_running_time=%s, max_captured_packets=%s
output_testname=%s, overwrite=%s
filter_protocol=%s
verbose=%s'''%(
args.max_running_time, args.max_captured_packets, args.output_testname,
args.overwrite_output_file, args.filter_protocol, args.verbose)
# Sniff
from scapy.all import sniff,wrpcap
if not args.verbose:
pkts = sniff(count=args.max_captured_packets, timeout=args.max_running_time,
filter=args.filter_protocol, offline=args.output_testname)
else:
pkts = sniff(count=args.max_captured_packets, timeout=args.max_running_time,
filter=args.filter_protocol, prn=sniff_callback, offline=args.output_testname)
# Save sniffing output
if pkts == []:
print "sorry, no packets captured :(\ntry with a higher running time"
else:
wrpcap(outputfile,pkts)
print 'output saved in file {}'.format(outputfile)
if len(argv) == 2:
logging.info("Reading packets from "+ argv[1])
try:
packets = rdpcap(argv[1])
logging.info("%s Packets" % len(packets))
for packet in packets:
s.addpacket(packet)
except Exception, err:
logging.error(err)
exit(1)
elif len(argv) == 1:
try:
logging.info("Sniffing on port 80")
sniff(filter="tcp and port 80", prn=s.addpacket)
# capture infinitely, handle each packet in StreamSorting class
except socket.error, err:
logging.error("Sniffing requires root privileges, try ``sudo %s''" % argv[0])
logging.error("Exit.")
except KeyboardInterrupt:
logging.error("Had %s packets sniffed when called for exit" % len(s.packets))
fname = strftime('%Y%m%d_%H-%M') + '.cap'
logging.error("Writing to %s" % fname)
wrpcap(fname, s.packets)
exit(1)
else:
usage()
if dnssec_ratio == 1 or all_count * dnssec_ratio > dnssec_count:
msg.arcount = 1
msg.ar = DNSRR(rrname='.', type=41, rclass=4096, ttl=0x8000)
dnssec_count += 1
# Add optional ECS.
if ecs_ratio == 1 or all_count * ecs_ratio > ecs_count:
# If EDNS for DNSSEC was not already added, add OPT RR.
if msg.arcount != 1:
msg.arcount = 1
msg.ar = DNSRR(rrname='.', type=41, rclass=4096, ttl=0x0000)
msg.ar.rdata = random.choice(ecs_list)
ecs_count += 1
add_query(msg, rnd, target[all_count % modulo],
macs[all_count % modulo])
except Exception as er:
print(er)
print("Case was {}".format(str(l)))
continue
all_count += 1
fd.close()
# Dump to pcap
if len(PKTS) > 0:
# Shuffle packets to randomize server responses
random.shuffle(PKTS)
wrpcap(pcap_out, PKTS)
print("done")
def save_to_pcap(pkts, filename):
for pkt in pkts:
wrpcap(filename, pkt, append=True)
if gateway_mac is None:
print("[!!!] Failed to get gateway MAC. Exiting.")
sys.exit(0)
else:
print("[*] Gateway %s is at %s" % (gateway_ip,gateway_mac))
target_mac = get_mac(target_ip)
if target_mac is None:
print("[!!!] Failed to get target MAC. Exiting.")
sys.exit(0)
else:
print("[*] Target %s is at %s" % (target_ip,target_mac))
# start poison thread
poison_thread = threading.Thread(target = poison_target, args = (gateway_ip, gateway_mac,target_ip,target_mac))
poison_thread.start()
try:
print("[*] Starting sniffer for %d packets" % packet_count)
bpf_filter = "ip host %s" % target_ip
packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)
wrpcap("arper.pcap",packets)
restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
except KeyboardInterrupt:
restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
sys.exit(0)
def capture(interface,database_output_file,redraw_frequency,arp_resolve,
dns_resolve,sender_lists,target_lists,color_profile,
output_columns,display_false,pcap_output_file,force_sender,
*args,**kwargs):
dbfile = database_output_file
osigint = signal.signal(signal.SIGINT,signal.SIG_IGN)
pool = Pool(3)
signal.signal(signal.SIGINT, osigint)
try:
# ==============
# START SNIFFING
# ==============
'''
The sniffer is started in a distinct process because Scapy
will block forever when scapy.all.sniff is called. This allows
us to interrupt execution of the sniffer by terminating the
process.
TODO: It may be easier to use threading. Pool methods were fresh
to me at the time of original development.
'''
ptable = None
pcount = 0
# Handle new database file. When verbose, alert user that a new
# capture must occur prior to printing results.
arp_resolution = ('disabled','enabled')[arp_resolve]
dns_resolution = ('disabled','enabled')[dns_resolve]
print('\x1b[2J\x1b[H\33[F')
print(logo+'\n')
print(f'Capture interface: {interface}')
print(f'ARP resolution: {arp_resolution}')
print(f'DNS resolution: {dns_resolution}')
sess = create_db(dbfile)
# ======================================
# CREATE AN IP FOR THE CURRENT INTERFACE
# ======================================
iface_mac, iface_ips = get_interfaces()[interface]
for ip in iface_ips:
ip = get_or_create_ip(ip,
sess,
mac_address=iface_mac)
if not Path(dbfile).exists():
print('- Initializing capture\n- This may take time depending '\
'on network traffic and filter configurations')
else:
print(f'Requests analyzed: {pcount}\n')
ptable = get_output_table(
sess,
sender_lists=sender_lists,
target_lists=target_lists,
dns_resolve=dns_resolve,
color_profile=color_profile,
arp_resolve=arp_resolve,
columns=output_columns,
display_false=display_false,
force_sender=force_sender)
print(ptable)
# Cache packets that will be written to output file
pkts = []
sniff_result = None
arp_resolve_result, dns_resolve_result = None, None
# Loop eternally
while True:
# Handle sniff results
if sniff_result and sniff_result.ready():
packets = sniff_result.get()
sniff_result = None
# Capture packets for the output file
if pcap_output_file and packets: pkts += packets
if packets: pcount += packets.__len__()
# Clear the previous table from the screen using
# escape sequences screen
# https://stackoverflow.com/questions/5290994/remove-and-replace-printed-items/5291044#5291044
if ptable:
lcount = ptable.split('\n').__len__()+2
stdout.write('\033[F\033[K'*lcount)
ptable = get_output_table(
sess,
sender_lists=sender_lists,
target_lists=target_lists,
dns_resolve=dns_resolve,
color_profile=color_profile,
arp_resolve=arp_resolve,
columns=output_columns,
display_false=display_false,
force_sender=force_sender)
print(f'Requests analyzed: {pcount}\n')
print(ptable)
# Do sniffing
elif not sniff_result:
sniff_result = pool.apply_async(
async_sniff,
(
interface,
redraw_frequency,
sender_lists,
target_lists,
database_output_file,
)
)
# ==================
# DNS/ARP RESOLUTION
# ==================
# Do reverse resolution
if dns_resolve:
# Reset dns resolution results
if not dns_resolve_result or dns_resolve_result.ready():
to_resolve = sess.query(IP) \
.filter(IP.reverse_dns_attempted != True) \
.count()
if to_resolve:
dns_resolve_result = pool.apply_async(
reverse_dns_resolve_ips,
(database_output_file,)
)
# Do ARP resolution
if arp_resolve:
if not arp_resolve_result or arp_resolve_result.ready():
to_resolve = sess.query(IP) \
.filter(IP.arp_resolve_attempted != True) \
.count()
if to_resolve:
arp_resolve_result = pool.apply_async(
arp_resolve_ips,
(interface, database_output_file,)
)
sleep(.2)
except KeyboardInterrupt:
print('\n- CTRL^C Caught...')
sess.close()
finally:
# ===================
# HANDLE OUTPUT FILES
# ===================
if pcap_output_file: wrpcap(pcap_output_file,pkts)
# =====================
# CLOSE CHILD PROCESSES
# =====================
try:
pool.close()
if sniff_result:
print('- Waiting for the sniffer process...',end='')
sniff_result.wait(5)
print('done')
if dns_resolve_result:
print('- Waiting for the DNS resolver process...',end='')
dns_resolve_result.wait(5)
print('done')
if arp_resolve_result:
print('- Waiting for the ARP resolver ocess...',end='')
arp_resolve_result.wait(5)
print('done')
except KeyboardInterrupt:
pool.terminate()
pool.join()
sys.stdout.write(":")
sys.stdout.flush()
for dump in dumps:
if dump.get(serial_packet):
del dump[serial_packet]
found_packet = True
if not diff_only_right and not found_packet:
if not be_quite:
print " <<< " + packet.summary()
diff_packets.append(packet)
if not diff_only_left:
for dump in dumps:
if len(dump.values()) > 0:
diff_packets.extend(dump.values())
if not be_quite:
for packet in dump.values():
print " >>> " + packet.summary()
if not be_quite:
print "\nFound " + str(len(diff_packets)) + " different packets\n"
# Write pcap diff file?
if output_file:
if not be_quite:
print "Writing " + output_file
wrpcap(output_file, diff_packets)
from scapy.all import sniff
from scapy.all import wrpcap
from scapy.arch.windows import show_interfaces
import os
import livepredict
import pyshark
# cap = pyshark.LiveCapture(interface='ethernet',output_file='data.pcap')
# cap.set_debug()
# cap.sniff(timeout=20)
# show_interfaces()
pkts = sniff(timeout=15,iface="Npcap Loopback Adapter")
# pkts = sniff(timeout=15,iface="Realtek PCIe GbE Family Controller")
os.chdir(os.getcwd()+'/livepcap')
wrpcap('data.pcap',pkts)
os.chdir('..')
os.chdir('C:/Users/user/Desktop/prj/cicflowmeter-4/CICFlowMeter-4.0/bin')
os.system("cfm.bat \"C:/Users/user/Desktop/prj/livepcap\" \"C:/Users/user/Desktop/prj/livedata\"")
os.chdir('C:/Users/user/Desktop/prj')
livepredict.predict()
def examine_flow(self):
"""
@summary: This method examines packets collected by sniffer thread
The method compares TCP payloads of the packets one by one (assuming all
payloads are consecutive integers), and the losses if found - are treated
as disruptions in Dataplane forwarding. All disruptions are saved to
self.lost_packets dictionary, in format:
disrupt_start_id = (missing_packets_count, disrupt_time,
disrupt_start_timestamp, disrupt_stop_timestamp)
"""
examine_start = datetime.datetime.now()
logger.info("Packet flow examine started {}".format(
str(examine_start)))
if not self.all_packets:
logger.error("self.all_packets not defined.")
return None
# Filter out packets:
filtered_packets = [
pkt for pkt in self.all_packets
if scapyall.TCP in pkt and not scapyall.ICMP in pkt
and pkt[scapyall.TCP].sport == 1234 and pkt[scapyall.TCP].dport ==
TCP_DST_PORT and self.check_tcp_payload(pkt) and (
pkt[scapyall.Ether].dst == self.sent_pkt_dst_mac
or pkt[scapyall.Ether].src in self.received_pkt_src_mac)
]
logger.info("Number of filtered packets captured: {}".format(
len(filtered_packets)))
if not filtered_packets or len(filtered_packets) == 0:
logger.error("Sniffer failed to capture any traffic")
return
server_to_packet_map = defaultdict(list)
# Split packets into separate lists based on server IP
for packet in filtered_packets:
if self.traffic_generator == self.generate_from_t1_to_server:
server_addr = packet[scapyall.IP].dst
elif self.traffic_generator == self.generate_from_server_to_t1:
server_addr = packet[scapyall.IP].src
server_to_packet_map[server_addr].append(packet)
# For each server's packet list, sort by payload then timestamp
# (in case of duplicates)
for server in server_to_packet_map.keys():
server_to_packet_map[server].sort(key=lambda packet: (int(
str(packet[scapyall.TCP].payload).replace('X', '')), packet.
time))
logger.info("Measuring traffic disruptions...")
for server_ip, packet_list in server_to_packet_map.items():
filename = '/tmp/capture_filtered_{}.pcap'.format(server_ip)
scapyall.wrpcap(filename, packet_list)
logger.info("Filtered pcap dumped to {}".format(filename))
self.test_results = {}
for server_ip in natsorted(server_to_packet_map.keys()):
result = self.examine_each_packet(server_to_packet_map[server_ip])
logger.info("Server {} results:\n{}".format(
server_ip, json.dumps(result, indent=4)))
self.test_results[server_ip] = result
def save_pcap(self, filename, packet):
if self.capture == 1:
wrpcap(filename, packet, append=True)
def send(self, pkt, count=1):
if self._pcap_filename:
wrpcap(self._pcap_filename, pkt, append=True)
sendp(pkt, iface=self._iface, count=count, verbose=False)
def save(self):
filename = self.out_dir + "/" + self._get_filename()
wrpcap(filename, self.packets)
def WritePcap(self, matchMap, file, outputFilename=None):
'''WritePcap(matchMap, file, outputFilename=None
Writes the matched pcap sessions in matchMap found in file to separate pcap files.
matchMap: The output from MatchPcap.
file: The pcap file you matched on previously.
outputFilename: Allows you to specify the prefix on the output pcaps.
'''
try:
if not matchMap.keys():
self.debug('matchMap is empty! No matches from greppcap?')
raise
except:
self.debug('Not a valid matchMap.')
raise
try:
pcap = PcapReader(file)
if not outputFilename:
# There's probably some python fu way to do this. I have the regex fu.
try:
filename = re.findall(r'^(?is)[./]?(?:[^/]+/)*([^/]+)(?:\.[^\./]+)$', file)[0]
except:
# base filename was too crazy to figure out, go with a default one
filename = 'greppcap'
else:
filename = outputFilename
except:
self.error('Not a valid pcap file: %s' % file)
raise
self.debug('matchMap: %s' % matchMap)
self.debug('Writing pcaps...')
# Open file handle on a pcap and append the packet to the right pcap.
while pcap:
try:
packet = pcap.read_packet()
writePacket = False
for id in matchMap.keys():
try:
if (packet['IP'].src,packet[2].sport) in (matchMap[id]['host1'],matchMap[id]['host2']):
if (packet['IP'].dst,packet[2].dport) in (matchMap[id]['host1'],matchMap[id]['host2']):
writePacket = True
except AttributeError:
if matchMap[id]['proto'] == packet['IP'].proto:
if packet['IP'].src in (matchMap[id]['host1'], matchMap[id]['host2']):
if packet['IP'].dst in (matchMap[id]['host1'], matchMap[id]['host2']):
writePacket = True
except IndexError:
continue # not IP
if writePacket:
# Create/append the packet to a pcap file and close the handler.
# Doing it this way avoids hitting any open file handler limit (resource.getrlimit(resource.RLIMIT_NOFILE))
try:
wrpcap('%s_match%d.pcap' % (filename,id),packet,append=True,sync=True)
except IOError as e:
self.error('OS limitation prevented completion of %s_match%d.pcap. Error: %s' % (filename,id,e))
break
except TypeError:
break # end of pcap
# Now nicely announce the completion of pcaps.
for id in matchMap.keys():
matchMap[id]['pcap'] = '%s_match%d.pcap' % (filename,id)
try:
self.info('Wrote IP proto %d %s:%d <> %s:%d into %s' % (matchMap[id]['proto'],matchMap[id]['host1'][0],matchMap[id]['host1'][1],matchMap[id]['host2'][0],matchMap[id]['host2'][1],matchMap[id]['pcap']))
except:
self.info('Wrote IP proto %d %s <> %s into %s' % (matchMap[id]['proto'],matchMap[id]['host1'],matchMap[id]['host2'],matchMap[id]['pcap']))
return matchMap
def write_to_file(file_name, raw_packet):
sc.wrpcap(file_name, raw_packet, append=True)
def sniff(self, interface, timeout=5, output_file=None):
self.packets = scp.sniff(iface=interface, timeout=timeout)
if output_file:
scp.wrpcap(output_file, self.packets)
if len(sys.argv) not in (3, 4):
raise SystemExit("Usage: " + sys.argv[0]
+ " input.pcap output.pcap [vlan-id]")
VLAN_ID = 42
if len(sys.argv) == 4:
try:
VLAN_ID = int(sys.argv[3])
except:
raise SystemExit("'" + sys.argv[3]
+ "' is not a valid VLAN identifier")
packets = []
for packet in rdpcap(sys.argv[1]):
layer = packet.firstlayer()
while not isinstance(layer, NoPayload):
if type(layer) is Ether:
# adjust ether type
layer.type = 0x8100
# add 802.1q layer between Ether and IP
dot1q = Dot1Q(vlan=VLAN_ID)
dot1q.add_payload(layer.payload)
layer.remove_payload()
layer.add_payload(dot1q)
layer = dot1q
layer = layer.payload
packets.append(packet)
wrpcap(sys.argv[2], packets)
def end(self):
self.finished=True
if len(self.packets)>0:
wrpcap(self.ofile, self.packets)
else:
print('No packets captured!')
limit.''')
if args.max_running_time <= 0:
args.max_running_time = None
if args.max_captured_packets <= 0:
args.max_captured_packets = None
# Print capture status
print '''capturing packets with parameters:
max_running_time=%s, max_captured_packets=%s
output_testname=%s, overwrite=%s
filter_protocol=%s
verbose=%s'''%(
args.max_running_time, args.max_captured_packets, args.output_testname,
args.overwrite_output_file, args.filter_protocol, args.verbose)
# Sniff
from scapy.all import sniff,wrpcap
if not args.verbose:
pkts = sniff(count=args.max_captured_packets, timeout=args.max_running_time,
filter=args.filter_protocol)
else:
pkts = sniff(count=args.max_captured_packets, timeout=args.max_running_time,
filter=args.filter_protocol, prn=sniff_callback)
# Save sniffing output
if pkts == []:
print "sorry, no packets captured :(\ntry with a higher running time"
else:
wrpcap(args.output_testname,pkts)
print 'output saved in file {}'.format(args.output_testname)
def record_packet(packet):
wrpcap('vnf.pcap', packet, append=True)
packet[UDP].chksum = None ## Need to set chksum to None before starting recalc
packetchk = IP(raw(packet)) # Build packet (automatically done when sending)
checksum_scapy = packet[UDP].chksum
packet_raw = raw(packetchk)
udp_raw = packet_raw[20:]
# in4_chksum is used to automatically build a pseudo-header
chksum = in4_chksum(socket.IPPROTO_UDP, packetchk[IP], udp_raw) # For more infos, call "help(in4_chksum)"
# Set the new checksum in the packet
packet[UDP].chksum = checksum_scapy # <<<< Make sure you use the variable in checksum_scapy
# needed below to test layers before printing newts/newsourcesync etc to console
if pl[pkt].haslayer(UDP):
newts = RTP(pl[pkt][UDP].payload).timestamp
newsourcesync = RTP(pl[pkt][UDP].payload).sourcesync
else:
newts = 999
newsourcesync = 999
print("Changing packet {0} of {3} to new timestamp {1} SSRC {2} Old UDP chksum {4} >> New UDP chksum ???").format(pkt+1,newts,newsourcesync,numberofpckts,hex(checksum_scapy_original))
else:
print "Probably Not a UDP / RTP Packet# {0}".format(pkt)
# Write out new capture file
wrpcap(outfile, pl)
print '[!!!] Failed to get gateway MAC. Exiting.'
sys.exit(0)
else:
print '[*] Gateway {} is at {}'.format(gateway_ip, gateway_mac)
target_mac = get_mac(target_ip)
if not target_mac:
print '[!!!] Failed to get target MAC. Exiting.'
sys.exit(0)
else:
print '[*] Target {} is at {}'.format(target_ip, target_mac)
poison_thread = threading.Thread(target=poison_target,
args=(gateway_ip, gateway_mac, target_ip,
target_mac))
poison_thread.start()
try:
print '[*] Starting sniffer for {} packets'.format(packet_count)
bpf_filter = 'ip host {}'.format(target_ip)
packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
wrpcap('arper.pcap', packets)
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
except KeyboardInterrupt:
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
sys.exit(0)
def doSaveFile(self):
try:
filename = raw_input("Output filename:")
scapy.wrpcap(filename, self.data)
except:
self.gom.echo(sys.exc_info()[1])
if (len(packetsMap)>10000):
packetsMap={}
if (len(packetsMap2)>20000):
packetsMap2={}
timestamp+=1;
toSend=readFile(f,timestamp)
if (nextRoundPacket[0]<0 and len(toSend)==0):
break;
print('read '+str(len(toSend))+','+str(time()-t));
t=time();
for ip,size in toSend:
size=int(size/scale);
if (size>10 and matchFilters(ip,srcFiltersZip)):
totalSize+=size;
sendPerSecondc(timestamp+timestampShift,convertIP(ip),size,mac,tempPackets);
# tempPackets.sort(key=attrgetter('time'))
print('packetize '+str(len(tempPackets))+','+str(time()-t));
t=time();
#packets.extend(tempPackets);
if (len(tempPackets)>0):
wrpcap(outputFile+'_'+str(fileNum),tempPackets,append=append);
# sendpfast(tempPackets,iface='eth0')
append=True;
print('write '+str(time()-t));
t=time();
del tempPackets[:];
if (totalSize>sizePerFile):
append=False
totalSize=0;
fileNum+=1;
#sniffing on a given interface. then store the 10 packets into a cap file
#change the iface to your interface.
print "Sniffing started."
#sniff(iface="eth0", store=10)
#wrpcap("temp.cap",pkts)
#runs packet capture over a set period of time.
from scapy.all import sniff
pkts_list = sniff(timeout=600)
pkts_list
#saves capture as a pcap file.
from scapy.all import wrpcap
wrpcap('filename.pcap', pkts)
def printPacketCapture()
#print the file back.
rdpcap("LOCATION/temp.cap")
#Asking the user what to do on initial launch
def whatToDo():
print("What would you like to do? /n")
option = raw_input("1: To scan open ports. /n 2: Run the NIDS /n")
if option = 1:
quickPortScan()
def doSaveFile(self):
try:
filename = raw_input("Output filename:")
scapy.wrpcap(filename, self.data)
except:
print sys.exc_info()[1]
if target_mac is None:
print('[!!!] Failed to get target MAC. Exiting')
sys.exit(0)
else:
print('[*] Target %s is at %s' % (target_ip, target_mac))
# Start poison thread
poison_thread = threading.Thread(target=poison_target,
args=(gateway_ip, gateway_mac, target_ip,
target_mac))
poison_thread.start()
try:
print('[*] Starting sniffer for %d packets' % packet_count)
bpf_filter = 'ip host %s' % target_ip
packets = scapy.sniff(count=packet_count,
filter=bpf_filter,
iface=interface)
# Write out the captured packets
scapy.wrpcap('arper.pcap', packets)
# Restore the network
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
except KeyboardInterrupt:
# Restore the network
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
sys.exit(0)
sys.stdout.write(":")
sys.stdout.flush()
for dump in dumps:
if dump.get(serial_packet):
del dump[serial_packet]
found_packet = True
if not diff_only_right and not found_packet:
if not be_quite:
print " <<< " + packet.summary()
diff_packets.append(packet)
if not diff_only_left:
for dump in dumps:
if len(dump.values()) > 0:
diff_packets.extend(dump.values())
if not be_quite:
for packet in dump.values():
print " >>> " + packet.summary()
if not be_quite:
print "\nFound " + str(len(diff_packets)) + " different packets\n"
# Write pcap diff file?
if output_file:
if not be_quite:
print "Writing " + output_file
wrpcap(output_file, diff_packets)
def write_packet_to_pcap(pcap):
packets = sniff(filter='tcp port 21')
file = wrpcap(pcap, packets)
{err}'.format(err=e)
if len(self.packets) >= self.packetsIndexLimit:
del self.packets[:self.data['packetsBuffer']]
# savepcap
elif args['command'] == 'savepcap':
response['type'] = 'savepcap reply'
try:
filePath = '{pcap_path}/{user}[{epoch_time}].pcap'.format(
pcap_path=self.pcapPath,
user=self.user,
epoch_time=str(time()).replace('.', '|'))
wrpcap(filePath, [Ether(p['packet_str']) for p in self.packets])
response = filePath
except Exception, e:
response['status']['success'] = False
response['status']['message'] = 'error: {err}'.format(err=e)
else:
response['status']['success'] = False
response['status']['message'] = 'except'
return response
client_device = Device(address)
client_key = xor(key, bytes([client_secret]))
if clients.index(client) == 784:
user = "******"
password = "******"
else:
user = random.choice(users)
password = passwords[users.index(user)]
stream = TCPStream(client_device, server_device, 3000)
stream.handshake()
stream.server_send(struct.pack("<B", len(client_key)))
stream.server_send(client_key)
stream.server_send(b"\n")
server = SecureTransport(TCPStreamTransport(stream.server_send),
client_key)
client = SecureTransport(TCPStreamTransport(stream.client_send),
client_key)
client.write(b"LOGIN %s %s" % (user.encode(), password.encode()))
server.write(b"Authentication successful")
client.write(b"TOKEN admin.local")
server.write(generate_token("admin.local", user, token_sign_key))
stream.fin()
packets.extend(stream.packets)
wrpcap("capture.pcap", packets)
#!/usr/bin/env python
# encoding: utf-8
from scapy.all import rdpcap,wrpcap
from sys import argv
if len(argv) < 4:
print argv[0], "<inputCap>", "<N>", "<OutputCap>"
exit(-1)
wrpcap(argv[3],rdpcap(filename=argv[1],count=int(argv[2])))
pkts_udp.append(pkt)
else:
pkt = (Ether(src='ff:22:33:44:55:66', dst='77:88:99:aa:bb:cc') /
IP(src=src_ip_addr, dst=dst_ip_addr) /
UDP(sport=ip_sport_no, dport=ip_dport_no) / payload_data)
pkt.time = i * (1e-8)
pkt.tuser_sport = no_port
pkts_udp.append(pkt)
pkts = []
#Select packet type for axi stream data generation
if (args.packet_type == 'ARP' or args.packet_type == 'arp'): pkts = pkts_arp
elif (args.packet_type == 'TCP' or args.packet_type == 'tcp'): pkts = pkts_tcp
elif (args.packet_type == 'UDP' or args.packet_type == 'udp'): pkts = pkts_udp
else:
pkts = pkts_tcp
#TODO Selecting type by input options.
#Dump packet data in axi stream formats.
with open(
os.path.join(script_dir,
'packet_stim_%s_%x.axi' % (args.txrx, int(args.port_no))),
'w') as f:
axitools.axis_dump(pkts, f, axi_width, 1e-9)
wrpcap(
os.path.join(script_dir,
'packet_stim_%s_%x.pcap' % (args.txrx, int(args.port_no))),
pkts)
print 'Finish packet generation!'
@panda.cb_virt_mem_after_read(procname="wget")
def virt_mem_after_read(cpustate, pc, addr, size, buf):
curbuf = ffi.cast("char*", buf)
current = panda.get_current_process(cpustate)
if current != ffi.NULL:
if size >= 5:
buf_addr = hex(int(ffi.cast("uint64_t", buf)))
buf_str = ffi.string(ffi.cast("char*",
buf)).decode(errors='ignore')
print("Read buf: %s, size: %x, at pc: %x %s" %
(buf_addr[2:], size, addr, buf_str))
return 0
packets = []
@panda.cb_replay_handle_packet(procname="wget")
def handle_packet(cpustate, buf, size, direction, old_buf_addr):
buf_uint8 = ffi.cast("uint8_t*", buf)
packets.append(Ether([buf_uint8[i] for i in range(size)]))
return 0
panda.enable_memcb()
panda.run_replay(recording_name)
wrpcap(pcap_path, packets)
for f in [recording_name + "-rr-nondet.log", recording_name + "-rr-snp"]:
if path.isfile(f): remove(f)
#!/usr/bin/python
"""
(C) Copyright 2016 Holger Hans Peter Freyther
GNU AGPLv3+
"""
from scapy.all import rdpcap, Ether, IP, SCTP, SCTPChunkData, wrpcap
import sys
pcap = rdpcap(sys.argv[1])
pkts = []
i = 0
seq = 0
for pkt in pcap:
ip = pkt['IP']
layer = ip.payload
while layer.name != 'NoPayload':
if layer.name == 'SCTPChunkData':
print("Pkt {} has data chunk".format(i))
# re-create the chunkdata as I don't find the routine to just have this data...
pkts.append(Ether()/IP()/SCTP(sport=2905,dport=2905,tag=0x84a5f973)/SCTPChunkData(reserved=0, delay_sack=0, unordered=0, beginning=1, ending=1, stream_id=0x1, proto_id=0x3, stream_seq=layer.stream_seq, tsn=layer.tsn, data=layer.data))
seq = seq + 1
layer = layer.payload
i = i + 1
wrpcap('flattened.pcap', pkts)