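# Echo-type ICMP messages the console reports (all other types stay silent).
_ICMP_ECHO_TYPES = {0x08: "Echo request", 0x00: "Echo response"}

# TLS/SSL record-layer version words -> label shown on the console.
_TLS_VERSION_LABELS = {0x303: "v1.2", 0x302: "v1.1", 0x301: "v1.0", 0x300: "v3.0"}

# TLS handshake message type -> (console label, scapy layer name holding the version).
_TLS_HELLO_LAYERS = {
    1: ("Client Hello version", 'TLS Client Hello'),
    2: ("Server Hello version", 'TLS Server Hello'),
}

# Exceptions that scapy field/layer lookups raise on a packet that does not
# carry the expected structure; anything else is a real bug and should surface.
_LOOKUP_ERRORS = (KeyError, IndexError, AttributeError, TypeError, ValueError)


def _printable(value):
    """Return *value* rendered as text that is safe to write to the terminal.

    Packet-derived strings (DNS names, HTTP headers, ...) are attacker
    controlled.  Control characters such as ESC would otherwise be passed
    straight to the terminal and could inject escape sequences into the
    display, so every character outside printable ASCII is replaced by '?'.
    """
    text = "%s" % (value,)
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in text)


def _indent(t, n):
    """Return *n* cursor-right moves, printed (space separated) before a detail line."""
    return [t.move_right] * n


def _timestamp(t):
    """Return the current wall-clock time (HH:MM:SS) coloured for the console."""
    return t.blue("%s" % datetime.datetime.now().strftime('%H:%M:%S'))


def _classify(pkt):
    """Return ``(pkt_type, ports)`` for *pkt*.

    ``pkt_type`` is the label of the highest-level protocol recognised, in
    the fixed precedence TCP/UDP < DNS < NTP < ICMP < HTTP < TLS (a later
    match overrides an earlier one).  ``ports`` is ``(sport, dport)`` when the
    packet carries a TCP or UDP layer, else ``None``.  An empty string is
    returned when nothing is recognised.
    """
    pkt_type = ""
    ports = None
    if pkt.haslayer(TCP):
        l4 = pkt.getlayer(TCP)
        ports = (l4.sport, l4.dport)
        pkt_type = "TCP"
    elif pkt.haslayer(UDP):
        l4 = pkt.getlayer(UDP)
        ports = (l4.sport, l4.dport)
        pkt_type = "UDP"
    # Application-layer labels win over the transport label; order matters.
    for layer, label in ((DNS, "DNS"), (NTP, "NTP"), (ICMP, "ICMP"),
                         (http.HTTP, "HTTP"), (TLS, "TLS")):
        if pkt.haslayer(layer):
            pkt_type = label
    return pkt_type, ports


def _print_host_line(t, pkt_type, ethsrc, ethdst, host_label, host_value,
                     ipsrc, ipdst, ports):
    """Print the one-line summary for a source address not yet in the database.

    *host_label*/*host_value* is either ``"TTL"`` with the raw TTL or ``"OSv"``
    with the OS guess derived from it.  Port columns are appended only when
    *ports* (a ``(sport, dport)`` pair) is given.
    """
    parts = [
        "T", _timestamp(t),
        t.bold_magenta("{:>4}".format(pkt_type)),
        "MAC src addr", t.cyan("%s" % ethsrc),
        "MAC dst addr", t.cyan("%s" % ethdst),
        host_label, t.red(host_value),
        "IP src addr", t.green("{:>15}".format(ipsrc)),
        "IP dst addr", t.green("{:>15}".format(ipdst)),
    ]
    if ports is not None:
        sport, dport = ports
        parts += ["src port", t.yellow("{:>5}".format(sport)),
                  "dst port", t.yellow("{:>5}".format(dport))]
    print " ".join(parts)


def _print_icmp(t, icmp):
    """Print message type and sequence number for ICMP echo request/response."""
    label = _ICMP_ECHO_TYPES.get(icmp.type)
    if label is None:
        return
    print " ".join(_indent(t, 4) + ["ICMP Message type", t.green(label),
                                    "Sequence number", t.cyan("%s" % icmp.seq)])


def _print_dns(t, pkt):
    """Print the hostname of a DNS A query, or hostname/address of a DNS A answer."""
    if not pkt.haslayer(DNS):
        return
    fields = pkt.getlayer(DNS).fields
    try:
        answer = fields.get('an')
        if answer is not None:
            if answer.fields['type'] == 0x01:
                # rrname carries a trailing dot that the console does not show.
                print " ".join(_indent(t, 2) + [
                    "DNS response", t.yellow("A"), "record for hostname",
                    t.cyan(_printable(answer.fields['rrname'][:-1])),
                    "has IP address", t.green(_printable(str(answer.fields['rdata'])))])
            return
        question = fields.get('qd')
        if question is not None and question.fields['qtype'] == 0x01:
            print " ".join(_indent(t, 2) + [
                "DNS request", t.yellow("A"), "record for hostname",
                t.cyan(_printable(question.fields['qname'][:-1]))])
    except _LOOKUP_ERRORS:
        # Malformed or partially dissected DNS payload: nothing to report.
        pass


def _print_http(t, pkt):
    """Print request line details, or server/date for a response, when present.

    Header values come straight off the wire and are sanitised before display.
    """
    if pkt.haslayer(http.HTTPRequest):
        req = pkt.getlayer(http.HTTPRequest).fields
        try:
            print " ".join(_indent(t, 2) + [
                "HTTP Method", t.yellow(_printable(req['Method'])),
                "Host", t.cyan(_printable(req['Host'])),
                "Path", t.green(_printable(req['Path'])),
                "User-Agent", t.blue(_printable(req['User-Agent']))])
        except _LOOKUP_ERRORS:
            pass
    elif pkt.haslayer(http.HTTPResponse):
        resp = pkt.getlayer(http.HTTPResponse).fields
        try:
            print " ".join(_indent(t, 2) + [
                "HTTP Response from", t.green(_printable(resp['Server'])),
                "Date", t.yellow(_printable(resp['Date']))])
        except _LOOKUP_ERRORS:
            # Responses without Server/Date headers are common; skip quietly.
            pass


def _print_tls_hello(t, rec):
    """Print the offered/selected version of a ClientHello or ServerHello record."""
    try:
        hs_type = rec['TLS Handshake'].fields['type']
        entry = _TLS_HELLO_LAYERS.get(hs_type)
        if entry is None:
            return
        label, layer_name = entry
        # Read the version from *this* record, not from records[0]: a hello
        # that is not the first record in the segment was previously reported
        # with the wrong version (or silently skipped).
        version = rec[layer_name].fields['version']
    except _LOOKUP_ERRORS:
        return
    text = _TLS_VERSION_LABELS.get(version)
    if text is not None:
        print " ".join(_indent(t, 2) + [label, t.yellow(text)])


def _print_tls(t, pkt):
    """Print protocol version details for TLS application-data and handshake records."""
    if not pkt.haslayer(TLS):
        return
    try:
        records = pkt.getlayer(TLS).fields['records']
        first = records[0]
        content_type = first.fields['content_type']
    except _LOOKUP_ERRORS:
        return
    if content_type == 0x17:
        try:
            version = first['TLS Record'].fields['version']
        except _LOOKUP_ERRORS:
            return
        text = _TLS_VERSION_LABELS.get(version)
        if text is not None:
            family = "SSL" if version == 0x300 else "TLS"
            print " ".join(_indent(t, 4) + [
                "Application Data from %s version" % family, t.yellow(text)])
    elif content_type == 0x16:
        for rec in records:
            _print_tls_hello(t, rec)


def threaded_sniff():
    """Run the capture thread and print a console line for every new source host.

    A daemon thread runs ``threaded_sniff_target`` and hands packets over a
    queue.  For each IP packet whose source address is not yet in ``dbconn``
    a summary line (MAC/IP addresses, TTL or TTL-derived OS guess, ports) is
    printed, followed by DNS, HTTP and TLS details when those layers are
    present.  Packets from known sources only refresh the database timestamp.
    Non-IP packets are skipped.  The loop never returns.
    """
    q = Queue()
    sniffer = Thread(target=threaded_sniff_target, args=(q,))
    sniffer.daemon = True
    sniffer.start()
    time.sleep(1)
    t = Terminal()

    while True:
        try:
            pkt = q.get(timeout=1)
        except Empty:
            continue

        # Every per-packet value is derived afresh here so nothing from a
        # previous packet can leak into this one's output or database update.
        if not pkt.haslayer(IP):
            # Skip non-IP packets: there is no source address to key on.
            continue
        ip = pkt.getlayer(IP)
        ipsrc, ipdst, ttl = ip.src, ip.dst, ip.ttl
        ethsrc = ethdst = None
        if pkt.haslayer(Ether):
            eth = pkt.getlayer(Ether)
            ethsrc, ethdst = eth.src, eth.dst
        pkt_type, ports = _classify(pkt)

        if dbconn.isipaddrindb(ipsrc):
            # NOTE(review): the lookup is keyed by IP but the refresh by MAC;
            # confirm that is what dbconn expects.
            if ethsrc is not None:
                dbconn.refreshtimestamp(ethsrc)
            continue

        # OS detection based on TTL; fall back to the raw TTL when unknown.
        ret_ttl = getttl(ttl)
        if ret_ttl is None:
            host_label, host_value = "TTL", "{:>7}".format(ttl)
        else:
            host_label, host_value = "OSv", "%s" % ret_ttl

        if ports is not None:
            _print_host_line(t, pkt_type, ethsrc, ethdst, host_label, host_value,
                             ipsrc, ipdst, ports)
        elif pkt.haslayer(ICMP):
            _print_host_line(t, pkt_type, ethsrc, ethdst, host_label, host_value,
                             ipsrc, ipdst, None)
            _print_icmp(t, pkt.getlayer(ICMP))

        _print_dns(t, pkt)
        _print_http(t, pkt)
        _print_tls(t, pkt)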