Ejemplo n.º 1
0
def check_validity(flags, i, r, c, l):
    global pcap_obj, file, pcap_file
    if flags['i']:
        if flags['c']:
            if c < 0:
                print 'Count must be at least 0.'
                return False
        if flags['r']:
            print 'Read and interface flags must be used exclusively.'
            return False
        if flags['l']:
            try:
                file = open(l, 'w')
            except:
                print 'Invalid logfile.'
                return False
        return True
    elif flags['r']:
        try:
            if flags['l']:
                try:
                    file = open(l, 'w')
                except:
                    print 'Invalid logfile.'
                    return False
            pcap_file = open(r, 'r')
            pcap_obj = pcap.Reader(pcap_file)
            return True
        except:
            print 'Invalid pcap file.'
            raise
            return False
    else:
        print 'Interface or read flag required.'
        return False
Ejemplo n.º 2
0
def merge_cap_files(pcap_file_list, out_filename, delete_src=False):

    out_pkts = []
    if not all([os.path.exists(f) for f in pcap_file_list]):
        print "failed to merge cap file list...\nnot all files exist\n"
        return

    # read all packets to a list
    for src in pcap_file_list:
        f = open(src, 'r')
        reader = pcap.Reader(f)
        pkts = reader.readpkts()
        out_pkts += pkts
        f.close()
        if delete_src:
            os.unlink(src)

    # sort by the timestamp
    out_pkts = sorted(out_pkts, key=itemgetter(0))

    out = open(out_filename, 'w')
    out_writer = pcap.Writer(out)

    for ts, pkt in out_pkts:
        out_writer.writepkt(pkt, ts)

    out.close()
    def __pcap_to_df(pcap_file: str) -> pd.DataFrame:
        with open(pcap_file, "rb") as f:
            _pcap = pcap.Reader(f)

            ref_time = None

            data = []

            for ts, buf in _pcap:
                eth = ethernet.Ethernet(buf)
                ip = eth.data
                tcp = ip.data

                if ref_time is None:
                    ref_time = ts

                direction = 1 if tcp.sport == 22 else -1

                data.append({
                    "time": (ts - ref_time) * 1000,
                    "size": direction * ip.len
                })

            if len(data) == 0:
                data.append({"time": 0, "size": 0})

            return pd.DataFrame(data, columns=["time", "size"])
Ejemplo n.º 4
0
    def compare_caps (self, cap1, cap2, max_diff_sec = 0.01):
        f1 = open(cap1, 'r')
        reader1 = pcap.Reader(f1)
        pkts1 = reader1.readpkts()

        f2 = open(cap2, 'r')
        reader2 = pcap.Reader(f2)
        pkts2 = reader2.readpkts()

        assert_equal(len(pkts1), len(pkts2))
        
        for pkt1, pkt2, i in zip(pkts1, pkts2, xrange(1, len(pkts1))):
            ts1 = pkt1[0]
            ts2 = pkt2[0]
            if abs(ts1-ts2) > 0.000005: # 5 nsec 
                raise AssertionError("TS error: cap files '{0}', '{1}' differ in cap #{2} - '{3}' vs. '{4}'".format(cap1, cap2, i, ts1, ts2))

            if pkt1[1] != pkt2[1]:
                raise AssertionError("RAW error: cap files '{0}', '{1}' differ in cap #{2}".format(cap1, cap2, i))
Ejemplo n.º 5
0
 def start(self, callback):
     # read pcap file
     filePath = self.config.get('Reader', 'input_file')
     fileContents = open(filePath)
     pcapFile = pcap.Reader(fileContents)
     # parse all lines of pcap file
     for timestamp, data in pcapFile:
         callback(data)
         if self.pause:
             raw_input("Press Enter to continue...")
     print 'End of input file reached'
Ejemplo n.º 6
0
def read_pcap(filepath):

    with open(filepath, "rb") as pcap_file:
        filename, file_extension = os.path.splitext(filepath)

        if file_extension == ".pcap":
            pcap_data = pcap.Reader(pcap_file)
        elif file_extension == ".pcapng":
            pcap_data = pcapng.Reader(pcap_file)
        else:
            raise ValueError("pcap and pcapng is supported!")

        for ts, buf in pcap_data:
            eth = Ethernet(buf)
            ip = eth.data
            tcp = ip.data
Ejemplo n.º 7
0
def parse_pcaps():
    """
    Iterates over all pcap files, registers all ports that are contacted before
    target port is reached, per file.
    """

    # get pcap files from directory
    ports = {}
    pcap_file_names = get_pcap_files()
    for pcap_file_name in pcap_file_names:
        #        print("reading %s" % pcap_file_name)
        f = open(pcap_file_name)
        pcap_file = pcap.Reader(f)

        # iterate over all packets inside pcap
        for ts, buf in pcap_file:
            eth = ethernet.Ethernet(buf)
            ip = eth.data

            # only process TCP packets
            if (type(ip.data) is tcp.TCP and ip.data.flags == 2):
                tcp_packet = ip.data
                port = tcp_packet.dport

                # stop iteration if target port is found
                if (port in [80]):
                    break

                # otherwise, increment counter
                else:
                    if port in ports:
                        ports[port] += 1
                    else:
                        ports[port] = 1
        f.close()

    # convert dict to list of tuples so it can be sorted
    ports_list = []
    for port in ports:
        port_tuple = (port, ports[port])
        ports_list.append(port_tuple)

    # sort list
    return sorted(ports_list, key=lambda x: x[1], reverse=True)
Ejemplo n.º 8
0
def read_pcap(path):
    data = []

    try:
        with open(path, 'rb') as f:
            src = pcap.Reader(f)

            for index, [ts, buf] in enumerate(src):
                # List of dictionaries
                data.append({
                    'index': index + 1,  # to correlate with Wireshark indexing
                    'ts': ts,
                    'buf': buf
                })

            f.close()
            return data

    except IOError:
        print('Unable to read file')
        exit(1)
Ejemplo n.º 9
0
def parse_pcaps():
    """
    Iterate over all pcap files and check whether target ports were opened or closed
    Returns a tuple of (<total_scans>, <open_ports_count>)
    """

    # get pcap files from directory
    pcap_file_names = get_pcap_files()
    total_scans = 0
    open_target_ports = 0

    # iterate over pcap file
    for pcap_file_name in pcap_file_names:
        f = open(pcap_file_name)
        pcap_file = pcap.Reader(f)
        total_scans += 1

        # iterate over all packets inside pcap
        for ts, buf in pcap_file:
            eth = ethernet.Ethernet(buf)
            ip = eth.data

            # only process TCP packets
            try:
                if (type(ip.data) is tcp.TCP
                        and ip.data.sport in target_ports):

                    # SYN,ACK flag indicates that port is open
                    if (ip.data.flags == 18):
                        open_target_ports += 1
                        print("Found open port %d with flag %d" %
                              (ip.data.sport, ip.data.flags))
                    break
            except:
                pass
        f.close()

    return (total_scans, open_target_ports)
Ejemplo n.º 10
0
from dpkt import pcap,ethernet,UnpackError,tcp,ip
from sys import argv

def parseIP(hexstring):
    attackip = []
    for i in range(0, len(hexstring), 2):
        attackip.append(str(int(hexstring[i:i + 2], 16)))
    print attackip[0] + '.' + attackip[1] + '.' + attackip[2] + '.' + attackip[3]

f=open(argv[1],"rb")
pcap = pcap.Reader(f)
dict = {}

for ts, buf in pcap:
    try:
        eth = ethernet.Ethernet(buf)
    except UnpackError:
        continue

    if eth.type != ethernet.ETH_TYPE_IP: continue
    ip = eth.data

    if ip.p == 6:
        packet = ip.data
        if packet.flags & tcp.TH_SYN != 0:
            if ip.src not in dict: dict[ip.src] = {'SYN': 0, 'SYN+ACK': 0}
            if ip.dst not in dict: dict[ip.dst] = {'SYN': 0, 'SYN+ACK': 0}

            if packet.flags & tcp.TH_ACK != 0:
                dict[ip.dst]['SYN+ACK'] += 1
            else:
Ejemplo n.º 11
0
    csv_header = ['connection']
    for i in xrange(1, _PRECEDING_PACKETS_NUM + 1):
        csv_header.append('packet ' + str(i) + ' size')
    csv_header.append('packet count A')
    csv_header.append('packet count B')
    csv_header.append('packet count A+B')
    csv_header.append('byte count A')
    csv_header.append('byte count B')
    csv_header.append('byte count A+B')
    csv_header.append('dport')
    csv_header.append('sport')
    csv_header.append('label')
    fo_writer.writerow(csv_header)

    # Prepare PCAP reader
    pcapin = pcap.Reader(fi)
    cons = {}  # set of connections
    features = {}  # set of features

    for ts, buf in pcapin:
        try:
            pkt = mpkt.Packet(buf)
        except mpkt.PacketError:
            continue

        name = pkt.get5tuple().toString()
        name_rev = pkt.get5tuple().reversal().toString()
        # Append to connections list if this is a SYN-SENT, or reset it
        if name not in cons and pkt.isFlags('SYN'):
            cons[name] = mpkt.Connection.from5tuple(ts, pkt.get5tuple())
            features[name] = Feature.from5tuple(pkt.get5tuple())
    def _filter_pcap(self, output_pcap):
        """Using a provided file with XML flow summaries, create a
        new PCAP file with the flows in the XML file.

        :param output_pcap: Path for the new PCAP file.
        """
        try:
            print("Opening file: {0}".format(self._pcap))
            f = open(self._pcap)
            raw_pcap = pcap.Reader(f)
            pckt_num = 0
            for ts, buf in raw_pcap:
                pckt_num += 1
                if not pckt_num % 1000:
                    # Print every thousandth packets, just to monitor
                    # progress.
                    print("\tProcessing packet #{0}".format(pckt_num))
                # Loop through packets in PCAP file
                eth = ethernet.Ethernet(buf)
                if eth.type != ETH_TYPE_IP:
                    # We are only interested in IP packets
                    continue
                ip = eth.data
                ip_src = socket.inet_ntop(socket.AF_INET, ip.src)
                ip_dst = socket.inet_ntop(socket.AF_INET, ip.dst)
                ip_proto = ip.p
                match = False
                for flow in self._raw_data:
                    # Does this packet match a flow in the raw data?
                    if ((ip_src == flow["source"]
                         and ip_dst == flow["destination"])
                            or (ip_src == flow["destination"]
                                and ip_dst == flow["source"])):
                        if ip_proto == IP_PROTO_TCP and flow[
                                "protocolName"] == "tcp_ip":
                            tcp = ip.data
                            if self._check_port_num(tcp.sport, tcp.dport,
                                                    flow["sourcePort"],
                                                    flow["destinationPort"]):
                                if self._check_timestamp(
                                        ts, flow["startDateTime"],
                                        flow["stopDateTime"]):
                                    # We have found a match, stop looping
                                    match = True
                                    break
                        elif ip_proto == IP_PROTO_UDP and flow[
                                "protocolName"] == "udp_ip":
                            udp = ip.data
                            if self._check_port_num(udp.sport, udp.dport,
                                                    flow["sourcePort"],
                                                    flow["destinationPort"]):
                                if self._check_timestamp(
                                        ts, flow["startDateTime"],
                                        flow["stopDateTime"]):
                                    # We have found a match, stop looping
                                    match = True
                                    break
                        elif ip_proto == IP_PROTO_ICMP and flow[
                                "protocolName"] == "icmp_ip":
                            if self._check_timestamp(ts, flow["startDateTime"],
                                                     flow["stopDateTime"]):
                                # We have found a match, stop looping
                                break
                                match = True
                        elif ip_proto == IP_PROTO_IGMP and flow[
                                "protocolName"] == "igmp":
                            if self._check_timestamp(ts, flow["startDateTime"],
                                                     flow["stopDateTime"]):
                                # We have found a match, stop looping
                                match = True
                                break
                if match:
                    # The packet matches the flow. Append the packet data
                    # to the new PCAP file and move onto the next packet.
                    try:
                        print(
                            "\tWrting packet to file: {0}".format(output_pcap))
                        f_out = open(output_pcap, "ab")
                        pcap_out = pcap.Writer(f_out)
                        pcap_out.writepkt(buf, ts=ts)
                    except:
                        exc_type, exc_value, exc_traceback = sys.exc_info()
                        print("ERROR writing to file: {0}.\n\t"
                              "Exception: {1}, {2}, {3}".format(
                                  output_pcap, exc_type, exc_value,
                                  exc_traceback))
                        sys.exit(1)
                    finally:
                        f_out.close
        except:
            exc_type, exc_value, exc_traceback = sys.exc_info()
            print("ERROR reading from file: {0}.\n\tException: {1}, "
                  "{2}, {3}".format(self._pcap, exc_type, exc_value,
                                    exc_traceback))
            sys.exit(1)
        finally:
            f.close()