def decodeLayer2(self, header, payload):
def formatMacAddress(arrayMac):
return ":".join("{0:0>2}".format(hex(b)[2:])
for b in arrayMac.tolist())
if self.datalink == pcapy.DLT_EN10MB:
l2Decoder = Decoders.EthDecoder()
l2Proto = "Ethernet"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = formatMacAddress(layer2.get_ether_shost())
l2DstAddr = formatMacAddress(layer2.get_ether_dhost())
l2Payload = payload[layer2.get_header_size():]
etherType = layer2.get_ether_type()
elif self.datalink == pcapy.DLT_LINUX_SLL:
l2Decoder = Decoders.LinuxSLLDecoder()
l2Proto = "Linux SLL"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = layer2.get_addr()
l2DstAddr = None
l2Payload = payload[layer2.get_header_size():]
etherType = layer2.get_ether_type()
elif self.datalink == PCAPImporter.PROTOCOL201:
l2Proto = "Protocol 201"
hdr = payload.encode('hex')[0:8]
if hdr[6:] == "01":
l2SrcAddr = "Received"
else:
l2SrcAddr = "Sent"
l2DstAddr = None
l2Payload = payload[8:]
etherType = payload[4:6]
return (l2Proto, l2SrcAddr, l2DstAddr, l2Payload, etherType)
def parse_packet(self, header, frame):
decoder = ImpactDecoder.LinuxSLLDecoder()
ether = decoder.decode(frame)
ready_indices = []
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
self.lock.acquire()
for i in range(0, len(self.connection_list)):
buffered_packets = self.connection_list[i]
if buffered_packets.add_frame(
ether): #if there's an existing flow
self.lock.release()
if len(ready_indices) > 0:
self.move_ready_packets(ready_indices)
return
if buffered_packets.ready:
ready_indices.append(i)
buffered_packets = BufferedPackets(ether)
self.connection_list.append(buffered_packets)
self.lock.release()
if len(ready_indices) > 0:
self.move_ready_packets(ready_indices)
def pcap_to_object(pcap_file, obj_file):
"""Create a Python serialized graph object.
Read the pcap file given in parameter, extracts source and destination IP
and write a serialized graph object.
"""
reader = pcapy.open_offline(pcap_file)
print reader.datalink()
print pcapy.DLT_LINUX_SLL
eth_decoder = Decoders.EthDecoder()
sll_decoder = Decoders.LinuxSLLDecoder()
ip_decoder = Decoders.IPDecoder()
dic_ip = ip_dict()
tts_min = 1000
tts_max = 2000
if options.verbose:
print "Reading pcap file..."
while True:
try:
(header, payload) = reader.next()
if True: #tts_min <= header.getts()[0] <= tts_max:
#ethernet = eth_decoder.decode(payload)
sll = sll_decoder.decode(payload)
if sll.get_ether_type() == Packets.IP.ethertype:
#ip = ip_decoder.decode(payload[ethernet.get_header_size():])
ip_src = sll.child().get_ip_src()
ip_dst = sll.child().get_ip_dst()
dic_ip[ip_src][ip_dst] += 1
except Packets.ImpactPacketException, e:
print e
except:
def parse_packet(self, header, frame): # pcap语法分析
datalink = self.pcap.datalink()
if datalink == pcapy.DLT_EN10MB:
decoder = ImpactDecoder.EthDecoder()
elif datalink == pcapy.DLT_LINUX_SLL:
decoder = ImpactDecoder.LinuxSLLDecoder()
else:
raise Exception("Datalink not supported")
ether = decoder.decode(frame) # 每个数据包的数据
ts = float(str(header.getts()[0]) + "." +
str(header.getts()[1])) # packet的时间戳
self.last_timestamp = ts
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
(id, tcp_tuple) = generate_id(ether)
if id == False:
return
(rev_id, tcp_tuple) = generate_reverse_id(ether)
# print("Buffer", self.tcp_buffer)
# print(threading.current_thread().name + "in",)
self.acquire_lock("parse")
# print(threading.current_thread().name + "out")
if id in self.tcp_buffer:
tcp_stream = self.tcp_buffer[id]
to_server = True
# print("[fwd] ID: " + id + ";" + str(ts))
elif rev_id in self.tcp_buffer:
tcp_stream = self.tcp_buffer[rev_id]
to_server = False
# print("[rev] ID: " + id + ";" + str(ts))
else: # 读到的数据包属于新的一个流
# a new stream has appeared
tcp_stream = TcpStream(id, ts, self)
self.tcp_buffer[id] = tcp_stream
to_server = True
packet = ether.child()
segment = packet.child()
tcp_stream.start()
# print("[new] ID: " + id + ";" + str(ts))
tcp_stream.add_packet(ts, to_server, ether) # 数据包加到tcp流中
# if tcp_stream.state in end_states:
# tcp_stream.finish()
# self.move_stream(tcp_stream.id)
self.packet_counter += 1
self.release_lock("parse")
def decodeLayer2(self, header, payload):
def formatMacAddress(arrayMac):
return ":".join("{0:0>2}".format(
hex(b)[2:]) for b in arrayMac.tolist())
if self.datalink == pcapy.DLT_EN10MB:
l2Decoder = Decoders.EthDecoder()
l2Proto = "Ethernet"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = formatMacAddress(layer2.get_ether_shost())
l2DstAddr = formatMacAddress(layer2.get_ether_dhost())
elif self.datalink == pcapy.DLT_LINUX_SLL:
l2Decoder = Decoders.LinuxSLLDecoder()
l2Proto = "Linux SLL"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = layer2.get_addr()
l2DstAddr = None
l2Payload = payload[layer2.get_header_size():]
etherType = layer2.get_ether_type()
return (l2Proto, l2SrcAddr, l2DstAddr, l2Payload, etherType)
def parse_packet(self, cur, dumper, header, packet):
try:
decoder = ImpactDecoder.LinuxSLLDecoder()
ether = decoder.decode(packet)
except IndexError:
dumper["unknown"].dump(header, packet)
return
except ImpactPacket.ImpactPacketException:
dumper["unknown"].dump(header, packet)
return
ts = int(
round(float(str(header.getts()[0]) + "." +
str(header.getts()[1]))))
# print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
s_addr = iphdr.get_ip_src()
d_addr = iphdr.get_ip_dst()
if isinstance(transporthdr, ImpactPacket.TCP):
s_port = transporthdr.get_th_sport()
d_port = transporthdr.get_th_dport()
seq_num = transporthdr.get_th_seq()
d_length = len(transporthdr.get_data_as_string())
protocol = "tcp"
elif isinstance(transporthdr, ImpactPacket.UDP):
s_port = transporthdr.get_uh_sport()
d_port = transporthdr.get_uh_dport()
seq_num = 0
d_length = transporthdr.get_uh_ulen()
protocol = "udp"
elif isinstance(transporthdr, ImpactPacket.ICMP):
s_port = 0
d_port = 0
seq_num = 0
d_length = 0
protocol = "icmp"
elif isinstance(transporthdr, ImpactPacket.IGMP):
s_port = 0
d_port = 0
seq_num = 0
d_length = 0
protocol = "igmp"
else:
s_port = 0
d_port = 0
seq_num = 0
d_length = -1
protocol = transporthdr.__class__
if mode == "batch":
rows = self.filter_row(s_addr, s_port, d_addr, d_port, ts, cur)
# print(s_addr, s_port, d_addr, d_port, ts)
# packet lies in between start and stop time
if rows is not None:
#row = rows[0]
if rows[5] == 0:
dumper["normal"].dump(header, packet)
return
else:
attack_type = rows[4].strip()
if attack_type == "Backdoor":
attack_type = "Backdoors"
dumper[attack_type].dump(header, packet)
return
else:
rows = self.filter_row(d_addr, d_port, s_addr, s_port, ts,
cur)
if rows is not None:
#row = rows[0]
#print(row)
if rows[5] == 0:
dumper["normal"].dump(header, packet)
return
else:
attack_type = rows[4].strip()
if attack_type == "Backdoor":
attack_type = "Backdoors"
dumper[attack_type].dump(header, packet)
return
else:
dumper["unknown"].dump(header, packet)
elif mode == "step":
# This part hasn't been tested YET
cur.execute(
"select * from records where srcip=%s and sport=%s and dstip=%s and dsport=%s and start_time-1<=%s and end_time+1>=%s",
(s_addr, s_port, d_addr, d_port, ts, ts))
rows = cur.fetchmany()
if len(rows) >= 0:
row = self.show_option(s_addr, s_port, d_addr, d_port, ts,
rows)
if row is None:
dumper["unknown"].dump(header, packet)
elif row[48].values == 0:
dumper["normal"].dump(header, packet)
return
else:
type = row[47].values[0].strip()
dumper[type].dump(header, packet)
return
else:
dumper["unknown"].dump(header, packet)
print "WindowsPhone"''' (hdr, data) = pcap.next() so_times = [] while (hdr and data is not None ): try: #figure out wich datalink type datalink = pcap.datalink() if datalink == pcapy.DLT_EN10MB: decoder = ImpactDecoder.EthDecoder() elif datalink == pcapy.DLT_LINUX_SLL: decoder = ImpactDecoder.LinuxSLLDecoder() #start decoding layer2 = decoder.decode(data) #Dissect layers #IP ip = layer2.child() ipsrc = ip.get_ip_src() #TCP tcp = ip.child() dport = tcp.get_th_dport() #WA
def pcap_reader(pcap_file, state_already, parser=None, priv_net=None):
"Looks for WA traffic (user and control) in a pcap file"
if flagSP_testing == 1: printChosenParser(parser)
nouser_counter = 0
flagAlreadyPaused = 0
#lists to store signalization traffic info
wa_state_list = []
wa_state_vol_list = []
#list to store volume traffic info
wa_vol_list = []
#Regex to check if it is control traffic
st_packet_re = re.compile("^WA.*(Android|iPhone|WP)")
try:
#Create a 'Reader' Object
pcap = open_offline(pcap_file)
#Decode the first packet
(hdr, data) = pcap.next()
while (hdr and data is not None):
try:
#figure out wich datalink type
datalink = pcap.datalink()
if datalink == pcapy.DLT_EN10MB:
decoder = ImpactDecoder.EthDecoder()
elif datalink == pcapy.DLT_LINUX_SLL:
decoder = ImpactDecoder.LinuxSLLDecoder()
#start decoding
layer2 = decoder.decode(data)
#Dissect layers
#IP
ip = layer2.child()
ipsrc = ip.get_ip_src()
#TCP
tcp = ip.child()
dport = tcp.get_th_dport()
#WA
wapp = tcp.child()
#figure out if it's control packet or volume packet
if st_packet_re.search(wapp.get_buffer_as_string()):
if state_already == 0:
if dport == 443 and tcp.get_size() > 0:
pkt_info = 'SSL'
elif (dport == 5222 or dport == 5223) and tcp.get_size() > 0:
pkt_info = ('XMPP')
logging.info('[Parse] Es un paquete de estado de WhatsApp: %s', pkt_info)
#Receives an UserStateEvent object
wa_user_info = state_packet_parser(tcp, ipsrc, hdr, parser)
#Check if parser_method is correctly chosen
if wa_user_info.anonym_user_id is None:
nouser_counter = nouser_counter + 1
if nouser_counter > 2 and flagAlreadyPaused == 0:
print "Too many user ids not identified. May the parsing method is not correctly chosen according to the StatePacket Version."
answer = raw_input("Do you really want to continue? (y/n): ")
if answer is "y":
flagAlreadyPaused = 1
elif answer is "n":
print("Exiting program")
logging.critical("Too many user id not identified. Exiting program...")
sys.exit(1)
else:
#if any other caracter is pressed, I let the program turn another packet.
pass
#Append last info
wa_state_list.append(wa_user_info)
#create volume-class object and append it
wa_state_vol_info = vol_packet_parser(ip,hdr,priv_net)
wa_state_vol_list.append(wa_state_vol_info)
else:
#process here for only volume packets
if priv_net:
wa_vol_info = vol_packet_parser(ip,hdr,priv_net)
wa_vol_list.append(wa_vol_info)
####Decode the following packet
(hdr, data) = pcap.next()
except pcapy.PcapError as pcap_error:
logging.debug("[Loop] .pcap file end %s", str(pcap_error))
(hdr, data) = (None, None)
except IOError as err:
print('[Pcap-parser] File error: '+str(err))
logging.error("[Pcap-parser] File error: %s", str(err))
sys.exit(1)
return (wa_state_list, wa_state_vol_list, wa_vol_list)
