def PacketHandler(pkt): global streams global rtmp_port global out_mode global quit_first if pkt.haslayer(TCP) and pkt.haslayer(Raw): #Skipping if the rtmp_port is defined and is different from the packet dest port if rtmp_port != 0 and pkt[TCP].dport != rtmp_port: return sport = pkt[TCP].sport #hexdump(pkt.load) """ The easiest way to follow the TCP streams is to use the source port as distinction element. So i will consider each packet with the same source port as part of the same TCP stream """ if sport not in streams: stream = Stream(pkt.load) streams[sport] = stream else: streams[sport].appendData(pkt.load) if streams[sport].dontScanAgain: return #This is the mininium size that an RTMP stream must have to contains interesting data... if streams[sport].size > 0x600*2: logger.debug("Dissecting stream: %s" % sport) rtmp = rtmpParser() try: amfCmds = rtmp.rtmpParseStream(streams[sport]) #If I have 2 AMF commands (play and connect), I can print the results if amfCmds.count() == 2: logger.info("\n* RTMP Stream found!") amfCmds.printOut(out_mode) streams[sport].dontScanAgain = True if quit_first: sys.exit(0) else: streams[sport].offset = 0 except StreamNoMoreBytes: logger.debug("No more bytes to read from the stream!") except Exception as e: logger.error("Error parsing the RTMP stream: %s" % e)
def PacketHandler(pkt): global streams global rtmp_port global out_mode global quit_first if pkt.haslayer(TCP) and pkt.haslayer(Raw): #Skipping if the rtmp_port is defined and is different from the packet dest port if rtmp_port != 0 and pkt[TCP].dport != rtmp_port: return sport = pkt[TCP].sport #hexdump(pkt.load) """ The easiest way to follow the TCP streams is to use the source port as distinction element. So i will consider each packet with the same source port as part of the same TCP stream """ if sport not in streams: stream = Stream(pkt.load) streams[sport] = stream else: streams[sport].appendData(pkt.load) if streams[sport].dontScanAgain: return #This is the mininium size that an RTMP stream must have to contains interesting data... if streams[sport].size > 0x600 * 2: logger.debug("Dissecting stream: %s" % sport) rtmp = rtmpParser() try: amfCmds = rtmp.rtmpParseStream(streams[sport]) #If I have 2 AMF commands (play and connect), I can print the results if amfCmds.count() == 2: logger.info("\n* RTMP Stream found!") amfCmds.printOut(out_mode) streams[sport].dontScanAgain = True if quit_first: sys.exit(0) else: streams[sport].offset = 0 except StreamNoMoreBytes: logger.debug("No more bytes to read from the stream!") except Exception as e: logger.error("Error parsing the RTMP stream: %s" % e)
#MAIN if __name__ == "__main__": args = setupArgParser() if args.debug: logger.DEBUG = True if args.quiet: logger.QUIET = True rtmp_port = args.port out_mode = args.out_mode quit_first = args.quit_first logger.info("rtmpSnoop v0.1 - The RTMP Sniffer!") logger.info("Andrea Fabrizi - [email protected]\n") streams = dict() #Not sniffing, reading from dump file if args.pcapfile: logger.info("Reading packets from dump file '%s'..." % args.pcapfile) sniff(offline=args.pcapfile, filter="tcp", prn = PacketHandler) #Sniffing on the specified device elif args.device: logger.info("Starting sniffing on %s..." % args.device) try: sniff(iface=args.device, prn = PacketHandler) except socket.error as e:
#MAIN if __name__ == "__main__": args = setupArgParser() if args.debug: logger.DEBUG = True if args.quiet: logger.QUIET = True rtmp_port = args.port out_mode = args.out_mode quit_first = args.quit_first logger.info("rtmpSnoop v%s - The RTMP Sniffer!" % VERSION) logger.info("Andrea Fabrizi - [email protected]\n") streams = dict() #Not sniffing, reading from dump file if args.pcapfile: logger.info("Reading packets from dump file '%s'..." % args.pcapfile) sniff(offline=args.pcapfile, filter="tcp", prn=PacketHandler) #Sniffing on the specified device elif args.device: logger.info("Starting sniffing on %s..." % args.device) try: sniff(iface=args.device, prn=PacketHandler, store=0) except socket.error as e:
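Review bot: The two sniff() calls in the main block are now asymmetric: the live path `sniff(iface=args.device, prn=PacketHandler, store=0)` gains `store=0` but still has no `filter="tcp"`, so every non-TCP frame is handed to PacketHandler, while the offline path `sniff(offline=args.pcapfile, filter="tcp", prn=PacketHandler)` keeps the filter but not `store=0`, so a large dump file is still retained in memory even though the handler never uses the stored packets. Making both calls identical apart from their source, `sniff(offline=args.pcapfile, filter="tcp", prn=PacketHandler, store=0)` and `sniff(iface=args.device, filter="tcp", prn=PacketHandler, store=0)`, closes both gaps. `VERSION` is referenced by the new banner line but is not defined within this hunk, so its definition is presumably elsewhere in the commit. The body of `except socket.error as e:` and the remainder of the main block lie outside the hunk.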
def printBar(self): logger.info("*************************************")