def pcap_to_object(pcap_file, obj_file): """Create a Python serialized graph object. Read the pcap file given in parameter, extracts source and destination IP and write a serialized graph object. """ dic_ip = ip_dict() reader = ppcap.Reader(filename=pcap_file) if options.verbose: print("Reading pcap file...") for ts, buf in reader: eth = ethernet.Ethernet(buf) if eth[ip.IP] is not None: # print("%d: %s:%s -> %s:%s" % (ts, eth[ip.IP].src_s, # eth[tcp.TCP].sport, eth[ip.IP].dst_s, # eth[tcp.TCP].dport)) dic_ip[eth[ip.IP].src_s][eth[ip.IP].dst_s] += 1 if options.verbose: print("Serialization...") dic_obj = open(obj_file, "wb") pickle.dump(dic_ip, dic_obj) dic_obj.close()
def gen_samples(pcap_name, mac, window=25, step=1, is_time_slice=True): pcap = ppcap.Reader(pcap_name, lowest_layer=radiotap.Radiotap) if is_time_slice: return time_slice_pcap(pcap, window, step) else: return pkt_slice_pcap(pcap, window, step)
def map_pcap(f, pcap_name, lowest_layer=None, pktfilter=None): pcap = ppcap.Reader(pcap_name, lowest_layer=lowest_layer, pktfilter=pktfilter) xs, ys = [], [] bt = None for ts, buf in pcap: if bt is None: bt = ts xs.append((ts - bt)/(60 * 10**9)) ys.append(f(buf)) return xs, ys
def readndump_capfile(infile_name="bugpackets.pcap"): outfile_name = infile_name + "_buggyagain.pcap" #print("will store bug-packets to: %s" % outfile_name) pcap_in = ppcap.Reader(filename=infile_name) pcap_out = ppcap.Writer(filename=outfile_name) for ts, bts in pcap_in: pass_or_dump(bts, pcap_out) pcap_in.close() pcap_out.close()
def get_pcap(fname, cnt=1000): """ Read cnt packets from a pcap file, default: 1000 """ packet_bytes = [] pcap = ppcap.Reader(fname) for ts, buf in pcap: packet_bytes.append(buf) cnt -= 1 if cnt <= 0: break pcap.close() return packet_bytes
def show_pcap(fname, cnt=1000): """ Read cnt packets from a pcap file, default: 1000 """ f = open(fname, "rb") pcap = ppcap.Reader(f) cnt = 0 for ts, buf in pcap: cnt += 1 """ if cnt > 1: continue """ print(">>> read packet %d" % cnt) rt = radiotap.Radiotap(buf) print("%r" % rt) print("%r" % rt.ieee80211) try: print("%r" % rt.ieee80211.dataframe) except: try: print("%r" % rt.ieee80211.assocreq) except: try: print("%r" % rt.ieee80211.beacon) except: try: print("%r" % rt.ieee80211.proberesp) except: try: print("%r" % rt.ieee80211.probereq) except: print("%r" % rt.ieee80211.assocresp) f.close()
Usage: %(app)s pcap_file src_ip src_port dst_ip dst_port Ex: %(app)s test.pcap 192.168.1.1 10000 192.168.1.2 20000 """ % {"app": app}) if len(sys.argv) != 6: usage(sys.argv[0]) sys.exit(1) app, pcap_file, src_ip, src_port, dst_ip, dst_port = sys.argv src_port = int(src_port) dst_port = int(dst_port) #print(pcap_file) preader = ppcap.Reader(filename=pcap_file) #print(dir(preader)) def handle_packet(o, src_ip, src_port, dst_ip, dst_port): if not (o[ip.IP].src_s == src_ip and o[udp.UDP].sport == src_port and o[ip.IP].dst_s == dst_ip and o[udp.UDP].dport == dst_port): return r = rtp.RTP(o[udp.UDP].body_bytes) print("%d: pt=%s ts=%s seqnum=%s" % (ts, r.pt, r.ts, r.seq)) sys.stdout.write("payload: ") for b in r.body_bytes: sys.stdout.write(hex(b) + " ")
from pypacker import ppcap from pypacker.layer12 import ethernet from pypacker.layer3 import ip from pypacker.layer4 import tcp import struct def u32(x): return struct.unpack('<I', x)[0] preader = ppcap.Reader(filename="HideInSSL.pcap") npic = 0 data = {} response = {} keys = [] need_to_add = False for ts, buf in preader: eth = ethernet.Ethernet(buf) try: if eth[ethernet.Ethernet, ip.IP, tcp.TCP] is not None: if eth[tcp.TCP].dport == 443 and eth.ip.dst_s == "192.168.0.128": for record in eth.ip.tcp.ssl.records: if record.type == 22: x = len("\x01\x00\x00\xab\x03\x03[\x1e\x7f\\") body_len = len(eth.ip.tcp.ssl.records[0].body_bytes) length = u32(record.body_bytes[x:x + 4])
def main(): #override some warning settings in pypacker. May need to change this to .CRITICAL in the future, but for now we're trying .ERROR #without this when parsing http for example we get "WARNINGS" when packets aren't quite right in the header. logger = pypacker.logging.getLogger("pypacker") pypacker.logger.setLevel(pypacker.logging.ERROR) counter = 0 startTime = time.time() tcpCheck = False dhcpCheck = False httpCheck = False icmpCheck = False #not enabled in lower code at this point due to tracking features I'm not willing to code at this time. smbCheck = False #read in fingerprints [sExactList, saExactList, sPartialList, saPartialList] = satoriTCP.BuildTCPFingerprintFiles() [ DiscoverOptionsExactList, DiscoverOptionsPartialList, RequestOptionsExactList, RequestOptionsPartialList, ReleaseOptionsExactList, ReleaseOptionsPartialList, ACKOptionsExactList, ACKOptionsPartialList, AnyOptionsExactList, AnyOptionsPartialList, InformOptionsExactList, InformOptionsPartialList, DiscoverOption55ExactList, DiscoverOption55PartialList, RequestOption55ExactList, RequestOption55PartialList, ReleaseOption55ExactList, ReleaseOption55PartialList, ACKOption55ExactList, ACKOption55PartialList, AnyOption55ExactList, AnyOption55PartialList, InformOption55ExactList, InformOption55PartialList, DiscoverVendorCodeExactList, DiscoverVendorCodePartialList, RequestVendorCodeExactList, RequestVendorCodePartialList, ReleaseVendorCodeExactList, ReleaseVendorCodePartialList, ACKVendorCodeExactList, ACKVendorCodePartialList, AnyVendorCodeExactList, AnyVendorCodePartialList, InformVendorCodeExactList, InformVendorCodePartialList, DiscoverTTLExactList, DiscoverTTLPartialList, RequestTTLExactList, RequestTTLPartialList, ReleaseTTLExactList, ACKTTLExactList, AnyTTLExactList, InformTTLExactList, ACKTTLPartialList, AnyTTLPartialList, InformTTLPartialList, NAKOptionsPartialList, NAKOptionsExactList, NAKOption55PartialList, NAKOption55ExactList, NAKVendorCodePartialList, NAKVendorCodeExactList, NAKTTLPartialList, NAKTTLExactList, OfferOptionsPartialList, OfferOptionsExactList, OfferOption55PartialList, OfferOption55ExactList, OfferVendorCodePartialList, OfferVendorCodeExactList, OfferTTLPartialList, OfferTTLExactList, DeclineOptionsPartialList, DeclineOptionsExactList, DeclineOption55PartialList, DeclineOption55ExactList, DeclineVendorCodePartialList, DeclineVendorCodeExactList, DeclineTTLPartialList, DeclineTTLExactList ] = satoriDHCP.BuildDHCPFingerprintFiles() [useragentExactList, useragentPartialList] = satoriHTTP.BuildHTTPUserAgentFingerprintFiles() [serverExactList, serverPartialList] = satoriHTTP.BuildHTTPServerFingerprintFiles() #[icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList] = satoriICMP.BuildICMPFingerprintFiles() [nativeExactList, lanmanExactList, nativePartialList, lanmanPartialList] = satoriSMB.BuildSMBTCPFingerprintFiles() [browserExactList, browserPartialList] = satoriSMB.BuildSMBUDPFingerprintFiles() if len(modules) == 0: #no preference so we'll run all modules we have tcpCheck = True dhcpCheck = True httpCheck = True icmpCheck = True smbCheck = True else: #requested a specific one, so lets only enable what was asked for mod = modules.split(',') for i in range(len(mod)): if (mod[i].lower() == 'tcp'): tcpCheck = True elif (mod[i].lower() == 'dhcp'): dhcpCheck = True elif (mod[i].lower() == 'http'): httpCheck = True elif (mod[i].lower() == 'icmp'): icmpCheck = True elif (mod[i].lower() == 'smb'): smbCheck = True if ( directory != '' ): #probably a better way to do this and dupe most of the below code from preader section, but DHCP passing parameters into a procedure sucks. onlyfiles = [ f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory, f)) ] for f in onlyfiles: #print(f, end='\n', flush=True) try: preader = ppcap.Reader(filename=directory + '/' + f) for ts, buf in preader: try: counter = counter + 1 ts = ts / 1000000000 (pkt, layer, tcpPacket, dhcpPacket, httpPacket, udpPacket) = packetType(buf) if tcpPacket and tcpCheck: satoriTCP.tcpProcess(pkt, layer, ts, sExactList, saExactList, sPartialList, saPartialList) if dhcpPacket and dhcpCheck: satoriDHCP.dhcpProcess( pkt, layer, ts, DiscoverOptionsExactList, DiscoverOptionsPartialList, RequestOptionsExactList, RequestOptionsPartialList, ReleaseOptionsExactList, ReleaseOptionsPartialList, ACKOptionsExactList, ACKOptionsPartialList, AnyOptionsExactList, AnyOptionsPartialList, InformOptionsExactList, InformOptionsPartialList, DiscoverOption55ExactList, DiscoverOption55PartialList, RequestOption55ExactList, RequestOption55PartialList, ReleaseOption55ExactList, ReleaseOption55PartialList, ACKOption55ExactList, ACKOption55PartialList, AnyOption55ExactList, AnyOption55PartialList, InformOption55ExactList, InformOption55PartialList, DiscoverVendorCodeExactList, DiscoverVendorCodePartialList, RequestVendorCodeExactList, RequestVendorCodePartialList, ReleaseVendorCodeExactList, ReleaseVendorCodePartialList, ACKVendorCodeExactList, ACKVendorCodePartialList, AnyVendorCodeExactList, AnyVendorCodePartialList, InformVendorCodeExactList, InformVendorCodePartialList, DiscoverTTLExactList, DiscoverTTLPartialList, RequestTTLExactList, RequestTTLPartialList, ReleaseTTLExactList, ACKTTLExactList, AnyTTLExactList, InformTTLExactList, ACKTTLPartialList, AnyTTLPartialList, InformTTLPartialList, NAKOptionsPartialList, NAKOptionsExactList, NAKOption55PartialList, NAKOption55ExactList, NAKVendorCodePartialList, NAKVendorCodeExactList, NAKTTLPartialList, NAKTTLExactList, OfferOptionsPartialList, OfferOptionsExactList, OfferOption55PartialList, OfferOption55ExactList, OfferVendorCodePartialList, OfferVendorCodeExactList, OfferTTLPartialList, OfferTTLExactList, DeclineOptionsPartialList, DeclineOptionsExactList, DeclineOption55PartialList, DeclineOption55ExactList, DeclineVendorCodePartialList, DeclineVendorCodeExactList, DeclineTTLPartialList, DeclineTTLExactList) if httpPacket and httpCheck: satoriHTTP.httpUserAgentProcess( pkt, layer, ts, useragentExactList, useragentPartialList) satoriHTTP.httpServerProcess( pkt, layer, ts, serverExactList, serverPartialList) # if (eth[ethernet.Ethernet, ip.IP, icmp.ICMP] is not None) and icmpCheck: # satoriICMP.icmpProcess(eth, ts, icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList) if tcpPacket and smbCheck: satoriSMB.smbTCPProcess(pkt, layer, ts, nativeExactList, lanmanExactList, nativePartialList, lanmanPartialList) if udpPacket and smbCheck: satoriSMB.smbUDPProcess(pkt, layer, ts, browserExactList, browserPartialList) except (KeyboardInterrupt, SystemExit): raise except: pass except: pass # print('File was not pcap format') # sys.exit(1) elif (readpcap != ''): try: preader = ppcap.Reader(filename=readpcap) except: print('File was not pcap format', end='\n', flush=True) sys.exit(1) for ts, buf in preader: try: counter = counter + 1 ts = ts / 1000000000 (pkt, layer, tcpPacket, dhcpPacket, httpPacket, udpPacket) = packetType(buf) if tcpPacket and tcpCheck: satoriTCP.tcpProcess(pkt, layer, ts, sExactList, saExactList, sPartialList, saPartialList) if dhcpPacket and dhcpCheck: satoriDHCP.dhcpProcess( pkt, layer, ts, DiscoverOptionsExactList, DiscoverOptionsPartialList, RequestOptionsExactList, RequestOptionsPartialList, ReleaseOptionsExactList, ReleaseOptionsPartialList, ACKOptionsExactList, ACKOptionsPartialList, AnyOptionsExactList, AnyOptionsPartialList, InformOptionsExactList, InformOptionsPartialList, DiscoverOption55ExactList, DiscoverOption55PartialList, RequestOption55ExactList, RequestOption55PartialList, ReleaseOption55ExactList, ReleaseOption55PartialList, ACKOption55ExactList, ACKOption55PartialList, AnyOption55ExactList, AnyOption55PartialList, InformOption55ExactList, InformOption55PartialList, DiscoverVendorCodeExactList, DiscoverVendorCodePartialList, RequestVendorCodeExactList, RequestVendorCodePartialList, ReleaseVendorCodeExactList, ReleaseVendorCodePartialList, ACKVendorCodeExactList, ACKVendorCodePartialList, AnyVendorCodeExactList, AnyVendorCodePartialList, InformVendorCodeExactList, InformVendorCodePartialList, DiscoverTTLExactList, DiscoverTTLPartialList, RequestTTLExactList, RequestTTLPartialList, ReleaseTTLExactList, ACKTTLExactList, AnyTTLExactList, InformTTLExactList, ACKTTLPartialList, AnyTTLPartialList, InformTTLPartialList, NAKOptionsPartialList, NAKOptionsExactList, NAKOption55PartialList, NAKOption55ExactList, NAKVendorCodePartialList, NAKVendorCodeExactList, NAKTTLPartialList, NAKTTLExactList, OfferOptionsPartialList, OfferOptionsExactList, OfferOption55PartialList, OfferOption55ExactList, OfferVendorCodePartialList, OfferVendorCodeExactList, OfferTTLPartialList, OfferTTLExactList, DeclineOptionsPartialList, DeclineOptionsExactList, DeclineOption55PartialList, DeclineOption55ExactList, DeclineVendorCodePartialList, DeclineVendorCodeExactList, DeclineTTLPartialList, DeclineTTLExactList) if httpPacket and httpCheck: satoriHTTP.httpUserAgentProcess(pkt, layer, ts, useragentExactList, useragentPartialList) satoriHTTP.httpServerProcess(pkt, layer, ts, serverExactList, serverPartialList) # if (eth[ethernet.Ethernet, ip.IP, icmp.ICMP] is not None) and icmpCheck: # satoriICMP.icmpProcess(eth, ts, icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList) if tcpPacket and smbCheck: satoriSMB.smbTCPProcess(pkt, layer, ts, nativeExactList, lanmanExactList, nativePartialList, lanmanPartialList) if udpPacket and smbCheck: satoriSMB.smbUDPProcess(pkt, layer, ts, browserExactList, browserPartialList) except (KeyboardInterrupt, SystemExit): raise except: pass elif interface != '': try: preader = pcapy.open_live(interface, 65536, False, 1) #highly recommended to add something like this for a bpf filter on a high throughput connection (4 Gb/s link script sorta died on me in testing) #assuming only doing -m http #preader.setfilter('tcp port 80 or tcp port 8080') except Exception as e: print(e, end='\n', flush=True) sys.exit(1) while True: try: counter = counter + 1 (header, buf) = preader.next() ts = header.getts()[0] (pkt, layer, tcpPacket, dhcpPacket, httpPacket, udpPacket) = packetType(buf) if tcpPacket and tcpCheck: satoriTCP.tcpProcess(pkt, layer, ts, sExactList, saExactList, sPartialList, saPartialList) if dhcpPacket and dhcpCheck: satoriDHCP.dhcpProcess( pkt, layer, ts, DiscoverOptionsExactList, DiscoverOptionsPartialList, RequestOptionsExactList, RequestOptionsPartialList, ReleaseOptionsExactList, ReleaseOptionsPartialList, ACKOptionsExactList, ACKOptionsPartialList, AnyOptionsExactList, AnyOptionsPartialList, InformOptionsExactList, InformOptionsPartialList, DiscoverOption55ExactList, DiscoverOption55PartialList, RequestOption55ExactList, RequestOption55PartialList, ReleaseOption55ExactList, ReleaseOption55PartialList, ACKOption55ExactList, ACKOption55PartialList, AnyOption55ExactList, AnyOption55PartialList, InformOption55ExactList, InformOption55PartialList, DiscoverVendorCodeExactList, DiscoverVendorCodePartialList, RequestVendorCodeExactList, RequestVendorCodePartialList, ReleaseVendorCodeExactList, ReleaseVendorCodePartialList, ACKVendorCodeExactList, ACKVendorCodePartialList, AnyVendorCodeExactList, AnyVendorCodePartialList, InformVendorCodeExactList, InformVendorCodePartialList, DiscoverTTLExactList, DiscoverTTLPartialList, RequestTTLExactList, RequestTTLPartialList, ReleaseTTLExactList, ACKTTLExactList, AnyTTLExactList, InformTTLExactList, ACKTTLPartialList, AnyTTLPartialList, InformTTLPartialList, NAKOptionsPartialList, NAKOptionsExactList, NAKOption55PartialList, NAKOption55ExactList, NAKVendorCodePartialList, NAKVendorCodeExactList, NAKTTLPartialList, NAKTTLExactList, OfferOptionsPartialList, OfferOptionsExactList, OfferOption55PartialList, OfferOption55ExactList, OfferVendorCodePartialList, OfferVendorCodeExactList, OfferTTLPartialList, OfferTTLExactList, DeclineOptionsPartialList, DeclineOptionsExactList, DeclineOption55PartialList, DeclineOption55ExactList, DeclineVendorCodePartialList, DeclineVendorCodeExactList, DeclineTTLPartialList, DeclineTTLExactList) if httpPacket and httpCheck: satoriHTTP.httpUserAgentProcess(pkt, layer, ts, useragentExactList, useragentPartialList) satoriHTTP.httpServerProcess(pkt, layer, ts, serverExactList, serverPartialList) # if (eth[ethernet.Ethernet, ip.IP, icmp.ICMP] is not None) and icmpCheck: # satoriICMP.icmpProcess(eth, ts, icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList) if tcpPacket and smbCheck: satoriSMB.smbTCPProcess(pkt, layer, ts, nativeExactList, lanmanExactList, nativePartialList, lanmanPartialList) if udpPacket and smbCheck: satoriSMB.smbUDPProcess(pkt, layer, ts, browserExactList, browserPartialList) except (KeyboardInterrupt, SystemExit): raise except: pass else: #we should never get here with "proceed" check, but just in case print("Not sure how we got here", end='\n', flush=True) endTime = time.time() totalTime = endTime - startTime if verbose: print('Total Time: %s, Total Packets: %s, Packets/s: %s' % (totalTime, counter, counter / totalTime))
import socket import pypacker.pypacker as pypacker from pypacker.pypacker import Packet from pypacker import ppcap from pypacker import psocket from pypacker.layer12 import arp, ethernet, ieee80211, prism from pypacker.layer3 import ip, icmp from pypacker.layer4 import udp, tcp from pypacker.layer567 import radius #import dpkt from pypacker import pcapng #pcap_file = ppcap.Reader(filename="TEST_Radius.pcap") #pcap_file = pcapng.Reader(filename="TEST_Radius.pcap") pcap_file = ppcap.Reader(filename="TEST_Radius.pcap") cnt = 1 for ts, buf in pcap_file: if (cnt == 3): break print(cnt) cnt += 1 eth = ethernet.Ethernet(buf) eth2 = ethernet.Ethernet(buf) print("Packet :%s " % eth2) u = udp.UDP if eth[u] is not None: print("(%s):%s:%s->(%s)%s:%s" % (eth.src_s, eth[ip.IP].src_s, eth[u].sport, eth.dst_s, eth[ip.IP].dst_s, eth[u].dport)) if (eth[radius.Radius] is not None): print("RADIUS")
parser.add_argument('file', help='the pcap file to process') parser.add_argument('-c', '--config', help='configuration file') parser.add_argument('-a', '--available-properties', dest='availableproperties', help='list the available properties from the file', action='store_true') args = parser.parse_args() requestedattributes = [] if args.config is not None: with open(args.config) as c: for line in c: requestedattributes.append(line.rstrip()) pcap = ppcap.Reader(filename=args.file) def isproperty(member): if inspect.ismethod(member): return False if inspect.isfunction(member): return False return True printedattribues = [] generatingattribues = args.availableproperties def traversePackets(prop, parentstring, packet):
icmp.ICMP(type=8) +\ icmp.ICMP.Echo(id=1, ts=123456789, body_bytes=b"12345678901234567890") print(packet1) print(packet1.direction) if packet1.is_direction(packet2, Packet.DIR_SAME): print("same direction for packet 1/2") elif packet1.is_direction(packet2, Packet.DIR_REV): print("reverse direction for packet 1/2") else: print("unknown direction for packet 1/2, type: %d" % dir) # # read packets from pcap-file using pypacker-reader # pcap = ppcap.Reader(filename="packets_ether.pcap") cnt = 0 for ts, buf in pcap: cnt += 1 eth = ethernet.Ethernet(buf) if eth[tcp.TCP] is not None: print("%d: %s:%s -> %s:%s" % (ts, eth[ip.IP].src_s, eth[tcp.TCP].sport, eth[ip.IP].dst_s, eth[tcp.TCP].dport)) pcap.close() # # send/receive packets to/from network using raw sockets # try: psock = psocket.SocketHndl(timeout=10)