class pcap_write(gr.sync_block):
def __init__(self,f,append=True):
gr.sync_block.__init__(self,"pcap_write",[],[])
self.message_port_register_in(pmt.intern("pdus"));
self.set_msg_handler(pmt.intern("pdus"), self.handler);
self.f = f
self.append = append
def start(self):
self.pcap = PcapWriter(self.f, append=self.append, sync=True)
def stop(self):
pass
def handler(self, pdu):
meta = pmt.to_python(pmt.car(pdu))
x = pmt.to_python(pmt.cdr(pdu))
z = l2.Raw(x.tostring())
if(meta.has_key("timestamp")):
t = meta['timestamp']
if( type(t) == tuple ):
t = t[0]+t[1]
else :
t = t
z.time = t
self.pcap.write(z);
def work(self, input_items, output_items):
pass
def create_pcap_file_from_frames(self, file_name, frames):
writer = PcapWriter(file_name, append=False)
for frame in frames:
writer.write(frame)
writer.close()
def sanitize(
filepath_in,
filepath_out=None,
sequential=True,
ipv4_mask=0,
ipv6_mask=0,
mac_mask=0,
start_ipv4="10.0.0.1",
start_ipv6="2001:aa::1",
start_mac="00:aa:00:00:00:00",
):
if not filepath_out:
timestamp = datetime.datetime.now().strftime("%y%m%d-%H%m%S")
filepath_out = os.path.splitext(filepath_in)[0] + "_sanitized_" + timestamp + os.path.splitext(filepath_in)[1]
mac_gen = MACGenerator(sequential=sequential, mask=mac_mask, start_mac=start_mac)
ip4_gen = IPv4Generator(sequential=sequential, mask=ipv4_mask, start_ip=start_ipv4)
ip6_gen = IPv6Generator(sequential=sequential, mask=ipv6_mask, start_ip=start_ipv6)
with open(filepath_in) as capfile:
# open cap file with pcapfile
cap = savefile.load_savefile(capfile, verbose=False)
# use scapy's pcapwriter
pktwriter = PcapWriter(filepath_out, append=True)
try:
for pkt in cap.packets:
# create scapy packet from pcapfile packet raw output
pkt = Ether(pkt.raw())
# MAC addresses
pkt.src = mac_gen.get_mac(pkt.src)
pkt.dst = mac_gen.get_mac(pkt.dst)
# IP Address
try:
pkt["IP"].src = ip4_gen.get_ip(pkt["IP"].src)
pkt["IP"].dst = ip4_gen.get_ip(pkt["IP"].dst)
except IndexError:
pkt["IPv6"].src = ip6_gen.get_ip(pkt["IPv6"].src)
pkt["IPv6"].dst = ip6_gen.get_ip(pkt["IPv6"].dst)
pktwriter.write(pkt)
finally:
pktwriter.close()
return filepath_out.split("/")[-1]
class WrpcapSink(Sink):
"""Packets received on low input are written to PCA file
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
"""
def __init__(self, fname):
self.f = PcapWriter(fname)
def stop(self):
self.f.flush()
def push(self, msg):
self.f.write(msg)
def downstream_fragmentation(self):
self.m_finished = False
self.packet_error = False
self.comment = "\n IPv4_PACKET_FRAGMENTED_BY_BR"
q = Queue()
v6_cap_filter = 'dst {}'.format(self.ipv6_source_address)
sniffer = Thread(target=self.v6sniffer, args=(q, v6_cap_filter, 1))
sniffer.daemon = True
sniffer.start()
while not self.m_finished:
ip = IP(src=self.ipv4_source_address, dst=self.ipv4_destination_address)
udp = UDP(sport=self.ipv4_udp_or_tcp_source_port, dport=self.ipv4_udp_or_tcp_destination_port)
payload = "a" * 1453
send(ip / udp / payload, iface=self.ipv4_interface, verbose=False)
if not q.empty():
file_name = self.comment.lower() + ".pcap"
pktdump = PcapWriter(file_name, append=True, sync=True)
count = 0
while not q.empty():
pkt = q.get()
# print(pkt.show())
# file_name = self.comment.lower()+".pcap"
# wrpcap(file_name, pkt)
pktdump.write(pkt)
try:
pkt
except NameError:
self.comment += "\n Fragments not received"
return
print "IPv4 Fragmentation by BR:: FAIL"
if count == 0:
self.v6_address_check(pkt)
self.v6_port_check(pkt)
if pkt[0][1].nh != 44:
self.comment += "\n No Fragment Header found"
if count == 1: # Second Fragment
self.v6_address_check(pkt)
count += 1
if count != 2:
self.comment += "\n Both fragments not received"
if self.packet_error:
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
print "IPv4 Fragmentation by BR:: FAIL"
if not self.packet_error:
print "IPv4 Fragmentation by BR: PASS"
def downstream_ttl_expired(self):
self.m_finished = False
self.packet_error = False
self.comment = "\n IPv4_TTL_EXPIRED"
q = Queue()
v4_cap_filter = 'icmp and dst {}'.format(self.ipv4_source_address)
sniffer = Thread(target=self.v4sniffer, args=(q, v4_cap_filter, 1))
sniffer.daemon = True
sniffer.start()
while not self.m_finished:
ip = IP(src=self.ipv4_source_address, dst=self.ipv4_destination_address, ttl=2)
udp = UDP(sport=self.ipv4_udp_or_tcp_source_port, dport=self.ipv4_udp_or_tcp_destination_port)
payload = "a" * 82
send(ip / udp / payload, iface=self.ipv4_interface, verbose=False)
if not q.empty():
file_name = self.comment.lower() + ".pcap"
pktdump = PcapWriter(file_name, append=True, sync=True)
while not q.empty():
pkt = q.get()
# print(pkt.show())
# file_name = self.comment.lower()+".pcap"
# wrpcap(file_name, pkt)
pktdump.write(pkt)
try:
pkt
except NameError:
self.comment += "\n ICMPv6 Packets Not Received"
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
return
if pkt[0][1].proto != 1:
self.comment += "\n Packet Type is not ICMP (Proto 1)"
self.packet_error = True
if pkt[0][2].type != 11:
self.comment += "\n Incorrect Type Number"
self.packet_error = True
if pkt[0][2].code != 0:
self.comment += "\n Incorrect Code Number"
self.packet_error = True
if self.packet_error:
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
print "TTL Expired: FAIL"
if not self.packet_error:
print "TTL Expired: PASS"
class WrpcapSink(Sink):
"""Packets received on low input are written to PCA file
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
"""
def __init__(self, fname, name=None):
Sink.__init__(self, name=name)
self.f = PcapWriter(fname)
def stop(self):
self.f.flush()
def push(self, msg):
self.f.write(msg)
def gen_traffic(self, output_filename,
dst_ip_addr, dst_mac, src_mac="00:00:00:00:00:01",
ip_num=10000, packet_num=500000, payload="Normal Traffic pkts"):
print("PAcket Number: %d" % packet_num)
if not output_filename.endswith(".pcap"):
print("Invalid PCAP filename! Exiting...")
return
self.pcap_filename = output_filename
self.ip_hc_filename = str.join(".", output_filename.split(".")[:-1]) + "_ip_hc.txt"
self.ip_fake_ttl_filename = str.join(".", output_filename.split(".")[:-1]) + "_fake_ttl.txt"
# show modify request
request = "Generating " + output_filename + " with\n"
if src_mac is not None:
request += " src mac:" + src_mac + "\n"
if dst_mac is not None:
request += " dst mac:" + dst_mac + "\n"
if dst_ip_addr is not None:
request += " dst ip addr:" + dst_ip_addr + "\n"
print(request + "\n")
pcap_writer = PcapWriter(output_filename)
src_ips = []
src_hosts_with_ttl = {}
for i in range(packet_num):
if len(self.src_hosts) < ip_num:
# pick a random src ip
src_ip = self.__generate_ip()
# pick a random hc
ttl = self.__generate_rand_ttl()
else:
src_ip = src_ips[random.randint(0, len(src_ips) - 1)]
ttl = src_hosts_with_ttl[src_ip]
# calculate ttl according to hc
pkt = Ether(src=src_mac, dst=dst_mac)/IP(src=self.__ip_int2str(src_ip), dst=dst_ip_addr, ttl=ttl)/TCP(flags=0x10)/payload
pcap_writer.write(pkt)
if src_ip not in src_ips:
src_ips.append(src_ip)
src_hosts_with_ttl[src_ip] = ttl
self.src_hosts[src_ip] = self.__ttl2hc(ttl)
if i % 10000 == 0:
print("%d packets have been produced\n" % i)
print(str(len(self.src_hosts)) + " source hosts produced")
print("Writing ip,hc dict into " + self.ip_hc_filename + "...")
with open(self.ip_hc_filename, "w") as f:
json.dump(self.src_hosts, f)
f.close()
pcap_writer.flush()
pcap_writer.close()
def __spawn_sniffer(self):
"""
Saves pcaps to a file. Should be run as a thread.
Ends when the stop_sniffing_flag is set. Should not be called by user
"""
self.packet_dumper = PcapWriter(self.location, append=True, sync=True)
while (self.stop_sniffing_flag == False):
sniff(stop_filter=self.__packet_callback, timeout=1)
def __init__(self,
iface='',
newiface='mon0',
filename='',
outputmode=1,
savingPkt=0,
savingPcap=0,
filtermode='',
iHost=[]):
self.iface = iface #old interface
self.newiface = newiface #a new interface in monitor mode
self.sign = ['—', '\\', '|', '/'] #stupid thing :)
self.filename = filename #local pcap filename
self.sfilename = str(int(time.time()))
self.outputmode = outputmode #0->don't output, 1->output
self.savingPkt = savingPkt #0->don't save, 1->save
self.savingPcap = savingPcap
self.filtermode = '( tcp[13:1]==24 )' #'tcp[13:1]==24' -> only sniff tcp
self.iHost = iHost
if filtermode: self.filtermode += ' and ( %s )' % filtermode #
if self.savingPkt: InitPktsFile(self.sfilename)
if savingPcap:
self.pktdump = PcapWriter("./Pcaps/%s.pcap" % (self.sfilename),
append=True,
sync=True)
if self.iface == '' and filename:
print(putColor('[!]Offline Mode!', 'green'))
print(' [-]Filter:', putColor(self.filtermode, 'green'))
print(' [-]', end='')
ClearLine()
pkt = sniff(offline='./Pcaps/' + filename,
prn=self.Collector,
filter=self.filtermode,
store=0) #DO NOT USING store = 1!!!
#Or you'll see your memory BOOM
print()
else:
self.Init()
self.Exit()
def downstream_udp_packet_translation(self):
self.m_finished = False
self.packet_error = False
self.comment = "\n IPv4_PACKET_NORMAL_TRANSLATION"
q = Queue()
v6_cap_filter = 'src {}'.format(self.ipv6_destination_address)
sniffer = Thread(target=self.v6sniffer, args=(q, v6_cap_filter, 1))
sniffer.daemon = True
sniffer.start()
while not self.m_finished:
ip = IP(src=self.ipv4_source_address, dst=self.ipv4_destination_address)
udp = UDP(sport=self.ipv4_udp_or_tcp_source_port, dport=self.ipv4_udp_or_tcp_destination_port)
payload = "a" * 82
send(ip / udp / payload, iface=self.ipv4_interface, verbose=False)
if not q.empty():
file_name = self.comment.lower() + ".pcap"
pktdump = PcapWriter(file_name, append=True, sync=True)
while not q.empty():
pkt = q.get()
# print(pkt.show())
# file_name = self.comment.lower()+".pcap"
# wrpcap(file_name, pkt)
pktdump.write(pkt)
try:
pkt
except NameError:
self.comment += "\n IPv6 UDP Packet Not Received"
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
return
self.v6_address_check(pkt)
self.v6_port_check(pkt)
if pkt[0][1].nh == 44:
self.v6_address_check(pkt)
self.v6_port_check(pkt)
self.packet_error = True
self.comment += "\n Fragment Header added"
if self.packet_error:
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
print "Downstream UDP Packet: FAIL"
if not self.packet_error:
print "Downstream UDP Packet: PASS"
def echo_reply(self):
self.m_finished = False
self.packet_error = False
self.comment = "\n ICMPv6_ECHO_REPLY"
q = Queue()
v4_cap_filter = 'icmp and dst {}'.format(self.ipv4_source_address)
sniffer = Thread(target=self.v6sniffer, args=(q, v4_cap_filter, 1))
sniffer.daemon = True
sniffer.start()
while not self.m_finished:
ip = IPv6(src=self.ipv6_source_address, dst=self.ipv6_destination_address)
icmp = ICMPv6EchoReply()
icmp.id = self.ipv6_udp_or_tcp_source_port
payload = "H" * 10
send(ip / icmp / payload, iface=self.ipv6_interface, verbose=False)
if not q.empty():
file_name = self.comment.lower() + ".pcap"
pktdump = PcapWriter(file_name, append=True, sync=True)
while not q.empty():
pkt = q.get()
# print(pkt.show())
pktdump.write(pkt)
try:
pkt
except NameError:
self.comment += "\n ICMPv4 Packet not received"
print "Upstream Reply Respone: FAIL"
return
self.v4_address_check(pkt)
if pkt[0][1].proto != 1:
self.comment += "\n ICMPv6 not received"
self.packet_error = True
if pkt[0][2].type != 0:
self.comment += "\n Incorrect Type Number"
self.packet_error = True
if pkt[0][2].code != 0:
self.comment += "\n Incorrect Code Number"
self.packet_error = True
if self.packet_error:
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
print "Upstream Reply Respone: FAIL"
if not self.packet_error:
print "Upstream Reply Respone: PASS"
def upstream_mss_clamping(self):
self.m_finished = False
self.packet_error = False
self.comment = "\n IPv6_MSS_CLAMPING"
q = Queue()
v4_cap_filter = 'tcp and dst {}'.format(self.ipv4_source_address)
sniffer = Thread(target=self.v4sniffer, args=(q, v4_cap_filter, 1))
sniffer.daemon = True
sniffer.start()
while not self.m_finished:
ip = IPv6(src=self.ipv6_source_address, dst=self.ipv6_destination_address)
tcp = TCP(sport=self.ipv6_udp_or_tcp_source_port, dport=self.ipv6_udp_or_tcp_destination_port, flags="S",
seq=1001, options=[('MSS', 2000)])
payload = "a" * 82
send(ip / tcp / payload, iface=self.ipv6_interface, verbose=False)
if not q.empty():
file_name = self.comment.lower() + ".pcap"
pktdump = PcapWriter(file_name, append=True, sync=True)
while not q.empty():
pkt = q.get()
# print(pkt.show())
# file_name = self.comment.lower()+".pcap"
# wrpcap(file_name, pkt)
pktdump.write(pkt)
try:
pkt
except NameError:
self.comment += "\n IPv4 TCP Packet not received"
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
return
self.v4_address_check(pkt)
self.v4_port_check(pkt)
if pkt[0][2].options[0][1] != 1432:
self.comment += "\n MSS not clamped to 1432 - clamped to " + pkt[0][2].options[0][1]
self.packet_error = True
if self.packet_error:
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
print "Upstream TCP MSS Clamping: FAIL"
if not self.packet_error:
print "Upstream TCP MSS Clamping: PASS"
def _run_on_interface(self, args):
interfaces = []
join_to = []
if args.output_file:
self.out_writer = PcapWriter(args.output_file)
handle_queue_thread = Thread(target=self.handle_packet_queue)
handle_queue_thread.start()
join_to.append(handle_queue_thread)
for iface in args.ifaces:
interfaces.append(set_monitor_mode(iface))
sniff_thread = Thread(target=self.sniff, kwargs={"iface": iface})
sniff_thread.start()
join_to.append(sniff_thread)
if args.channel is None:
hopping_thread = Thread(target=self.channel_hopping,
kwargs={
"interfaces": interfaces,
"band": args.band
})
hopping_thread.start()
join_to.append(hopping_thread)
else:
for interface in interfaces:
check_chset(interface, args.channel)
prev_sig_handler = signal.signal(signal.SIGINT, self.sig_int_handler)
self.cmd.pfeedback(
"[i] Starting reconnaissance, press ctrl-c to stop...\n")
for th in join_to:
th.join()
if self.out_writer:
self.out_writer.close()
signal.signal(signal.SIGINT, prev_sig_handler)
def save(p):
global filepath
global filename
if _is_need_change(filepath,filename):
filename = _change_filename(filepath,filename)
print "modifying filename: {}".format(filename)
writer = PcapWriter(filepath+filename,append=True)
writer.write(p)
writer.flush()
writer.close()
if _is_need_change(filepath,filename):
shutil.move(filepath+filename,toUploadPath+filename)
def __init__(self, destination_folder, filter_list=[], or_filter=False):
self.destination_folder = destination_folder
self._nlogs = self._get_log_count()
self.packet_filters = []
for filter in filter_list:
try:
type, value = map(str.strip, filter.split("="))
self.add_filter(type, value)
except Exception as e:
print e
pass
self.or_filter = or_filter
self.current_log_file = "packet_log{n}.cap".format(n=self._nlogs)
self.packet_logger = PcapWriter(
self.destination_folder +
"packet_log{n}.cap".format(n=self._nlogs),
append=True,
sync=True)
def __init__(self):
parser = argparse.ArgumentParser(description='Version: 3.0; Running in Py2.x')
parser.add_argument("-i", default='', help="the interface you want to use")
parser.add_argument("-mi", default='mon0', help="name of the interface in monitor mode")
parser.add_argument("-f", default='', help="local pcap filename(in the offline mode)")
parser.add_argument("-o", default='1', help="show msg in the terminal? 0: No, 1: Yes")
parser.add_argument("-sPkt", default='1', help="save Pkts during snifffing? 0: No, 1: Yes")
parser.add_argument("-sPcap", default='0', help="save Pcap during snifffing? 0: No, 1: Yes")
parser.add_argument("-fm", default='', help="filter syntax used in scapy")
parser.add_argument("-iHF", default='iHost.txt', help="highlight these hosts when stop the sniffer(in the iHost.txt")
parser.add_argument("-fHF", default='fHost.txt', help="filter these hosts when show msg in terminal(in the fHost.txt")
args = parser.parse_args()
self.iface = args.i #old interface
self.newiface = args.mi #a new interface in monitor mode
self.sign = ['—','\\' ,'|' ,'/'] #stupid thing :)
self.filename = args.f #local pcap filename
self.sfilename = str(int(time.time()))
self.outputmode = args.o #0->don't output, 1->output
self.savingPkt = args.sPkt #0->don't save, 1->save
self.savingPcap = args.sPcap
self.filtermode = '( tcp[13:1]==24 )'#'tcp[13:1]==24' -> only sniff tcp
self.SrcIP = []
self.fHF = args.fHF
if args.fm: self.filtermode += ' and ( %s )' %args.fm #
if self.savingPkt == '1': InitPktsFile(self.sfilename)
if self.savingPcap == '1': self.pktdump = PcapWriter("./Pcaps/%s.pcap" %(self.sfilename), append=True, sync=True)
try:
with open(args.iHF, 'r') as fp:
self.iHost = re.findall('(\S+)', fp.read())
except:
ErrorDog(self.Exit)
if self.iface == '' and self.filename:
print putColor('[!]Offline Mode!', 'green')
print ' [-]Filter:', putColor(self.filtermode, 'green')
print ' [-]',
ClearLine()
try:
pkt = sniff(offline = './Pcaps/' + self.filename,
prn = self.Collector,
filter = self.filtermode,
store = 0)#DO NOT USING store = 1!!!
#Or you'll see your memory BOOM
print
except:
ErrorDog(self.Exit)
else: self.Init()
self.Exit()
def upstream_hop_limit_expired(self):
self.m_finished = False
self.packet_error = False
self.comment = "\n IPv6_Hot_Limit_EXPIRED"
q = Queue()
v6_cap_filter = 'icmp6 and dst {}'.format(self.ipv6_source_address)
sniffer = Thread(target=self.v6sniffer, args=(q, v6_cap_filter, 1))
sniffer.daemon = True
sniffer.start()
while not self.m_finished:
ip = IPv6(src=self.ipv6_source_address, dst=self.ipv6_destination_address, hlim=2)
udp = UDP(sport=self.ipv6_udp_or_tcp_source_port, dport=self.ipv6_udp_or_tcp_destination_port)
payload = "a" * 82
send(ip / udp / payload, iface=self.ipv6_interface, verbose=False)
if not q.empty():
file_name = self.comment.lower() + ".pcap"
pktdump = PcapWriter(file_name, append=True, sync=True)
while not q.empty():
pkt = q.get()
# print(pkt.show())
# file_name = self.comment.lower()+".pcap"
# wrpcap(file_name, pkt)
pktdump.write(pkt)
try:
pkt
except NameError:
self.comment += "\n ICMPv6 Hop Limit Expired not received"
fh = open("test_results.txt", "a")
fh.write(self.comment)
fh.close()
return
if pkt[0][1].nh != 58:
self.comment += "\n Packet Type is not ICMPv6 (Proto 58)"
self.packet_error = True
if pkt[0][2].type != 3:
self.comment += "\n Incorrect Type Number"
self.packet_error = True
if pkt[0][2].code != 0:
self.comment += "\n Incorrect Code Number"
self.packet_error = True
if not self.packet_error:
print "ICMPv6 Hop Limit Expired: PASS"
def __init__(self, iface, save, file__, curses): self.iface=iface self.save=save self.file__ = PcapWriter(file__, append=True, sync=True) if self.save else '' self.handshakes = 0 self.stop_hopper = False self.thread = self.chain_thread() self.curses = curses if self.curses: self.display = Display(self) signal.signal(signal.SIGINT, self.print_exit)
def modify_traffic(self, output_filename, fake_ttl=False,
src_mac=None, dst_mac=None, src_ip_addr=None, dst_ip_addr=None):
if fake_ttl is True and len(self.src_hosts_with_fake_ttl) == 0:
print("Please extract ip2hc table before modify traffic with fake ttl.")
# show modify request
request = "Generating " + output_filename + " with\n"
if fake_ttl:
request += " fake ttl\n"
if src_mac is not None:
request += " src mac:" + src_mac + "\n"
if dst_mac is not None:
request += " dst mac:" + dst_mac + "\n"
if src_ip_addr is not None:
request += " src ip addr:" + src_ip_addr + "\n"
if dst_ip_addr is not None:
request += " dst ip addr:" + dst_ip_addr + "\n"
print(request + "\n")
pcap_reader = PcapReader(self.pcap_filename)
pcap_writer = PcapWriter(output_filename)
counter = 0
while True:
pkt = pcap_reader.read_packet()
if pkt is None:
break
if not pkt.haslayer('Ether') or not pkt.haslayer('IP'):
continue
# ipv4 packets
counter += 1
ip_int = self.__ip_str2int(pkt['IP'].src)
if fake_ttl:
pkt['IP'].ttl = self.src_hosts_with_fake_ttl[ip_int]
if src_mac is not None:
pkt['Ethernet'].src = src_mac
if dst_mac is not None:
pkt['Ethernet'].dst = dst_mac
if src_ip_addr is not None:
pkt['IP'].src = src_ip_addr
if dst_ip_addr is not None:
pkt['IP'].dst = dst_ip_addr
pcap_writer.write(pkt)
if counter % 10000 == 0:
print("%d packets have been processed\n" % counter)
pcap_writer.flush()
pcap_writer.close()
pcap_reader.close()
def create_pcap_file(self, file_name, frame_size, number_of_frames,
incremental_ip_address,
src_ip="0.0.0.0",
dst_ip="0.0.0.0"):
current_frame = 0
writer = PcapWriter(file_name, append=False)
while current_frame < number_of_frames:
ip_id = 0 # current_frame % 0x10000
frame = self.create_tcp_ipv4_frame(ip_id, src_ip, dst_ip,
frame_size)
writer.write(frame)
if incremental_ip_address:
dst_ip = self.increment_ip_addr(dst_ip, 1)
current_frame += 1
writer.close()
def __init__(self):
super(PacketLogger, self).__init__("packetlogger")
self.destination_folder = self.config["destination_folder"]
self._nlogs = self._get_log_count()
self.packet_filters = []
filter_list = self.config["filters"]
for filter in filter_list:
try:
type, value = map(str.strip, filter.split("="))
self.add_filter(type, value)
except Exception as e:
print e
pass
self.or_filter = self.config["filter_mode"].lower() == "or"
self.current_log_file = "packet_log{n}.cap".format(n=self._nlogs)
self.packet_logger = PcapWriter(
self.destination_folder +
"packet_log{n}.cap".format(n=self._nlogs),
append=True,
sync=True)
def analyze(self,pcapFilename):
hl7Output =BASE_DIR+"/hl7/networkFiles/hl7PacketDump.pcap"
hl7Dump = PcapWriter((hl7Output),append=True,sync=True)
G = nx.DiGraph(directed=True)
print(unquote(pcapFilename))
pcapFilename = unquote(pcapFilename)
packets = rdpcap(pcapFilename)
networkSession = packets.sessions()
for session in networkSession:
for packet in networkSession[session]:
try:
if (str(packet[TCP].payload).startswith("b\'")) and str(packet[TCP].payload).endswith("r\'"):
hl7Dump.write(packet)
G.add_edge( (str(packet[IP].dst)+":"+str(packet[IP].dport)),(str(packet[IP].src)+":"+str(packet[TCP].sport)))
except:
continue
nx.draw(G, with_labels=True)
plt.show()
hl7Dump.close()
return hl7Output
class WrpcapSink(Sink):
"""Packets received on low input are written to PCAP file
.. code::
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
"""
def __init__(self, fname, name=None, linktype=None):
Sink.__init__(self, name=name)
self.fname = fname
self.f = None
self.linktype = linktype
def start(self):
self.f = PcapWriter(self.fname, linktype=self.linktype)
def stop(self):
if self.f:
self.f.flush()
self.f.close()
def push(self, msg):
if msg:
self.f.write(msg)
def main():
args = parse_args()
all_packet_dic = []
pkts = rdpcap(args.pcap)
for pkt in pkts:
if 'DNS' in pkt:
raw = str(pkt['DNS'])
d = read_dns_packet(raw, pkt, args.domain)
if d:
all_packet_dic.append(d)
if args.action == 'display':
for p in all_packet_dic:
pretty_print(p)
else:
n = args.pcap
ind = n.rfind('.')
new_pcap = n[:ind] + '.' + args.domain + '.' + n[ind + 1:]
pktdump = PcapWriter(new_pcap, append=True, sync=True)
addresses = []
for p in all_packet_dic:
pktdump.write(p['packet'])
if p['Answers']:
for a in p['Answers']:
if a[1] == 1:
addresses.append(a[4])
for pkt in pkts:
try:
if 'IP' in pkt and pkt[IP].src in addresses or pkt[
IP].dst in addresses:
pktdump.write(pkt)
except:
IndexError
class pcap_write(gr.sync_block):
def __init__(self, f):
gr.sync_block.__init__(self, "pcap_write", [], [])
self.message_port_register_in(pmt.intern("pdus"))
self.set_msg_handler(pmt.intern("pdus"), self.handler)
self.f = f
def start(self):
self.pcap = PcapWriter(self.f, append=True, sync=True)
def stop(self):
pass
def handler(self, pdu):
ba = bitarray.bitarray()
meta = pmt.car(pdu)
x = pmt.to_python(pmt.cdr(pdu))
z = l2.Raw(x.tostring())
self.pcap.write(z)
def work(self, input_items, output_items):
pass
def gen_ipv4_assemble_pcap():
"""Generate ipv4 assemble test case input pcap file."""
writer = PcapWriter(con.TLDK_TESTCONFIG + "/test_ipv4_assemble_rx.pcap",
append=False)
packets = create_packet(1066, False, 1024)
for packet in packets:
writer.write(packet)
writer.close()
def create_pcap_file_from_frames(self, file_name, frames):
writer = PcapWriter(file_name, append=False)
for frame in frames:
writer.write(frame)
writer.close()
class WrpcapSink(Sink):
"""
Writes :py:class:`Packet` on the low entry to a ``pcap`` file.
Ignores all messages on the high entry.
.. note::
Due to limitations of the ``pcap`` format, all packets **must** be of
the same link type. This class will not mutate packets to conform with
the expected link type.
.. code::
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
:param fname: Filename to write packets to.
:type fname: str
:param linktype: See :py:attr:`linktype`.
:type linktype: None or int
.. py:attribute:: linktype
Set an explicit link-type (``DLT_``) for packets. This must be an
``int`` or ``None``.
This is the same as the :py:func:`wrpcap` ``linktype`` parameter.
If ``None`` (the default), the linktype will be auto-detected on the
first packet. This field will *not* be updated with the result of this
auto-detection.
This attribute has no effect after calling :py:meth:`PipeEngine.start`.
"""
def __init__(self, fname, name=None, linktype=None):
# type: (str, Optional[str], Optional[int]) -> None
Sink.__init__(self, name=name)
self.fname = fname
self.f = None # type: Optional[PcapWriter]
self.linktype = linktype
def start(self):
# type: () -> None
self.f = PcapWriter(self.fname, linktype=self.linktype)
def stop(self):
# type: () -> None
if self.f:
self.f.flush()
self.f.close()
def push(self, msg):
# type: (Packet) -> None
if msg and self.f:
self.f.write(msg)
def convert_file(input_file, output_file):
pktdump = PcapWriter(output_file, append=False)
ip_table = IPTable()
port_table = PortTable()
flow_table = FlowTable()
with open(input_file) as tsv:
for line in csv.reader(tsv, dialect="excel-tab"): #You can also use delimiter="\t" rather than giving a dialect.
# order in file is:
# 0: Timestamp, 1: PktLen, 2: SrcIP, 3: DestIP, 4: SrcPort, 5: DestPort, 6: Prot,
# 7: SrcHostPrefix, 8: DestHostPrefix, 9: SrcRack, 10: DestRack, 11: SrcPod,
# 12: DestPod, 13: InterCluster, 14: InterDC
#src_ip = ip_table.lookup_rack_pod(line[2], line[9], line[11])
#dst_ip = ip_table.lookup_rack_pod(line[3], line[10], line[12])
src_ip = ip_table.lookup_prefix(line[2], line[7])
dst_ip = ip_table.lookup_prefix(line[3], line[8])
pkt = IP(src=src_ip, dst=dst_ip)
sport = port_table.lookup(line[4])
dport = port_table.lookup(line[5])
prot = int(line[6])
if prot == 6:
# TCP
pkt = pkt/TCP(sport=sport,dport=dport,flags=flow_table.get_flags(src_ip, dst_ip, sport, dport, prot))
elif prot == 17:
# UDP
pkt = pkt/UDP(sport=sport,dport=dport)
else:
continue
pkt.time = int(line[0])
pkt.len = int(line[1])
pktdump.write(pkt)
def sanitize(filepath_in,
filepath_out=None,
sequential=True,
ipv4_mask=0,
ipv6_mask=0,
mac_mask=0,
start_ipv4='10.0.0.1',
start_ipv6='2001:aa::1',
start_mac='00:aa:00:00:00:00'):
if not filepath_out:
timestamp = datetime.datetime.now().strftime('%y%m%d-%H%m%S')
filepath_out = os.path.splitext(filepath_in)[
0] + '_sanitized_' + timestamp + os.path.splitext(filepath_in)[1]
mac_gen = MACGenerator(sequential=sequential,
mask=mac_mask,
start_mac=start_mac)
ip4_gen = IPv4Generator(sequential=sequential,
mask=ipv4_mask,
start_ip=start_ipv4)
ip6_gen = IPv6Generator(sequential=sequential,
mask=ipv6_mask,
start_ip=start_ipv6)
with open(filepath_in) as capfile:
#open cap file with pcapfile
cap = savefile.load_savefile(capfile, verbose=False)
#use scapy's pcapwriter
pktwriter = PcapWriter(filepath_out, append=True)
try:
for pkt in cap.packets:
#create scapy packet from pcapfile packet raw output
pkt = Ether(pkt.raw())
#MAC addresses
pkt.src = mac_gen.get_mac(pkt.src)
pkt.dst = mac_gen.get_mac(pkt.dst)
#IP Address
try:
pkt['IP'].src = ip4_gen.get_ip(pkt['IP'].src)
pkt['IP'].dst = ip4_gen.get_ip(pkt['IP'].dst)
except IndexError:
pkt['IPv6'].src = ip6_gen.get_ip(pkt['IPv6'].src)
pkt['IPv6'].dst = ip6_gen.get_ip(pkt['IPv6'].dst)
pktwriter.write(pkt)
finally:
pktwriter.close()
return filepath_out.split('/')[-1]
def gen_ipv6_fragment_pcap():
"""Generate ipv6 fragment test case input pcap file."""
writer = PcapWriter(con.TLDK_TESTCONFIG + "/test_ipv6_fragment_rx.pcap",
append=False)
for i in range(1, 1454):
packets = create_packet(i, True)
for packet in packets:
writer.write(packet)
writer.close()
def gen_ipv4_checksum_pcap():
"""Generate ipv4 checksum test case input pcap file."""
writer = PcapWriter(con.TLDK_TESTCONFIG + "/test_ipv4_checksum_rx.pcap",
append=False)
for i in range(1, 1474):
packets = create_packet(i, False)
for packet in packets:
writer.write(packet)
writer.close()
def sniff_goose(interface):
print(
"GOOSE messages use IEEE 802.1Q for VLAN tagging and prioritization. Many network cards filter out the "
"content of this layer. If this is also the case for you, there are often ways to change this. Since it "
"varies from card to card you should google it. Otherwise you can answer 'Tagged VLANs' with n."
)
time_to_capture = int(input("Time to capture (in seconds) : "))
with_iee = input("Does your interface support tagged VLANs? (y/n): ")
capture_name = input("Name of the pcap file (without extension) : ")
print('\nSniffing GOOSE traffic from '
'\n[*] Interface: {} '
'\n[*] For:{} seconds '
'\n[*] Tagged VLANs: {} '
'\n'.format(interface, time_to_capture, with_iee))
if with_iee == "y":
# Sniffing the traffic from Publisher
print(
"All network packets with Ethernet, IEEE 802.1Q and RAW Layer are captured!"
)
traffic = sniff(iface=interface, timeout=time_to_capture)
output = PcapWriter(capture_name + ".pcap", append=True, sync=True)
for frame in traffic: # Checks all frames in traffic
if frame.haslayer(Ether) == 1 and frame.haslayer(
Dot1Q
) == 1 and frame.haslayer(
Raw
) == 1: # Checks if the frame has the Ethernet, IEEE802.1Q and Raw layer
output.write(frame) # Saves the frame
print("File saved as: " + capture_name)
elif with_iee == "n":
# Sniffing the traffic from Publisher
print("All network packets with Ethernet and RAW Layer are captured!")
traffic = sniff(iface=interface, timeout=time_to_capture)
output = PcapWriter(capture_name + ".pcap", append=True, sync=True)
for frame in traffic: # Checks all frames in traffic
if frame.haslayer(Ether) == 1 and frame.haslayer(
Raw
) == 1: # Checks if the frame has the Ethernet, and Raw layer
output.write(frame) # Saves the frame
print("File saved as: " + capture_name)
else:
print("Your Input was: ", with_iee, "It should be 'y' or 'n'!")
def scapy_sniff(self):
file = open('iface.setting', 'r')
iface = file.read()
file.close()
if iface == 'None':
data = sniff(prn=lambda x: x.summary()) #scapy的sniff嗅探
else:
data = sniff(iface=iface, prn=lambda x: x.summary())
print("Start analyzing packets...")
file = "sniff_data/" + time.strftime('%Y_%m_%d_%H_%M_%S') + ".pcap"
writer = PcapWriter(file, append=True)
for i in data:
writer.write(i)
writer.flush()
writer.close()
def classify_bysrc(file_name, file_to):
packages = scapy.rdpcap(file_name)
t_results = {}
for p in packages:
if (get_srcip(p) + get_dstip(p) in t_results):
t_results[get_srcip(p) + get_dstip(p)].append(p)
elif (get_dstip(p) + get_srcip(p) in t_results):
t_results[get_dstip(p) + get_srcip(p)].append(p)
else:
t_results[get_srcip(p) + get_dstip(p)] = []
t_results[get_srcip(p) + get_dstip(p)].append(p)
for key in t_results:
t_temp = t_results[key]
t_writer = PcapWriter(file_to + key + '.pcap', append=True)
for p in t_results[key]:
t_writer.write(p)
t_writer.flush()
t_writer.close()
def __init__(self, outfile, mtu=1500):
self.pcap = PcapWriter(filename=outfile, linktype=1)
self.mss = mtu - 40
self.connstate = {}
self.last_packet_tm = datetime.datetime(1970, 1, 1, 0, 0, 0)
self.last_timeout_tm = datetime.datetime(1970, 1, 1, 0, 0, 0)
def write(file_name, packets):
writer = PcapWriter(file_name, append = True)
for p in packets:
writer.write(p)
writer.flush()
writer.close()
def pre_scanning(self):
self.packet_logger = PcapWriter(self.destination_folder + self.current_log_file,
append=True, sync=True)
SessionManager().log_event(NeutralEvent("Packet Logger initiated."))
def refresh(self):
self._nlogs = self._get_log_count()
self.packet_logger = PcapWriter(self.destination_folder + "packet_log{n}.cap".format(n = self._nlogs),
append=True, sync=True)
if options == []:
print parser.print_help()
sys.exit(-1)
if not options.input_target or options.input_target == "":
print parser.print_help()
sys.exit(-1)
if not options.output_pcap or options.output_pcap == "":
print parser.print_help()
sys.exit(-1)
if options.srcip and validate_ip(options.srcip):
src = options.srcip
if options.dstip and validate_ip(options.dstip):
dst = options.dstip
#Open our packet dumper
pktdump = PcapWriter(options.output_pcap, sync=True)
def build_handshake(src,dst,sport,dport):
ipsrc = src
ipdst = dst
portsrc = sport
portdst = dport
# We don't deal with session wrap around so lets make the range smaller for now
# client_isn = random.randint(1024, (2**32)-1)
# server_isn = random.randint(1024, (2**32)-1)
client_isn = random.randint(1024, 10000)
server_isn = random.randint(1024, 10000)
syn = IP(src=ipsrc, dst=ipdst)/TCP(flags="S", sport=portsrc, dport=portdst, seq=client_isn)
synack = IP(src=ipdst, dst=ipsrc)/TCP(flags="SA", sport=portdst, dport=portsrc, seq=server_isn, ack=syn.seq+1)
ack = IP(src=ipsrc, dst=ipdst)/TCP(flags="A", sport=portsrc, dport=portdst, seq=syn.seq+1, ack=synack.seq+1)
class PacketLogger(AirScannerPlugin):
def __init__(self, config):
super(PacketLogger, self).__init__(config, "packetlogger")
self.destination_folder = self.config["destination_folder"]
self._nlogs = self._get_log_count()
self.packet_filters = []
filter_list = self.config["filters"]
self.filter_types = {
"bssid" : BSSIDPacketFilter,
"ssid" : SSIDPacketFilter,
"channel" : ChannelPacketFilter
}
for filter in filter_list:
try:
type, value = map(str.strip, filter.split("="))
self.add_filter(type, value)
except Exception as e:
print e
pass
self.or_filter = self.config["filter_mode"].lower() == "or"
self.current_log_file = "packet_log{n}.cap".format(n = self._nlogs)
self.packet_logger = None
def pre_scanning(self):
self.packet_logger = PcapWriter(self.destination_folder + self.current_log_file,
append=True, sync=True)
SessionManager().log_event(NeutralEvent("Packet Logger initiated."))
def _get_log_count(self):
# Get the number of existing log files
if os.path.exists(self.destination_folder):
return len(filter(lambda x: x.startswith("packet_log"), os.listdir(self.destination_folder)))
else:
os.mkdir(self.destination_folder)
return 0
def add_filter(self, filter_type, value):
filter = None
try:
filter = self.filter_types[filter_type](value)
except KeyError:
print "There is no filter definition for '{}'.".format(filter_type)
except:
pass
if filter:
self.packet_filters.append(filter)
def refresh(self):
self._nlogs = self._get_log_count()
self.packet_logger = PcapWriter(self.destination_folder + "packet_log{n}.cap".format(n = self._nlogs),
append=True, sync=True)
def log(self, packet, OR = False):
if(OR):
# Only needs to pass through 1 filter
for filter in self.packet_filters:
if filter.passes(packet):
self.packet_logger.write(packet)
return
else:
# Needs to pass through all filter
for filter in self.packet_filters:
if not filter.passes(packet):
return
self.packet_logger.write(packet)
def handle_packet(self, packet):
self.log(packet, self.or_filter)
def saz_to_pcap(sazpath):
if not sazpath.lower().endswith(".saz"):
return None
if not HAVE_SCAPY:
log.error("Scapy is required for SAZ to PCAP conversion.")
return None
tmpdir = ""
pcappath = "%s/%s.pcap" % (tempfile.mkdtemp(), os.path.basename(sazpath))
fiddler_raw_dir = ""
pktdump = PcapWriter(pcappath, sync=True)
try:
tmpdir = tempfile.mkdtemp()
except Exception as e:
log.error("Failed to Create temp dir for SAZ extraction %s" % (e))
return None
try:
z = zipfile.ZipFile(sazpath, "r")
except Exception as e:
log.error("Failed to open SAZ file as Zip extraction %s" % (e))
return None
try:
z.extractall(tmpdir)
z.close()
except Exception as e:
log.error("Failed to extract SAZ file to temp dir %s" % (e))
return None
if not os.path.isdir("%s/raw/" % (tmpdir)):
return None
fiddler_raw_dir = "%s/raw/" % (tmpdir)
m_file_list = glob.glob("%s/%s" % (fiddler_raw_dir, "*_m.xml"))
m_file_list.sort()
if m_file_list:
for xml_file in m_file_list:
sport = random.randint(1024, 65535)
src = "192.168.1.1"
smac = "00:11:22:aa:bb:cc"
dport = 80
dst = "10.1.1.1"
dmac = "c0:c1:c0:b7:ce:63"
dom = parse(xml_file)
m = re.match(r"^(?P<fid>\d+)_m\.xml", os.path.basename(xml_file))
if m:
fid = m.group("fid")
else:
log.error("Failed to find fiddler ID tag")
return None
xmlTags = dom.getElementsByTagName("SessionFlag")
for xmlTag in xmlTags:
xmlTag = xmlTag.toxml()
m = re.match(
r"\<SessionFlag N=\x22x-(?:client(?:ip\x22 V=\x22[^\x22]*?(?P<clientip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|port\x22 V=\x22(?P<sport>\d+))|hostip\x22 V=\x22[^\x22]*?(?P<hostip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\x22",
xmlTag,
)
# TODO:to enable this we need to track 5 tuples otherwise we have session reuse issues
# if m and m.group("sport"):
# sport = int(m.group("sport"))
if m and m.group("clientip") and src == None:
src = m.group("clientip")
elif m and m.group("hostip"):
dst = m.group("hostip")
req = open(fiddler_raw_dir + fid + "_c.txt").read()
m = re.match(
r"^(?P<verb>[^\r\n\s]+)\s+(?P<host_and_port>https?\:\/\/[^\/\r\n\:]+(\:(?P<dport>\d{1,5}))?)\/", req
)
if m and m.group("verb") != "CONNECT":
req = req.replace(m.group("host_and_port"), "", 1)
if m.group("dport") and int(m.group("dport")) <= 65535:
dport = int(m.group("dport"))
resp = open(fiddler_raw_dir + fid + "_s.txt").read()
(seq, ack) = build_handshake(src, dst, sport, dport, pktdump, smac, dmac)
(seq, ack) = make_pkts(src, dst, sport, dport, seq, ack, req, pktdump, smac, dmac)
(seq, ack) = make_pkts(dst, src, dport, sport, seq, ack, resp, pktdump, dmac, smac)
build_finshake(src, dst, sport, dport, seq, ack, pktdump, smac, dmac)
else:
m_file_list = glob.glob("%s/%s" % (fiddler_raw_dir, "*_c.txt"))
m_file_list.sort()
if m_file_list:
for xml_file in m_file_list:
sport = random.randint(1024, 65535)
dport = 80
src = "192.168.1.1"
smac = "00:11:22:aa:bb:cc"
dst = "10.1.1.1"
dmac = "c0:c1:c0:b7:ce:63"
m = re.match(r"^(?P<fid>\d+)_c\.txt", os.path.basename(xml_file))
if m:
fid = m.group("fid")
else:
log.error("Failed to find fiddler ID tag")
return None
req = open(fiddler_raw_dir + fid + "_c.txt").read()
m = re.match(
r"^(?P<verb>[^\r\n\s]+)\s+(?P<host_and_port>https?\:\/\/[^\/\r\n\:]+(\:(?P<dport>\d{1,5}))?)\/", req
)
if m and m.group("verb") != "CONNECT":
req = req.replace(m.group("host_and_port"), "", 1)
if m.group("dport") and int(m.group("dport")) <= 65535:
dport = int(m.group("dport"))
resp = open(fiddler_raw_dir + fid + "_s.txt").read()
(seq, ack) = build_handshake(src, dst, sport, dport, pktdump, smac, dmac)
(seq, ack) = make_pkts(src, dst, sport, dport, seq, ack, req, pktdump, smac, dmac)
(seq, ack) = make_pkts(dst, src, dport, sport, seq, ack, resp, pktdump, dmac, smac)
build_finshake(src, dst, sport, dport, seq, ack, pktdump, smac, dmac)
else:
log.error("Unsupported SAZ format")
return None
pktdump.close()
if tmpdir:
try:
shutil.rmtree(tmpdir)
except:
pass
return pcappath
if options == []:
print parser.print_help()
sys.exit(-1)
if not options.input_target or options.input_target == "":
print parser.print_help()
sys.exit(-1)
if not options.output_pcap or options.output_pcap == "":
print parser.print_help()
sys.exit(-1)
if options.srcip and validate_ip(options.srcip):
src = options.srcip
if options.dstip and validate_ip(options.dstip):
dst = options.dstip
#Open our packet dumper
pktdump = PcapWriter(options.output_pcap, sync=True)
pktdump.linktype = 1 # Ethernet
def build_handshake(src,dst,sport,dport):
ipsrc = src
ipdst = dst
portsrc = sport
portdst = dport
# We don't deal with session wrap around so lets make the range smaller for now
# client_isn = random.randint(1024, (2**32)-1)
# server_isn = random.randint(1024, (2**32)-1)
client_isn = random.randint(1024, 10000)
server_isn = random.randint(1024, 10000)
syn = Ether(src="00:01:02:03:04:05",dst="06:07:08:09:0a:0b",type=0x800)/IP(version=4L,src=ipsrc, dst=ipdst)/TCP(flags="S", sport=portsrc, dport=portdst, seq=client_isn)
synack = Ether(dst="00:01:02:03:04:05",src="06:07:08:09:0a:0b",type=0x800)/IP(version=4L,src=ipdst, dst=ipsrc)/TCP(flags="SA", sport=portdst, dport=portsrc, seq=server_isn, ack=syn.seq+1)
class NetworkStack():
"""Emulated network stack, processing log entries into network packets"""
class ConnState():
"""State for a single TCP connection"""
def __init__(self, logentry, tm, ctx):
self.src_addr = logentry['src_addr']
self.src_port = logentry['src_port']
self.dst_addr = logentry['dst_addr']
self.dst_port = logentry['dst_port']
self.tm = tm
self._ctx = ctx
def touch(self, tm):
if self.tm < tm:
self.tm = tm
def _write_packet(self, pkt):
pkt.time = (self.tm - datetime.datetime(1970, 1, 1)).total_seconds()
self._ctx.pcap.write(pkt)
self._ctx.last_packet_tm = self.tm
def _seq(self, addr, port, inc):
if self.src_addr == addr and self.src_port == port:
seq = self.src_seq
ack = self.dst_seq
self.src_seq += inc
else:
seq = self.dst_seq
ack = self.src_seq
self.dst_seq += inc
return (seq, ack)
def syn(self):
"""Send a TCP SYN handshake, opeining the connection"""
self.src_seq = random.randint(1024, (2**32)-1)
self.dst_seq = random.randint(1024, (2**32)-1)
self._write_packet(
Ether()/
IP(src=self.src_addr, dst=self.dst_addr)/
TCP(flags='S',
sport=self.src_port, dport=self.dst_port,
seq=self.src_seq)
)
self.src_seq += 1
self._write_packet(
Ether()/
IP(src=self.dst_addr, dst=self.src_addr)/
TCP(flags='SA',
sport=self.dst_port, dport=self.src_port,
seq=self.dst_seq, ack=self.src_seq)
)
self.dst_seq += 1
self._write_packet(
Ether()/
IP(src=self.src_addr, dst=self.dst_addr)/
TCP(flags='A',
sport=self.src_port, dport=self.dst_port,
seq=self.src_seq, ack=self.dst_seq)
)
def fin(self):
"""Send a TCP FIN handshake, closing current connection"""
self._write_packet(
Ether()/
IP(src=self.src_addr, dst=self.dst_addr)/
TCP(flags="FA",
sport=self.src_port, dport=self.dst_port,
seq=self.src_seq, ack=self.dst_seq)
)
self.src_seq += 1
self._write_packet(
Ether()/
IP(src=self.dst_addr, dst=self.src_addr)/
TCP(flags='A',
sport=self.dst_port, dport=self.src_port,
seq=self.dst_seq, ack=self.src_seq)
)
def data(self, logentry):
"""Send a TCP data segment within the connection"""
for segment in chunks(logentry['data'], self._ctx.mss):
seq, ack = self._seq(logentry['src_addr'],
logentry['src_port'], len(segment))
self._write_packet(
Ether()/
IP(src=logentry['src_addr'], dst=logentry['dst_addr'])/
TCP(flags='PA',
sport=logentry['src_port'],
dport=logentry['dst_port'],
seq=seq, ack=ack)/
segment
)
def __init__(self, outfile, mtu=1500):
self.pcap = PcapWriter(filename=outfile, linktype=1)
self.mss = mtu - 40
self.connstate = {}
self.last_packet_tm = datetime.datetime(1970, 1, 1, 0, 0, 0)
self.last_timeout_tm = datetime.datetime(1970, 1, 1, 0, 0, 0)
def _make5tuple(self, logentry):
"""Construct a canonical per-connection 5-tuple"""
if (logentry['src_addr'] < logentry['dst_addr']) or \
(logentry['src_addr'] == logentry['dst_addr'] and \
logentry['src_port'] < logentry['dst_port']):
return "tcp|%s|%d|%s|%d" % (logentry['src_addr'],
logentry['src_port'],
logentry['dst_addr'],
logentry['dst_port'])
else:
return "tcp|%s|%d|%s|%d" % (logentry['dst_addr'],
logentry['dst_port'],
logentry['src_addr'],
logentry['src_port'])
# Note that the chosen data structure for the internal state scales badly
# for large numbers of connections: O(n) search every minute. This needs
# to be rewritten using better data structures for scalability.
def add(self, logentry):
"""Process a log entry, keeping internal state"""
tm = parse_timestamp(logentry['timestamp'])
conn5tuple = self._make5tuple(logentry)
if not conn5tuple in self.connstate:
self.connstate[conn5tuple] = NetworkStack.ConnState(logentry, tm,
self)
self.connstate[conn5tuple].syn()
else:
self.connstate[conn5tuple].touch(tm)
self.connstate[conn5tuple].data(logentry)
# at most very 60 seconds, time out old connections (doesn't scale!)
if tm > self.last_timeout_tm + datetime.timedelta(0, 1, 0):
for conn in self.connstate:
if self.last_timeout_tm > self.connstate[conn5tuple].tm + \
datetime.timedelta(0, 1, 0):
self.connstate[conn5tuple].fin()
del self.connstate[conn5tuple]
self.last_timeout_tm = tm
def done(self):
"""We are done, all active connections can be closed"""
for conn in self.connstate:
self.connstate[conn].touch(self.last_packet_tm)
self.connstate[conn].fin()
self.pcap.close()
def start(self):
self.pcap = PcapWriter(self.f, append=True, sync=True)
def __init__(self, fname, name=None):
Sink.__init__(self, name=name)
self.f = PcapWriter(fname)
def __init__(self, fname):
self.f = PcapWriter(fname)
