def parse(self, raw):
assert isinstance(raw, bytes)
self.next = None # In case of unfinished parsing
self.raw = raw
dlen = len(raw)
if dlen < ipv4.MIN_LEN:
self.msg('warning IP packet data too short to parse header: data len %u' % (dlen,))
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1fff
self.dstip = IPAddr(self.dstip)
self.srcip = IPAddr(self.srcip)
if self.v != ipv4.IPv4:
self.msg('(ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
length = self.iplen
if length > dlen:
length = dlen # Clamp to what we've got
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.IGMP_PROTOCOL:
self.next = igmp(raw=raw[self.hl*4:length], prev=self)
elif dlen < self.iplen:
self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen))
else:
self.next = raw[self.hl*4:length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[self.hl*4:length]
def parse(self, raw):
assert isinstance(raw, bytes)
self.raw = raw
dlen = len(raw)
if dlen < ipv4.MIN_LEN:
self.msg('warning IP packet data too short to parse header: data len %u' % (dlen,))
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1fff
if self.v != ipv4.IPv4:
self.msg('ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
self.dstip = IPAddr(self.dstip)
self.srcip = IPAddr(self.srcip)
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
length = self.iplen
if length > dlen:
length = dlen # Clamp to what we've got
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(raw=raw[self.hl*4:length], prev=self)
elif dlen < self.iplen:
self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen))
else:
self.next = raw[self.hl*4:length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[self.hl*4:length]
def parse(self):
dlen = len(self.arr)
if dlen < ipv4.MIN_LEN:
self.msg(
'warning IP packet data too short to parse header: data len %u'
% dlen)
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', self.arr[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1f
if self.v != ipv4.IPv4:
self.msg('ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(arr=self.arr[self.hl * 4:], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(arr=self.arr[self.hl * 4:], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(arr=self.arr[self.hl * 4:], prev=self)
elif dlen < self.iplen:
self.msg(
'(ip parse) warning IP packet data shorter than IP len: %u < %u'
% (dlen, self.iplen))
else:
self.next = self.arr[self.hl * 4:].tostring()
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = self.arr[self.hl * 4:].tostring()
def parse(self):
dlen = len(self.arr)
if dlen < ipv4.MIN_LEN:
self.msg('warning IP packet data too short to parse header: data len %u' % dlen)
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', self.arr[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1f
if self.v != ipv4.IPv4:
self.msg('ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(arr=self.arr[self.hl*4:], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(arr=self.arr[self.hl*4:], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(arr=self.arr[self.hl*4:], prev=self)
elif dlen < self.iplen:
self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen))
else:
self.next = self.arr[self.hl*4:].tostring()
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = self.arr[self.hl*4:].tostring()
def icmp(self, packet, extractedAttIndex, printKey):
return icmp(self, packet, extractedAttIndex, printKey)
def parse(self, raw):
assert isinstance(raw, bytes)
self.next = None # In case of unfinished parsing
self.raw = raw
dlen = len(raw)
if dlen < ipv4.MIN_LEN:
self.msg(
'warning IP packet data too short to parse header: data len %u'
% (dlen, ))
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1fff
self.dstip = IPAddr(self.dstip)
self.srcip = IPAddr(self.srcip)
if self.v != ipv4.IPv4:
self.msg('(ip parse) warning: IP version %u not IPv4' % self.v)
return
if self.hl < 5:
self.msg('(ip parse) warning: IP header length shorter than MIN_LEN (IHL=%u => header len=%u)' \
% (self.hl, 4 * self.hl))
return
if self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning: Invalid IP len %u' % self.iplen)
return
if (self.hl * 4) > self.iplen:
self.msg('(ip parse) warning: IP header longer than IP length including payload (%u vs %u)' \
% (self.hl, self.iplen))
return
if (self.hl * 4) > dlen:
self.msg('(ip parse) warning: IP header is truncated')
return
self.raw_options = raw[self.MIN_LEN:self.hl * 4]
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
length = self.iplen
if length > dlen:
length = dlen # Clamp to what we've got
if self.frag != 0:
# We can't parse payloads!
self.next = raw[self.hl * 4:length]
elif self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.IGMP_PROTOCOL:
self.next = igmp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.GRE_PROTOCOL:
self.next = gre(raw=raw[self.hl * 4:length], prev=self)
elif dlen < self.iplen:
self.msg(
'(ip parse) warning IP packet data shorter than IP len: %u < %u'
% (dlen, self.iplen))
else:
self.next = raw[self.hl * 4:length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[self.hl * 4:length]
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
s.bind((HOST, 0))
# Include IP headers
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
# receive all packages
s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
data = recieveData(s)
unpackedData = struct.unpack("!BBHHHBBH4s4s", data[:20])
protocol = unpackedData[6]
ipobj = ip()
udpobj = udp()
icmpobj = icmp()
tcpobj = tcp()
# part for tcp protocol
if (ipobj.getProtocol(protocol) == "Transmission Control Protocol"):
tcpobj.parseTCP(data)
payloadTCP = data[40:]
# check payload if there is malicious signature
appDetect.checkAppDetectTCP(str(payloadTCP))
#blackList.checkBlackListTCP(str(payloadTCP))
browserFirefox.checkbrowserFirefoxTCP(str(payloadTCP))
# part for udp protocol
if (ipobj.getProtocol(protocol) == "User Datagram Protocol"):
udpobj.parseUDP(data)
