def check_validity(flags, i, r, c, l):
global pcap_obj, file, pcap_file
if flags['i']:
if flags['c']:
if c < 0:
print 'Count must be at least 0.'
return False
if flags['r']:
print 'Read and interface flags must be used exclusively.'
return False
if flags['l']:
try:
file = open(l, 'w')
except:
print 'Invalid logfile.'
return False
return True
elif flags['r']:
try:
if flags['l']:
try:
file = open(l, 'w')
except:
print 'Invalid logfile.'
return False
pcap_file = open(r, 'r')
pcap_obj = pcap.Reader(pcap_file)
return True
except:
print 'Invalid pcap file.'
raise
return False
else:
print 'Interface or read flag required.'
return False
def merge_cap_files(pcap_file_list, out_filename, delete_src=False):
out_pkts = []
if not all([os.path.exists(f) for f in pcap_file_list]):
print "failed to merge cap file list...\nnot all files exist\n"
return
# read all packets to a list
for src in pcap_file_list:
f = open(src, 'r')
reader = pcap.Reader(f)
pkts = reader.readpkts()
out_pkts += pkts
f.close()
if delete_src:
os.unlink(src)
# sort by the timestamp
out_pkts = sorted(out_pkts, key=itemgetter(0))
out = open(out_filename, 'w')
out_writer = pcap.Writer(out)
for ts, pkt in out_pkts:
out_writer.writepkt(pkt, ts)
out.close()
def __pcap_to_df(pcap_file: str) -> pd.DataFrame:
with open(pcap_file, "rb") as f:
_pcap = pcap.Reader(f)
ref_time = None
data = []
for ts, buf in _pcap:
eth = ethernet.Ethernet(buf)
ip = eth.data
tcp = ip.data
if ref_time is None:
ref_time = ts
direction = 1 if tcp.sport == 22 else -1
data.append({
"time": (ts - ref_time) * 1000,
"size": direction * ip.len
})
if len(data) == 0:
data.append({"time": 0, "size": 0})
return pd.DataFrame(data, columns=["time", "size"])
def compare_caps (self, cap1, cap2, max_diff_sec = 0.01):
f1 = open(cap1, 'r')
reader1 = pcap.Reader(f1)
pkts1 = reader1.readpkts()
f2 = open(cap2, 'r')
reader2 = pcap.Reader(f2)
pkts2 = reader2.readpkts()
assert_equal(len(pkts1), len(pkts2))
for pkt1, pkt2, i in zip(pkts1, pkts2, xrange(1, len(pkts1))):
ts1 = pkt1[0]
ts2 = pkt2[0]
if abs(ts1-ts2) > 0.000005: # 5 nsec
raise AssertionError("TS error: cap files '{0}', '{1}' differ in cap #{2} - '{3}' vs. '{4}'".format(cap1, cap2, i, ts1, ts2))
if pkt1[1] != pkt2[1]:
raise AssertionError("RAW error: cap files '{0}', '{1}' differ in cap #{2}".format(cap1, cap2, i))
def start(self, callback):
# read pcap file
filePath = self.config.get('Reader', 'input_file')
fileContents = open(filePath)
pcapFile = pcap.Reader(fileContents)
# parse all lines of pcap file
for timestamp, data in pcapFile:
callback(data)
if self.pause:
raw_input("Press Enter to continue...")
print 'End of input file reached'
def read_pcap(filepath):
with open(filepath, "rb") as pcap_file:
filename, file_extension = os.path.splitext(filepath)
if file_extension == ".pcap":
pcap_data = pcap.Reader(pcap_file)
elif file_extension == ".pcapng":
pcap_data = pcapng.Reader(pcap_file)
else:
raise ValueError("pcap and pcapng is supported!")
for ts, buf in pcap_data:
eth = Ethernet(buf)
ip = eth.data
tcp = ip.data
def parse_pcaps():
"""
Iterates over all pcap files, registers all ports that are contacted before
target port is reached, per file.
"""
# get pcap files from directory
ports = {}
pcap_file_names = get_pcap_files()
for pcap_file_name in pcap_file_names:
# print("reading %s" % pcap_file_name)
f = open(pcap_file_name)
pcap_file = pcap.Reader(f)
# iterate over all packets inside pcap
for ts, buf in pcap_file:
eth = ethernet.Ethernet(buf)
ip = eth.data
# only process TCP packets
if (type(ip.data) is tcp.TCP and ip.data.flags == 2):
tcp_packet = ip.data
port = tcp_packet.dport
# stop iteration if target port is found
if (port in [80]):
break
# otherwise, increment counter
else:
if port in ports:
ports[port] += 1
else:
ports[port] = 1
f.close()
# convert dict to list of tuples so it can be sorted
ports_list = []
for port in ports:
port_tuple = (port, ports[port])
ports_list.append(port_tuple)
# sort list
return sorted(ports_list, key=lambda x: x[1], reverse=True)
def read_pcap(path):
data = []
try:
with open(path, 'rb') as f:
src = pcap.Reader(f)
for index, [ts, buf] in enumerate(src):
# List of dictionaries
data.append({
'index': index + 1, # to correlate with Wireshark indexing
'ts': ts,
'buf': buf
})
f.close()
return data
except IOError:
print('Unable to read file')
exit(1)
def parse_pcaps():
"""
Iterate over all pcap files and check whether target ports were opened or closed
Returns a tuple of (<total_scans>, <open_ports_count>)
"""
# get pcap files from directory
pcap_file_names = get_pcap_files()
total_scans = 0
open_target_ports = 0
# iterate over pcap file
for pcap_file_name in pcap_file_names:
f = open(pcap_file_name)
pcap_file = pcap.Reader(f)
total_scans += 1
# iterate over all packets inside pcap
for ts, buf in pcap_file:
eth = ethernet.Ethernet(buf)
ip = eth.data
# only process TCP packets
try:
if (type(ip.data) is tcp.TCP
and ip.data.sport in target_ports):
# SYN,ACK flag indicates that port is open
if (ip.data.flags == 18):
open_target_ports += 1
print("Found open port %d with flag %d" %
(ip.data.sport, ip.data.flags))
break
except:
pass
f.close()
return (total_scans, open_target_ports)
from dpkt import pcap,ethernet,UnpackError,tcp,ip
from sys import argv
def parseIP(hexstring):
attackip = []
for i in range(0, len(hexstring), 2):
attackip.append(str(int(hexstring[i:i + 2], 16)))
print attackip[0] + '.' + attackip[1] + '.' + attackip[2] + '.' + attackip[3]
f=open(argv[1],"rb")
pcap = pcap.Reader(f)
dict = {}
for ts, buf in pcap:
try:
eth = ethernet.Ethernet(buf)
except UnpackError:
continue
if eth.type != ethernet.ETH_TYPE_IP: continue
ip = eth.data
if ip.p == 6:
packet = ip.data
if packet.flags & tcp.TH_SYN != 0:
if ip.src not in dict: dict[ip.src] = {'SYN': 0, 'SYN+ACK': 0}
if ip.dst not in dict: dict[ip.dst] = {'SYN': 0, 'SYN+ACK': 0}
if packet.flags & tcp.TH_ACK != 0:
dict[ip.dst]['SYN+ACK'] += 1
else:
csv_header = ['connection']
for i in xrange(1, _PRECEDING_PACKETS_NUM + 1):
csv_header.append('packet ' + str(i) + ' size')
csv_header.append('packet count A')
csv_header.append('packet count B')
csv_header.append('packet count A+B')
csv_header.append('byte count A')
csv_header.append('byte count B')
csv_header.append('byte count A+B')
csv_header.append('dport')
csv_header.append('sport')
csv_header.append('label')
fo_writer.writerow(csv_header)
# Prepare PCAP reader
pcapin = pcap.Reader(fi)
cons = {} # set of connections
features = {} # set of features
for ts, buf in pcapin:
try:
pkt = mpkt.Packet(buf)
except mpkt.PacketError:
continue
name = pkt.get5tuple().toString()
name_rev = pkt.get5tuple().reversal().toString()
# Append to connections list if this is a SYN-SENT, or reset it
if name not in cons and pkt.isFlags('SYN'):
cons[name] = mpkt.Connection.from5tuple(ts, pkt.get5tuple())
features[name] = Feature.from5tuple(pkt.get5tuple())
def _filter_pcap(self, output_pcap):
"""Using a provided file with XML flow summaries, create a
new PCAP file with the flows in the XML file.
:param output_pcap: Path for the new PCAP file.
"""
try:
print("Opening file: {0}".format(self._pcap))
f = open(self._pcap)
raw_pcap = pcap.Reader(f)
pckt_num = 0
for ts, buf in raw_pcap:
pckt_num += 1
if not pckt_num % 1000:
# Print every thousandth packets, just to monitor
# progress.
print("\tProcessing packet #{0}".format(pckt_num))
# Loop through packets in PCAP file
eth = ethernet.Ethernet(buf)
if eth.type != ETH_TYPE_IP:
# We are only interested in IP packets
continue
ip = eth.data
ip_src = socket.inet_ntop(socket.AF_INET, ip.src)
ip_dst = socket.inet_ntop(socket.AF_INET, ip.dst)
ip_proto = ip.p
match = False
for flow in self._raw_data:
# Does this packet match a flow in the raw data?
if ((ip_src == flow["source"]
and ip_dst == flow["destination"])
or (ip_src == flow["destination"]
and ip_dst == flow["source"])):
if ip_proto == IP_PROTO_TCP and flow[
"protocolName"] == "tcp_ip":
tcp = ip.data
if self._check_port_num(tcp.sport, tcp.dport,
flow["sourcePort"],
flow["destinationPort"]):
if self._check_timestamp(
ts, flow["startDateTime"],
flow["stopDateTime"]):
# We have found a match, stop looping
match = True
break
elif ip_proto == IP_PROTO_UDP and flow[
"protocolName"] == "udp_ip":
udp = ip.data
if self._check_port_num(udp.sport, udp.dport,
flow["sourcePort"],
flow["destinationPort"]):
if self._check_timestamp(
ts, flow["startDateTime"],
flow["stopDateTime"]):
# We have found a match, stop looping
match = True
break
elif ip_proto == IP_PROTO_ICMP and flow[
"protocolName"] == "icmp_ip":
if self._check_timestamp(ts, flow["startDateTime"],
flow["stopDateTime"]):
# We have found a match, stop looping
break
match = True
elif ip_proto == IP_PROTO_IGMP and flow[
"protocolName"] == "igmp":
if self._check_timestamp(ts, flow["startDateTime"],
flow["stopDateTime"]):
# We have found a match, stop looping
match = True
break
if match:
# The packet matches the flow. Append the packet data
# to the new PCAP file and move onto the next packet.
try:
print(
"\tWrting packet to file: {0}".format(output_pcap))
f_out = open(output_pcap, "ab")
pcap_out = pcap.Writer(f_out)
pcap_out.writepkt(buf, ts=ts)
except:
exc_type, exc_value, exc_traceback = sys.exc_info()
print("ERROR writing to file: {0}.\n\t"
"Exception: {1}, {2}, {3}".format(
output_pcap, exc_type, exc_value,
exc_traceback))
sys.exit(1)
finally:
f_out.close
except:
exc_type, exc_value, exc_traceback = sys.exc_info()
print("ERROR reading from file: {0}.\n\tException: {1}, "
"{2}, {3}".format(self._pcap, exc_type, exc_value,
exc_traceback))
sys.exit(1)
finally:
f.close()