def decodeLayer4(self, ipProtocolNum, l3Payload):
if ipProtocolNum == Packets.UDP.protocol:
l4Proto = "UDP"
l4Decoder = Decoders.UDPDecoder()
layer4 = l4Decoder.decode(l3Payload)
l4SrcPort = layer4.get_uh_sport()
l4DstPort = layer4.get_uh_dport()
l4Payload = layer4.get_data_as_string()
return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
elif ipProtocolNum == Packets.TCP.protocol:
l4Proto = "TCP"
l4Decoder = Decoders.TCPDecoder()
layer4 = l4Decoder.decode(l3Payload)
l4SrcPort = layer4.get_th_sport()
l4DstPort = layer4.get_th_dport()
l4Payload = layer4.get_data_as_string()
return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
else:
warnMessage = _(
"Cannot import one of the provided packets since " +
"its layer 4 is unsupported (Only UDP and TCP " +
"are currently supported, packet IP protocol " +
"number = {0})").format(ipProtocolNum)
self.log.warn(warnMessage)
raise NetzobImportException("PCAP", warnMessage, WARNING,
self.INVALID_LAYER4)
def __decodeLayer4(self, ipProtocolNum, l3Payload):
"""Internal method that parses the specified header and extracts
layer4 related proprieties."""
if ipProtocolNum == Packets.UDP.protocol:
l4Proto = "UDP"
l4Decoder = Decoders.UDPDecoder()
layer4 = l4Decoder.decode(l3Payload)
l4SrcPort = layer4.get_uh_sport()
l4DstPort = layer4.get_uh_dport()
l4Payload = layer4.get_data_as_string()
return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
elif ipProtocolNum == Packets.TCP.protocol:
l4Proto = "TCP"
l4Decoder = Decoders.TCPDecoder()
layer4 = l4Decoder.decode(l3Payload)
l4SrcPort = layer4.get_th_sport()
l4DstPort = layer4.get_th_dport()
l4Payload = layer4.get_data_as_string()
return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
else:
warnMessage = _(
"Cannot import one of the provided packets since " +
"its layer 4 is unsupported (Only UDP and TCP " +
"are currently supported, packet IP protocol " +
"number = {0})").format(ipProtocolNum)
self._logger.warn(warnMessage)
raise NetzobImportException("PCAP", warnMessage,
self.INVALID_LAYER4)
def decodeLayer4(self, ipProtocolNum, l3Payload):
if ipProtocolNum == Packets.UDP.protocol:
l4Proto = "UDP"
l4Decoder = Decoders.UDPDecoder()
layer4 = l4Decoder.decode(l3Payload)
l4SrcPort = layer4.get_uh_sport()
l4DstPort = layer4.get_uh_dport()
l4Payload = layer4.get_data_as_string()
return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
elif ipProtocolNum == Packets.TCP.protocol:
l4Proto = "TCP"
l4Decoder = Decoders.TCPDecoder()
layer4 = l4Decoder.decode(l3Payload)
l4SrcPort = layer4.get_th_sport()
l4DstPort = layer4.get_th_dport()
l4Payload = layer4.get_data_as_string()
return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
else:
warnMessage = "Cannot import one of the provided packets since its layer 4 is unsupported (Only UDP and TCP are currently supported, packet IP protocol number = {0})".format(ipProtocolNum)
logging.warn(warnMessage)
def get_linux_packets(pcap_file):
'''
This program pairs UDP probes and ICMP error packets.
Furthermore it records all unique protocols seen.
It also collects fragmets of ip datagrams, if there are any.
'''
print("get_linux_packets")
cap = open_offline(pcap_file)
header, payload = cap.next()
udp = 17
icmp = 1
icmp_echo = 8
icmp_error = 11
dns = 53
stp = 123
icmp_pairs = {}
packets = []
protocls = []
i = 0
j = 0
k = 0
num_icmp = 0
banana = 0
icmp_keys = []
udp_keys = []
pairs = []
original_src = 0
original_dst = 0
fragments = {}
while header:
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(payload)
if not is_ip(ether):
header, payload = cap.next()
continue
iphdr = ether.child()
proto = iphdr.get_ip_p()
if proto not in protocls:
protocls.append(proto)
if proto != icmp and proto != udp:
header, payload = cap.next()
continue
if proto == udp:
udp_pkt = iphdr.child()
src_p = udp_pkt.get_uh_sport()
dst_p = udp_pkt.get_uh_dport()
if (src_p == dns or dst_p == dns) or (src_p == stp
or dst_p == stp):
header, payload = cap.next()
continue
if iphdr.get_ip_ttl() == 1:
original_src = iphdr.get_ip_src()
original_dst = iphdr.get_ip_dst()
key = str(src_p) + str(dst_p)
udp_keys.append(key)
if key not in icmp_pairs:
icmp_pairs[key] = u_pckt(header, udp_pkt, iphdr,
header.getts())
j += 1
if proto == icmp:
num_icmp += 1
icmp_pckt = iphdr.child()
if icmp_pckt.get_icmp_type(
) == icmp_error or 3: # and banana == 0:
banana += 1
ether_off = ether.get_header_size()
ip_off = iphdr.get_header_size()
ic_off = icmp_pckt.get_header_size()
total_off = ether_off + ip_off + ic_off
uh_decoder = ImpactDecoder.UDPDecoder()
original_udp = uh_decoder.decode(payload[total_off + 20:])
key = str(original_udp.get_uh_sport()) + str(
original_udp.get_uh_dport())
icmp_keys.append(key)
if key in icmp_pairs:
pair1 = icmp_pairs.pop(key)
pairs.append((pair1,
ic_pckt(header, icmp_pckt, iphdr,
header.getts())))
fragment_offset = iphdr.get_ip_off() << 3
if iphdr.get_ip_src() == original_src and iphdr.get_ip_dst(
) == original_dst:
if not iphdr.get_ip_df() and (iphdr.get_ip_mf() == 1
or fragment_offset > 0):
if iphdr.get_ip_id() not in fragments:
fragments[iphdr.get_ip_id()] = [] #1
fragments[iphdr.get_ip_id()].append(iphdr)
else:
fragments[iphdr.get_ip_id()].append(iphdr) #+= 1
else:
if iphdr.get_ip_id() in fragments:
fragments[iphdr.get_ip_id()].append(iphdr) #+= 1
header, payload = cap.next()
probe_packets = []
keys_in_pp = []
for pair in pairs:
if (pair[0].ip_header.get_ip_src() == original_src
or pair[0].ip_header.get_ip_dst() == original_dst):
probe_packets.append(pair[0])
keys_in_pp.append(pair[0].ip_header.get_ip_id())
for key in icmp_pairs:
if (icmp_pairs[key].ip_header.get_ip_src() == original_src or icmp_pairs[key].ip_header.get_ip_dst()==original_dst) and \
icmp_pairs[key].ip_header.get_ip_id() not in keys_in_pp:
probe_packets.append(icmp_pairs[key])
probe_packets.sort(key=lambda x: x.get_ts())
pairs.sort(key=lambda x: x[0].ip_header.get_ip_ttl())
return pairs, protocls, fragments, probe_packets