def setupPcap(self):
device = libpcap.pcap_findalldevs()[0]
self.pcap = libpcap.pcap_open_live(device, self.snaplen, self.promisc,
self.to_ms)
bpf = libpcap.bpf_program()
libpcap.pcap_compile(self.pcap, self.pcap_filter, bpf)
libpcap.pcap_setfilter(self.pcap, bpf)
def forever():
try:
handle = libpcap.pcap_open_live(DEVICE, SNAPLEN, PROMISC, TIMEOUT_MS)
if handle:
bpf = libpcap.bpf_program()
libpcap.pcap_compile(handle, BPF_FILTER, bpf)
libpcap.pcap_setfilter(handle, bpf)
while 1:
pkt_hdr, pkt_data = libpcap.pcap_next(handle)
packet = libpcap.Packet(pkt_hdr, pkt_data)
processPackets(packet)
except KeyboardInterrupt:
print "Trap Ctrl+C."
print "Exiting..."
sys.exit(0)
def forever():
try:
handle = libpcap.pcap_open_live(DEVICE, SNAPLEN, PROMISC, TIMEOUT_MS)
if handle:
bpf = libpcap.bpf_program()
libpcap.pcap_compile(handle, BPF_FILTER, bpf)
libpcap.pcap_setfilter(handle, bpf)
while(1):
pkt_hdr, pkt_data = libpcap.pcap_next(handle)
packet = libpcap.Packet(pkt_hdr, pkt_data)
processPackets(packet)
except KeyboardInterrupt:
print "Trap Ctrl+C."
print "Exiting..."
sys.exit(0)
def _capture_single_device(
device: str, filter_expression: str, data_link_hints: typing.Sequence[int]
) -> typing.Optional[object]:
"""
Returns None if the interface managed by this device is not up or if it cannot be captured from for other reasons.
On GNU/Linux, some virtual devices (like netfilter devices) can only be accessed by a superuser.
The function will configure libpcap to use the first supported data link type from the list.
If none of the specified data link types are supported, a log message is emitted but no error is raised.
The available link types are listed in https://www.tcpdump.org/linktypes.html.
"""
import libpcap as pcap
def status_to_str(error_code: int) -> str:
"""
Some libpcap-compatible libraries (e.g., WinPCap) do not have this function, so we have to define a fallback.
"""
try:
return str(pcap.statustostr(error_code).decode())
except AttributeError: # pragma: no cover
return f"[error {error_code}]"
# This is helpful: https://github.com/karpierz/libpcap/blob/master/tests/capturetest.py
err_buf = ctypes.create_string_buffer(pcap.PCAP_ERRBUF_SIZE)
pd = pcap.create(device.encode(), err_buf)
if pd is None:
raise LinkLayerCaptureError(f"Could not instantiate pcap_t for {device!r}: {err_buf.value.decode()}")
try:
# Non-fatal errors are intentionally logged at a low severity level to not disturb the user unnecessarily.
err = pcap.set_snaplen(pd, _SNAPSHOT_LENGTH)
if err != 0:
_logger.info("Could not set snapshot length for %r: %r", device, status_to_str(err))
err = pcap.set_timeout(pd, int(_BUFFER_TIMEOUT * 1e3))
if err != 0:
_logger.info("Could not set timeout for %r: %r", device, status_to_str(err))
err = pcap.set_promisc(pd, 1)
if err != 0:
_logger.info("Could not enable promiscuous mode for %r: %r", device, status_to_str(err))
err = pcap.activate(pd)
if err in (pcap.PCAP_ERROR_PERM_DENIED, pcap.PCAP_ERROR_PROMISC_PERM_DENIED):
raise PermissionError(f"Capture is not permitted on {device!r}: {status_to_str(err)}")
if err == pcap.PCAP_ERROR_IFACE_NOT_UP:
_logger.debug("Device %r is not capturable because the iface is not up. %s", device, status_to_str(err))
pcap.close(pd)
return None
if err < 0:
_logger.info(
"Could not activate capture on %r: %s; %s", device, status_to_str(err), pcap.geterr(pd).decode()
)
pcap.close(pd)
return None
if err > 0:
_logger.info(
"Capture on %r started successfully, but libpcap reported a warning: %s", device, status_to_str(err)
)
# https://www.tcpdump.org/manpages/pcap_set_datalink.3pcap.html
for dlt in data_link_hints:
err = pcap.set_datalink(pd, dlt)
if err == 0:
_logger.debug("Device %r is configured to use the data link type %r", device, dlt)
break
else:
_logger.debug(
"Device %r supports none of the following data link types: %r. Last error was: %s",
device,
list(data_link_hints),
pcap.geterr(pd).decode(),
)
# https://www.tcpdump.org/manpages/pcap_compile.3pcap.html
code = pcap.bpf_program() # This memory needs to be freed when closed. Fix it later.
err = pcap.compile(pd, ctypes.byref(code), filter_expression.encode(), 1, pcap.PCAP_NETMASK_UNKNOWN)
if err != 0:
raise LinkLayerCaptureError(
f"Could not compile filter expression {filter_expression!r}: {status_to_str(err)}; "
f"{pcap.geterr(pd).decode()}"
)
err = pcap.setfilter(pd, ctypes.byref(code))
if err != 0:
raise LinkLayerCaptureError(f"Could not install filter: {status_to_str(err)}; {pcap.geterr(pd).decode()}")
except Exception:
pcap.close(pd)
raise
return typing.cast(object, pd)
def main(argv=sys.argv):
global program_name
program_name = os.path.basename(sys.argv[0])
try:
opts, args = getopt.getopt(argv[1:], "i:sptn")
except getopt.GetoptError:
usage()
device = None
doselect = False
dopoll = False
mechanism = None
dotimeout = False
dononblock = False
for opt, optarg in opts:
if opt == '-i':
device = optarg.encode("utf-8")
elif opt == '-s':
doselect = True
mechanism = "select() and pcap_dispatch()"
elif opt == '-p':
dopoll = True
mechanism = "poll() and pcap_dispatch()"
elif opt == '-t':
dotimeout = True
elif opt == '-n':
dononblock = True
else:
usage()
expression = args
if doselect and dopoll:
print("selpolltest: choose select (-s) or poll (-p), but not both",
file=sys.stderr)
return 1
if dotimeout and not doselect and not dopoll:
print("selpolltest: timeout (-t) requires select (-s) or poll (-p)",
file=sys.stderr)
return 1
ebuf = ct.create_string_buffer(pcap.PCAP_ERRBUF_SIZE)
if device is None:
devlist = ct.POINTER(pcap.pcap_if_t)()
if pcap.findalldevs(ct.byref(devlist), ebuf) == -1:
error("{!s}", ebuf.value.decode("utf-8", "ignore"))
if not devlist:
error("no interfaces available for capture")
device = devlist[0].name
pcap.freealldevs(devlist)
ebuf.value = b""
pd = pcap.open_live(device, 65535, 0, 1000, ebuf)
if not pd:
error("{!s}", ebuf.value.decode("utf-8", "ignore"))
elif ebuf.value:
warning("{!s}", ebuf.value.decode("utf-8", "ignore"))
localnet = pcap.bpf_u_int32()
netmask = pcap.bpf_u_int32()
if pcap.lookupnet(device, ct.byref(localnet), ct.byref(netmask), ebuf) < 0:
localnet = pcap.bpf_u_int32(0)
netmask = pcap.bpf_u_int32(0)
warning("{!s}", ebuf.value.decode("utf-8", "ignore"))
fcode = pcap.bpf_program()
cmdbuf = " ".join(expression).encode("utf-8")
if pcap.compile(pd, ct.byref(fcode), cmdbuf, 1, netmask) < 0:
error("{!s}", pcap.geterr(pd).decode("utf-8", "ignore"))
if pcap.setfilter(pd, ct.byref(fcode)) < 0:
error("{!s}", pcap.geterr(pd).decode("utf-8", "ignore"))
if doselect or dopoll:
# We need either an FD on which to do select()/poll()
# or, if there isn't one, a timeout to use in select()/
# poll().
try:
selectable_fd = pcap.get_selectable_fd(pd)
except AttributeError:
error("pcap.get_selectable_fd is not available on this platform")
if selectable_fd == -1:
print("Listening on {!s}, using {}, with a timeout".format(
device.decode("utf-8"), mechanism))
try:
required_timeout = pcap.get_required_select_timeout(pd)
except AttributeError:
error("pcap.get_required_select_timeout is not available "
"on this platform")
if not required_timeout:
error("select()/poll() isn't supported on {!s}, "
"even with a timeout", device.decode("utf-8"))
required_timeout = required_timeout[0]
# As we won't be notified by select() or poll()
# that a read can be done, we'll have to periodically
# try reading from the device every time the required
# timeout expires, and we don't want those attempts
# to block if nothing has arrived in that interval,
# so we want to force non-blocking mode.
dononblock = True
else:
print("Listening on {!s}, using {}".format(
device.decode("utf-8"), mechanism))
required_timeout = None
else:
print("Listening on {!s}, using pcap_dispatch()".format(
device.decode("utf-8")))
if dononblock:
if pcap.setnonblock(pd, 1, ebuf) == -1:
error("pcap.setnonblock failed: {!s}",
ebuf.value.decode("utf-8", "ignore"))
status = 0
if doselect:
while True:
try:
if dotimeout:
seltimeout = (0 + (required_timeout.tv_usec
if required_timeout is not None and
required_timeout.tv_usec < 1000
else 1000) / 1000000.0)
rfds, wfds, efds = select.select([selectable_fd], [],
[selectable_fd], seltimeout)
elif required_timeout is not None:
seltimeout = (required_timeout.tv_sec +
required_timeout.tv_usec / 1000000.0)
rfds, wfds, efds = select.select([selectable_fd], [],
[selectable_fd], seltimeout)
else:
rfds, wfds, efds = select.select([selectable_fd], [],
[selectable_fd])
except select.error as exc:
print("Select returns error ({})".format(exc.args[1]))
else:
if selectable_fd == -1:
if status != 0:
print("Select returned a descriptor")
else:
print("Select timed out: "
if not rfds and not wfds and not efds else
"Select returned a descriptor: ", end="")
print("readable, "
if selectable_fd in rfds else
"not readable, ", end="")
print("exceptional condition"
if selectable_fd in efds else
"no exceptional condition", end="")
print()
packet_count = ct.c_int(0)
status = pcap.dispatch(pd, -1, countme,
ct.cast(ct.pointer(packet_count), ct.POINTER(ct.c_ubyte)))
if status < 0:
break
# Don't report this if we're using a
# required timeout and we got no packets,
# because that could be a very short timeout,
# and we don't want to spam the user with
# a ton of "no packets" reports.
if (status != 0 or packet_count.value != 0 or
required_timeout is not None):
print("{:d} packets seen, {:d} packets counted after "
"select returns".format(status, packet_count.value))
elif dopoll:
while True:
poller = select.poll()
poller.register(selectable_fd, select.POLLIN)
if dotimeout:
polltimeout = 1
elif (required_timeout is not None and
required_timeout.tv_usec >= 1000):
polltimeout = required_timeout.tv_usec // 1000
else:
polltimeout = None
try:
events = poller.poll(polltimeout)
except select.error as exc:
print("Poll returns error ({})".format(exc.args[1]))
else:
if selectable_fd == -1:
if status != 0:
print("Poll returned a descriptor")
else:
if not events:
print("Poll timed out")
else:
event = events[0][1]
print("Poll returned a descriptor: ", end="")
print("readable, "
if event & select.POLLIN else
"not readable, ", end="")
print("exceptional condition, "
if event & select.POLLERR else
"no exceptional condition, ", end="")
print("disconnect, "
if event & select.POLLHUP else
"no disconnect, ", end="")
print("invalid"
if event & select.POLLNVAL else
"not invalid", end="")
print()
packet_count = ct.c_int(0)
status = pcap.dispatch(pd, -1, countme,
ct.cast(ct.pointer(packet_count), ct.POINTER(ct.c_ubyte)))
if status < 0:
break
# Don't report this if we're using a
# required timeout and we got no packets,
# because that could be a very short timeout,
# and we don't want to spam the user with
# a ton of "no packets" reports.
if (status != 0 or packet_count.value != 0 or
required_timeout is not None):
print("{:d} packets seen, {:d} packets counted after "
"poll returns".format(status, packet_count.value))
else:
while True:
packet_count = ct.c_int(0)
status = pcap.dispatch(pd, -1, countme,
ct.cast(ct.pointer(packet_count), ct.POINTER(ct.c_ubyte)))
if status < 0:
break
print("{:d} packets seen, {:d} packets counted after "
"pcap.dispatch returns".format(status, packet_count.value))
if status == -2:
# We got interrupted, so perhaps we didn't manage to finish a
# line we were printing. Print an extra newline, just in case.
print()
sys.stdout.flush()
if status == -1:
# Error. Report it.
print("{}: pcap.loop: {!s}".format(program_name,
pcap.geterr(pd).decode("utf-8", "ignore")), file=sys.stderr)
pcap.freecode(ct.byref(fcode))
pcap.close(pd)
return 1 if status == -1 else 0
def main(argv):
global program_name
program_name = os.path.basename(sys.argv[0])
try:
opts, args = getopt.getopt(argv[1:], "i:mnt:")
except getopt.GetoptError:
usage()
device = None
immediate = False
nonblock = 0
timeout = 1000
for opt, optarg in opts:
if opt == '-i':
device = optarg.encode("utf-8")
elif opt == '-m':
immediate = True
elif opt == '-n':
nonblock = 1
elif opt == '-t':
try:
timeout = int(optarg)
except:
error('Timeout value "{}" is not a number', optarg)
if timeout < 0:
error("Timeout value {:d} is negative", timeout)
if timeout > INT_MAX:
error("Timeout value {:d} is too large (> {:d})",
timeout, INT_MAX)
else:
usage()
expression = args
ebuf = ct.create_string_buffer(pcap.PCAP_ERRBUF_SIZE)
if device is None:
devlist = ct.POINTER(pcap.pcap_if_t)()
if pcap.findalldevs(ct.byref(devlist), ebuf) == -1:
error("{!s}", ebuf.value.decode("utf-8", "ignore"))
if not devlist:
error("no interfaces available for capture")
device = devlist[0].name
pcap.freealldevs(devlist)
ebuf.value = b""
pd = pcap.create(device, ebuf)
if not pd:
error("{!s}", ebuf.value.decode("utf-8", "ignore"))
status = pcap.set_snaplen(pd, 65535)
if status != 0:
error("{!s}: pcap.set_snaplen failed: {!s}",
device.decode("utf-8"),
statustostr(status).decode("utf-8", "ignore"));
if immediate:
try:
status = pcap.set_immediate_mode(pd, 1)
except AttributeError:
error("pcap.set_immediate_mode is not available on this platform")
if status != 0:
error("{!s}: pcap.set_immediate_mode failed: {!s}",
device.decode("utf-8"),
statustostr(status).decode("utf-8", "ignore"));
status = pcap.set_timeout(pd, timeout)
if status != 0:
error("{!s}: pcap.set_timeout failed: {!s}",
device.decode("utf-8"),
statustostr(status).decode("utf-8", "ignore"));
status = pcap.activate(pd)
if status < 0:
# pcap.activate() failed.
error("{!s}: {!s}\n({!s})",
device.decode("utf-8"),
statustostr(status).decode("utf-8", "ignore"),
pcap.geterr(pd).decode("utf-8", "ignore"))
elif status > 0:
# pcap.activate() succeeded, but it's warning us
# of a problem it had.
warning("{!s}: {!s}\n({!s})",
device.decode("utf-8"),
statustostr(status).decode("utf-8", "ignore"),
pcap.geterr(pd).decode("utf-8", "ignore"))
localnet = pcap.bpf_u_int32()
netmask = pcap.bpf_u_int32()
if pcap.lookupnet(device, ct.byref(localnet), ct.byref(netmask), ebuf) < 0:
localnet = pcap.bpf_u_int32(0)
netmask = pcap.bpf_u_int32(0)
warning("{!s}", ebuf.value.decode("utf-8", "ignore"))
fcode = pcap.bpf_program()
cmdbuf = " ".join(expression).encode("utf-8")
if pcap.compile(pd, ct.byref(fcode), cmdbuf, 1, netmask) < 0:
error("{!s}", pcap.geterr(pd).decode("utf-8", "ignore"))
if pcap.setfilter(pd, ct.byref(fcode)) < 0:
error("{!s}", pcap.geterr(pd).decode("utf-8", "ignore"))
if pcap.setnonblock(pd, nonblock, ebuf) == -1:
error("pcap.setnonblock failed: {!s}",
ebuf.value.decode("utf-8", "ignore"))
print("Listening on {!s}".format(device.decode("utf-8")))
while True:
packet_count = ct.c_int(0)
status = pcap.dispatch(pd, -1, countme,
ct.cast(ct.pointer(packet_count), ct.POINTER(ct.c_ubyte)))
if status < 0:
break
if status != 0:
print("{:d} packets seen, {:d} packets counted after "
"pcap.dispatch returns".format(status, packet_count.value))
if status == -2:
# We got interrupted, so perhaps we didn't manage to finish a
# line we were printing. Print an extra newline, just in case.
print()
sys.stdout.flush()
if status == -1:
# Error. Report it.
print("{}: pcap.loop: {!s}".format(program_name,
pcap.geterr(pd).decode("utf-8", "ignore")), file=sys.stderr)
pcap.freecode(ct.byref(fcode))
pcap.close(pd)
return 1 if status == -1 else 0
def main(argv=sys.argv):
global program_name
program_name = os.path.basename(argv[0])
try:
opts, args = getopt.getopt(argv[1:], "dF:gm:Os:")
except getopt.GetoptError:
usage()
if is_windows and hasattr(pcap, "wsockinit") and pcap.wsockinit() != 0:
return 1
have_fcode = False
dflag = 1
if defined("BDEBUG"):
gflag = 0
infile = None
netmask = pcap.PCAP_NETMASK_UNKNOWN
Oflag = 1
snaplen = MAXIMUM_SNAPLEN
for opt, optarg in opts:
if opt == '-d':
dflag += 1
elif opt == 'g':
if defined("BDEBUG"):
gflag += 1
else:
error(
"libpcap and filtertest not built with optimizer debugging enabled"
)
elif opt == '-F':
infile = optarg
elif opt == '-O':
Oflag = 0
elif opt == '-m': # !!!
# try:
# addr = socket.inet_pton(socket.AF_INET, optarg)
# except socket.error:
# if r == 0:
# error("invalid netmask {}", optarg)
# elif r == -1:
# error("invalid netmask {}: {}", optarg, pcap_strerror(errno))
# else: # elif r == 1:
# addr = bpf_u_int32(addr)
# netmask = addr
pass
elif opt == '-s':
try:
long_snaplen = int(optarg)
except:
error("invalid snaplen {}", optarg)
if not (0 <= long_snaplen <= MAXIMUM_SNAPLEN):
error("invalid snaplen {}", optarg)
elif long_snaplen == 0: # <AK> fix, was: snaplen == 0:
snaplen = MAXIMUM_SNAPLEN
else:
snaplen = long_snaplen
else:
usage()
if not args:
usage()
dlt_name = args[0]
expression = args[1:]
dlt = pcap.datalink_name_to_val(dlt_name.encode("utf-8"))
if dlt < 0:
try:
dlt = int(dlt_name)
except:
error("invalid data link type {!s}", dlt_name)
if infile:
cmdbuf = read_infile(infile)
else:
# concatenating arguments with spaces.
cmdbuf = " ".join(expression).encode("utf-8")
pd = pcap.open_dead(dlt, snaplen)
if not pd:
error("Can't open fake pcap_t")
fcode = pcap.bpf_program()
if pcap.compile(pd, ct.byref(fcode), cmdbuf, Oflag, netmask) < 0:
error("{!s}", pcap.geterr(pd).decode("utf-8", "ignore"))
have_fcode = True
if not pcap.bpf_validate(fcode.bf_insns, fcode.bf_len):
warning("Filter doesn't pass validation")
if defined("BDEBUG"):
if cmdbuf:
# replace line feed with space
mcodes = cmdbuf.decode("utf-8", "ignore")
mcodes = mcodes.replace('\r', ' ').replace('\n', ' ')
# only show machine code if BDEBUG defined, since dflag > 3
print("machine codes for filter: {}".format(mcodes))
else:
print("machine codes for empty filter:")
pcap.bpf_dump(ct.byref(fcode), dflag)
del cmdbuf
if have_fcode:
pcap.freecode(ct.byref(fcode))
pcap.close(pd)
return 0
