def _decode_payload(self, pktt): """Decode UDP payload.""" if 123 in [self.src_port, self.dst_port]: # NTP on port 123 ntp = NTP(pktt) if ntp: pktt.pkt.ntp = ntp return elif 53 in [self.src_port, self.dst_port]: # DNS on port 53 dns = DNS(pktt, proto=17) if dns: pktt.pkt.dns = dns return elif 88 in [self.src_port, self.dst_port]: # KRB5 on port 88 krb = KRB5(pktt, proto=17) if krb: pktt.pkt.krb = krb return # Get RPC header rpc = RPC(pktt, proto=17) if rpc: # Save RPC layer on packet object pktt.pkt.rpc = rpc if rpc.type: # Remove packet call from the xid map since reply has # already been decoded pktt._rpc_xid_map.pop(rpc.xid, None) # Decode NFS layer rpc.decode_payload()
def _decode_payload(self, pktt): """Decode UDP payload.""" # Get RPC header rpc = RPC(pktt, proto=17) if rpc: # Save RPC layer on packet object pktt.pkt.rpc = rpc if rpc.type: # Remove packet call from the xid map since reply has # already been decoded pktt._rpc_xid_map.pop(rpc.xid, None) # Decode NFS layer rpc.decode_payload()
def _decode_payload(self, pktt, stream): """Decode TCP payload.""" rpc = None if stream['frag_off'] > 0 and len(stream['msfrag']) == 0: # This RPC packet lies within previous TCP packet, # Re-position the offset of the data self.data = self.data[stream['frag_off']:] # Get the total size save_data = self.data size = len(self.data) # Try decoding the RPC header before using the msfrag data # to re-sync the stream if len(stream['msfrag']) > 0: rpc = RPC(pktt, self.data, proto=6) if not rpc: self.data = save_data if rpc or (size == 0 and len(stream['msfrag']) > 0 and self.flags_raw != 0x10): # There has been some data lost in the capture, # to continue decoding next packets, reset stream # except if this packet is just a TCP ACK (flags = 0x10) stream['msfrag'] = '' stream['frag_off'] = 0 # Expected data segment sequence number nseg = self.seq - stream['last_seq'] # Make sure this segment has valid data if nseg != len(stream['msfrag']) and \ size <= 20 and save_data == '\x00' * size: return if not rpc: # Concatenate previous fragment self.data = stream['msfrag'] + self.data ldata = len(self.data) - 4 # Get RPC header rpc = RPC(pktt, self.data, proto=6) else: ldata = size - 4 if not rpc: return rpcsize = rpc.fragment_hdr.size if ldata < rpcsize: # An RPC fragment is missing to decode RPC payload stream['msfrag'] += save_data else: if len(stream['msfrag']) > 0 or ldata == rpcsize: stream['frag_off'] = 0 stream['msfrag'] = '' # Save RPC layer on packet object pktt.pkt.rpc = rpc del self.data # Decode NFS layer nfs = rpc.decode_nfs() if nfs: pktt.pkt.nfs = nfs rpcbytes = ldata - len(rpc.data) if not nfs and rpcbytes != rpcsize: pass elif rpc.data: # Save the offset of next RPC packet within this TCP packet # Data offset is cumulative stream['frag_off'] += size - len(rpc.data) save_data = rpc.data ldata = len(rpc.data) - 4 try: rpc_header = RPC(pktt, rpc.data, proto=6) except Exception: rpc_header = None if not rpc_header or ldata < rpc_header.fragment_hdr.size: # Part of next RPC packet is within this TCP packet # Save the multi-span fragment data stream['msfrag'] += save_data else: # Next RPC packet is entirely within this TCP packet # Re-position the file pointer to the current offset pktt.offset = pktt.b_offset pktt._getfh().seek(pktt.offset) else: stream['frag_off'] = 0
def _decode_payload(self, pktt, stream): """Decode TCP payload.""" rpc = None pkt = pktt.pkt unpack = pktt.unpack if stream['frag_off'] > 0 and len(stream['msfrag']) == 0: # This RPC packet lies within previous TCP packet, # Re-position the offset of the data unpack.seek(unpack.tell() + stream['frag_off']) # Get the total size sid = unpack.save_state() size = unpack.size() nonvalid = bool(size <= 20 and unpack.getbytes() == '\x00' * size) # Try decoding the RPC header before using the msfrag data # to re-sync the stream if len(stream['msfrag']) > 0: rpc = RPC(pktt, proto=6) if not rpc: unpack.restore_state(sid) sid = unpack.save_state() if rpc or (size == 0 and len(stream['msfrag']) > 0 and self.flags_raw != 0x10): # There has been some data lost in the capture, # to continue decoding next packets, reset stream # except if this packet is just a TCP ACK (flags = 0x10) stream['msfrag'] = '' stream['frag_off'] = 0 # Expected data segment sequence number nseg = self.seq - stream['last_seq'] # Make sure this segment has valid data if nseg != len(stream['msfrag']) and nonvalid: return if not rpc: if len(stream['msfrag']): # Concatenate previous fragment unpack.insert(stream['msfrag']) ldata = unpack.size() - 4 # Get RPC header rpc = RPC(pktt, proto=6) else: ldata = size - 4 if not rpc: return rpcsize = rpc.fragment_hdr.size truncbytes = pkt.record.length_orig - pkt.record.length_inc if truncbytes == 0 and ldata < rpcsize: # An RPC fragment is missing to decode RPC payload unpack.restore_state(sid) stream['msfrag'] += unpack.getbytes() else: if len(stream['msfrag']) > 0 or ldata == rpcsize: stream['frag_off'] = 0 stream['msfrag'] = '' # Save RPC layer on packet object pkt.rpc = rpc if rpc.type: # Remove packet call from the xid map since reply has # already been decoded pktt._rpc_xid_map.pop(rpc.xid, None) # Decode NFS layer rpcload = rpc.decode_payload() rpcbytes = ldata - unpack.size() if not rpcload and rpcbytes != rpcsize: pass elif unpack.size(): # Save the offset of next RPC packet within this TCP packet # Data offset is cumulative stream['frag_off'] += size - unpack.size() sid = unpack.save_state() ldata = unpack.size() - 4 try: rpc_header = RPC(pktt, proto=6, state=False) except Exception: rpc_header = None if not rpc_header or ldata < rpc_header.fragment_hdr.size: # Part of next RPC packet is within this TCP packet # Save the multi-span fragment data unpack.restore_state(sid) stream['msfrag'] += unpack.getbytes() else: # Next RPC packet is entirely within this TCP packet # Re-position the file pointer to the current offset pktt.offset = pktt.boffset pktt._getfh().seek(pktt.offset) else: stream['frag_off'] = 0
def _decode_payload(self, pktt, stream): """Decode TCP payload.""" rpc = None pkt = pktt.pkt unpack = pktt.unpack if 53 in [self.src_port, self.dst_port]: # DNS on port 53 dns = DNS(pktt, proto=6) if dns: pkt.dns = dns return elif 88 in [self.src_port, self.dst_port]: # KRB5 on port 88 krb = KRB5(pktt, proto=6) if krb: pkt.krb = krb return if stream.frag_off > 0 and len(stream.buffer) == 0: # This RPC packet lies within previous TCP packet, # Re-position the offset of the data unpack.seek(unpack.tell() + stream.frag_off) # Get the total size sid = unpack.save_state() size = unpack.size() # Try decoding the RPC header before using the stream buffer data # to re-sync the stream if len(stream.buffer) > 0: rpc = RPC(pktt, proto=6) if not rpc: unpack.restore_state(sid) sid = unpack.save_state() if rpc or (size == 0 and len(stream.buffer) > 0 and self.flags.rawflags != 0x10): # There has been some data lost in the capture, # to continue decoding next packets, reset stream # except if this packet is just a TCP ACK (flags = 0x10) stream.buffer = "" stream.frag_off = 0 if not rpc: if len(stream.buffer): # Concatenate previous fragment unpack.insert(stream.buffer) ldata = unpack.size() - 4 # Get RPC header rpc = RPC(pktt, proto=6) else: ldata = size - 4 if not rpc: return rpcsize = rpc.fragment_hdr.size truncbytes = pkt.record.length_orig - pkt.record.length_inc if truncbytes == 0 and ldata < rpcsize: # An RPC fragment is missing to decode RPC payload unpack.restore_state(sid) stream.add_fragment(unpack.getbytes(), self.seq) else: if len(stream.buffer) > 0 or ldata == rpcsize: stream.frag_off = 0 stream.buffer = "" # Save RPC layer on packet object pkt.rpc = rpc if rpc.type: # Remove packet call from the xid map since reply has # already been decoded pktt._rpc_xid_map.pop(rpc.xid, None) # Decode NFS layer rpcload = rpc.decode_payload() rpcbytes = ldata - unpack.size() if not rpcload and rpcbytes != rpcsize: pass elif unpack.size(): # Save the offset of next RPC packet within this TCP packet # Data offset is cumulative stream.frag_off += size - unpack.size() sid = unpack.save_state() ldata = unpack.size() - 4 try: rpc_header = RPC(pktt, proto=6, state=False) except Exception: rpc_header = None if not rpc_header or ldata < rpc_header.fragment_hdr.size: # Part of next RPC packet is within this TCP packet # Save the multi-span fragment data unpack.restore_state(sid) stream.add_fragment(unpack.getbytes(), self.seq) else: # Next RPC packet is entirely within this TCP packet # Re-position the file pointer to the current offset pktt.seek(pktt.boffset) else: stream.frag_off = 0
def _decode_payload(self, pktt, stream): """Decode TCP payload.""" rpc = None pkt = pktt.pkt unpack = pktt.unpack if stream['frag_off'] > 0 and len(stream['msfrag']) == 0: # This RPC packet lies within previous TCP packet, # Re-position the offset of the data unpack.seek(unpack.tell() + stream['frag_off']) # Get the total size sid = unpack.save_state() size = unpack.size() nonvalid = bool(size <= 20 and unpack.getbytes() == '\x00' * size) # Try decoding the RPC header before using the msfrag data # to re-sync the stream if len(stream['msfrag']) > 0: rpc = RPC(pktt, proto=6) if not rpc: unpack.restore_state(sid) sid = unpack.save_state() if rpc or (size == 0 and len(stream['msfrag']) > 0 and self.flags_raw != 0x10): # There has been some data lost in the capture, # to continue decoding next packets, reset stream # except if this packet is just a TCP ACK (flags = 0x10) stream['msfrag'] = '' stream['frag_off'] = 0 # Expected data segment sequence number nseg = self.seq - stream['last_seq'] # Make sure this segment has valid data if nseg != len(stream['msfrag']) and nonvalid: return if not rpc: if len(stream['msfrag']): # Concatenate previous fragment unpack.insert(stream['msfrag']) ldata = unpack.size() - 4 # Get RPC header rpc = RPC(pktt, proto=6) else: ldata = size - 4 if not rpc: return rpcsize = rpc.fragment_hdr.size truncbytes = pkt.record.length_orig - pkt.record.length_inc if truncbytes == 0 and ldata < rpcsize: # An RPC fragment is missing to decode RPC payload unpack.restore_state(sid) stream['msfrag'] += unpack.getbytes() else: if len(stream['msfrag']) > 0 or ldata == rpcsize: stream['frag_off'] = 0 stream['msfrag'] = '' # Save RPC layer on packet object pkt.rpc = rpc if rpc.type: # Remove packet call from the xid map since reply has # already been decoded pktt._rpc_xid_map.pop(rpc.xid, None) # Decode NFS layer nfs = rpc.decode_nfs() if nfs: pkt.nfs = nfs rpcbytes = ldata - unpack.size() if not nfs and rpcbytes != rpcsize: pass elif unpack.size(): # Save the offset of next RPC packet within this TCP packet # Data offset is cumulative stream['frag_off'] += size - unpack.size() sid = unpack.save_state() ldata = unpack.size() - 4 try: rpc_header = RPC(pktt, proto=6, state=False) except Exception: rpc_header = None if not rpc_header or ldata < rpc_header.fragment_hdr.size: # Part of next RPC packet is within this TCP packet # Save the multi-span fragment data unpack.restore_state(sid) stream['msfrag'] += unpack.getbytes() else: # Next RPC packet is entirely within this TCP packet # Re-position the file pointer to the current offset pktt.offset = pktt.boffset pktt._getfh().seek(pktt.offset) else: stream['frag_off'] = 0