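def flow_handler(self, flow):
    """Attribute one NetFlow record's byte count to a traffic-direction counter.

    ``flow.srcaddr`` / ``flow.dstaddr`` are converted with ``pcap.aton`` and
    classified with ``netutils.ip_is_reserved``; ``flow.dOctets`` is then added
    to exactly one of ``self.data["net_load_loc"]`` (both ends reserved),
    ``self.data["net_load_in"]`` (only the destination reserved) or
    ``self.data["net_load_out"]`` (only the source reserved).

    A record whose endpoints are both non-reserved (for example transit
    traffic forwarded by the exporter) fits none of the three counters.  The
    previous code printed a placeholder string to stdout for that case; it is
    now reported through ``logging`` at DEBUG level with the addresses and the
    byte count, so the drop leaves a trace and stdout stays clean in a
    long-running collector.

    Args:
        flow: a flow record exposing ``srcaddr``, ``dstaddr`` and ``dOctets``.
    """
    import logging

    src = pcap.aton(flow.srcaddr)
    dst = pcap.aton(flow.dstaddr)
    src_reserved = netutils.ip_is_reserved(src)
    dst_reserved = netutils.ip_is_reserved(dst)
    octets = flow.dOctets

    if src_reserved and dst_reserved:
        self.data["net_load_loc"] += octets
    elif dst_reserved:
        # non-reserved source -> reserved destination: inbound
        self.data["net_load_in"] += octets
    elif src_reserved:
        # reserved source -> non-reserved destination: outbound
        self.data["net_load_out"] += octets
    else:
        # Neither endpoint is reserved: not attributable to any counter.
        # Log it instead of the former bare print so the drop is visible.
        logging.getLogger().debug(
            "Flow between two non-reserved addresses ignored: %s -> %s (%s octets)",
            flow.srcaddr, flow.dstaddr, octets)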
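def handle_query(query, ip_dict, port_dict, ip_to_ip_dict, ip_port_dict):
    """Dispatch one interactive query line.

    Supported forms:
      ``list``          - ``list_all(ip_dict)`` followed by a blank line.
      ``friends <ip>``  - print every peer address recorded in ``ip_dict[ip]``.
      ``live <ip>``     - ``list_live(ip, ip_dict, ip_to_ip_dict, ip_port_dict)``.

    ``port_dict`` is accepted for interface compatibility but is not used here.

    The query is operator input, so every failure mode is reported and the
    function returns instead of raising: an empty line, a command that needs
    an address but got none, an address ``pcap.aton`` cannot parse, an address
    unknown to ``ip_dict``, and an unknown command.  (The previous version used
    a bare ``except:`` that also swallowed KeyboardInterrupt, and re-raised
    IndexError from inside its own error message when no address was given.)

    Args:
        query: the raw command line typed by the operator.
        ip_dict: mapping address-int -> iterable of peer address-ints.
        port_dict, ip_to_ip_dict, ip_port_dict: passed through to ``list_live``.

    Returns:
        None.
    """
    arr = query.split()
    if not arr:
        return
    cmd = arr[0]

    if cmd == "list":
        list_all(ip_dict)
        print("")
        return

    # Every remaining command needs an address argument.
    if len(arr) < 2:
        print("Missing IP address for '" + cmd + "'")
        return
    try:
        ip = pcap.aton(arr[1])
    except Exception:
        # pcap.aton's failure type is not visible here; Exception still lets
        # KeyboardInterrupt / SystemExit propagate, unlike the old bare except.
        print("Couldn't parse IP address " + arr[1])
        return

    if cmd == "friends":
        # Peers this address has talked to.  .get() avoids a KeyError for an
        # unknown address (and avoids inserting an entry if ip_dict is a defaultdict).
        for other in ip_dict.get(ip, ()):
            print(pcap.ntoa(other))
        print("")
    elif cmd == "live":
        list_live(ip, ip_dict, ip_to_ip_dict, ip_port_dict)
    else:
        print("Unknown command '" + cmd + "'")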
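# Reserved / special-purpose IPv4 prefixes as (dotted network, prefix length).
_RESERVED_IPV4_PREFIXES = (
    ('0.0.0.0', 8),            # Current network (only valid as source address) RFC 5735
    ('10.0.0.0', 8),           # Private network RFC 1918
    ('100.64.0.0', 10),        # Shared Address Space RFC 6598
    ('127.0.0.0', 8),          # Loopback RFC 5735
    ('169.254.0.0', 16),       # Link-local RFC 3927
    ('172.16.0.0', 12),        # Private network RFC 1918
    ('192.0.0.0', 24),         # IETF Protocol Assignments RFC 5735
    ('192.0.2.0', 24),         # TEST-NET-1, documentation and examples RFC 5735
    ('192.88.99.0', 24),       # IPv6 to IPv4 relay RFC 3068
    ('192.168.0.0', 16),       # Private network RFC 1918
    ('198.18.0.0', 15),        # Network benchmark tests RFC 2544
    ('198.51.100.0', 24),      # TEST-NET-2, documentation and examples RFC 5737
    ('203.0.113.0', 24),       # TEST-NET-3, documentation and examples RFC 5737
    ('224.0.0.0', 4),          # IP multicast (former Class D network) RFC 5771
    ('240.0.0.0', 4),          # Reserved (former Class E network) RFC 1700
    ('255.255.255.255', 32),   # Broadcast
)


def ip_is_reserved(ip, reverse=False):
    """Return True when ``ip`` lies inside a reserved / special-purpose IPv4 range.

    ``ip`` is the integer form produced by ``pcap.aton``.  It is taken to be a
    native-order 32-bit value whose ``struct.pack('I', ip)`` bytes are the four
    octets in dotted order -- the convention the surrounding code relies on
    when it packs ``pcap.aton`` results with ``'I'``.  NOTE(review): confirm
    this against ``pcap.aton`` if that helper ever changes.  With
    ``reverse=True`` the value is first passed through the module's
    ``ip_reverse`` helper, exactly as before.

    Why the check was rewritten: the previous mask, ``0xffffffff >> (32 - m)``,
    selects the *low*-order ``m`` bits of the integer, whereas a CIDR prefix
    covers the *high*-order bits of each octet.  In the layout above that only
    works for octet-aligned prefixes (/8, /16, /24, /32).  172.16.0.0/12,
    100.64.0.0/10, 224.0.0.0/4 and 240.0.0.0/4 could never match, and
    198.18.0.0/15 matched 198.146.0.0/16 instead of 198.19.0.0/16 -- so
    private, multicast and CGNAT traffic was classified as external.  Both
    sides are now converted to a network-order integer and compared under a
    proper high-bit prefix mask.

    Args:
        ip: address as an int (see above).
        reverse: apply ``ip_reverse`` to ``ip`` before classifying.

    Returns:
        bool
    """
    import socket
    import struct

    if reverse:
        ip = ip_reverse(ip)

    # Dotted-order octets -> network-order integer, so a prefix mask is a
    # plain high-bit mask.  '=I' is native byte order with a guaranteed 4-byte
    # size; the 0xffffffff mask keeps accepting any int the old code accepted.
    addr = struct.unpack('!I', struct.pack('=I', ip & 0xffffffff))[0]

    for net_str, prefix in _RESERVED_IPV4_PREFIXES:
        net = struct.unpack('!I', socket.inet_aton(net_str))[0]
        mask = (0xffffffff << (32 - prefix)) & 0xffffffff
        if (addr & mask) == net:
            return True
    return False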
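def run(self):
    """Collector main loop: receive NetFlow datagrams and fan them out to the modules.

    Flow of control:
      1. Return 0 immediately when no module is loaded.
      2. Bind a UDP socket to ``config.flow_addr:flow_port`` with ``SOCKET_TIMEOUT``.
      3. Build the configured database object; when ``config.database["on"]``
         connect it and let every module run ``database_init``.
      4. Until ``self.term`` is set: receive one datagram, parse it with
         ``flowtools.FlowPDU`` and hand every flow record to every module's
         ``flow_handler``; every ``MIN_TIME_MOD_UPDATE`` seconds push each
         module's ``trigger_data_update`` result over the websocket; every
         ``MIN_TIME_DB_UPDATE`` seconds call ``trigger_db_save`` and commit.

    Changes versus the previous version:
      * Handler dispatch used ``map`` for its side effects.  That only runs
        the handlers on Python 2 (``map`` is lazy on Python 3 and would
        silently run none); explicit loops behave the same on both.
      * NetFlow over UDP is unauthenticated, so anything able to reach the
        port can send a crafted datagram.  Only ``SystemError`` was caught
        around parsing/dispatch; any other exception escaped ``run`` and ended
        collection.  Such packets are now logged with a traceback and dropped.
      * The socket is closed when the loop ends.

    Returns:
        0 when there is nothing to do (no modules), otherwise None once
        ``self.term`` stops the loop.
    """
    logger = logging.getLogger()

    # no module, no start
    if not self.lmod:
        logger.debug("No Flow module")
        return 0

    logger.info("NetFlow : Listining on %s:%i" % (self.config.flow_addr, self.config.flow_port))
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((self.config.flow_addr, self.config.flow_port))
        sock.settimeout(SOCKET_TIMEOUT)

        lmod = self.lmod
        flow_handlers = [mod.flow_handler for mod in lmod]
        db_savers = [mod.trigger_db_save for mod in lmod]
        # List loaded modules
        for mod in lmod:
            logger.info("NetFlow : Load network module - websocket subprotocol " + str(mod))

        ws_data = WsData()
        last_update_t = time()
        last_save_t = time()

        self.database = self.config.database
        db_on = self.config.database["on"]
        conf = self.database["conf"]
        # The database object is built even when db_on is False (as before);
        # it is only connected, and the modules' tables initialised, when enabled.
        mydb = self.database["class"](
            host=conf["host"],
            user=conf["user"],
            passwd=conf["passwd"],
            database=conf["database"],
            port=conf["port"])
        if db_on:
            mydb.connection()
            if mydb.is_connect():
                for mod in lmod:
                    mod.database_init(mydb)
                mydb.commit()

        while not self.term:
            try:
                data, addr = sock.recvfrom(SOCKET_BUFFER)
            except socket.timeout:
                # Idle: fall through so the periodic update/save below still run.
                pass
            else:
                try:
                    pdu = flowtools.FlowPDU(pcap.aton(addr[0]), data)
                    for flow in pdu:
                        for handle in flow_handlers:
                            handle(flow)
                except SystemError:
                    logger.error("SystemError on Flow packet")
                except Exception:
                    # Unauthenticated UDP input: record the offending sender and
                    # keep collecting instead of letting one datagram kill the loop.
                    logger.exception("Dropping Flow packet from %s", addr[0])

            # Modules update call
            if time() - last_update_t > MIN_TIME_MOD_UPDATE:
                last_update_t = time()
                for mod in lmod:
                    payload = mod.trigger_data_update()
                    if payload is not None:
                        ws_data.send(mod.protocol, payload)

            # Modules save call
            if db_on and mydb.connect is not None:
                if time() - last_save_t > MIN_TIME_DB_UPDATE:
                    last_save_t = time()
                    for save in db_savers:
                        save(mydb)
                    mydb.commit()
    finally:
        sock.close()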
'description': 'Shim6 Protocol' }, 141: { 'callback': None, 'protocol': 'WESP', 'description': 'Wrapped Encapsulating Security Payload' }, 142: { 'callback': None, 'protocol': 'ROHC', 'description': 'Robust Header Compression' } } dIPReserved = [ (pcap.aton('0.0.0.0'), 8), # Current network (only valid as source address) RFC 5735 (pcap.aton('10.0.0.0'), 8), # Private network RFC 1918 (pcap.aton('100.64.0.0'), 10), # Shared Address Space RFC 6598 (pcap.aton('127.0.0.0'), 8), # Loopback RFC 5735 (pcap.aton('169.254.0.0'), 16), # Link-local RFC 3927 (pcap.aton('172.16.0.0'), 12), # Private network RFC 1918 (pcap.aton('192.0.0.0'), 24), # IETF Protocol Assignments RFC 5735 (pcap.aton('192.0.2.0'), 24), # TEST-NET-1, documentation and examples RFC 5735 (pcap.aton('192.88.99.0'), 24), # IPv6 to IPv4 relay RFC 3068 (pcap.aton('192.168.0.0'), 16), # Private network RFC 1918 (pcap.aton('198.18.0.0'), 15), # Network benchmark tests RFC 2544 (pcap.aton('198.51.100.0'), 24), # TEST-NET-2, documentation and examples RFC 5737 (pcap.aton('203.0.113.0'),
131: {'callback': None, 'protocol': 'PIPE', 'description': 'Private IP Encapsulation within IP'}, 132: {'callback': None, 'protocol': 'SCTP', 'description': 'Stream Control Transmission Protocol'}, 133: {'callback': None, 'protocol': 'FC', 'description': 'Fibre Channel'}, 134: {'callback': None, 'protocol': 'RSVP-E2E-IGNORE', 'description': ''}, 135: {'callback': None, 'protocol': 'Mobility Header', 'description': ''}, 136: {'callback': None, 'protocol': 'UDPLite', 'description': ''}, 137: {'callback': None, 'protocol': 'MPLS-in-IP', 'description': ''}, 138: {'callback': None, 'protocol': 'manet', 'description': 'MANET Protocols'}, 139: {'callback': None, 'protocol': 'HIP', 'description': 'Host Identity Protocol'}, 140: {'callback': None, 'protocol': 'Shim6', 'description': 'Shim6 Protocol'}, 141: {'callback': None, 'protocol': 'WESP', 'description': 'Wrapped Encapsulating Security Payload'}, 142: {'callback': None, 'protocol': 'ROHC', 'description': 'Robust Header Compression'} } dIPReserved = [ (pcap.aton('0.0.0.0'), 8), # Current network (only valid as source address) RFC 5735 (pcap.aton('10.0.0.0'), 8), # Private network RFC 1918 (pcap.aton('100.64.0.0'), 10), # Shared Address Space RFC 6598 (pcap.aton('127.0.0.0'), 8), # Loopback RFC 5735 (pcap.aton('169.254.0.0'), 16), # Link-local RFC 3927 (pcap.aton('172.16.0.0'), 12), # Private network RFC 1918 (pcap.aton('192.0.0.0'), 24), # IETF Protocol Assignments RFC 5735 (pcap.aton('192.0.2.0'), 24), # TEST-NET-1, documentation and examples RFC 5735 (pcap.aton('192.88.99.0'), 24), # IPv6 to IPv4 relay RFC 3068 (pcap.aton('192.168.0.0'), 16), # Private network RFC 1918 (pcap.aton('198.18.0.0'), 15), # Network benchmark tests RFC 2544 (pcap.aton('198.51.100.0'), 24), # TEST-NET-2, documentation and examples RFC 5737 (pcap.aton('203.0.113.0'), 24), # TEST-NET-3, documentation and examples RFC 5737 (pcap.aton('224.0.0.0'), 4), # IP multicast (former Class D network) RFC 5771 (pcap.aton('240.0.0.0'), 4), # Reserved 
(former Class E network) RFC 1700 (pcap.aton('255.255.255.255'), 32) # Broadcast
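# Reserved / special-purpose IPv4 prefixes as (dotted network, prefix length).
_RESERVED_IPV4_PREFIXES = (
    ("0.0.0.0", 8),            # Current network (only valid as source address) RFC 5735
    ("10.0.0.0", 8),           # Private network RFC 1918
    ("100.64.0.0", 10),        # Shared Address Space RFC 6598
    ("127.0.0.0", 8),          # Loopback RFC 5735
    ("169.254.0.0", 16),       # Link-local RFC 3927
    ("172.16.0.0", 12),        # Private network RFC 1918
    ("192.0.0.0", 24),         # IETF Protocol Assignments RFC 5735
    ("192.0.2.0", 24),         # TEST-NET-1, documentation and examples RFC 5735
    ("192.88.99.0", 24),       # IPv6 to IPv4 relay RFC 3068
    ("192.168.0.0", 16),       # Private network RFC 1918
    ("198.18.0.0", 15),        # Network benchmark tests RFC 2544
    ("198.51.100.0", 24),      # TEST-NET-2, documentation and examples RFC 5737
    ("203.0.113.0", 24),       # TEST-NET-3, documentation and examples RFC 5737
    ("224.0.0.0", 4),          # IP multicast (former Class D network) RFC 5771
    ("240.0.0.0", 4),          # Reserved (former Class E network) RFC 1700
    ("255.255.255.255", 32),   # Broadcast
)


def ip_is_reserved(ip, reverse=False):
    """Return True when ``ip`` lies inside a reserved / special-purpose IPv4 range.

    ``ip`` is the integer form produced by ``pcap.aton``.  It is taken to be a
    native-order 32-bit value whose ``struct.pack("I", ip)`` bytes are the four
    octets in dotted order -- the convention the surrounding code relies on
    when it packs ``pcap.aton`` results with ``"I"``.  NOTE(review): confirm
    this against ``pcap.aton`` if that helper ever changes.  With
    ``reverse=True`` the value is first passed through the module's
    ``ip_reverse`` helper, exactly as before.

    Why the check was rewritten: the previous mask, ``0xFFFFFFFF >> (32 - m)``,
    selects the *low*-order ``m`` bits of the integer, whereas a CIDR prefix
    covers the *high*-order bits of each octet.  In the layout above that only
    works for octet-aligned prefixes (/8, /16, /24, /32).  172.16.0.0/12,
    100.64.0.0/10, 224.0.0.0/4 and 240.0.0.0/4 could never match, and
    198.18.0.0/15 matched 198.146.0.0/16 instead of 198.19.0.0/16 -- so
    private, multicast and CGNAT traffic was classified as external.  Both
    sides are now converted to a network-order integer and compared under a
    proper high-bit prefix mask.

    Args:
        ip: address as an int (see above).
        reverse: apply ``ip_reverse`` to ``ip`` before classifying.

    Returns:
        bool
    """
    import socket
    import struct

    if reverse:
        ip = ip_reverse(ip)

    # Dotted-order octets -> network-order integer, so a prefix mask is a
    # plain high-bit mask.  "=I" is native byte order with a guaranteed 4-byte
    # size; the 0xFFFFFFFF mask keeps accepting any int the old code accepted.
    addr = struct.unpack("!I", struct.pack("=I", ip & 0xFFFFFFFF))[0]

    for net_str, prefix in _RESERVED_IPV4_PREFIXES:
        net = struct.unpack("!I", socket.inet_aton(net_str))[0]
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if (addr & mask) == net:
            return True
    return False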
def ip_str_to_bytes(ip):
    """Pack a dotted-quad string into its 4-byte form.

    ``pcap.aton`` turns the string into its integer form; ``struct`` then packs
    that integer with the bare ``'I'`` format, i.e. in the *host's* byte order
    and native ``unsigned int`` size.  The byte sequence produced therefore
    depends on the host endianness and on the convention ``pcap.aton`` uses.
    NOTE(review): confirm that pair yields network (dotted) order wherever the
    result is compared against on-the-wire data.

    Args:
        ip: dotted-quad IPv4 address string.

    Returns:
        The packed bytes (``str`` on Python 2, ``bytes`` on Python 3).
    """
    packer = struct.Struct('I')
    as_int = pcap.aton(ip)
    return packer.pack(as_int)
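def run(self):
    """Collector main loop: receive NetFlow datagrams and fan them out to the modules.

    Flow of control:
      1. Return 0 immediately when no module is loaded.
      2. Bind a UDP socket to ``config.flow_addr:flow_port`` with ``SOCKET_TIMEOUT``.
      3. Build the configured database object; when ``config.database["on"]``
         connect it and let every module run ``database_init``.
      4. Until ``self.term`` is set: receive one datagram, parse it with
         ``flowtools.FlowPDU`` and hand every flow record to every module's
         ``flow_handler``; every ``MIN_TIME_MOD_UPDATE`` seconds push each
         module's ``trigger_data_update`` result over the websocket; every
         ``MIN_TIME_DB_UPDATE`` seconds call ``trigger_db_save`` and commit.

    Changes versus the previous version:
      * Handler dispatch used ``map`` for its side effects.  That only runs
        the handlers on Python 2 (``map`` is lazy on Python 3 and would
        silently run none); explicit loops behave the same on both.
      * NetFlow over UDP is unauthenticated, so anything able to reach the
        port can send a crafted datagram.  Only ``SystemError`` was caught
        around parsing/dispatch; any other exception escaped ``run`` and ended
        collection.  Such packets are now logged with a traceback and dropped.
      * The socket is closed when the loop ends.

    Returns:
        0 when there is nothing to do (no modules), otherwise None once
        ``self.term`` stops the loop.
    """
    logger = logging.getLogger()

    # no module, no start
    if not self.lmod:
        logger.debug("No Flow module")
        return 0

    logger.info("NetFlow : Listining on %s:%i" % (self.config.flow_addr, self.config.flow_port))
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((self.config.flow_addr, self.config.flow_port))
        sock.settimeout(SOCKET_TIMEOUT)

        lmod = self.lmod
        flow_handlers = [mod.flow_handler for mod in lmod]
        db_savers = [mod.trigger_db_save for mod in lmod]
        # List loaded modules
        for mod in lmod:
            logger.info("NetFlow : Load network module - websocket subprotocol " + str(mod))

        ws_data = WsData()
        last_update_t = time()
        last_save_t = time()

        self.database = self.config.database
        db_on = self.config.database["on"]
        conf = self.database["conf"]
        # The database object is built even when db_on is False (as before);
        # it is only connected, and the modules' tables initialised, when enabled.
        mydb = self.database["class"](
            host=conf["host"],
            user=conf["user"],
            passwd=conf["passwd"],
            database=conf["database"],
            port=conf["port"])
        if db_on:
            mydb.connection()
            if mydb.is_connect():
                for mod in lmod:
                    mod.database_init(mydb)
                mydb.commit()

        while not self.term:
            try:
                data, addr = sock.recvfrom(SOCKET_BUFFER)
            except socket.timeout:
                # Idle: fall through so the periodic update/save below still run.
                pass
            else:
                try:
                    pdu = flowtools.FlowPDU(pcap.aton(addr[0]), data)
                    for flow in pdu:
                        for handle in flow_handlers:
                            handle(flow)
                except SystemError:
                    logger.error("SystemError on Flow packet")
                except Exception:
                    # Unauthenticated UDP input: record the offending sender and
                    # keep collecting instead of letting one datagram kill the loop.
                    logger.exception("Dropping Flow packet from %s", addr[0])

            # Modules update call
            if time() - last_update_t > MIN_TIME_MOD_UPDATE:
                last_update_t = time()
                for mod in lmod:
                    payload = mod.trigger_data_update()
                    if payload is not None:
                        ws_data.send(mod.protocol, payload)

            # Modules save call
            if db_on and mydb.connect is not None:
                if time() - last_save_t > MIN_TIME_DB_UPDATE:
                    last_save_t = time()
                    for save in db_savers:
                        save(mydb)
                    mydb.commit()
    finally:
        sock.close()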