def parse_pcap_file(file_path):
"""pcap parser.
parse a pcap file to get a list :class:`TcpPacket` objects
Args:
file_path (str): address of the Pcap file that is ready to be parsed
Returns:
list of :class:TcpPacket of found conversations in the Pcap file
Raises:
:class:FileParsingException if either file format were not recognized or file was not found
"""
conn_dict = OrderedDict()
all_packets = []
try:
with io.open(file_path, "rb") as infile:
file_format, head = get_file_format(infile)
if file_format == FileFormat.PCAP:
pcap_file = pcap.PcapFile(infile, head).read_packet
elif file_format == FileFormat.PCAP_NG:
pcap_file = pcapng.PcapngFile(infile, head).read_packet
else:
FileParsingException("unknown file format.")
for tcp_pac in packet_parser.read_tcp_packet(pcap_file):
key = tcp_pac.gen_key()
# we already have this conn
if key in conn_dict:
url = conn_dict[key].on_packet(tcp_pac)
if url is not None:
packet = TcpPacket()
packet.request = url
splited = str(key).split('-')
packet.sourceHost = splited[0].split(':')[0]
packet.destinationHost = splited[1].split(':')[0]
packet.sourcePort = splited[0].split(':')[1]
packet.destinationPort = splited[1].split(':')[1]
all_packets.append(packet)
# conn closed.
if conn_dict[key].closed():
conn_dict[key].finish()
del conn_dict[key]
# begin tcp connection.
elif tcp_pac.syn and not tcp_pac.ack:
conn_dict[key] = TcpConnection(tcp_pac)
elif utils.is_request(tcp_pac.body):
# tcp init before capture, we start from a possible http request header.
conn_dict[key] = TcpConnection(tcp_pac)
except (FileNotFoundError, FileParsingException):
raise FileParsingException("parse_pcap failed to parse " +
str(file_path))
# finish connection which not close yet
for conn in conn_dict.values():
conn.finish()
return all_packets
def pcap_file(conn_dict, infile):
"""
:type conn_dict: dict
:type infile:file
"""
file_format, head = get_file_format(infile)
if file_format == FileFormat.PCAP:
pcap_file = pcap.PcapFile(infile, head).read_packet
elif file_format == FileFormat.PCAP_NG:
pcap_file = pcapng.PcapngFile(infile, head).read_packet
else:
print("unknown file format.", file=sys.stderr)
sys.exit(1)
_filter = config.get_filter()
for tcp_pac in packet_parser.read_package_r(pcap_file):
# filter
# get time
if CTCore.activity_date_time == "":
CTCore.activity_date_time = datetime.fromtimestamp(
int(str(tcp_pac.micro_second)[:10]))
if CTCore.client.headers["IP"] == "":
CTCore.client.headers["IP"] = tcp_pac.source
if CTCore.client.headers["MAC"] == "":
CTCore.client.headers["MAC"] = tcp_pac.src_mac
if not (_filter.by_ip(tcp_pac.source) or _filter.by_ip(tcp_pac.dest)):
continue
if not (_filter.by_port(tcp_pac.source_port)
or _filter.by_port(tcp_pac.dest_port)):
continue
key = tcp_pac.gen_key()
# we already have this conn
if key in conn_dict:
conn_dict[key].append(tcp_pac)
# conn closed.
if tcp_pac.pac_type == packet_parser.TcpPack.TYPE_CLOSE:
conn_dict[key].finish()
del conn_dict[key]
# begin tcp connection.
elif tcp_pac.pac_type == 1:
conn_dict[key] = HttpConn(tcp_pac)
elif tcp_pac.pac_type == 0:
# tcp init before capture, we found a http request header, begin parse
# if is a http request?
if utils.is_request(tcp_pac.body):
conn_dict[key] = HttpConn(tcp_pac)
def parse_pcap_file(infile):
"""
:type infile:file
"""
conn_dict = OrderedDict()
file_format, head = get_file_format(infile)
if file_format == FileFormat.PCAP:
pcap_file = pcap.PcapFile(infile, head).read_packet
elif file_format == FileFormat.PCAP_NG:
pcap_file = pcapng.PcapngFile(infile, head).read_packet
else:
print("unknown file format.", file=sys.stderr)
sys.exit(1)
_filter = config.get_filter()
for tcp_pac in packet_parser.read_tcp_packet(pcap_file):
# filter
if not (_filter.by_ip(tcp_pac.source) or _filter.by_ip(tcp_pac.dest)):
continue
if not (_filter.by_port(tcp_pac.source_port)
or _filter.by_port(tcp_pac.dest_port)):
continue
key = tcp_pac.gen_key()
# we already have this conn
if key in conn_dict:
conn_dict[key].on_packet(tcp_pac)
# conn closed.
if conn_dict[key].closed():
conn_dict[key].finish()
del conn_dict[key]
# begin tcp connection.
elif tcp_pac.syn and not tcp_pac.ack:
conn_dict[key] = TcpConnection(tcp_pac)
elif utils.is_request(tcp_pac.body):
# tcp init before capture, we start from a possible http request header.
conn_dict[key] = TcpConnection(tcp_pac)
# finish connection which not close yet
for conn in conn_dict.values():
conn.finish()
def process_pcap_file(conn_dict, infile):
file_format, head = get_file_format(infile)
if file_format == FileFormat.PCAP:
pcap_file = pcap.PcapFile(infile, head).read_packet
elif file_format == FileFormat.PCAP_NG:
pcap_file = pcapng.PcapngFile(infile, head).read_packet
else:
print("unknown file format.")
sys.exit(1)
#used for diameter decode
diameterConn = DiameterConn()
_filter = config.get_filter()
for tcp_pac in packet_parser.read_package_r(pcap_file):
# filter
if not (_filter.by_ip(tcp_pac.source) or _filter.by_ip(tcp_pac.dest)):
continue
if not (_filter.by_port(tcp_pac.source_port)
or _filter.by_port(tcp_pac.dest_port)):
continue
#IP Protocol
if (tcp_pac.source_port == 8083 or tcp_pac.dest_port == 8083):
key = tcp_pac.gen_key()
# we already have this conn
if key in conn_dict:
conn_dict[key].append(tcp_pac)
# conn closed.
if tcp_pac.pac_type == packet_parser.TcpPack.TYPE_CLOSE:
for package in conn_dict[key].tcp_pac_list:
msg = Message()
msg.type = 'http'
msg.sourceIP = package[1]
msg.sourcePort = package[2]
msg.destIP = package[3]
msg.destPort = package[4]
msg.body = package[0].body
msg.seconds = package[0].seconds
msg.suseconds = package[0].suseconds
yield msg
del conn_dict[key]
# begin tcp connection.
elif tcp_pac.pac_type == 1:
conn_dict[key] = HttpConn(tcp_pac)
elif tcp_pac.pac_type == 0:
# tcp init before capture, we found a http request header, begin parse
# if is a http request?
if utils.is_request(tcp_pac.body):
conn_dict[key] = HttpConn(tcp_pac)
elif (tcp_pac.source_port in (6553, 16553, 3868)
or tcp_pac.dest_port in (3868, 6553, 16553)):
if len(tcp_pac.body) > 20:
version = struct.unpack('!b', tcp_pac.body[0:1])[0]
message_length = struct.unpack('!I',
b'\x00' + tcp_pac.body[1:4])[0]
Command_Flags = struct.unpack('!b', tcp_pac.body[4:5])[0]
command_code = struct.unpack('!I',
b'\x00' + tcp_pac.body[5:8])[0]
application_ID, hop_by_hop_ID, end_to_end_ID = struct.unpack(
'!III', tcp_pac.body[8:20])
if (version == 1):
#print(version, message_length, command_code)
headerinfo, tree = diameterConn.decode(tcp_pac.body)
body = headerinfo + '\n'
for avp in tree:
body += avp.AVPoutput() + '\n'
msg = Message()
msg.type = 'diameter'
msg.sourceIP = tcp_pac.source
msg.sourcePort = tcp_pac.source_port
msg.destIP = tcp_pac.dest
msg.destPort = tcp_pac.dest_port
msg.body = body
msg.seconds = tcp_pac.seconds
msg.suseconds = tcp_pac.suseconds
yield msg