def pcap_to_object(pcap_file, obj_file):
"""Create a Python serialized graph object.
Read the pcap file given in parameter, extracts source and destination IP
and write a serialized graph object.
"""
dic_ip = ip_dict()
reader = ppcap.Reader(filename=pcap_file)
if options.verbose:
print("Reading pcap file...")
for ts, buf in reader:
eth = ethernet.Ethernet(buf)
if eth[ip.IP] is not None:
# print("%d: %s:%s -> %s:%s" % (ts, eth[ip.IP].src_s,
# eth[tcp.TCP].sport, eth[ip.IP].dst_s,
# eth[tcp.TCP].dport))
dic_ip[eth[ip.IP].src_s][eth[ip.IP].dst_s] += 1
if options.verbose:
print("Serialization...")
dic_obj = open(obj_file, "wb")
pickle.dump(dic_ip, dic_obj)
dic_obj.close()
def gen_samples(pcap_name, mac, window=25, step=1, is_time_slice=True):
pcap = ppcap.Reader(pcap_name, lowest_layer=radiotap.Radiotap)
if is_time_slice:
return time_slice_pcap(pcap, window, step)
else:
return pkt_slice_pcap(pcap, window, step)
def map_pcap(f, pcap_name, lowest_layer=None, pktfilter=None):
pcap = ppcap.Reader(pcap_name, lowest_layer=lowest_layer, pktfilter=pktfilter)
xs, ys = [], []
bt = None
for ts, buf in pcap:
if bt is None: bt = ts
xs.append((ts - bt)/(60 * 10**9))
ys.append(f(buf))
return xs, ys
def readndump_capfile(infile_name="bugpackets.pcap"):
outfile_name = infile_name + "_buggyagain.pcap"
#print("will store bug-packets to: %s" % outfile_name)
pcap_in = ppcap.Reader(filename=infile_name)
pcap_out = ppcap.Writer(filename=outfile_name)
for ts, bts in pcap_in:
pass_or_dump(bts, pcap_out)
pcap_in.close()
pcap_out.close()
def get_pcap(fname, cnt=1000):
"""
Read cnt packets from a pcap file, default: 1000
"""
packet_bytes = []
pcap = ppcap.Reader(fname)
for ts, buf in pcap:
packet_bytes.append(buf)
cnt -= 1
if cnt <= 0:
break
pcap.close()
return packet_bytes
def show_pcap(fname, cnt=1000):
"""
Read cnt packets from a pcap file, default: 1000
"""
f = open(fname, "rb")
pcap = ppcap.Reader(f)
cnt = 0
for ts, buf in pcap:
cnt += 1
"""
if cnt > 1:
continue
"""
print(">>> read packet %d" % cnt)
rt = radiotap.Radiotap(buf)
print("%r" % rt)
print("%r" % rt.ieee80211)
try:
print("%r" % rt.ieee80211.dataframe)
except:
try:
print("%r" % rt.ieee80211.assocreq)
except:
try:
print("%r" % rt.ieee80211.beacon)
except:
try:
print("%r" % rt.ieee80211.proberesp)
except:
try:
print("%r" % rt.ieee80211.probereq)
except:
print("%r" % rt.ieee80211.assocresp)
f.close()
Usage: %(app)s pcap_file src_ip src_port dst_ip dst_port
Ex: %(app)s test.pcap 192.168.1.1 10000 192.168.1.2 20000
""" % {"app": app})
if len(sys.argv) != 6:
usage(sys.argv[0])
sys.exit(1)
app, pcap_file, src_ip, src_port, dst_ip, dst_port = sys.argv
src_port = int(src_port)
dst_port = int(dst_port)
#print(pcap_file)
preader = ppcap.Reader(filename=pcap_file)
#print(dir(preader))
def handle_packet(o, src_ip, src_port, dst_ip, dst_port):
if not (o[ip.IP].src_s == src_ip and o[udp.UDP].sport == src_port
and o[ip.IP].dst_s == dst_ip and o[udp.UDP].dport == dst_port):
return
r = rtp.RTP(o[udp.UDP].body_bytes)
print("%d: pt=%s ts=%s seqnum=%s" % (ts, r.pt, r.ts, r.seq))
sys.stdout.write("payload: ")
for b in r.body_bytes:
sys.stdout.write(hex(b) + " ")
from pypacker import ppcap
from pypacker.layer12 import ethernet
from pypacker.layer3 import ip
from pypacker.layer4 import tcp
import struct
def u32(x):
return struct.unpack('<I', x)[0]
preader = ppcap.Reader(filename="HideInSSL.pcap")
npic = 0
data = {}
response = {}
keys = []
need_to_add = False
for ts, buf in preader:
eth = ethernet.Ethernet(buf)
try:
if eth[ethernet.Ethernet, ip.IP, tcp.TCP] is not None:
if eth[tcp.TCP].dport == 443 and eth.ip.dst_s == "192.168.0.128":
for record in eth.ip.tcp.ssl.records:
if record.type == 22:
x = len("\x01\x00\x00\xab\x03\x03[\x1e\x7f\\")
body_len = len(eth.ip.tcp.ssl.records[0].body_bytes)
length = u32(record.body_bytes[x:x + 4])
def main():
#override some warning settings in pypacker. May need to change this to .CRITICAL in the future, but for now we're trying .ERROR
#without this when parsing http for example we get "WARNINGS" when packets aren't quite right in the header.
logger = pypacker.logging.getLogger("pypacker")
pypacker.logger.setLevel(pypacker.logging.ERROR)
counter = 0
startTime = time.time()
tcpCheck = False
dhcpCheck = False
httpCheck = False
icmpCheck = False #not enabled in lower code at this point due to tracking features I'm not willing to code at this time.
smbCheck = False
#read in fingerprints
[sExactList, saExactList, sPartialList,
saPartialList] = satoriTCP.BuildTCPFingerprintFiles()
[
DiscoverOptionsExactList, DiscoverOptionsPartialList,
RequestOptionsExactList, RequestOptionsPartialList,
ReleaseOptionsExactList, ReleaseOptionsPartialList,
ACKOptionsExactList, ACKOptionsPartialList, AnyOptionsExactList,
AnyOptionsPartialList, InformOptionsExactList,
InformOptionsPartialList, DiscoverOption55ExactList,
DiscoverOption55PartialList, RequestOption55ExactList,
RequestOption55PartialList, ReleaseOption55ExactList,
ReleaseOption55PartialList, ACKOption55ExactList,
ACKOption55PartialList, AnyOption55ExactList, AnyOption55PartialList,
InformOption55ExactList, InformOption55PartialList,
DiscoverVendorCodeExactList, DiscoverVendorCodePartialList,
RequestVendorCodeExactList, RequestVendorCodePartialList,
ReleaseVendorCodeExactList, ReleaseVendorCodePartialList,
ACKVendorCodeExactList, ACKVendorCodePartialList,
AnyVendorCodeExactList, AnyVendorCodePartialList,
InformVendorCodeExactList, InformVendorCodePartialList,
DiscoverTTLExactList, DiscoverTTLPartialList, RequestTTLExactList,
RequestTTLPartialList, ReleaseTTLExactList, ACKTTLExactList,
AnyTTLExactList, InformTTLExactList, ACKTTLPartialList,
AnyTTLPartialList, InformTTLPartialList, NAKOptionsPartialList,
NAKOptionsExactList, NAKOption55PartialList, NAKOption55ExactList,
NAKVendorCodePartialList, NAKVendorCodeExactList, NAKTTLPartialList,
NAKTTLExactList, OfferOptionsPartialList, OfferOptionsExactList,
OfferOption55PartialList, OfferOption55ExactList,
OfferVendorCodePartialList, OfferVendorCodeExactList,
OfferTTLPartialList, OfferTTLExactList, DeclineOptionsPartialList,
DeclineOptionsExactList, DeclineOption55PartialList,
DeclineOption55ExactList, DeclineVendorCodePartialList,
DeclineVendorCodeExactList, DeclineTTLPartialList, DeclineTTLExactList
] = satoriDHCP.BuildDHCPFingerprintFiles()
[useragentExactList,
useragentPartialList] = satoriHTTP.BuildHTTPUserAgentFingerprintFiles()
[serverExactList,
serverPartialList] = satoriHTTP.BuildHTTPServerFingerprintFiles()
#[icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList] = satoriICMP.BuildICMPFingerprintFiles()
[nativeExactList, lanmanExactList, nativePartialList,
lanmanPartialList] = satoriSMB.BuildSMBTCPFingerprintFiles()
[browserExactList,
browserPartialList] = satoriSMB.BuildSMBUDPFingerprintFiles()
if len(modules) == 0:
#no preference so we'll run all modules we have
tcpCheck = True
dhcpCheck = True
httpCheck = True
icmpCheck = True
smbCheck = True
else:
#requested a specific one, so lets only enable what was asked for
mod = modules.split(',')
for i in range(len(mod)):
if (mod[i].lower() == 'tcp'):
tcpCheck = True
elif (mod[i].lower() == 'dhcp'):
dhcpCheck = True
elif (mod[i].lower() == 'http'):
httpCheck = True
elif (mod[i].lower() == 'icmp'):
icmpCheck = True
elif (mod[i].lower() == 'smb'):
smbCheck = True
if (
directory != ''
): #probably a better way to do this and dupe most of the below code from preader section, but DHCP passing parameters into a procedure sucks.
onlyfiles = [
f for f in os.listdir(directory)
if os.path.isfile(os.path.join(directory, f))
]
for f in onlyfiles:
#print(f, end='\n', flush=True)
try:
preader = ppcap.Reader(filename=directory + '/' + f)
for ts, buf in preader:
try:
counter = counter + 1
ts = ts / 1000000000
(pkt, layer, tcpPacket, dhcpPacket, httpPacket,
udpPacket) = packetType(buf)
if tcpPacket and tcpCheck:
satoriTCP.tcpProcess(pkt, layer, ts, sExactList,
saExactList, sPartialList,
saPartialList)
if dhcpPacket and dhcpCheck:
satoriDHCP.dhcpProcess(
pkt, layer, ts, DiscoverOptionsExactList,
DiscoverOptionsPartialList,
RequestOptionsExactList,
RequestOptionsPartialList,
ReleaseOptionsExactList,
ReleaseOptionsPartialList, ACKOptionsExactList,
ACKOptionsPartialList, AnyOptionsExactList,
AnyOptionsPartialList, InformOptionsExactList,
InformOptionsPartialList,
DiscoverOption55ExactList,
DiscoverOption55PartialList,
RequestOption55ExactList,
RequestOption55PartialList,
ReleaseOption55ExactList,
ReleaseOption55PartialList,
ACKOption55ExactList, ACKOption55PartialList,
AnyOption55ExactList, AnyOption55PartialList,
InformOption55ExactList,
InformOption55PartialList,
DiscoverVendorCodeExactList,
DiscoverVendorCodePartialList,
RequestVendorCodeExactList,
RequestVendorCodePartialList,
ReleaseVendorCodeExactList,
ReleaseVendorCodePartialList,
ACKVendorCodeExactList,
ACKVendorCodePartialList,
AnyVendorCodeExactList,
AnyVendorCodePartialList,
InformVendorCodeExactList,
InformVendorCodePartialList,
DiscoverTTLExactList, DiscoverTTLPartialList,
RequestTTLExactList, RequestTTLPartialList,
ReleaseTTLExactList, ACKTTLExactList,
AnyTTLExactList, InformTTLExactList,
ACKTTLPartialList, AnyTTLPartialList,
InformTTLPartialList, NAKOptionsPartialList,
NAKOptionsExactList, NAKOption55PartialList,
NAKOption55ExactList, NAKVendorCodePartialList,
NAKVendorCodeExactList, NAKTTLPartialList,
NAKTTLExactList, OfferOptionsPartialList,
OfferOptionsExactList,
OfferOption55PartialList,
OfferOption55ExactList,
OfferVendorCodePartialList,
OfferVendorCodeExactList, OfferTTLPartialList,
OfferTTLExactList, DeclineOptionsPartialList,
DeclineOptionsExactList,
DeclineOption55PartialList,
DeclineOption55ExactList,
DeclineVendorCodePartialList,
DeclineVendorCodeExactList,
DeclineTTLPartialList, DeclineTTLExactList)
if httpPacket and httpCheck:
satoriHTTP.httpUserAgentProcess(
pkt, layer, ts, useragentExactList,
useragentPartialList)
satoriHTTP.httpServerProcess(
pkt, layer, ts, serverExactList,
serverPartialList)
# if (eth[ethernet.Ethernet, ip.IP, icmp.ICMP] is not None) and icmpCheck:
# satoriICMP.icmpProcess(eth, ts, icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList)
if tcpPacket and smbCheck:
satoriSMB.smbTCPProcess(pkt, layer, ts,
nativeExactList,
lanmanExactList,
nativePartialList,
lanmanPartialList)
if udpPacket and smbCheck:
satoriSMB.smbUDPProcess(pkt, layer, ts,
browserExactList,
browserPartialList)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
except:
pass
# print('File was not pcap format')
# sys.exit(1)
elif (readpcap != ''):
try:
preader = ppcap.Reader(filename=readpcap)
except:
print('File was not pcap format', end='\n', flush=True)
sys.exit(1)
for ts, buf in preader:
try:
counter = counter + 1
ts = ts / 1000000000
(pkt, layer, tcpPacket, dhcpPacket, httpPacket,
udpPacket) = packetType(buf)
if tcpPacket and tcpCheck:
satoriTCP.tcpProcess(pkt, layer, ts, sExactList,
saExactList, sPartialList,
saPartialList)
if dhcpPacket and dhcpCheck:
satoriDHCP.dhcpProcess(
pkt, layer, ts, DiscoverOptionsExactList,
DiscoverOptionsPartialList, RequestOptionsExactList,
RequestOptionsPartialList, ReleaseOptionsExactList,
ReleaseOptionsPartialList, ACKOptionsExactList,
ACKOptionsPartialList, AnyOptionsExactList,
AnyOptionsPartialList, InformOptionsExactList,
InformOptionsPartialList, DiscoverOption55ExactList,
DiscoverOption55PartialList, RequestOption55ExactList,
RequestOption55PartialList, ReleaseOption55ExactList,
ReleaseOption55PartialList, ACKOption55ExactList,
ACKOption55PartialList, AnyOption55ExactList,
AnyOption55PartialList, InformOption55ExactList,
InformOption55PartialList, DiscoverVendorCodeExactList,
DiscoverVendorCodePartialList,
RequestVendorCodeExactList,
RequestVendorCodePartialList,
ReleaseVendorCodeExactList,
ReleaseVendorCodePartialList, ACKVendorCodeExactList,
ACKVendorCodePartialList, AnyVendorCodeExactList,
AnyVendorCodePartialList, InformVendorCodeExactList,
InformVendorCodePartialList, DiscoverTTLExactList,
DiscoverTTLPartialList, RequestTTLExactList,
RequestTTLPartialList, ReleaseTTLExactList,
ACKTTLExactList, AnyTTLExactList, InformTTLExactList,
ACKTTLPartialList, AnyTTLPartialList,
InformTTLPartialList, NAKOptionsPartialList,
NAKOptionsExactList, NAKOption55PartialList,
NAKOption55ExactList, NAKVendorCodePartialList,
NAKVendorCodeExactList, NAKTTLPartialList,
NAKTTLExactList, OfferOptionsPartialList,
OfferOptionsExactList, OfferOption55PartialList,
OfferOption55ExactList, OfferVendorCodePartialList,
OfferVendorCodeExactList, OfferTTLPartialList,
OfferTTLExactList, DeclineOptionsPartialList,
DeclineOptionsExactList, DeclineOption55PartialList,
DeclineOption55ExactList, DeclineVendorCodePartialList,
DeclineVendorCodeExactList, DeclineTTLPartialList,
DeclineTTLExactList)
if httpPacket and httpCheck:
satoriHTTP.httpUserAgentProcess(pkt, layer, ts,
useragentExactList,
useragentPartialList)
satoriHTTP.httpServerProcess(pkt, layer, ts,
serverExactList,
serverPartialList)
# if (eth[ethernet.Ethernet, ip.IP, icmp.ICMP] is not None) and icmpCheck:
# satoriICMP.icmpProcess(eth, ts, icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList)
if tcpPacket and smbCheck:
satoriSMB.smbTCPProcess(pkt, layer, ts, nativeExactList,
lanmanExactList, nativePartialList,
lanmanPartialList)
if udpPacket and smbCheck:
satoriSMB.smbUDPProcess(pkt, layer, ts, browserExactList,
browserPartialList)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
elif interface != '':
try:
preader = pcapy.open_live(interface, 65536, False, 1)
#highly recommended to add something like this for a bpf filter on a high throughput connection (4 Gb/s link script sorta died on me in testing)
#assuming only doing -m http
#preader.setfilter('tcp port 80 or tcp port 8080')
except Exception as e:
print(e, end='\n', flush=True)
sys.exit(1)
while True:
try:
counter = counter + 1
(header, buf) = preader.next()
ts = header.getts()[0]
(pkt, layer, tcpPacket, dhcpPacket, httpPacket,
udpPacket) = packetType(buf)
if tcpPacket and tcpCheck:
satoriTCP.tcpProcess(pkt, layer, ts, sExactList,
saExactList, sPartialList,
saPartialList)
if dhcpPacket and dhcpCheck:
satoriDHCP.dhcpProcess(
pkt, layer, ts, DiscoverOptionsExactList,
DiscoverOptionsPartialList, RequestOptionsExactList,
RequestOptionsPartialList, ReleaseOptionsExactList,
ReleaseOptionsPartialList, ACKOptionsExactList,
ACKOptionsPartialList, AnyOptionsExactList,
AnyOptionsPartialList, InformOptionsExactList,
InformOptionsPartialList, DiscoverOption55ExactList,
DiscoverOption55PartialList, RequestOption55ExactList,
RequestOption55PartialList, ReleaseOption55ExactList,
ReleaseOption55PartialList, ACKOption55ExactList,
ACKOption55PartialList, AnyOption55ExactList,
AnyOption55PartialList, InformOption55ExactList,
InformOption55PartialList, DiscoverVendorCodeExactList,
DiscoverVendorCodePartialList,
RequestVendorCodeExactList,
RequestVendorCodePartialList,
ReleaseVendorCodeExactList,
ReleaseVendorCodePartialList, ACKVendorCodeExactList,
ACKVendorCodePartialList, AnyVendorCodeExactList,
AnyVendorCodePartialList, InformVendorCodeExactList,
InformVendorCodePartialList, DiscoverTTLExactList,
DiscoverTTLPartialList, RequestTTLExactList,
RequestTTLPartialList, ReleaseTTLExactList,
ACKTTLExactList, AnyTTLExactList, InformTTLExactList,
ACKTTLPartialList, AnyTTLPartialList,
InformTTLPartialList, NAKOptionsPartialList,
NAKOptionsExactList, NAKOption55PartialList,
NAKOption55ExactList, NAKVendorCodePartialList,
NAKVendorCodeExactList, NAKTTLPartialList,
NAKTTLExactList, OfferOptionsPartialList,
OfferOptionsExactList, OfferOption55PartialList,
OfferOption55ExactList, OfferVendorCodePartialList,
OfferVendorCodeExactList, OfferTTLPartialList,
OfferTTLExactList, DeclineOptionsPartialList,
DeclineOptionsExactList, DeclineOption55PartialList,
DeclineOption55ExactList, DeclineVendorCodePartialList,
DeclineVendorCodeExactList, DeclineTTLPartialList,
DeclineTTLExactList)
if httpPacket and httpCheck:
satoriHTTP.httpUserAgentProcess(pkt, layer, ts,
useragentExactList,
useragentPartialList)
satoriHTTP.httpServerProcess(pkt, layer, ts,
serverExactList,
serverPartialList)
# if (eth[ethernet.Ethernet, ip.IP, icmp.ICMP] is not None) and icmpCheck:
# satoriICMP.icmpProcess(eth, ts, icmpExactList, icmpDataExactList, icmpPartialList, icmpDataPartialList)
if tcpPacket and smbCheck:
satoriSMB.smbTCPProcess(pkt, layer, ts, nativeExactList,
lanmanExactList, nativePartialList,
lanmanPartialList)
if udpPacket and smbCheck:
satoriSMB.smbUDPProcess(pkt, layer, ts, browserExactList,
browserPartialList)
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
else: #we should never get here with "proceed" check, but just in case
print("Not sure how we got here", end='\n', flush=True)
endTime = time.time()
totalTime = endTime - startTime
if verbose:
print('Total Time: %s, Total Packets: %s, Packets/s: %s' %
(totalTime, counter, counter / totalTime))
import socket
import pypacker.pypacker as pypacker
from pypacker.pypacker import Packet
from pypacker import ppcap
from pypacker import psocket
from pypacker.layer12 import arp, ethernet, ieee80211, prism
from pypacker.layer3 import ip, icmp
from pypacker.layer4 import udp, tcp
from pypacker.layer567 import radius
#import dpkt
from pypacker import pcapng
#pcap_file = ppcap.Reader(filename="TEST_Radius.pcap")
#pcap_file = pcapng.Reader(filename="TEST_Radius.pcap")
pcap_file = ppcap.Reader(filename="TEST_Radius.pcap")
cnt = 1
for ts, buf in pcap_file:
if (cnt == 3):
break
print(cnt)
cnt += 1
eth = ethernet.Ethernet(buf)
eth2 = ethernet.Ethernet(buf)
print("Packet :%s " % eth2)
u = udp.UDP
if eth[u] is not None:
print("(%s):%s:%s->(%s)%s:%s" %
(eth.src_s, eth[ip.IP].src_s, eth[u].sport, eth.dst_s,
eth[ip.IP].dst_s, eth[u].dport))
if (eth[radius.Radius] is not None):
print("RADIUS")
parser.add_argument('file', help='the pcap file to process')
parser.add_argument('-c', '--config', help='configuration file')
parser.add_argument('-a',
'--available-properties',
dest='availableproperties',
help='list the available properties from the file',
action='store_true')
args = parser.parse_args()
requestedattributes = []
if args.config is not None:
with open(args.config) as c:
for line in c:
requestedattributes.append(line.rstrip())
pcap = ppcap.Reader(filename=args.file)
def isproperty(member):
if inspect.ismethod(member):
return False
if inspect.isfunction(member):
return False
return True
printedattribues = []
generatingattribues = args.availableproperties
def traversePackets(prop, parentstring, packet):
icmp.ICMP(type=8) +\
icmp.ICMP.Echo(id=1, ts=123456789, body_bytes=b"12345678901234567890")
print(packet1)
print(packet1.direction)
if packet1.is_direction(packet2, Packet.DIR_SAME):
print("same direction for packet 1/2")
elif packet1.is_direction(packet2, Packet.DIR_REV):
print("reverse direction for packet 1/2")
else:
print("unknown direction for packet 1/2, type: %d" % dir)
#
# read packets from pcap-file using pypacker-reader
#
pcap = ppcap.Reader(filename="packets_ether.pcap")
cnt = 0
for ts, buf in pcap:
cnt += 1
eth = ethernet.Ethernet(buf)
if eth[tcp.TCP] is not None:
print("%d: %s:%s -> %s:%s" % (ts, eth[ip.IP].src_s, eth[tcp.TCP].sport,
eth[ip.IP].dst_s, eth[tcp.TCP].dport))
pcap.close()
#
# send/receive packets to/from network using raw sockets
#
try:
psock = psocket.SocketHndl(timeout=10)
