def main():
parser = argparse.ArgumentParser(
description='Fragments the IPv4 packets in the given PCAP file '
'and writes the results to another file.')
parser.add_argument('input_file')
parser.add_argument('output_file')
parser.add_argument(
'--fragment-size',
'-s',
type=int,
default=500,
help='Fragment size. Packets larger than this are fragmented '
'if their df flag is not set. Defaults to 500.')
args = parser.parse_args()
reader = RawPcapReader(args.input_file)
writer = PcapWriter(args.output_file, append=False, sync=True)
for pkt_data in reader:
p = Ether(pkt_data[0])
if isinstance(
p[1],
IP) and len(p[2]) > args.fragment_size and p[1].flags & 2 != 0:
p = fragment(p, args.fragment_size)
print 'Fragmented packet into {} fragments.'.format(len(p))
writer.write(p)
def scapy_io(f_in, f_out):
f = PcapReader(f_in)
o = PcapWriter(f_out)
pkt = f.read_packet()
while pkt is not None:
o.write(pkt)
pkt = f.read_packet()
f.close()
o.close()
def scapy_io(f_in,f_out):
f = PcapReader(f_in)
o = PcapWriter(f_out)
pkt = f.read_packet()
while pkt is not None:
o.write(pkt)
pkt = f.read_packet()
f.close()
o.close()
class ScapySniffer(ScapyProtocol):
def __init__(self, pcap_filename, *arg, **kw):
self.pcapwriter = PcapWriter(pcap_filename, *arg, **kw)
def packetReceived(self, packet):
self.pcapwriter.write(packet)
def close(self):
self.pcapwriter.close()
def writePCAP(src, dst, data): try: pktdump = PcapWriter(sOutfile + '.pcap', append=True, sync=True) pktinfo = Ether()/IP(src=src[0],dst=dst[0])/TCP(sport=src[1],dport=dst[1])/data pktdump.write(pktinfo) pktdump.close() except Exception as Error: #print(str(Error)) pass
class ScapySniffer(ScapyProtocol):
def __init__(self, pcap_filename, *arg, **kw):
self.pcapwriter = PcapWriter(pcap_filename, *arg, **kw)
def packetReceived(self, packet):
self.pcapwriter.write(packet)
def close(self):
self.pcapwriter.close()
def writePCAP(src, dst, data):
try:
pktdump = PcapWriter(sOutfile + '.pcap', append=True, sync=True)
pktinfo = Ether() / IP(src=src[0], dst=dst[0]) / TCP(
sport=src[1], dport=dst[1]) / data
pktdump.write(pktinfo)
pktdump.close()
except Exception as Error:
#print(str(Error))
pass
def concatenate_files(self, pcap1, pcap2):
'''Appends second file's packets onto the first. For creating pcap files used in
unit testing.'''
pkts1 = rdpcap(pcap1)
pkts1_writer = PcapWriter(pcap1, append=True, sync=True)
pkts2 = rdpcap(pcap2)
for pkt in pkts2:
pkts1_writer.write(pkt)
pkts1 = rdpcap(pcap1)
def _log_packets(self, file_path, client_mac):
with self.log_lock:
cap_writer = PcapWriter(file_path)
if not self.wpa_handshakes[client_mac]['logged']:
self.wpa_handshakes[client_mac]['logged'] = True
for packet in self.wpa_handshakes[client_mac]['packets']:
if Dot11Beacon not in packet:
cap_writer.write(packet)
cap_writer.close()
cap_writer = PcapWriter(file_path, append = True)
for packet in self.wpa_handshakes[client_mac]['packets']:
if Dot11Beacon in packet:
cap_writer.write(packet)
cap_writer.close()
def _log_packets(self, file_path, client_mac):
with self.log_lock:
cap_writer = PcapWriter(file_path)
if not self.wpa_handshakes[client_mac]['logged']:
self.wpa_handshakes[client_mac]['logged'] = True
for packet in self.wpa_handshakes[client_mac]['packets']:
if Dot11Beacon not in packet:
cap_writer.write(packet)
cap_writer.close()
cap_writer = PcapWriter(file_path, append=True)
for packet in self.wpa_handshakes[client_mac]['packets']:
if Dot11Beacon in packet:
cap_writer.write(packet)
cap_writer.close()
def foo(in_filename, out_filename):
# open the input file for reading
f = PcapReader(in_filename)
# open the output file for writing
o = PcapWriter(out_filename)
# read the first packet from the input file
p = f.read_packet()
# while we haven't processed the last packet
while p:
layer = p.firstlayer()
while not isinstance(layer, NoPayload):
if (type(layer) is IPv6):
new_layer = IP()
del new_layer.ihl
new_layer.ttl = layer.hlim
new_layer.proto = layer.nh
new_layer.src = ".".join(map(str, six2four(layer.src)))
new_layer.dst = ".".join(map(str, six2four(layer.dst)))
new_layer.add_payload(layer.payload)
prev_layer = layer.underlayer
del layer
prev_layer.remove_payload()
prev_layer.add_payload(new_layer)
if type(prev_layer) is Ether:
prev_layer.type = ETH_P_IP
layer = new_layer
if layer.default_fields.has_key('chksum'):
del layer.chksum
if layer.default_fields.has_key('len'):
del layer.len
# advance to the next layer
layer = layer.payload
# write the packet we just dissected into the output file
o.write(p)
# read the next packet
p = f.read_packet()
# close the input file
f.close()
# close the output file
o.close()
def main():
parser = argparse.ArgumentParser(
description='Defragments the IPv4 packets in the given PCAP file '
'and writes the results to another file.')
parser.add_argument('input_file')
parser.add_argument('output_file')
args = parser.parse_args()
fragments = []
reader = RawPcapReader(args.input_file)
writer = PcapWriter(args.output_file, append=False, sync=True)
for pkt_data in reader:
p = Ether(pkt_data[0])
if not isinstance(p[1], IP):
writer.write(p)
continue
if p[IP].flags & 1 == 0 and p[IP].frag == 0:
writer.write(p)
continue
fragments += p
fragments = defragment(fragments)
defragged = []
for f in fragments:
if f[IP].flags & 1 == 0 and f[IP].frag == 0:
defragged.append(f)
fragments = [f for f in fragments if f not in defragged]
for df in defragged:
print 'Defragmented packet.'
writer.write(df)
class IDSPcapSniffer:
def __init__(self, config):
self.config = config
def start(self, callback):
# create an sniffer output file, if needed
self.logPackets = self.config.getboolean('Sniffer', 'log_packets')
if self.logPackets:
outputFile = self.config.get('Sniffer', 'output_file')
self.pcapWriter = PcapWriter(outputFile, append=False, sync=True)
# start sniffing with the given filter and callback,
# the appropriate filter will be applied within each module
self.callback = callback
interface = self.config.get('Sniffer', 'interface')
sniff(iface=interface, filter='', prn=self.__snifferCallback)
def __snifferCallback(self, packet):
# append output file with packet
if self.logPackets:
self.pcapWriter.write(packet)
# parse packet
self.callback(str(packet))
from scapy.all import IPv6, Dot1Q, IP, Ether, UDP, TCP
except ModuleNotFoundError as err:
print(err + ": Scapy")
import sys
path = str(sys.argv[1]) + "/pcap/fuzzy.pcap"
pktdump = PcapWriter(path, append=False, sync=True)
for i in range(0, 2000):
# Generate random protocol bases, use a fuzz() over the combined packet
# for full fuzzing.
eth = Ether(src=RandMAC(), dst=RandMAC())
vlan = Dot1Q()
ipv4 = IP(src=RandIP(), dst=RandIP())
ipv6 = IPv6(src=RandIP6(), dst=RandIP6())
udp = UDP(dport=RandShort(), sport=RandShort())
tcp = TCP(dport=RandShort(), sport=RandShort())
# IPv4 packets with fuzzing
pktdump.write(fuzz(eth / ipv4 / udp))
pktdump.write(fuzz(eth / ipv4 / tcp))
pktdump.write(fuzz(eth / vlan / ipv4 / udp))
pktdump.write(fuzz(eth / vlan / ipv4 / tcp))
# IPv6 packets with fuzzing
pktdump.write(fuzz(eth / ipv6 / udp))
pktdump.write(fuzz(eth / ipv6 / tcp))
pktdump.write(fuzz(eth / vlan / ipv6 / udp))
pktdump.write(fuzz(eth / vlan / ipv6 / tcp))
class LAN(Module):
"""
Sniff packets on a local area network.
"""
# Prevent newlines when generating
delimiter = b""
# Global variables
pcap = None
regex = None
xregex = None
debug = False
@classmethod
def add_arguments(self, parser):
parser.add_argument("-n",
"--interface",
action="append",
help="network interface(s) on which to sniff)")
parser.add_argument("-c",
"--count",
type=int,
default=0,
help="number of packets to sniff (all)")
parser.add_argument("-t",
"--timeout",
type=int,
default=None,
help="number of seconds to sniff (infinite)")
parser.add_argument("-f",
"--filter",
type=str,
help="BPF filter to apply")
parser.add_argument("-r",
"--regex",
type=str,
action="append",
default=[],
help="expression(s) to qualify packet (AND)")
parser.add_argument("-x",
"--xregex",
type=str,
action="append",
default=[],
help="expression(s) to disqualify packet (OR)")
parser.add_argument("-m",
"--monitor",
action="store_true",
help="listen in monitor mode (False)")
parser.add_argument("-p",
"--pcap",
action="store_true",
help="output packets as pcap (False)")
parser.add_argument("-d",
"--debug",
action="store_true",
help="unpack and display each captured packet")
def handle(self,
input,
interface=None,
count=0,
timeout=None,
filter=None,
regex=None,
xregex=None,
monitor=False,
pcap=False,
debug=False):
self.debug = debug
# Compile expressions
if regex:
self.regex = [
re.compile(r.encode(), re.DOTALL | re.MULTILINE)
for r in list(regex)
]
if xregex:
self.xregex = [
re.compile(x.encode(), re.DOTALL | re.MULTILINE)
for x in list(xregex)
]
# Output pcap to infinitely iterable file
with IterWriter() as output:
if pcap:
self.pcap = PcapWriter(output, sync=True)
# Configure sniffer and produce sniffer stream
try:
stream = AsyncSniffer(
started_callback=lambda: self.log.info(
"Sniffing interface(s): %s...", interface or conf.iface
),
iface=interface or conf.iface,
count=count,
timeout=timeout,
filter=filter,
lfilter=self._lfilter,
prn=self._prn,
store=False,
monitor=monitor,
)
# Start sniffer stream
stream.start()
# Output pcap data
if pcap:
for data in output:
yield data
if not stream.running and not output.closed:
output.close()
# Wait for stream to complete
stream.join()
except Scapy_Exception as e:
self.log.error(e)
def _prn(self, pkt):
"""
Handle captured packet.
:param object pkt: captured packet
"""
# Show packet summary
self.log.logger.debug(pkt.summary())
# Show packet details
if self.debug:
self.log.logger.info(pkt.show(dump=True))
# Output full pcap
if self.pcap:
self.pcap.write(pkt)
def _lfilter(self, pkt):
"""
Assess potential packet for capture.
:param object pkt: potential packet
:return: whether to capture packet
:rtype: bool
"""
# Check xregex are excluded (OR)
if self.xregex:
for x in self.xregex:
if x.search(raw(pkt)):
return False
# Check regex are included (AND)
if self.regex:
for r in self.regex:
if not r.search(raw(pkt)):
return False
return True
def anonymize_file(input_file: str, output_file: str) -> None:
logger = logging.getLogger(inspect.stack()[0][3])
with PcapReader(input_file) as reader:
writer = PcapWriter(output_file, sync=True)
ssid_number = 0
address_hash = {}
ssid_hash = {}
for frame in reader:
if frame.haslayer(Dot11):
frame_fcs = frame.fcs
logger.info("frame_fcs: %s", hex(frame_fcs))
# raw_fcs = struct.unpack("I", bytes(frame.payload)[-4:])[0]
# matches frame.fcs
crc_bytes = struct.pack(
"I",
zlib.crc32(bytes(frame.payload)[:-4]) & 0xFFFF_FFFF)
crc_int = int.from_bytes(crc_bytes, byteorder="little")
logger.info("crc_int: %s", hex(crc_int))
fcs_match = frame_fcs == crc_int
logger.info("fcs_match: %s", fcs_match)
# anonymize mac addresses
frame[Dot11].addr1 = anonymize_mac(frame.addr1, address_hash)
frame[Dot11].addr2 = anonymize_mac(frame.addr2, address_hash)
frame[Dot11].addr3 = anonymize_mac(frame.addr3, address_hash)
# anonymize SSID and address fields (this code seems problematic in py3)
if args.skip:
logger.info("skipping anonymizing SSID: %s", args.skip)
else:
dot11elt = frame.getlayer(Dot11Elt)
while dot11elt:
logger.info("ie: %s", dot11elt.ID)
if dot11elt.ID == 0:
ssid = anonymize_ssid(dot11elt.info, ssid_number,
ssid_hash)
dot11elt.len = len(ssid)
dot11elt.info = ssid
dot11elt = dot11elt.payload.getlayer(Dot11Elt)
if fcs_match:
# if fcs and crc originally matched, recompute new valid fcs:
fcs = struct.pack(
"I",
zlib.crc32(bytes(frame.payload)[:-4]) & 0xFFFF_FFFF)
else:
# otherwise throw garbage in the fcs which will not validate
fcs = b"\x00\x00\x00\x00"
logger.info("new fcs: %s",
hex(int.from_bytes(fcs, byteorder="little")))
# write anonymized packet
writer.write(RadioTap(bytes(frame)[:-4] + fcs))
logger.info("done")
def _log_packets(self, file_path, client_mac):
cap_writer = PcapWriter(file_path, append=True, sync=True)
for packet in self.wpa_handshakes[client_mac]['packets']:
cap_writer.write(packet)
self.wpa_handshakes[client_mac]['logged'] = True
mac_addr_dst = "80:FF:FF:FF:FF:{:02X}".format(i % 0xff)
src_port = 200 + (i % 20)
dst_port = 1000 + (i % 20)
eth = Ether(src=mac_addr_src, dst=mac_addr_dst)
vlan = Dot1Q(vlan=(i % 10))
udp = UDP(dport=src_port, sport=dst_port)
# IPv4 address range limits to 255 and IPv6 limit to 65535
ipv4_addr_src = "192.168.150." + str((i % 255))
ipv4_addr_dst = "200.100.198." + str((i % 255))
ipv6_addr_src = "2001:0db8:85a3:0000:0000:8a2e:0370:{:04x}" \
.format(i % 0xffff)
ipv6_addr_dst = "3021:ffff:85a3:ffff:0000:8a2e:0480:{:04x}" \
.format(i % 0xffff)
ipv4 = IP(src=ipv4_addr_src, dst=ipv4_addr_dst)
ipv6 = IPv6(src=ipv6_addr_src, dst=ipv6_addr_dst)
tcp = TCP(dport=src_port, sport=dst_port, flags='S')
# IPv4 packets
pkt.append(eth / ipv4 / udp)
pkt.append(eth / ipv4 / tcp)
pkt.append(eth / vlan / ipv4 / udp)
pkt.append(eth / vlan / ipv4 / tcp)
# IPv6 packets
pkt.append(eth / ipv6 / udp)
pkt.append(eth / ipv6 / tcp)
pkt.append(eth / vlan / ipv6 / udp)
pkt.append(eth / vlan / ipv6 / tcp)
pktdump.write(pkt)
