class WrpcapSink(Sink):
"""Packets received on low input are written to PCAP file
.. code::
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
"""
def __init__(self, fname, name=None, linktype=None):
Sink.__init__(self, name=name)
self.fname = fname
self.f = None
self.linktype = linktype
def start(self):
self.f = PcapWriter(self.fname, linktype=self.linktype)
def stop(self):
if self.f:
self.f.flush()
self.f.close()
def push(self, msg):
if msg:
self.f.write(msg)
def clsMessagesByIp(fileFrom, fileTo):
packages = scapy.rdpcap(fileFrom)
t_results = {}
for p in packages:
srcIp = MessageConvert.getClsSrcIp(p)
desIp = MessageConvert.getClsDesIp(p)
if srcIp == 'null' or desIp == 'null':
continue
mesKeyFirst = srcIp + desIp
mesKeySecond = desIp + srcIp
if mesKeyFirst in t_results:
t_results[mesKeyFirst].append(p)
elif (mesKeySecond in t_results):
t_results[mesKeySecond].append(p)
else:
t_results[mesKeyFirst] = []
t_results[mesKeyFirst].append(p)
for key in t_results:
t_temp = t_results[key]
t_writer = PcapWriter('%s%s.pcap' %(fileTo, key), append=True)
#t_writer = PcapWriter('/home/wxw/data/cip_datanew/' + key + '.pcap', append=True)
for p in t_results[key]:
t_writer.write(p)
t_writer.flush()
t_writer.close()
class WrpcapSink(Sink):
"""
Writes :py:class:`Packet` on the low entry to a ``pcap`` file.
Ignores all messages on the high entry.
.. note::
Due to limitations of the ``pcap`` format, all packets **must** be of
the same link type. This class will not mutate packets to conform with
the expected link type.
.. code::
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
:param fname: Filename to write packets to.
:type fname: str
:param linktype: See :py:attr:`linktype`.
:type linktype: None or int
.. py:attribute:: linktype
Set an explicit link-type (``DLT_``) for packets. This must be an
``int`` or ``None``.
This is the same as the :py:func:`wrpcap` ``linktype`` parameter.
If ``None`` (the default), the linktype will be auto-detected on the
first packet. This field will *not* be updated with the result of this
auto-detection.
This attribute has no effect after calling :py:meth:`PipeEngine.start`.
"""
def __init__(self, fname, name=None, linktype=None):
# type: (str, Optional[str], Optional[int]) -> None
Sink.__init__(self, name=name)
self.fname = fname
self.f = None # type: Optional[PcapWriter]
self.linktype = linktype
def start(self):
# type: () -> None
self.f = PcapWriter(self.fname, linktype=self.linktype)
def stop(self):
# type: () -> None
if self.f:
self.f.flush()
self.f.close()
def push(self, msg):
# type: (Packet) -> None
if msg and self.f:
self.f.write(msg)
def gen_traffic(self, output_filename,
dst_ip_addr, dst_mac, src_mac="00:00:00:00:00:01",
ip_num=10000, packet_num=500000, payload="Normal Traffic pkts"):
print("PAcket Number: %d" % packet_num)
if not output_filename.endswith(".pcap"):
print("Invalid PCAP filename! Exiting...")
return
self.pcap_filename = output_filename
self.ip_hc_filename = str.join(".", output_filename.split(".")[:-1]) + "_ip_hc.txt"
self.ip_fake_ttl_filename = str.join(".", output_filename.split(".")[:-1]) + "_fake_ttl.txt"
# show modify request
request = "Generating " + output_filename + " with\n"
if src_mac is not None:
request += " src mac:" + src_mac + "\n"
if dst_mac is not None:
request += " dst mac:" + dst_mac + "\n"
if dst_ip_addr is not None:
request += " dst ip addr:" + dst_ip_addr + "\n"
print(request + "\n")
pcap_writer = PcapWriter(output_filename)
src_ips = []
src_hosts_with_ttl = {}
for i in range(packet_num):
if len(self.src_hosts) < ip_num:
# pick a random src ip
src_ip = self.__generate_ip()
# pick a random hc
ttl = self.__generate_rand_ttl()
else:
src_ip = src_ips[random.randint(0, len(src_ips) - 1)]
ttl = src_hosts_with_ttl[src_ip]
# calculate ttl according to hc
pkt = Ether(src=src_mac, dst=dst_mac)/IP(src=self.__ip_int2str(src_ip), dst=dst_ip_addr, ttl=ttl)/TCP(flags=0x10)/payload
pcap_writer.write(pkt)
if src_ip not in src_ips:
src_ips.append(src_ip)
src_hosts_with_ttl[src_ip] = ttl
self.src_hosts[src_ip] = self.__ttl2hc(ttl)
if i % 10000 == 0:
print("%d packets have been produced\n" % i)
print(str(len(self.src_hosts)) + " source hosts produced")
print("Writing ip,hc dict into " + self.ip_hc_filename + "...")
with open(self.ip_hc_filename, "w") as f:
json.dump(self.src_hosts, f)
f.close()
pcap_writer.flush()
pcap_writer.close()
def save(p):
global filepath
global filename
if _is_need_change(filepath,filename):
filename = _change_filename(filepath,filename)
print "modifying filename: {}".format(filename)
writer = PcapWriter(filepath+filename,append=True)
writer.write(p)
writer.flush()
writer.close()
if _is_need_change(filepath,filename):
shutil.move(filepath+filename,toUploadPath+filename)
def modify_traffic(self, output_filename, fake_ttl=False,
src_mac=None, dst_mac=None, src_ip_addr=None, dst_ip_addr=None):
if fake_ttl is True and len(self.src_hosts_with_fake_ttl) == 0:
print("Please extract ip2hc table before modify traffic with fake ttl.")
# show modify request
request = "Generating " + output_filename + " with\n"
if fake_ttl:
request += " fake ttl\n"
if src_mac is not None:
request += " src mac:" + src_mac + "\n"
if dst_mac is not None:
request += " dst mac:" + dst_mac + "\n"
if src_ip_addr is not None:
request += " src ip addr:" + src_ip_addr + "\n"
if dst_ip_addr is not None:
request += " dst ip addr:" + dst_ip_addr + "\n"
print(request + "\n")
pcap_reader = PcapReader(self.pcap_filename)
pcap_writer = PcapWriter(output_filename)
counter = 0
while True:
pkt = pcap_reader.read_packet()
if pkt is None:
break
if not pkt.haslayer('Ether') or not pkt.haslayer('IP'):
continue
# ipv4 packets
counter += 1
ip_int = self.__ip_str2int(pkt['IP'].src)
if fake_ttl:
pkt['IP'].ttl = self.src_hosts_with_fake_ttl[ip_int]
if src_mac is not None:
pkt['Ethernet'].src = src_mac
if dst_mac is not None:
pkt['Ethernet'].dst = dst_mac
if src_ip_addr is not None:
pkt['IP'].src = src_ip_addr
if dst_ip_addr is not None:
pkt['IP'].dst = dst_ip_addr
pcap_writer.write(pkt)
if counter % 10000 == 0:
print("%d packets have been processed\n" % counter)
pcap_writer.flush()
pcap_writer.close()
pcap_reader.close()
class WrpcapSink(Sink):
"""Packets received on low input are written to PCA file
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
"""
def __init__(self, fname):
self.f = PcapWriter(fname)
def stop(self):
self.f.flush()
def push(self, msg):
self.f.write(msg)
class WrpcapSink(Sink):
"""Packets received on low input are written to PCA file
+----------+
>>-| |->>
| |
>-|--[pcap] |->
+----------+
"""
def __init__(self, fname):
self.f = PcapWriter(fname)
def stop(self):
self.f.flush()
def push(self, msg):
self.f.write(msg)
def scapy_sniff(self):
file = open('iface.setting', 'r')
iface = file.read()
file.close()
if iface == 'None':
data = sniff(prn=lambda x: x.summary()) #scapy的sniff嗅探
else:
data = sniff(iface=iface, prn=lambda x: x.summary())
print("Start analyzing packets...")
file = "sniff_data/" + time.strftime('%Y_%m_%d_%H_%M_%S') + ".pcap"
writer = PcapWriter(file, append=True)
for i in data:
writer.write(i)
writer.flush()
writer.close()
def classify_bysrc(file_name, file_to):
packages = scapy.rdpcap(file_name)
t_results = {}
for p in packages:
if (get_srcip(p) + get_dstip(p) in t_results):
t_results[get_srcip(p) + get_dstip(p)].append(p)
elif (get_dstip(p) + get_srcip(p) in t_results):
t_results[get_dstip(p) + get_srcip(p)].append(p)
else:
t_results[get_srcip(p) + get_dstip(p)] = []
t_results[get_srcip(p) + get_dstip(p)].append(p)
for key in t_results:
t_temp = t_results[key]
t_writer = PcapWriter(file_to + key + '.pcap', append=True)
for p in t_results[key]:
t_writer.write(p)
t_writer.flush()
t_writer.close()
def split_pcap(self, filename, rate):
package_pr = scapy.PcapReader(filename)
package_one = []
i = 1
while (True):
package = package_pr.read_packet()
if package is None:
break
package_one.append(package)
package_pr.close()
length = len(package_one)
i = 0
final_len = int(length * length)
t_writer = PcapWriter('/home/wxw/data/Ethernetip/' + 'modbus_pure' +
'.pcap',
append=True)
for p in package_one[0:final_len]:
t_writer.write(p)
t_writer.flush()
t_writer.close()
def noise_remove(self, filename, protocolname, t_lo):
package_two = FileCapture(filename)
package_pr = scapy.PcapReader(filename)
package_one = []
i = 1
while (True):
package = package_pr.read_packet()
if package is None:
break
package_one.append(package)
package_pr.close()
package_three = []
length = len(package_one)
i = 0
while (i < length):
if package_two[i].layers[t_lo].layer_name == protocolname:
package_three.append(package_one[i])
i = i + 1
t_writer = PcapWriter('/home/wxw/data/' + 'modbus_pure' + '.pcap',
append=True)
for p in package_three:
t_writer.write(p)
t_writer.flush()
t_writer.close()
def PCAPwrite(file_name, packets):
writer = PcapWriter(file_name, append=True)
for p in packets:
writer.write(p)
writer.flush()
writer.close()
def gen_spoofing_attack(self, output_filename,
dst_ip_addr, dst_mac, src_mac="00:00:00:00:00:11",
syn=True, ack=True, udp=True,
packet_num=500000, payload="Spoofing pkts"):
if len(self.src_hosts_with_fake_ttl) == 0:
print("Please extract ip2hc table before modify traffic with fake ttl.")
# convert dict to array
src_hosts_array = []
for (src_ip, hc) in self.src_hosts.items():
src_hosts_array.append(src_ip)
# show modify request
request = "Generating " + output_filename + " including\n"
if syn:
request += " spoofing SYN packets\n"
if ack:
request += " spoofing ACK packets\n"
if udp:
request += " spoofing UDP packets\n"
request += "with\n"
if src_mac is not None:
request += " src mac:" + src_mac + "\n"
if dst_mac is not None:
request += " dst mac:" + dst_mac + "\n"
if dst_ip_addr is not None:
request += " dst ip addr:" + dst_ip_addr + "\n"
print(request + "\n")
pkt_types = []
if syn:
pkt_types.append("SYN")
if ack:
pkt_types.append("ACK")
if udp:
pkt_types.append("UDP")
pcap_writer = PcapWriter(output_filename)
for i in range(packet_num):
# pick a random packet type
pkt_type = pkt_types[random.randint(0, len(pkt_types) - 1)]
# pick a random src ip
src_host = src_hosts_array[random.randint(0, len(src_hosts_array) - 1)]
# pick a random hc
rand_ttl = self.__generate_rand_ttl()
# calculate ttl according to hc
if pkt_type == "SYN":
pkt = Ether(src=src_mac, dst=dst_mac)/IP(src=self.__ip_int2str(int(src_host)),
dst=dst_ip_addr, ttl=rand_ttl)/TCP(flags=0x02)/payload
elif pkt_type == "ACK":
pkt = Ether(src=src_mac, dst=dst_mac)/IP(src=self.__ip_int2str(int(src_host)),
dst=dst_ip_addr, ttl=rand_ttl)/TCP(flags=0x10)/payload
elif pkt_type == "UDP":
pkt = Ether(src=src_mac, dst=dst_mac)/IP(src=self.__ip_int2str(int(src_host)),
dst=dst_ip_addr, ttl=rand_ttl)/UDP()/payload
pcap_writer.write(pkt)
if i % 10000 == 0:
print("%d packets have been produced\n" % i)
pcap_writer.flush()
pcap_writer.close()
def write(file_name, packets):
writer = PcapWriter(file_name, append = True)
for p in packets:
writer.write(p)
writer.flush()
writer.close()
def write_Packets(self, filePath, datas):
t_writer = PcapWriter(filePath, append=True)
for p in datas:
t_writer.write(p)
t_writer.flush()
t_writer.close()
pcap_name = get_pcap_name(sys.argv[3])
target_pcap = target_path + '/'
target_pcap += "%s_by_%s_part_%d.pcap" % (pcap_name, split_type, i + 1)
writer = PcapWriter(target_pcap)
writer_array.append(writer)
# Start to split according to split type
if split_type == "mod":
split_by_mod(reader)
elif split_type == "mod_execution":
split_by_mod_without_for_train(reader, train_num, split_num)
elif split_type == "random":
split_by_random(reader, split_num)
elif split_type == "random_execution":
split_by_random_without_for_train(reader, train_num, split_num)
elif split_type == "ecmp":
split_by_ecmp(reader, split_num)
elif split_type == "ecmp_execution":
split_by_ecmp_without_for_train(reader, train_num, split_num)
elif split_type == "host":
split_by_host(reader, split_num)
elif split_type == "host_execution":
split_by_host_without_for_train(reader, train_num, split_num)
# Flush and close all parts' writers
for i in range(split_num):
writer = writer_array[i]
writer.flush()
writer.close()
