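def dotransform(request, response):
    """Convert a pcap to libpcap format and return it as a pcapFile entity.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and the
            optional ``sniffMyPackets.outputfld`` field names the work folder.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity carrying the SHA1 and MD5 digests
        of the (converted) file, its output folder and a link label.
    """
    import shutil
    import subprocess
    import tempfile

    pcap = request.value

    # Reuse the caller's work folder, otherwise create a fresh one per run.
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        tmpfolder = '/tmp/' + str(uuid.uuid4())
    if not os.path.exists(tmpfolder):
        os.makedirs(tmpfolder)

    # editcap rewrites the capture in libpcap format. The output goes to a
    # private temp file instead of a fixed, shared '/tmp/output.dmp', and the
    # argument list keeps the pcap path out of any shell parsing.
    fd, dumpfile = tempfile.mkstemp(prefix='editcap-', suffix='.dmp')
    os.close(fd)
    try:
        if subprocess.call(['editcap', pcap, '-F', 'libpcap', dumpfile]) == 0:
            shutil.move(dumpfile, pcap)
        # On a non-zero exit the original file is left untouched and hashed as-is.
    finally:
        if os.path.exists(dumpfile):
            os.remove(dumpfile)

    # One binary read feeds both digests; 'with' closes the handle.
    with open(pcap, 'rb') as fh:
        data = fh.read()

    e = pcapFile(pcap)
    e.sha1hash = hashlib.sha1(data).hexdigest()
    e.md5hash = hashlib.md5(data).hexdigest()
    e.outputfld = tmpfolder
    e.linklabel = 'Ready for use!! :)'
    response += e
    return response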
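def dotransform(request, response):
    """Capture packets on an interface using a user-entered BPF filter.

    Args:
        request: Maltego request; ``request.value`` is the output folder, the
            ``sniffMyPackets.interface`` field names the capture interface and
            the optional ``sniffMyPackets.count`` field caps the packet count.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the written capture, or a
        UIMessage if the filter prompt was cancelled.
    """
    interface = request.fields['sniffMyPackets.interface']
    tmpfolder = request.value
    fileName = tmpfolder + '/' + str(int(time())) + '-filtered.pcap'

    # Default to 300 packets when the entity carries no count.
    if 'sniffMyPackets.count' in request.fields:
        pktcount = int(request.fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    msg = 'Enter bpf filter'
    title = 'L0 - Capture Packets with BPF [SmP]'
    fieldValues = multenterbox(msg, title, ["Filter"])
    # The dialog returns None when cancelled (easygui); indexing None would raise.
    if not fieldValues:
        return response + UIMessage('No BPF filter entered, capture cancelled')
    bpf_filter = fieldValues[0]

    pkts = sniff(iface=interface, count=pktcount, filter=bpf_filter)
    wrpcap(fileName, pkts)

    e = pcapFile(fileName)
    e.outputfld = tmpfolder
    response += e
    return response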
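def dotransform(request, response):
    """Return a pcapFile entity for every .pcap/.cap file in a folder.

    Args:
        request: Maltego request; ``request.value`` is the folder to scan.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one hashed pcapFile entity per capture file, or a
        UIMessage when the folder does not exist.
    """
    folder = request.value
    file_ext = (".pcap", ".cap")

    if not os.path.exists(folder):
        return response + UIMessage("Whoops, that folder doesnt exist")

    # Match on the real suffix rather than a substring, so e.g. 'x.cap.txt' is
    # skipped and no file is emitted twice; sorted() makes the order stable.
    for path in sorted(glob.glob(folder + "/*")):
        if not path.endswith(file_ext):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        e = pcapFile(path)
        e.sha1hash = hashlib.sha1(data).hexdigest()
        e.outputfld = folder
        e.md5hash = hashlib.md5(data).hexdigest()
        response += e
    return response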
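def dotransform(request, response):
    """Extract the traffic for one host/port from a pcap into a file under /tmp.

    Args:
        request: Maltego request; ``pcapsrc`` is the source pcap path and
            ``sniffMyPackets.hostsrc`` / ``sniffMyPackets.hostsport`` give the
            host and port handed to tcpdump. The ``proto``, ``hostdst`` and
            ``hostdport`` fields are not used by the filter.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the filtered capture (SHA1 and
        packet count attached), or a UIMessage if tcpdump failed.
    """
    import subprocess

    pcap = request.fields['pcapsrc']
    srcip = str(request.fields['sniffMyPackets.hostsrc'])
    sport = str(request.fields['sniffMyPackets.hostsport'])
    filename = '/tmp/' + srcip + '-' + sport + '.pcap'

    # Argument list instead of a shell string: entity values reach tcpdump
    # verbatim and cannot smuggle in extra shell commands.
    cmd = ['tcpdump', '-r', pcap, '-w', filename, 'host', srcip, 'and', 'port', sport]
    if subprocess.call(cmd) != 0:
        return response + UIMessage('tcpdump failed to filter ' + pcap)

    pktcount = len(rdpcap(filename))
    with open(filename, 'rb') as fh:
        sha1sum = hashlib.sha1(fh.read()).hexdigest()

    e = pcapFile(filename)
    e.sha1hash = sha1sum
    e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
    e.linklabel = '# of pkts:' + str(pktcount)
    e.linkcolor = 0x669900
    response += e
    return response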
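def dotransform(request, response):
    """Extract the traffic for one host/port from a pcap into the output folder.

    Args:
        request: Maltego request; ``pcapsrc`` is the source pcap path,
            ``sniffMyPackets.outputfld`` the folder for the result, and
            ``sniffMyPackets.hostsrc`` / ``sniffMyPackets.hostsport`` the host
            and port handed to tcpdump. ``request.value`` prefixes the file
            name. The ``proto``, ``hostdst`` and ``hostdport`` fields are not
            used by the filter.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the filtered capture (SHA1 and
        packet count attached), or a UIMessage if tcpdump failed.
    """
    import subprocess

    pcap = request.fields['pcapsrc']
    srcip = str(request.fields['sniffMyPackets.hostsrc'])
    sport = str(request.fields['sniffMyPackets.hostsport'])
    folder = request.fields['sniffMyPackets.outputfld']
    filename = folder + '/' + str(request.value) + '-' + srcip + '.pcap'

    # Argument list instead of a shell string: entity values reach tcpdump
    # verbatim and cannot smuggle in extra shell commands.
    cmd = ['tcpdump', '-r', pcap, '-w', filename, 'host', srcip, 'and', 'port', sport]
    if subprocess.call(cmd) != 0:
        return response + UIMessage('tcpdump failed to filter ' + pcap)

    pktcount = len(rdpcap(filename))
    with open(filename, 'rb') as fh:
        sha1sum = hashlib.sha1(fh.read()).hexdigest()

    e = pcapFile(filename)
    e.sha1hash = sha1sum
    e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
    e.linklabel = '# of pkts:' + str(pktcount)
    e.linkcolor = 0x669900
    response += e
    return response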
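def dotransform(request, response):
    """Capture packets on an interface using a user-entered BPF filter.

    Args:
        request: Maltego request; ``request.value`` is the output folder, the
            ``sniffMyPackets.interface`` field names the capture interface and
            the optional ``sniffMyPackets.count`` field caps the packet count.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the written capture, or a
        UIMessage if the filter prompt was cancelled.
    """
    interface = request.fields['sniffMyPackets.interface']
    tmpfolder = request.value
    fileName = tmpfolder + '/' + str(int(time())) + '-filtered.pcap'

    # Default to 300 packets when the entity carries no count.
    if 'sniffMyPackets.count' in request.fields:
        pktcount = int(request.fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    msg = 'Enter bpf filter'
    title = 'L0 - Capture Packets with BPF [SmP]'
    fieldValues = multenterbox(msg, title, ["Filter"])
    # The dialog returns None when cancelled (easygui); indexing None would raise.
    if not fieldValues:
        return response + UIMessage('No BPF filter entered, capture cancelled')
    bpf_filter = fieldValues[0]

    pkts = sniff(iface=interface, count=pktcount, filter=bpf_filter)
    wrpcap(fileName, pkts)

    e = pcapFile(fileName)
    e.outputfld = tmpfolder
    response += e
    return response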
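def dotransform(request, response):
    """Return a pcapFile entity for every .pcap/.cap file in a folder.

    Args:
        request: Maltego request; ``request.value`` is the folder to scan.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one hashed pcapFile entity per capture file, or a
        UIMessage when the folder does not exist.
    """
    folder = request.value
    file_ext = ('.pcap', '.cap')

    if not os.path.exists(folder):
        return response + UIMessage('Whoops, that folder doesnt exist')

    # Match on the real suffix rather than a substring, so e.g. 'x.cap.txt' is
    # skipped and no file is emitted twice; sorted() makes the order stable.
    for path in sorted(glob.glob(folder + '/*')):
        if not path.endswith(file_ext):
            continue
        with open(path, 'rb') as fh:
            data = fh.read()
        e = pcapFile(path)
        e.sha1hash = hashlib.sha1(data).hexdigest()
        e.outputfld = folder
        e.md5hash = hashlib.md5(data).hexdigest()
        response += e
    return response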
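def dotransform(request, response):
    """Return the stream pcaps recorded in the database for a pcap path.

    Args:
        request: Maltego request; ``request.value`` is the pcap path stored
            under ``"PCAP Path"`` in the INDEX collection.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with a pcapFile entity per stream file, or a UIMessage
        explaining why none could be returned.
    """
    pcap = request.value

    if config["working/usedb"] == 0:
        return response + UIMessage("No database support configured, check your config file")

    x = mongo_connect()

    # One query instead of count()+find(); the last matching document wins,
    # exactly as when the original loop overwrote sessionid each iteration.
    try:
        matches = list(x.INDEX.find({"PCAP Path": pcap}, {"PCAP ID": 1, "_id": 0}))
        if not matches:
            return response + UIMessage("PCAP not found, is the SessionID correct??")
        sessionid = matches[-1]["PCAP ID"]
    except Exception as err:
        return response + UIMessage(str(err))

    try:
        streams = list(x.STREAMS.find({"PCAP ID": sessionid}, {"File Name": 1, "_id": 0}))
        if not streams:
            return response + UIMessage("No streams found for that Session ID")
        for doc in streams:
            response += pcapFile(doc["File Name"])
    except Exception as err:
        return response + UIMessage(str(err))
    return response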
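def dotransform(request, response):
    """Return the pcap named by ``request.value`` as a pcapFile entity with its SHA1.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with the new entity appended.
    """
    pcap = request.value
    # 'with' closes the handle even if hashing raises.
    with open(pcap, 'rb') as fh:
        filehash = hashlib.sha1(fh.read()).hexdigest()
    e = pcapFile(pcap)
    e.sha1hash = filehash
    response += e
    return response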
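def dotransform(request, response):
    """Rewrite the IP addresses of a pcap so it can be replayed elsewhere.

    The first IP packet's source defines the "old" client side; packets sent
    by it get the new source/destination pair, packets sent to it get the pair
    swapped. IP and TCP checksums are deleted so scapy recomputes them on write.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and
            ``sniffMyPackets.outputfld`` the folder for the rewritten copy.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the rewritten capture, or a
        UIMessage if the prompt was cancelled or the pcap has no IP packet.
    """
    pcap = request.value
    pkts = rdpcap(pcap)
    folder = request.fields['sniffMyPackets.outputfld']
    # basename instead of a fixed [42:] slice, which broke for any other path length.
    new_file = folder + '/replay-' + os.path.basename(pcap)

    msg = 'Enter the new IPs to rewrite the pcap file with'
    title = 'L0 - Rewrite pcap file for replay [SmP]'
    fieldValues = multenterbox(msg, title, ["New Source IP", "New Destination IP"])
    # The dialog returns None when cancelled (easygui).
    if not fieldValues or len(fieldValues) < 2:
        return response + UIMessage('No IP addresses entered, rewrite cancelled')
    new_src, new_dst = fieldValues[0], fieldValues[1]

    ip_pkts = [p for p in pkts if p.haslayer(IP)]
    if not ip_pkts:
        return response + UIMessage('No IP packets in ' + pcap + ', nothing to rewrite')
    old_src = ip_pkts[0][IP].src

    for p in ip_pkts:
        # Drop stale checksums only on layers that exist; a non-TCP packet has
        # no TCP layer to index.
        del p[IP].chksum
        if p.haslayer(TCP):
            del p[TCP].chksum
        # elif: a packet rewritten by the first rule must not be re-matched by
        # the reverse rule (possible when new_dst happens to equal old_src).
        if p[IP].src == old_src:
            p[IP].src = new_src
            p[IP].dst = new_dst
        elif p[IP].dst == old_src:
            p[IP].src = new_dst
            p[IP].dst = new_src

    wrpcap(new_file, pkts)

    e = pcapFile(new_file)
    e.linklabel = 'New pcap\nsrc:' + str(new_src) + '\ndst:' + str(new_dst)
    e.linkcolor = 0x33CC33
    e.outputfld = folder
    e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
    response += e
    return response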
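def dotransform(request, response):
    """Capture packets on an interface and save them under the request folder.

    Args:
        request: Maltego request; ``request.value`` is the output folder, the
            ``sniffMyPackets.interface`` field names the capture interface and
            the optional ``sniffMyPackets.count`` field caps the packet count.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the written capture.
    """
    interface = request.fields['sniffMyPackets.interface']
    tmpfolder = request.value
    fileName = tmpfolder + '/' + str(int(time())) + '.pcap'

    # Default to 300 packets when the entity carries no count.
    if 'sniffMyPackets.count' in request.fields:
        pktcount = int(request.fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    wrpcap(fileName, sniff(iface=interface, count=pktcount))

    e = pcapFile(fileName)
    e.outputfld = tmpfolder
    response += e
    return response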
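def dotransform(request, response):
    """Return the stream pcaps recorded in the database for a pcap path.

    Args:
        request: Maltego request; ``request.value`` is the pcap path stored
            under ``"PCAP Path"`` in the INDEX collection.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with a pcapFile entity per stream file, or a UIMessage
        explaining why none could be returned.
    """
    pcap = request.value

    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    x = mongo_connect()

    # One query instead of count()+find(); the last matching document wins,
    # exactly as when the original loop overwrote sessionid each iteration.
    try:
        matches = list(x.INDEX.find({"PCAP Path": pcap}, {"PCAP ID": 1, "_id": 0}))
        if not matches:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        sessionid = matches[-1]['PCAP ID']
    except Exception as err:
        return response + UIMessage(str(err))

    try:
        streams = list(x.STREAMS.find({"PCAP ID": sessionid}, {"File Name": 1, "_id": 0}))
        if not streams:
            return response + UIMessage('No streams found for that Session ID')
        for doc in streams:
            response += pcapFile(doc['File Name'])
    except Exception as err:
        return response + UIMessage(str(err))
    return response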
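def dotransform(request, response):
    """Return the alert pcap named by the ``dumpfile`` field as a pcapFile entity.

    Args:
        request: Maltego request; the ``dumpfile`` field is the pcap path and
            ``sniffMyPackets.outputfld`` its folder.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity (SHA1/MD5 attached), or a
        UIMessage if either field is missing.
    """
    # Only a missing field is expected here; other errors should surface.
    try:
        output_file = request.fields['dumpfile']
        folder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage('No Alert pcap available..sorry.')

    # One binary read feeds both digests; 'with' closes the handle.
    with open(output_file, 'rb') as fh:
        data = fh.read()

    e = pcapFile(output_file)
    e.sha1hash = hashlib.sha1(data).hexdigest()
    e.outputfld = folder
    e.md5hash = hashlib.md5(data).hexdigest()
    response += e
    return response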
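def dotransform(request, response):
    """Return the pcap(s) indexed in the database under a session id.

    Args:
        request: Maltego request; ``request.value`` is the ``"PCAP ID"`` to
            look up in the INDEX collection.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with a pcapFile entity per indexed path, or a UIMessage
        explaining why none could be returned.
    """
    sessionid = request.value

    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    x = mongo_connect()

    # One query instead of count()+find().
    try:
        docs = list(x.INDEX.find({"PCAP ID": sessionid}, {"_id": 0}))
        if not docs:
            return response + UIMessage('PCAP not found, is the SessionID correct??')
        for doc in docs:
            response += pcapFile(doc['PCAP Path'])
    except Exception as err:
        return response + UIMessage(str(err))
    return response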
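def dotransform(request, response):
    """Capture packets on an interface, save them under /tmp and hash the file.

    Args:
        request: Maltego request; ``request.value`` is the capture interface
            and the optional ``sniffMyPackets.count`` field caps the packet
            count.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the written capture, SHA1
        attached.
    """
    interface = request.value
    fileName = '/tmp/' + str(int(time())) + '.pcap'

    # Default to 300 packets when the entity carries no count.
    if 'sniffMyPackets.count' in request.fields:
        pktcount = int(request.fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    wrpcap(fileName, sniff(iface=interface, count=pktcount))

    # 'with' closes the handle even if hashing raises.
    with open(fileName, 'rb') as fh:
        sha1hash = hashlib.sha1(fh.read()).hexdigest()

    e = pcapFile(fileName)
    e.sha1hash = sha1hash
    response += e
    return response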
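def dotransform(request, response):
    """Return the pcap(s) indexed in the database under a session id.

    Args:
        request: Maltego request; ``request.value`` is the ``"PCAP ID"`` to
            look up in the INDEX collection.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with a pcapFile entity per indexed path, or a UIMessage
        explaining why none could be returned.
    """
    sessionid = request.value

    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    x = mongo_connect()

    # One query instead of count()+find().
    try:
        docs = list(x.INDEX.find({"PCAP ID": sessionid}, {"_id": 0}))
        if not docs:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        for doc in docs:
            response += pcapFile(doc['PCAP Path'])
    except Exception as err:
        return response + UIMessage(str(err))
    return response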
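def dotransform(request, response):
    """Split a pcap into one libpcap file per UDP conversation and return them.

    A conversation is an unordered (ip, port) pair; both directions land in the
    same stream file. Each file is hashed, counted and returned as a pcapFile
    entity linked back to the source pcap.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and
            ``sniffMyPackets.outputfld`` the folder for the stream files.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one pcapFile entity per UDP stream, or a UIMessage
        when no output folder is set.
    """
    import subprocess

    pcap = request.value
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage('No output folder defined, run the L0 - Prepare pcap transform')

    pkts = rdpcap(pcap)

    # Unique conversations in first-seen order; the reverse direction of a
    # known pair is the same conversation (the tshark filter is symmetric).
    convos = []
    for p in pkts:
        if not (p.haslayer(IP) and p.haslayer(UDP)):
            continue
        s_ip = p[IP].src if p[IP].src is not None else ''
        d_ip = p[IP].dst if p[IP].dst is not None else ''
        s_port = p[UDP].sport if p[UDP].sport is not None else ''
        d_port = p[UDP].dport if p[UDP].dport is not None else ''
        convo = (s_ip, s_port, d_ip, d_port)
        reverse = (d_ip, d_port, s_ip, s_port)
        if convo not in convos and reverse not in convos:
            convos.append(convo)

    # Carve each conversation with tshark. Argument lists mean packet-derived
    # addresses and ports are never shell-parsed, and call() waits for tshark
    # to finish before the dump is converted below.
    stream_file = []
    for counter, (s_ip, s_port, d_ip, d_port) in enumerate(convos):
        dumpfile = tmpfolder + '/udp-stream' + str(counter) + '.dump'
        dfilter = ('(ip.addr eq %s and ip.addr eq %s) and (udp.port eq %s and udp.port eq %s)'
                   % (s_ip, d_ip, s_port, d_port))
        subprocess.call(['tshark', '-r', pcap, '-R', dfilter, '-w', dumpfile])
        stream_file.append((counter, dumpfile))

    # Convert each dump to libpcap, drop the dump, then hash and count.
    for counter, dump in stream_file:
        cut = tmpfolder + '/udp-stream' + str(counter) + '.pcap'
        subprocess.call(['editcap', dump, '-F', 'libpcap', cut])
        if os.path.exists(dump):
            os.remove(dump)

        # tshark prints one line per packet; a failed read counts as 0 packets,
        # matching what '| wc -l' produced before.
        try:
            pktcount = len(subprocess.check_output(['tshark', '-r', cut]).splitlines())
        except (OSError, subprocess.CalledProcessError):
            pktcount = 0

        with open(cut, 'rb') as fh:
            data = fh.read()

        e = pcapFile(cut)
        e.sha1hash = hashlib.sha1(data).hexdigest()
        e.outputfld = tmpfolder
        e.md5hash = hashlib.md5(data).hexdigest()
        e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
        e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
        e.linklabel = 'UDP - # of pkts:' + str(pktcount)
        response += e
    return response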
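def dotransform(request, response):
    """Split a pcap into TCP/UDP stream files and optionally index them in MongoDB.

    With ``config['working/usedb'] > 0`` the pcap is located by MD5 in the
    session index and every stream file is recorded in the STREAMS collection
    (unless already present); otherwise the streams go to a fresh folder under
    ``config['working/directory']``. Each stream file becomes a pcapFile entity.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one pcapFile per stream file, or a UIMessage on error.
    """
    pcap = request.value
    usedb = config['working/usedb']
    folder = ''
    pcap_id = None
    streams = None

    if usedb > 0:
        x = mongo_connect()
        streams = x['STREAMS']
        # The session record supplies the pcap id and its working folder.
        try:
            d = find_session(md5_for_file(pcap))
            pcap_id = d[0]
            folder = d[2]
        except Exception as err:
            return response + UIMessage(str(err))
    else:
        w = config['working/directory'].strip('\'')
        if w == '':
            return response + UIMessage(
                'No working directory set, check your config file')
        try:
            folder = w + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(folder):
                os.makedirs(folder)
        except Exception as err:
            # str() for consistency with every other error path here.
            return response + UIMessage(str(err))

    # Create TCP/UDP stream files
    s = create_streams(pcap, folder)

    if usedb > 0:
        for i in s:
            streamid = str(uuid.uuid4())[:8]
            try:
                pkcount = packet_count(i)
                pcap_time = get_time(i)
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as err:
                return response + UIMessage(str(err))

            # The file name minus folder and '.pcap' is split into five tokens:
            # presumably 'proto-src:sport-dst:dport' as emitted by create_streams
            # (confirm there). A malformed name used to raise IndexError.
            raw = i[len(folder) + 1:-5]
            pkt = raw.replace('-', ' ').replace(':', ' ').split()
            if len(pkt) < 5:
                return response + UIMessage('Unexpected stream file name: ' + i)

            # Pairs, not a dict literal, so the field order really is preserved
            # on Pythons whose dict is unordered.
            data = OrderedDict([
                ('PCAP ID', pcap_id),
                ('Stream ID', streamid),
                ('Folder', folder),
                ('Packet Count', pkcount),
                ('File Name', i),
                ('First Packet', pcap_time[0]),
                ('Last Packet', pcap_time[1]),
                ('MD5 Hash', md5hash),
                ('SHA1 Hash', sha1hash),
                ('Packet', {
                    'Protocol': pkt[0],
                    'Source IP': pkt[1],
                    'Source Port': pkt[2],
                    'Destination IP': pkt[3],
                    'Destination Port': pkt[4],
                }),
            ])

            # Insert only when no record for this file exists yet.
            try:
                if streams.find_one({"File Name": i}) is None:
                    streams.insert(data)
            except Exception as err:
                return response + UIMessage(str(err))

    # Create Maltego entities for each pcap file
    for p in s:
        response += pcapFile(p)
    return response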
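def dotransform(request, response):
    """Filter a pcap by source IP, destination IP, TCP port and/or payload text.

    Any subset of the four prompt fields may be filled in; a packet is kept if
    it matches any filled-in criterion (OR across criteria). Matches are
    written in capture order, each packet at most once.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and
            ``sniffMyPackets.outputfld`` the folder for the result file.
        response: Maltego response that the entity is appended to.

    Returns:
        ``response`` with a pcapFile entity for the results, or a UIMessage
        when the prompt was cancelled, the port is not numeric or nothing
        matched.
    """
    pcap = request.value
    pkts = rdpcap(pcap)
    folder = request.fields['sniffMyPackets.outputfld']
    new_file = folder + '/search-results-' + str(int(time())) + '.pcap'

    msg = 'Enter Search Criteria'
    title = 'L0 - Simple pcap search [SmP]'
    fieldValues = multenterbox(msg, title, ["Source", "Destination", "Port", "Free Text"])
    # The dialog returns None when cancelled (easygui).
    if not fieldValues or len(fieldValues) < 4:
        return response + UIMessage('Search cancelled, no criteria entered')
    # An empty field means "no constraint".
    s_ip, d_ip, port, text = [v if v != '' else None for v in fieldValues[:4]]

    if port is not None:
        try:
            port = int(port)
        except ValueError:
            return response + UIMessage('Port must be a number: ' + str(port))
    if text is not None and not isinstance(text, bytes):
        # Raw.load is bytes on Python 3; compare like with like.
        text = text.encode('utf-8')

    def _matches(p):
        # Original semantics, minus the no-op 'and not None' clauses.
        if p.haslayer(IP):
            if s_ip is not None and p[IP].src == s_ip:
                return True
            if d_ip is not None and p[IP].dst == d_ip:
                return True
        if port is not None and p.haslayer(TCP):
            if port == p[TCP].sport or port == p[TCP].dport:
                return True
        if text is not None and p.haslayer(Raw) and text in p[Raw].load:
            return True
        return False

    # One pass keeps capture order and never adds the same packet twice.
    r_pkts = [p for p in pkts if _matches(p)]
    if not r_pkts:
        return response + UIMessage('Sorry no packets found!!')
    wrpcap(new_file, r_pkts)
    pktcount = len(r_pkts)

    e = pcapFile(new_file)
    e.outputfld = folder
    e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
    e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
    e.linklabel = 'Search Results'
    response += e
    return response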
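def dotransform(request, response):
    """Split a pcap into one libpcap file per TCP stream and return them.

    tshark enumerates the ``tcp.stream`` indices, carves each stream into a
    dump file, and editcap converts it; every result is hashed, counted and
    returned as a pcapFile entity linked to the source pcap.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and
            ``sniffMyPackets.outputfld`` the folder for the stream files.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one pcapFile entity per TCP stream, or a UIMessage
        when no output folder is set or tshark cannot list the streams.
    """
    import subprocess

    pcap = request.value
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage('No output folder defined, run the L0 - Prepare pcap transform')

    # One tcp.stream index per packet (blank for non-TCP packets); keep the
    # unique non-empty ones in first-seen order.
    try:
        listing = subprocess.check_output(['tshark', '-r', pcap, '-T', 'fields', '-e', 'tcp.stream'])
    except (OSError, subprocess.CalledProcessError) as err:
        return response + UIMessage('tshark failed to list TCP streams: ' + str(err))
    stream_index = []
    for line in listing.decode('utf-8', 'replace').splitlines():
        idx = line.strip()
        if idx and idx not in stream_index:
            stream_index.append(idx)

    # Carve each stream. Argument lists keep the pcap path and index out of
    # any shell, and call() waits so the dump is complete before conversion.
    stream_file = []
    for idx in stream_index:
        dumpfile = tmpfolder + '/tcp-stream' + idx + '.dump'
        subprocess.call(['tshark', '-r', pcap, 'tcp.stream eq ' + idx, '-w', dumpfile])
        stream_file.append((idx, dumpfile))

    # Convert each dump to libpcap, drop the dump, then hash and count.
    for idx, dump in stream_file:
        cut = tmpfolder + '/tcp-stream' + idx + '.pcap'
        subprocess.call(['editcap', dump, '-F', 'libpcap', cut])
        if os.path.exists(dump):
            os.remove(dump)

        # tshark prints one line per packet; a failed read counts as 0 packets,
        # matching what '| wc -l' produced before.
        try:
            pktcount = len(subprocess.check_output(['tshark', '-r', cut]).splitlines())
        except (OSError, subprocess.CalledProcessError):
            pktcount = 0

        with open(cut, 'rb') as fh:
            data = fh.read()

        e = pcapFile(cut)
        e.sha1hash = hashlib.sha1(data).hexdigest()
        e.outputfld = tmpfolder
        e.md5hash = hashlib.md5(data).hexdigest()
        e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
        e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
        e.linklabel = 'TCP - # of pkts:' + str(pktcount)
        response += e
    return response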
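def dotransform(request, response):
    """Split a pcap into one libpcap file per UDP conversation and return them.

    A conversation is an unordered (ip, port) pair; both directions land in the
    same stream file. Each file is hashed, counted and returned as a pcapFile
    entity linked back to the source pcap.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and
            ``sniffMyPackets.outputfld`` the folder for the stream files.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one pcapFile entity per UDP stream, or a UIMessage
        when no output folder is set.
    """
    import subprocess

    pcap = request.value
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage(
            'No output folder defined, run the L0 - Prepare pcap transform')

    pkts = rdpcap(pcap)

    # Unique conversations in first-seen order; the reverse direction of a
    # known pair is the same conversation (the tshark filter is symmetric).
    convos = []
    for p in pkts:
        if not (p.haslayer(IP) and p.haslayer(UDP)):
            continue
        s_ip = p[IP].src if p[IP].src is not None else ''
        d_ip = p[IP].dst if p[IP].dst is not None else ''
        s_port = p[UDP].sport if p[UDP].sport is not None else ''
        d_port = p[UDP].dport if p[UDP].dport is not None else ''
        convo = (s_ip, s_port, d_ip, d_port)
        reverse = (d_ip, d_port, s_ip, s_port)
        if convo not in convos and reverse not in convos:
            convos.append(convo)

    # Carve each conversation with tshark. Argument lists mean packet-derived
    # addresses and ports are never shell-parsed, and call() waits for tshark
    # to finish before the dump is converted below.
    stream_file = []
    for counter, (s_ip, s_port, d_ip, d_port) in enumerate(convos):
        dumpfile = tmpfolder + '/udp-stream' + str(counter) + '.dump'
        dfilter = ('(ip.addr eq %s and ip.addr eq %s) and (udp.port eq %s and udp.port eq %s)'
                   % (s_ip, d_ip, s_port, d_port))
        subprocess.call(['tshark', '-r', pcap, '-R', dfilter, '-w', dumpfile])
        stream_file.append((counter, dumpfile))

    # Convert each dump to libpcap, drop the dump, then hash and count.
    for counter, dump in stream_file:
        cut = tmpfolder + '/udp-stream' + str(counter) + '.pcap'
        subprocess.call(['editcap', dump, '-F', 'libpcap', cut])
        if os.path.exists(dump):
            os.remove(dump)

        # tshark prints one line per packet; a failed read counts as 0 packets,
        # matching what '| wc -l' produced before.
        try:
            pktcount = len(subprocess.check_output(['tshark', '-r', cut]).splitlines())
        except (OSError, subprocess.CalledProcessError):
            pktcount = 0

        with open(cut, 'rb') as fh:
            data = fh.read()

        e = pcapFile(cut)
        e.sha1hash = hashlib.sha1(data).hexdigest()
        e.outputfld = tmpfolder
        e.md5hash = hashlib.md5(data).hexdigest()
        e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
        e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
        e.linklabel = 'UDP - # of pkts:' + str(pktcount)
        response += e
    return response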
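def dotransform(request, response):
    """Split a pcap into TCP/UDP stream files and optionally index them in MongoDB.

    With ``config['working/usedb'] > 0`` the pcap is located by MD5 in the
    session index and every stream file is recorded in the STREAMS collection
    (unless already present); otherwise the streams go to a fresh folder under
    ``config['working/directory']``. Each stream file becomes a pcapFile entity.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one pcapFile per stream file, or a UIMessage on error.
    """
    pcap = request.value
    usedb = config['working/usedb']
    folder = ''
    pcap_id = None
    streams = None

    if usedb > 0:
        x = mongo_connect()
        streams = x['STREAMS']
        # The session record supplies the pcap id and its working folder.
        try:
            d = find_session(md5_for_file(pcap))
            pcap_id = d[0]
            folder = d[2]
        except Exception as err:
            return response + UIMessage(str(err))
    else:
        w = config['working/directory'].strip('\'')
        if w == '':
            return response + UIMessage('No working directory set, check your config file')
        try:
            folder = w + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(folder):
                os.makedirs(folder)
        except Exception as err:
            # str() for consistency with every other error path here.
            return response + UIMessage(str(err))

    # Create TCP/UDP stream files
    s = create_streams(pcap, folder)

    if usedb > 0:
        for i in s:
            streamid = str(uuid.uuid4())[:8]
            try:
                pkcount = packet_count(i)
                pcap_time = get_time(i)
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as err:
                return response + UIMessage(str(err))

            # The file name minus folder and '.pcap' is split into five tokens:
            # presumably 'proto-src:sport-dst:dport' as emitted by create_streams
            # (confirm there). A malformed name used to raise IndexError.
            raw = i[len(folder) + 1:-5]
            pkt = raw.replace('-', ' ').replace(':', ' ').split()
            if len(pkt) < 5:
                return response + UIMessage('Unexpected stream file name: ' + i)

            # Pairs, not a dict literal, so the field order really is preserved
            # on Pythons whose dict is unordered.
            data = OrderedDict([
                ('PCAP ID', pcap_id),
                ('Stream ID', streamid),
                ('Folder', folder),
                ('Packet Count', pkcount),
                ('File Name', i),
                ('First Packet', pcap_time[0]),
                ('Last Packet', pcap_time[1]),
                ('MD5 Hash', md5hash),
                ('SHA1 Hash', sha1hash),
                ('Packet', {
                    'Protocol': pkt[0],
                    'Source IP': pkt[1],
                    'Source Port': pkt[2],
                    'Destination IP': pkt[3],
                    'Destination Port': pkt[4],
                }),
            ])

            # Insert only when no record for this file exists yet.
            try:
                if streams.find_one({"File Name": i}) is None:
                    streams.insert(data)
            except Exception as err:
                return response + UIMessage(str(err))

    # Create Maltego entities for each pcap file
    for p in s:
        response += pcapFile(p)
    return response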
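def dotransform(request, response):
    """Split a pcap into one libpcap file per TCP stream and return them.

    tshark enumerates the ``tcp.stream`` indices, carves each stream into a
    dump file, and editcap converts it; every result is hashed, counted and
    returned as a pcapFile entity linked to the source pcap.

    Args:
        request: Maltego request; ``request.value`` is the pcap path and
            ``sniffMyPackets.outputfld`` the folder for the stream files.
        response: Maltego response that the entities are appended to.

    Returns:
        ``response`` with one pcapFile entity per TCP stream, or a UIMessage
        when no output folder is set or tshark cannot list the streams.
    """
    import subprocess

    pcap = request.value
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage(
            'No output folder defined, run the L0 - Prepare pcap transform')

    # One tcp.stream index per packet (blank for non-TCP packets); keep the
    # unique non-empty ones in first-seen order.
    try:
        listing = subprocess.check_output(['tshark', '-r', pcap, '-T', 'fields', '-e', 'tcp.stream'])
    except (OSError, subprocess.CalledProcessError) as err:
        return response + UIMessage('tshark failed to list TCP streams: ' + str(err))
    stream_index = []
    for line in listing.decode('utf-8', 'replace').splitlines():
        idx = line.strip()
        if idx and idx not in stream_index:
            stream_index.append(idx)

    # Carve each stream. Argument lists keep the pcap path and index out of
    # any shell, and call() waits so the dump is complete before conversion.
    stream_file = []
    for idx in stream_index:
        dumpfile = tmpfolder + '/tcp-stream' + idx + '.dump'
        subprocess.call(['tshark', '-r', pcap, 'tcp.stream eq ' + idx, '-w', dumpfile])
        stream_file.append((idx, dumpfile))

    # Convert each dump to libpcap, drop the dump, then hash and count.
    for idx, dump in stream_file:
        cut = tmpfolder + '/tcp-stream' + idx + '.pcap'
        subprocess.call(['editcap', dump, '-F', 'libpcap', cut])
        if os.path.exists(dump):
            os.remove(dump)

        # tshark prints one line per packet; a failed read counts as 0 packets,
        # matching what '| wc -l' produced before.
        try:
            pktcount = len(subprocess.check_output(['tshark', '-r', cut]).splitlines())
        except (OSError, subprocess.CalledProcessError):
            pktcount = 0

        with open(cut, 'rb') as fh:
            data = fh.read()

        e = pcapFile(cut)
        e.sha1hash = hashlib.sha1(data).hexdigest()
        e.outputfld = tmpfolder
        e.md5hash = hashlib.md5(data).hexdigest()
        e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
        e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
        e.linklabel = 'TCP - # of pkts:' + str(pktcount)
        response += e
    return response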