def get_whole_packet_array(pcap_file, proto):
labels = []
arr = get_array_i(pcap_file, proto)
arra = []
pcapa = pcap.pcap(pcap_file)
i = 0
for ts, pkt in pcapa:
i = i + 1
if i not in arr:
continue
try:
ether = Ethernet(pkt)
ip = ether.data
if isinstance(ip, str):
ip = IP(ether.data)
except Exception as e:
try:
ip = IP(pkt)
except:
continue
tcp = ip.data
if isinstance(ip.data, str):
tcp = TCP(ip.data)
#tmparr = []
arra.append(str(pkt).encode("hex"))
return arra
def _packet_parse(self, pktdata):
"""
Parses the protocols in the given packet data and returns the
resulting packet (here, as a dict indexed by the protocol layers
in form of dpkt classes).
"""
layer = Ethernet(pktdata)
pkt = {}
if isinstance(layer.data, IP):
pkt[IP] = layer = layer.data
elif isinstance(layer.data, IP6):
# XXX This does not correctly skip IPv6 extension headers
pkt[IP6] = layer = layer.data
else:
return pkt
if isinstance(layer.data, ICMP):
pkt[ICMP] = layer.data
elif isinstance(layer.data, ICMP6):
pkt[ICMP6] = layer.data
elif isinstance(layer.data, TCP):
pkt[TCP] = layer.data
elif isinstance(layer.data, UDP):
pkt[UDP] = layer.data
elif isinstance(layer.data, SCTP):
pkt[SCTP] = layer.data
return pkt
def get_array(pcap_file, proto):
labels = []
arr = get_array_i(pcap_file, proto)
arra = []
pcapa = pcap.pcap(pcap_file)
i = 0
for ts, pkt in pcapa:
i = i + 1
if i not in arr:
continue
try:
ether = Ethernet(pkt)
ip = ether.data
if isinstance(ip, str):
ip = IP(ether.data)
except Exception as e:
try:
ip = IP(pkt)
except:
continue
tcp = ip.data
if isinstance(ip.data, str):
tcp = TCP(ip.data)
#tmparr = []
arra.append(conv(tcp.data))
labels.append(proto)
return (arra, labels)
def extract_arp(self, packet, timestamp):
'''
Extracts an ARP record from a packet
'''
raw_packet = packet
ethernet_frame = Ethernet(raw_packet)
thetime = time.strftime("%Y%m%d%H%M%S", time.gmtime(timestamp))
arp = ethernet_frame.data
src_mac = hexlify(arp.sha)
src_ip_encoded = hexlify(arp.spa)
dst_ip_encoded = hexlify(arp.tpa)
src_ip = '.'.join(
str(int(i, 16)) for i in ([
src_ip_encoded[i:i + 2]
for i in range(0, len(src_ip_encoded), 2)
]))
dst_ip = '.'.join(
str(int(i, 16)) for i in ([
dst_ip_encoded[i:i + 2]
for i in range(0, len(dst_ip_encoded), 2)
]))
if (self._pba.cfg('debug')):
print src_mac
print src_ip
print dst_ip
record = PBARecordARPRequest(raw_packet, timestamp)
record.assign(thetime, src_mac, src_ip)
return record
def getIp():
global error, totalN
# 取默认网卡
# name = pcap.findalldevs()
try:
dataPack = pcap.pcap(name=NAME, promisc=True, immediate=True)
# dataPack.setfilter('udp port 9991')
# dataPack.setfilter('tcp')
logger.info('连接网卡->%s,开始抓包', NAME)
except Exception as e:
logger.error('连接网卡->%s失败,强制退出,错误信息->%s', NAME, e)
error = True
sys.exit(1)
else:
for ptime, pdata in dataPack:
totalN += 1
# 解包,获得数据链路层包
Ethernet_pack = Ethernet(pdata)
# 扩展dpkt解析ERSPAN数据
Ethernet.set_type(ETH_TYPE_ERSPAN1, Ethernet)
try:
parseTCP(Ethernet_pack)
# dataBase.insert(tags, fields)
except Exception as e:
pass
dataPack.close()
def get_test_array(pcap_file, proto):
labels = []
actuals = []
arra = []
pcapa = pcap.pcap(pcap_file)
i = 0
for ts, pkt in pcapa:
i = i + 1
try:
ether = Ethernet(pkt)
ip = ether.data
if isinstance(ip, str):
ip = IP(ether.data)
except Exception as e:
try:
ip = IP(pkt)
except:
continue
if isinstance(ip.data, str):
tcp = TCP(ip.data)
else:
tcp = ip.data
tmpstr = ""
#tmparr = []
arra.append(conv(tcp.data))
labels.append(proto)
actuals.append(i)
return (arra, labels, actuals)
def shark(file):
"""
Parse pcap (tcpdump) to extract networking info and CA commands.
This function is also accessible via a CLI installed with caproto. Example::
sudo tcpdump -w - | caproto-shark
Parameters
----------
file : buffer
Yields
------
command_context : SimpleNamespace
Contains timestamp, ethernet, src, dst, ip, transport, and command.
"""
banned = set()
for timestamp, buffer in Reader(file):
ethernet = Ethernet(buffer)
ip = ethernet.data
if not isinstance(ip, IP):
continue
transport = ip.data
if not isinstance(transport, (TCP, UDP)):
continue
try:
src = inet_ntoa(ip.src)
dst = inet_ntoa(ip.dst)
if isinstance(transport, TCP):
if (ip.src, transport.sport) in banned:
continue
data = bytearray(transport.data)
while True:
data, command, _ = read_from_bytestream(data)
if command is NEED_DATA:
break
yield SimpleNamespace(timestamp=timestamp,
ethernet=ethernet,
src=src,
dst=dst,
ip=ip,
transport=transport,
command=command)
elif isinstance(transport, UDP):
if (ip.src, transport.sport) in banned:
continue
address = inet_ntoa(ip.src)
for command in read_datagram(transport.data, address):
yield SimpleNamespace(timestamp=timestamp,
ethernet=ethernet,
src=src,
dst=dst,
ip=ip,
transport=transport,
command=command)
except ValidationError:
banned.add((ip.src, transport.sport))
def read_payloads_from_file(file, tokens: list[str]):
"""Read the given pcap file and yield src, dst, and result."""
pcap = dpkt.pcap.Reader(file)
stats: defaultdict[str, Counter] = defaultdict(Counter)
for _ts, pkt in pcap:
eth = Ethernet(pkt)
if eth.type != ETH_TYPE_IP:
continue
ip = eth.ip
if ip.p != 17:
continue
transport = ip.udp
if transport.dport != 54321 and transport.sport != 54321:
continue
data = transport.data
src_addr = str(ip_address(ip.src))
dst_addr = str(ip_address(ip.dst))
decrypted = None
for token in tokens:
try:
decrypted = Message.parse(data, token=bytes.fromhex(token))
break
except BaseException:
continue
if decrypted is None:
continue
stats["stats"]["miio_packets"] += 1
if decrypted.data.length == 0:
stats["stats"]["empty_packets"] += 1
continue
stats["dst_addr"][dst_addr] += 1
stats["src_addr"][src_addr] += 1
payload = decrypted.data.value
if "result" in payload:
stats["stats"]["results"] += 1
if "method" in payload:
method = payload["method"]
stats["commands"][method] += 1
yield src_addr, dst_addr, payload
print(stats) # noqa: T201
def printPcap(pcap):
# 遍历[timestamp, packet]记录的数组
for (ts, buf) in pcap:
try:
# 获取以太网部分数据
Ethernet_pack = Ethernet(buf)
Ethernet.set_type(ETH_TYPE_ERSPAN1, Ethernet)
# v = dpkt.gre.GRE(Ethernet_pack.data.data.data)
parseTCP(Ethernet_pack)
except:
print('出错')
pass
def process(self, name):
self.logger.debug("Snort alert queue contains: " +
str(snort_alert_queue.qsize()) + " entries")
palerts = []
ws = 'http://' + self.args[
1] + ':' + self.options.remote + '/flower/analysis/AlertsService?wsdl'
self.logger.debug('Connecting to web service: ' + ws +
" for Snort alerts")
try:
client = Client(ws)
while (not snort_alert_queue.empty()):
(msg, ts_sec, ts_usec, caplen, pktlen, dlthdr, nethdr,
transhdr, data, val,
pkt) = struct.unpack(fmt, snort_alert_queue.get_nowait())
ethernet = Ethernet(pkt)
ip = ethernet.data
alert = msg.rstrip("\0")
sport = None
dport = None
if (ip.p == 6 or ip.p == 17):
sport = ip.data.sport
dport = ip.data.dport
packet = base64.b64encode(re.sub(r'\x00*$', '', pkt))
palert = client.factory.create("snortAlert")
palert.date = ts_sec
palert.usec = ts_usec
palert.sourceAddress = self.parse_address(ip.src)
palert.destinationAddress = self.parse_address(ip.dst)
palert.sourcePort = sport
palert.destinationPort = dport
palert.alert = alert
palert.packet = packet
palerts.append(palert)
if (client.service.addSnortAlerts(palerts) != len(palerts)):
self.logger.error(
'Number of alerts reported as received by server does not match number sent!'
)
except URLError:
self.logger.error('Failed to connect to Snort alert web service')
if (not self.stop_flag):
self.tasks.enter(15, 1, self.process, ('process', ))
def get_ip_ethernet(buf):
"""Unpack the data within the Ethernet frame (the IP packet)
Pulling out src, dst, length, fragment info, TTL, and Protocol
:param buf: A string buffer containing the entire packet
:type buf: str
:return: ip of type (dpkt.IP)
"""
lp = Ethernet(buf)
lp.unpack(buf)
ip = lp.data
return ip
def iterate(pktlen, pkt, timestamp):
eth = Ethernet(pkt)
if eth.type == ETH_TYPE_IP:
ip = IP(str(eth.data))
if ip.p == IP_PROTO_TCP:
tcp = TCP(str(ip.data))
f = {
'src': ip.src,
'sport': tcp.sport,
'dst': ip.dst,
'dport': tcp.dport
}
if not f in self.streams:
self.streams.append(f)
def read_pcap(filepath):
with open(filepath, "rb") as pcap_file:
filename, file_extension = os.path.splitext(filepath)
if file_extension == ".pcap":
pcap_data = pcap.Reader(pcap_file)
elif file_extension == ".pcapng":
pcap_data = pcapng.Reader(pcap_file)
else:
raise ValueError("pcap and pcapng is supported!")
for ts, buf in pcap_data:
eth = Ethernet(buf)
ip = eth.data
tcp = ip.data
def send_arp(fp):
arp = ARP(op=ARP_OP_REPLY,
sha='\xac\xf7\xf3\x00\x00\x00',
spa=inet_aton('10.12.0.253'),
tha='\xff\xff\xff\xff\xff\xff',
tpa=inet_aton('10.12.255.255'))
eth = Ethernet(src='\xac\xf7\xf3\x00\x00\x00',
dst='\xff\xff\xff\xff\xff\xff',
type=ETH_TYPE_ARP,
data=arp)
packet = str(eth)
if (pcap_sendpacket(fp, build_packet(packet), len(packet)) != 0):
print("Error sending the packet:\n %s" % pcap_geterr(fp))
def send_packet(fp, msg):
http = u"HTTP/1.1 %s\r\n\r\njust for fun" % msg
tcp = TCP(sport=80,
dport=random.uniform(0, 65535), data=http)
ip = IP(src=inet_aton('19.89.6.4'), dst=inet_aton('20.13.9.27'),
p=IP_PROTO_TCP, data=tcp, len=20 + len(str(tcp)))
eth = Ethernet(src='\xac\xf7\xf3\x00\x00\x00',
dst='\x00\x00\x00\x00\x00\x00',
data=ip)
packet = str(eth)
if (pcap_sendpacket(fp, build_packet(packet), len(packet)) != 0):
print("Error sending the packet:\n %s" % pcap_geterr(fp))
def generate_mapped_pcap(self, ip_mappings, output_pcap_file_path):
"""
:param ip_mappings: A dictionary where keys are IP address strings desired to be mapped to value strings
:param mapped_pcap_file_path: The path of output PCAP file.
:return: None
"""
pcap_reader = dpkt.pcap.Reader(open(self.input_pcap_file_path, "rb"))
l2_type = pcap_reader.datalink()
pcap_writer = dpkt.pcap.Writer(open(output_pcap_file_path, "w"),
linktype=l2_type)
for ts, buf in pcap_reader:
l2 = None
# Unpack the data within the Ethernet frame (the IP packet)
# Pulling out src, dst, length, fragment info, TTL, and Protocol
if l2_type == dpkt.pcap.DLT_NULL:
l2 = Loopback(buf)
elif l2_type == dpkt.pcap.DLT_LINUX_SLL:
l2 = SLL(buf)
else:
l2 = Ethernet(buf)
l2.unpack(buf)
modified_ip = l2.data
src_ip_str, dst_ip_str = get_src_dst_ip_str(l2.data)
print 'IP: %s -> %s ' % (src_ip_str, dst_ip_str)
if src_ip_str in ip_mappings:
modified_ip.src = str_to_inet(ip_mappings[src_ip_str])
if dst_ip_str in ip_mappings:
modified_ip.dst = str_to_inet(ip_mappings[dst_ip_str])
modified_ip.len = len(modified_ip)
modified_ip.sum = 0x0000
l2.data = str(modified_ip)
pcap_writer.writepkt(str(l2), ts)
pcap_writer.close()
def extract_nbds(self, packet, timestamp):
'''
Extracts NBDS record from a packet
'''
raw_packet = packet
ethernet_frame = Ethernet(raw_packet)
ethernet_data = ethernet_frame.data
udp_packet = ethernet_data.data
src_mac = hexlify(ethernet_frame['src'])
src_ip = hexlify(ethernet_data['src'])
dst_ip = hexlify(ethernet_data['dst'])
srcip = str(int(src_ip[0:2], 16))
srcip = srcip + '.' + str(int(src_ip[2:4], 16))
srcip = srcip + '.' + str(int(src_ip[4:6], 16))
srcip = srcip + '.' + str(int(src_ip[6:8], 16))
dstip = str(int(dst_ip[0:2], 16))
dstip = dstip + '.' + str(int(dst_ip[2:4], 16))
dstip = dstip + '.' + str(int(dst_ip[4:6], 16))
dstip = dstip + '.' + str(int(dst_ip[6:8], 16))
offset = 0
snn1 = 15 + offset
snn2 = 47 + offset
thetime = time.strftime("%Y%m%d%H%M%S", time.gmtime(timestamp))
nbname = dpkt.netbios.decode_name(udp_packet.data[snn1:snn2])
snbname = udp_packet.data[snn1:snn2]
hnbname = hexlify(udp_packet.data[snn1:snn2])
dnn1 = 49 + offset
dnn2 = 81 + offset
dnbname = dpkt.netbios.decode_name(udp_packet.data[dnn1:dnn2])
sdnbname = udp_packet.data[dnn1:dnn2]
hdnbname = hexlify(udp_packet.data[dnn1:dnn2])
if (self._pba.cfg('debug')):
print hexlify(udp_packet.data)
print hexlify(udp_packet.data[0:14])
print hexlify(udp_packet.data[snn1:snn2])
print hexlify(udp_packet.data[dnn1:dnn2])
print nbname
print dnbname
print snbname
print sdnbname
record = PBARecordNBDS(raw_packet, timestamp)
record.assign(thetime, src_mac, srcip, dstip, nbname, hnbname,
snbname[0:30], dnbname, hdnbname, sdnbname[0:30])
return record
def iterate(pktlen, pkt, timestamp):
eth = Ethernet(pkt)
if eth.type == ETH_TYPE_IP:
ip = IP(str(eth.data))
if ip.p == IP_PROTO_TCP:
tcp = TCP(str(ip.data))
if len(tcp.data) > 0:
if (outgoing is not None
and ip.src == self.stream['src']
and tcp.sport == self.stream['sport']
and ip.dst == self.stream['dst']
and tcp.dport == self.stream['dport']):
outgoing(pktlen, pkt, timestamp)
if (incoming is not None
and ip.src == self.stream['dst']
and tcp.sport == self.stream['dport']
and ip.dst == self.stream['src']
and tcp.dport == self.stream['sport']):
incoming(pktlen, pkt, timestamp)
def read_payloads_from_file(file):
"""Read the given pcap file and yield json payloads."""
pcap = dpkt.pcap.Reader(file)
for ts, pkt in pcap:
eth = Ethernet(pkt)
if eth.type != ETH_TYPE_IP:
continue
ip = eth.ip
if ip.p == 6:
transport = ip.tcp
elif ip == 17:
transport = ip.udp
else:
continue
if transport.sport != 9999 and transport.dport != 9999:
continue
data = transport.data
try:
decrypted = TPLinkSmartHomeProtocol.decrypt(data[4:])
except Exception as ex:
click.echo(
click.style(f"Unable to decrypt the data, ignoring: {ex}", fg="red")
)
continue
try:
json_payload = json.loads(decrypted)
except Exception as ex:
click.echo(
click.style(f"Unable to parse payload, ignoring: {ex}", fg="red")
)
continue
if not json_payload: # ignore empty payloads
click.echo(click.style("Got empty payload, ignoring", fg="red"))
continue
yield json_payload
def get_sender_ip(self, flow):
senderIp = None
for dumpPath in [self.senderDumps[flow], self.receiverDumps[flow]]:
try:
with open(dumpPath, 'rb') as dumpFile:
reader = Reader(dumpFile)
try:
packet = next(iter(reader))[1]
ip = Ethernet(packet).data
leftIp = min(ip.src, ip.dst)
rightIp = max(ip.src, ip.dst)
senderIp = leftIp if self.directions[
flow] == RIGHTWARD else rightIp
break # switch to the next flow
except StopIteration:
pass
except IOError as error:
raise AnalysisError("Failed to read dump %s:\n%s" %
(dumpPath, error))
return senderIp
def analysis_normal(packet, uid):
try:
proto_data = ProtoData()
proto_data.uid = uid
if isinstance(packet, tuple):
p_header, p_data = packet
analy_ts(proto_data, p_header) # 解析时间
p = Ethernet(p_data)
if isinstance(p.data, dpkt.ip.IP):
ip_data = p.data
analy_ip(proto_data, ip_data)
if isinstance(ip_data.data, dpkt.tcp.TCP):
tcp_data = ip_data.data
if tcp_data.data[:3] == "GET" or tcp_data.data[:
4] == "POST":
analy_http(proto_data, tcp_data)
if isinstance(ip_data.data, dpkt.udp.UDP):
udp_data = ip_data.data
if udp_data.dport == 53 or udp_data.sport == 53:
analy_dns(proto_data, udp_data)
return proto_data
except Exception as error:
raise Exception("{}".format(error))
def xDPIsession(scan_path):
data = []
try:
from datetime import datetime
from dpkt.pcap import Reader
from dpkt.ethernet import Ethernet
from socket import inet_ntoa
with open(scan_path, 'rb') as pf:
dpkt_file_object = False
try:
dpkt_file_object = Reader(pf)
except Exception as err:
dpkt_file_object = False
#print("[-] pcap corruption detected : {}".format(pcap_path))
if dpkt_file_object:
#print("[+] pcap's health fine : {}".format(pcap_path))
for ts, payload in dpkt_file_object:
t1, p = ts, payload
t = datetime.fromtimestamp(t1).strftime(
"%Y-%m-%d %H:%M:%S")
eth = False
try:
eth = Ethernet(payload)
except:
eth = False
if eth:
if eth.type == 2048:
ip = eth.data
src_ip = inet_ntoa(ip.src)
dst_ip = inet_ntoa(ip.dst)
data.append({
'src_ip': src_ip,
'dst_ip': dst_ip,
})
except Exception as err:
print(err)
return data
def parse(self, packet, timestamp):
'''
It parses filtered broadcast packets and encapsulates them in well formed
records
Implements two type of records:
- ARP
- NBDS
'''
self._packet = packet
record = None
raw_packet = packet
ethernet_frame = Ethernet(raw_packet)
ethernet_data = ethernet_frame.data
udp_packet = ethernet_data.data
print ethernet_frame.__dict__
if ('arp' in ethernet_frame.__dict__):
record = self.extract_arp(packet, timestamp)
else:
dst_mac = hexlify(ethernet_frame['dst'])
if (udp_packet['sport'] == 138):
if dst_mac == 'ffffffffffff':
record = self.extract_nbds(packet, timestamp)
return record
def get_ip_ethernet(buf):
lp = Ethernet(buf)
lp.unpack(buf)
ip = lp.data
return ip
def __init__(self, packet: Packet, ts, packet_number):
self.packet = packet
self.dict = {'timestamp': ts, 'num': packet_number}
eth = Ethernet(self.packet)
self.dict['smac'] = str(eth.src)
self.dict['dmac'] = str(eth.dst)
if isinstance(eth.data, IP):
ip = eth.data
self.dict['sip'] = str(ip.src)
self.dict['dip'] = str(ip.dst)
self.dict['ttl'] = ip.ttl
self.dict['ipid'] = ip.id
self.dict['ipv'] = ip.v
self.dict['prot'] = ip.p
self.dict['dfrag'] = ip.df
if isinstance(ip.data, TCP):
tcp = ip.data
self.dict['sport'] = tcp.sport
self.dict['dport'] = tcp.dport
self.dict['tcpwin'] = tcp.win
self.dict['tcpopts'] = str(tcp.opts)
# Parse options:
# self.dict['tcpopts'] = [(opt[0], str(opt[1])) for opt in parse_opts(tcp.opts)]
self.dict['tcpflags'] = tcp.flags
self.dict['tcpackn'] = tcp.ack
self.dict['tcpseq'] = tcp.seq
self.dict['tcpoff'] = tcp.off
if self.dict['dport'] == 80:
try:
http = HTTPRequest(tcp.data)
try:
self.dict['host'] = http.headers['host']
except (AttributeError, KeyError):
pass
try:
self.dict['user-agent'] = http.headers['user-agent']
except (AttributeError, KeyError):
pass
try:
self.dict['cookie'] = http.headers['cookie']
except (AttributeError, KeyError):
pass
try:
self.dict['uri'] = http.uri
except AttributeError:
pass
except (UnpackError, NeedData):
pass
elif self.dict['sport'] == 80:
try:
http = HTTPResponse(tcp.data)
try:
self.dict['setcookie'] = http.headers['set-cookie']
except (AttributeError, KeyError):
pass
except (UnpackError, NeedData):
pass
elif isinstance(ip.data, UDP):
udp = ip.data
self.dict['sport'] = udp.sport
self.dict['dport'] = udp.dport
def passiveSession(pcap_path):
data = {'healthy_sessions': [], 'corrupt_sessions': []}
sessions = {}
complete = []
with open(pcap_path, 'rb') as pf:
pcap_file_name = pcap_path
dpkt_file_object = False
try:
dpkt_file_object = Reader(pf)
except Exception as err:
dpkt_file_object = False
print("[-] pcap corruption detected : {}".format(pcap_path))
if dpkt_file_object:
print("[+] pcap's health fine : {}".format(pcap_path))
for ts, payload in dpkt_file_object:
t1, p = ts, payload
t = datetime.fromtimestamp(t1).strftime("%Y-%m-%d %H:%M:%S")
eth = False
try:
eth = Ethernet(payload)
except:
eth = False
if eth:
if eth.type == 2048:
ip = eth.data
src_ip = inet_ntoa(ip.src)
dst_ip = inet_ntoa(ip.dst)
if ip.p == 6:
tcp_pkt_header = False
tcp = ip.data
try:
tcp_pkt_header = tcp.__hdr__
except:
tcp_pkt_header = False
if tcp_pkt_header:
tcp_packet_data = {}
tcp_packet_data[
'pcap_file_name'] = pcap_path.split(
os.sep)[-1]
tcp_packet_data['src_ip'], tcp_packet_data[
'dst_ip'], tcp_packet_data[
'pkts_num'] = src_ip, dst_ip, 1
tcp_src_port, tcp_dst_port = tcp.sport, tcp.dport
tcp_packet_data['src_port'], tcp_packet_data[
'dst_port'] = tcp_src_port, tcp_dst_port
flags = flagScanner(tcp)
tcp_packet_data[
'pkts_size'] = tcp.data.__len__()
uni_key = '{}{}{}{}'.format(
tcp_packet_data['src_ip'],
tcp_packet_data['src_port'],
tcp_packet_data['dst_ip'],
tcp_packet_data['dst_port'])
if 'syn' in flags:
if uni_key in sessions:
del sessions[uni_key]
tcp_packet_data['start_time'] = t
tcp_packet_data['end_time'] = t
tcp_packet_data['session'] = False
tcp_packet_data['dns_data'] = False
#if tcp_packet_data['src_ip'] in domains:
# tcp_packet_data['dns_data'] = domains[tcp_packet_data['src_ip']]
#if tcp_packet_data['dst_ip'] in domains:
# tcp_packet_data['dns_data'] = domains[tcp_packet_data['dst_ip']]
sessions[uni_key] = tcp_packet_data
elif 'fin' in flags:
if uni_key in sessions:
sessions[uni_key][
'pkts_num'] += tcp_packet_data[
'pkts_num']
sessions[uni_key][
'pkts_size'] += tcp_packet_data[
'pkts_size']
sessions[uni_key]['session'] = True
sessions[uni_key]['end_time'] = t
complete_session = sessions[uni_key]
data["healthy_sessions"].append(
complete_session)
del sessions[uni_key]
else:
if uni_key in sessions:
sessions[uni_key][
'pkts_num'] += tcp_packet_data[
'pkts_num']
sessions[uni_key][
'pkts_size'] += tcp_packet_data[
'pkts_size']
sessions[uni_key]['end_time'] = t
for session in sessions:
data['corrupt_sessions'].append(sessions[session])
return data
def passiveDns(pcap_path):
data = {'dns_requests': [], 'dns_responses': []}
sessions = {}
complete = []
with open(pcap_path, 'rb') as pf:
pcap_file_name = pcap_path
dpkt_file_object = False
try:
dpkt_file_object = Reader(pf)
except Exception as err:
dpkt_file_object = False
print("[-] pcap corruption detected : {}".format(pcap_path))
if dpkt_file_object:
print("[+] pcap's health fine : {}".format(pcap_path))
for ts, payload in dpkt_file_object:
t1, p = ts, payload
t = datetime.fromtimestamp(t1).strftime("%Y-%m-%d %H:%M:%S")
eth = False
try:
eth = Ethernet(payload)
except:
eth = False
if eth:
if eth.type == 2048:
ip = eth.data
src_ip = inet_ntoa(ip.src)
dst_ip = inet_ntoa(ip.dst)
if ip.p == 17:
udp_pkt_header = False
udp = ip.data
try:
udp_pkt_header = udp.__hdr__
except:
udp_pkt_header = False
if udp_pkt_header:
udp_src_port, udp_dst_port = udp.sport, udp.dport
if udp_src_port == 53:
dns_response_data = DnsResponseParser(udp)
dns_response_data[
'src_ip'], dns_response_data[
'dst_ip'] = src_ip, dst_ip
dns_response_data[
'src_port'], dns_response_data[
'dst_port'] = udp_src_port, udp_dst_port
dns_response_data['dns_time'] = t
#dns_response_data['upload_id'] = upload_id
data['dns_responses'].append(
dns_response_data)
elif udp_dst_port == 53:
dns_request_data = DnsRequestParser(udp)
dns_request_data[
'src_ip'], dns_request_data[
'dst_ip'] = src_ip, dst_ip
dns_request_data[
'src_port'], dns_request_data[
'dst_port'] = udp_src_port, udp_dst_port
dns_request_data['dns_time'] = t
#dns_request_data['upload_id'] = upload_id
data['dns_requests'].append(
dns_request_data)
return data
def worker(pcap, filter, index, label, out):
f = open(pcap, "rb")
mime = magic.from_file(pcap, mime=True)
if mime == PCAP:
pkts = dpkt.pcap.Reader(f)
elif mime == PCAPNG:
pkts = dpkt.pcapng.Reader(f)
else:
raise ValueError("Argument pcap must be pcap or pcapng")
id_to_index = {IP_PROTO_TCP: {}, IP_PROTO_UDP: {}}
flows = {IP_PROTO_TCP: {}, IP_PROTO_UDP: {}}
data = [Feature.col]
length = 0
for i, (ts, buf) in enumerate(pkts):
eth = Ethernet(buf)
if eth.type != ETH_TYPE_IP:
continue
ip = eth.data
if ip.p == IP_PROTO_TCP: # Handle TCP
tcp = ip.data
# Create new id to index mapping
id = get_pkt_id(ip.src, tcp.sport, ip.dst, tcp.dport, ip.p, ip.v)
if id not in id_to_index[ip.p]:
id_to_index[ip.p][id] = length
length += 1
# Check requirement
# if index["tcp"] is not None and idx not in index["tcp"]:
# continue
# Create new flow
idx = id_to_index[ip.p][id]
if idx not in flows[ip.p]:
flows[ip.p][idx] = TCPFlow(id, ts, tcp, i)
else:
if tcp.flags == 2: # [TCP Port numbers reused]
if index["tcp"] is None or idx in index["tcp"]:
source = "{}-{}-{}".format(pcap, ip.p, idx)
data.append(flows[ip.p][idx].to_list(source, label))
flows[ip.p].pop(idx, None)
id_to_index[ip.p][id] = length
flows[ip.p][length] = TCPFlow(id, ts, tcp, i)
length += 1
else:
flows[ip.p][idx].upd_flow(ts, tcp, i)
elif ip.p == IP_PROTO_UDP: # Handle UDP
udp = ip.data
# TODO
f.close()
print("{} prepare to write".format(pcap))
for p in [IP_PROTO_TCP, IP_PROTO_UDP]:
for idx, flow in flows[p].items():
if index["tcp"] is None or idx in index["tcp"]:
source = "{}-{}-{}".format(pcap, p, idx)
data.append(flow.to_list(source, label))
with open(out, "w", newline="") as f:
writer = csv.writer(f)
writer.writerows(data)
print("{}: {} lines".format(pcap, len(data) - 1))
return out
def PacketDiessector(pcap_path):
def flagScanner(tcp):
result = []
if (tcp.flags & TH_FIN) != 0:
result.append('fin')
if (tcp.flags & TH_SYN) != 0:
result.append('syn')
if (tcp.flags & TH_RST) != 0:
result.append('rst')
if (tcp.flags & TH_PUSH) != 0:
result.append('psh')
if (tcp.flags & TH_ACK) != 0:
result.append('ack')
if (tcp.flags & TH_URG) != 0:
result.append('urg')
if (tcp.flags & TH_ECE) != 0:
result.append('ece')
if (tcp.flags & TH_CWR) != 0:
result.append('cwr')
return result
print "[+] scanning : {}".format(pcap_path)
sessions = {}
d = {}
for ts, payload in Reader(open(pcap_path, 'rb')):
t, p = ts, payload
eth = Ethernet(payload.__str__())
packet = {}
if eth.type == ETH_TYPE_IP:
ip = eth.data
packet['source_ip'] = inet_ntoa(ip.src)
packet['destination_ip'] = inet_ntoa(ip.dst)
if ip.p == IP_PROTO_TCP:
tcp = ip.data
if tcp.dport == 25:
packet['source_port'] = tcp.sport
packet['destination_port'] = tcp.dport
packet['flags'] = flagScanner(tcp)
packet['pkts_num'] = 1
packet['pkts_size'] = tcp.data.__len__()
packet['data'] = tcp.data
uni_key = '{}:{}-->{}:{}'.format(
packet['source_ip'], packet['source_port'],
packet['destination_ip'], packet['destination_port'])
if 'syn' in packet['flags']:
if uni_key in sessions:
del sessions[uni_key]
sessions[uni_key] = packet
elif 'fin' in packet['flags']:
if uni_key in sessions:
#sessions[uni_key]['flags'].extend(packet['flags'])
#sessions[uni_key]['pkts_num']+=packet['pkts_num']
#sessions[uni_key]['pkts_size']+=packet['pkts_size']
sessions[uni_key]['source_port'] += packet[
'source_port']
sessions[uni_key]['destination_port'] += packet[
'destination_port']
sessions[uni_key]['data'] += packet['data']
complete_session = sessions[uni_key]
body = complete_session['data']
port_source = complete_session['source_port']
port_dest = complete_session['destination_port']
sd = str(inet_ntoa(ip.src)) + ':' + str(
port_source) + '-->' + inet_ntoa(
ip.dst) + ': ' + str(port_dest)
if 'AUTH PLAIN' in complete_session['data']:
pass
j = complete_session['data'][
complete_session['data'].find('AUTH PLAIN'
):200]
dump(j, sd)
#print '*'*50
if 'AUTH LOGIN' in complete_session['data']:
pass
k = complete_session['data'][
complete_session['data'].find('AUTH LOGIN'
):200]
#print k
#print k
dump(k, sd)
#print '*'*50
else:
if uni_key in sessions:
#sessions[uni_key]['flags'].extend(packet['flags'])
#sessions[uni_key]['pkts_num']+=packet['pkts_num']
#sessions[uni_key]['pkts_size']+=packet['pkts_size']
sessions[uni_key]['source_port'] += packet[
'source_port']
sessions[uni_key]['destination_port'] += packet[
'destination_port']
sessions[uni_key]['data'] += packet['data']
def PacketDiessector(pcap_path, upload_id):
def flagScanner(tcp):
result = []
if (tcp.flags & TH_FIN) != 0:
result.append('fin')
if (tcp.flags & TH_SYN) != 0:
result.append('syn')
if (tcp.flags & TH_RST) != 0:
result.append('rst')
if (tcp.flags & TH_PUSH) != 0:
result.append('psh')
if (tcp.flags & TH_ACK) != 0:
result.append('ack')
if (tcp.flags & TH_URG) != 0:
result.append('urg')
if (tcp.flags & TH_ECE) != 0:
result.append('ece')
if (tcp.flags & TH_CWR) != 0:
result.append('cwr')
return result
#print("[+] scanning : {}".format(pcap_path))
domains = {}
sessions = {}
complete = []
#incomplete = []
with open(pcap_path, 'rb') as pf:
pcap_file_name = pcap_path
dpkt_file_object = False
try:
dpkt_file_object = Reader(pf)
except Exception as err:
dpkt_file_object = False
#print("[-] pcap corruption detected : {}".format(pcap_path))
if dpkt_file_object:
#print("[+] pcap's health fine : {}".format(pcap_path))
for ts, payload in dpkt_file_object:
t1, p = ts, payload
t = datetime.fromtimestamp(t1).strftime("%Y-%m-%d %H:%M:%S")
eth = False
try:
eth = Ethernet(payload)
except:
eth = False
if eth:
if eth.type == 2048:
ip = eth.data
src_ip = inet_ntoa(ip.src)
dst_ip = inet_ntoa(ip.dst)
if ip.p == 17:
udp_pkt_header = False
udp = ip.data
try:
udp_pkt_header = udp.__hdr__
except:
udp_pkt_header = False
if udp_pkt_header:
udp_src_port, udp_dst_port = udp.sport, udp.dport
if udp_src_port == 53:
dns_response_data = DnsResponseParser(udp)
dns_response_data[
'src_ip'], dns_response_data[
'dst_ip'] = src_ip, dst_ip
dns_response_data[
'src_port'], dns_response_data[
'dst_port'] = udp_src_port, udp_dst_port
dns_response_data['dns_time'] = t
dns_response_data['upload_id'] = upload_id
domains[dst_ip] = dns_response_data
elif udp_dst_port == 53:
dns_request_data = DnsRequestParser(udp)
dns_request_data[
'src_ip'], dns_request_data[
'dst_ip'] = src_ip, dst_ip
dns_request_data[
'src_port'], dns_request_data[
'dst_port'] = udp_src_port, udp_dst_port
dns_request_data['dns_time'] = t
dns_request_data['upload_id'] = upload_id
domains[src_ip] = dns_request_data
elif ip.p == 6:
tcp_pkt_header = False
tcp = ip.data
try:
tcp_pkt_header = udp.__hdr__
except:
tcp_pkt_header = False
if tcp_pkt_header:
tcp_packet_data = {}
tcp_packet_data['upload_id'] = upload_id
tcp_packet_data[
'pcap_file_path'] = pcap_file_name.split(
'media')[-1]
tcp_packet_data['src_ip'], tcp_packet_data[
'dst_ip'], tcp_packet_data[
'pkts_num'] = src_ip, dst_ip, 1
tcp_src_port, tcp_dst_port = tcp.sport, tcp.dport
tcp_packet_data['src_port'], tcp_packet_data[
'dst_port'] = tcp_src_port, tcp_dst_port
flags = flagScanner(tcp)
tcp_packet_data[
'pkts_size'] = tcp.data.__len__()
uni_key = '{}{}{}{}'.format(
tcp_packet_data['src_ip'],
tcp_packet_data['src_port'],
tcp_packet_data['dst_ip'],
tcp_packet_data['dst_port'])
if 'syn' in flags:
if uni_key in sessions:
del sessions[uni_key]
tcp_packet_data['start_time'] = t
tcp_packet_data['end_time'] = t
tcp_packet_data['session'] = False
tcp_packet_data['dns_data'] = False
if tcp_packet_data['src_ip'] in domains:
tcp_packet_data['dns_data'] = domains[
tcp_packet_data['src_ip']]
if tcp_packet_data['dst_ip'] in domains:
tcp_packet_data['dns_data'] = domains[
tcp_packet_data['dst_ip']]
sessions[uni_key] = tcp_packet_data
elif 'fin' in flags:
if uni_key in sessions:
sessions[uni_key][
'pkts_num'] += tcp_packet_data[
'pkts_num']
sessions[uni_key][
'pkts_size'] += tcp_packet_data[
'pkts_size']
sessions[uni_key]['session'] = True
sessions[uni_key]['end_time'] = t
complete_session = sessions[uni_key]
complete.append(complete_session)
del sessions[uni_key]
else:
if uni_key in sessions:
sessions[uni_key][
'pkts_num'] += tcp_packet_data[
'pkts_num']
sessions[uni_key][
'pkts_size'] += tcp_packet_data[
'pkts_size']
sessions[uni_key]['end_time'] = t
for session in sessions:
complete.append(sessions[session])
for sess in complete:
# phase one scan
sess['phase_one_scan'] = False
detected_subnets = []
src_subnets = all_matching_cidrs(sess['src_ip'], subnets)
dst_subnets = all_matching_cidrs(sess['dst_ip'], subnets)
if src_subnets: detected_subnets.append(str(src_subnets[0]))
if dst_subnets: detected_subnets.append(str(dst_subnets[0]))
if detected_subnets:
detected_subnet = detected_subnets[0]
sess['phase_one_scan'] = subnet_config.loc[
subnet_config['subnet'] == detected_subnet].to_dict()
ddf = subnet_config.loc[subnet_config['subnet'] ==
detected_subnet].to_dict()
sess['phase_one_scan'] = {
'subnet': list(ddf['subnet'].values())[0].strip(),
'application': list(ddf['application'].values())[0].strip(),
'activity': list(ddf['activity'].values())[0].strip(),
'category': list(ddf['category'].values())[0].strip()
}
# phase two scan
sess['phase_two_scan'] = False
if sess['dns_data']:
sess['phase_two_scan'] = False
detected_dnss = []
if 'domain' in sess['dns_data']:
domain = sess['dns_data']['domain']
for item in dns_list:
if item in domain:
detected_dnss.append(item.strip())
if detected_dnss:
df = dns_config.loc[dns_config['domain'] ==
detected_dnss[0]].to_dict()
sess['phase_two_scan'] = {
'domain': list(df['domain'].values())[0].strip(),
'application':
list(df['application'].values())[0].strip(),
'activity': list(df['activity'].values())[0].strip(),
'category': list(df['category'].values())[0].strip()
}
sess['hash'] = hashlib.md5(str(
sess.values()).encode('utf-8')).hexdigest()
return complete