def isIP(p): ether_packet = ImpactDecoder.EthDecoder().decode(p) eth_type = hex(ether_packet.get_ether_type()) if getNameProtocolEthernet(eth_type) == "IPv4": return True else: return False
def decodeLayer2(self, header, payload): def formatMacAddress(arrayMac): return ":".join("{0:0>2}".format(hex(b)[2:]) for b in arrayMac.tolist()) if self.datalink == pcapy.DLT_EN10MB: l2Decoder = Decoders.EthDecoder() l2Proto = "Ethernet" layer2 = l2Decoder.decode(payload) l2SrcAddr = formatMacAddress(layer2.get_ether_shost()) l2DstAddr = formatMacAddress(layer2.get_ether_dhost()) l2Payload = payload[layer2.get_header_size():] etherType = layer2.get_ether_type() elif self.datalink == pcapy.DLT_LINUX_SLL: l2Decoder = Decoders.LinuxSLLDecoder() l2Proto = "Linux SLL" layer2 = l2Decoder.decode(payload) l2SrcAddr = layer2.get_addr() l2DstAddr = None l2Payload = payload[layer2.get_header_size():] etherType = layer2.get_ether_type() elif self.datalink == PCAPImporter.PROTOCOL201: l2Proto = "Protocol 201" hdr = payload.encode('hex')[0:8] if hdr[6:] == "01": l2SrcAddr = "Received" else: l2SrcAddr = "Sent" l2DstAddr = None l2Payload = payload[8:] etherType = payload[4:6] return (l2Proto, l2SrcAddr, l2DstAddr, l2Payload, etherType)
def collector(self, buffer): """ The collector method for OFTGPacket plugin is responsible for analyzing collected packet data for OFTG-Ninja payloads. The collector method MUST use the decoder() method to analyze extracted data. :return: Dict, as returned by decoder() """ try: decoder = ImpactDecoder.EthDecoder() packet = decoder.decode(buffer) if packet.get_ether_type() == ImpactPacket.IP.ethertype: ip = packet.child() if ip and ip.get_ip_p() == ImpactPacket.ICMP.protocol: icmppacket = ip.child() data = icmppacket.get_data_as_string() result = self.decoder(data) if result: # self.logger.debug('%s got a payload from %s' % (self.__class__.__name__, ip.get_ip_src())) result['Source Host'] = ip.get_ip_src() result['Protocol Subtype'] = 'ICMP Type' result['Subtype'] = str(icmppacket.get_icmp_type()) return result else: return else: return except Exception as e: raise return
def parse_packet(self, header, frame): decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(frame) ready_indices = [] if ether.get_ether_type() == ImpactPacket.IP.ethertype: self.lock.acquire() for i in range(0, len(self.connection_list)): buffered_packets = self.connection_list[i] if buffered_packets.add_frame( ether): #if there's an existing flow self.lock.release() if len(ready_indices) > 0: self.move_ready_packets(ready_indices) return if buffered_packets.ready: ready_indices.append(i) buffered_packets = BufferedPackets(header, ether) self.connection_list.append(buffered_packets) self.lock.release() if len(ready_indices) > 0: self.move_ready_packets(ready_indices)
def parse(models, header, packet): length_groups = [500, 1500] decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(packet) #print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype) if ether.get_ether_type() == ImpactPacket.IP.ethertype: iphdr = ether.child() transporthdr = iphdr.child() if transporthdr.get_data_as_string() != '' and isinstance(transporthdr, ImpactPacket.TCP): s_addr = iphdr.get_ip_src() d_addr = iphdr.get_ip_dst() s_port = transporthdr.get_th_sport() d_port = transporthdr.get_th_dport() d_length = transporthdr.get_size() payload = transporthdr.get_data_as_string() grams = get_byte_freq(payload, d_length) group_length = length_groups[len(length_groups)-1] for i in range(0, len(length_groups) - 1): if d_length <= length_groups[i]: group_length = length_groups[i] group = str(d_port) + "-" + str(group_length) if group in models: models[group].add_grams(grams) else: models[group] = PaylModel(d_port, group_length) models[group].add_grams(grams)
def pcap_to_object(pcap_file, obj_file): """Create a Python serialized graph object. Read the pcap file given in parameter, extracts source and destination IP and write a serialized graph object. """ reader = pcapy.open_offline(pcap_file) print reader.datalink() print pcapy.DLT_LINUX_SLL eth_decoder = Decoders.EthDecoder() sll_decoder = Decoders.LinuxSLLDecoder() ip_decoder = Decoders.IPDecoder() dic_ip = ip_dict() tts_min = 1000 tts_max = 2000 if options.verbose: print "Reading pcap file..." while True: try: (header, payload) = reader.next() if True: #tts_min <= header.getts()[0] <= tts_max: #ethernet = eth_decoder.decode(payload) sll = sll_decoder.decode(payload) if sll.get_ether_type() == Packets.IP.ethertype: #ip = ip_decoder.decode(payload[ethernet.get_header_size():]) ip_src = sll.child().get_ip_src() ip_dst = sll.child().get_ip_dst() dic_ip[ip_src][ip_dst] += 1 except Packets.ImpactPacketException, e: print e except:
def collector(self, buffer): try: decoder = ImpactDecoder.EthDecoder() packet = decoder.decode(buffer) if packet.get_ether_type() == ImpactPacket.IP.ethertype: ip = packet.child() if ip and ip.get_ip_p() == ImpactPacket.UDP.protocol: udppacket = ip.child() data = udppacket.get_data_as_string() payload = self.decoder(data) if payload: self.logger.debug( '%s got a payload from %s' % (self.__class__.__name__, ip.get_ip_src())) # print '%s got a payload from %s' % (self.__class__.__name__, ip.get_ip_src()) result = payload result['Source Host'] = ip.get_ip_src() result['Protocol Subtype'] = 'Port' result['Subtype'] = str(udppacket.get_uh_dport()) return result else: return except Exception as e: # If the decoding fails, it just wasn't meant to be. pass return
def create_test_sock(pcap_filename): rospy.sleep(0.1) import pcapy from StringIO import StringIO from impacket import ImpactDecoder body_list = [] cap = pcapy.open_offline(pcap_filename) decoder = ImpactDecoder.EthDecoder() while True: header, payload = cap.next() if not header: break udp = decoder.decode(payload).child().child() body_list.append(udp.child().get_packet()) data_io = StringIO(''.join(body_list)) class MockSocket(object): def recv(self, byte_count): rospy.sleep(0.0001) data = data_io.read(byte_count) if data == "": rospy.signal_shutdown("Test completed.") return data def settimeout(self, timeout): pass return MockSocket()
def getMessageDetails(self, messageID): if not messageID in self._payloadDict: errorMessage = "Message ID: {0} not found in importer message list".format(messageID) logging.error(errorMessage) raise NetzobImportException("PCAP", errorMessage, ERROR) decoder = Decoders.EthDecoder() payload = self._payloadDict[messageID] return decoder.decode(payload)
def parse_packet(flabels, labels, header, packet): decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(packet) #print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype) if ether.get_ether_type() == ImpactPacket.IP.ethertype: iphdr = ether.child() transporthdr = iphdr.child() s_addr = iphdr.get_ip_src() d_addr = iphdr.get_ip_dst() if isinstance(transporthdr, ImpactPacket.TCP): s_port = transporthdr.get_th_sport() d_port = transporthdr.get_th_dport() seq_num = transporthdr.get_th_seq() d_length = len(transporthdr.get_data_as_string()) protocol = "tcp_ip" elif isinstance(transporthdr, ImpactPacket.UDP): s_port = transporthdr.get_uh_sport() d_port = transporthdr.get_uh_dport() seq_num = 0 d_length = transporthdr.get_uh_ulen() protocol = "udp_ip" elif isinstance(transporthdr, ImpactPacket.ICMP): s_port = 0 d_port = 0 seq_num = 0 d_length = 0 protocol = "icmp" elif isinstance(transporthdr, ImpactPacket.IGMP): s_port = 0 d_port = 0 seq_num = 0 d_length = 0 protocol = "igmp" else: s_port = 0 d_port = 0 seq_num = 0 d_length = -1 protocol = transporthdr.__class__ if d_length == 0 and (protocol == "tcp_ip" or protocol == "udp_ip"): return id = "{}-{}-{}-{}-{}".format(s_addr, s_port, d_addr, d_port, protocol) if labels.has_key(id): flabels.write("{},{},{},{},{},{},{},{}\n".format( s_addr, s_port, d_addr, d_port, protocol, seq_num, d_length, labels[id])) else: flabels.write("{},{},{},{},{},{},{},{}\n".format( s_addr, s_port, d_addr, d_port, protocol, seq_num, d_length, "Normal-0"))
def parse(fdataset, header, packet): decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(packet) #print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype) if ether.get_ether_type() == ImpactPacket.IP.ethertype: iphdr = ether.child() transporthdr = iphdr.child() if transporthdr.get_data_as_string() != '' and isinstance( transporthdr, ImpactPacket.TCP): s_addr = iphdr.get_ip_src() d_addr = iphdr.get_ip_dst() if isinstance(transporthdr, ImpactPacket.TCP): s_port = transporthdr.get_th_sport() d_port = transporthdr.get_th_dport() seq_num = transporthdr.get_th_seq() d_length = len(transporthdr.get_data_as_string()) protocol = "tcp_ip" elif isinstance(transporthdr, ImpactPacket.UDP): s_port = transporthdr.get_uh_sport() d_port = transporthdr.get_uh_dport() seq_num = 0 d_length = transporthdr.get_uh_ulen() protocol = "udp_ip" elif isinstance(transporthdr, ImpactPacket.ICMP): s_port = 0 d_port = 0 seq_num = 0 d_length = 0 protocol = "icmp" elif isinstance(transporthdr, ImpactPacket.IGMP): s_port = 0 d_port = 0 seq_num = 0 d_length = 0 protocol = "igmp" else: s_port = 0 d_port = 0 seq_num = 0 d_length = -1 protocol = transporthdr.__class__ payload = transporthdr.get_data_as_string() grams = payl.get_byte_freq(payload, d_length) line = "{},{},{},{},{},{},{}".format(s_addr, s_port, d_addr, d_port, protocol, seq_num, d_length) for value in grams.itervalues(): line += ",{}".format(round(value, 3)) fdataset.write(line + "\n")
def callback(header, data): src_ip = None dst_ip = None src_port = None dst_port = None layer4Type = "" output = "" payloadSize = 0 extract = ExtractData() #Parse packet decoder = ImpactDecoder.EthDecoder() packet = decoder.decode(data) #Parse IP packet inside ethernet one iphdr = packet.child() if isinstance(iphdr, IP): #Parse TCP packet inside IP one hdr = iphdr.child() if isinstance(hdr, TCP) or isinstance(hdr, UDP): if isinstance(hdr, TCP): layer4Type = "TCP" #Only look at SYN packets, not ACK ones if hdr.get_SYN() and not hdr.get_ACK(): #Get src and dest IPs src_ip = iphdr.get_ip_src() dst_ip = iphdr.get_ip_dst() src_port = hdr.get_th_dport() dst_port = hdr.get_th_sport() payloadSize = hdr.get_size() - hdr.get_header_size() elif isinstance(hdr, UDP): layer4Type = "UDP" #Get src and dest IPs src_ip = iphdr.get_ip_src() dst_ip = iphdr.get_ip_dst() src_port = hdr.get_th_dport() dst_port = hdr.get_th_sport() payloadSize = hdr.get_size() - hdr.get_header_size() #Results are printed output = "(%s) Connection attempted from: %s:%s to: %s:%s\n" % ( layer4Type, src_ip, src_port, dst_ip, dst_port) if (payloadSize != 0): output += "\nPayload size: %d\n----%s----\n----\n" % ( payloadSize, hdr.get_data_as_string()) print output if (src_ip and dst_ip): extract.writeToFile("packetOutput.txt", output, "a") else: print "\nIP header doesn't exist.\n" iphdr = None
def tcpipfilter_in(packet): """Function filtering incoming traffic (FD: 3 -> 1) with immidiate IP-src manipulation.""" # Store the original packet, for the case where no match occurs orgpacket = packet # Cut the VDE internal length information packet = packet[2:] # Decode the packet for easy header inspection. decpacket = ImpactDecoder.EthDecoder().decode(packet) content = decpacket.child() # Identify IP packets: if content.ethertype == ImpactPacket.IP.ethertype: child = content.child() dstip = content.get_ip_dst() # Test for IP-dest hits. if not content.get_ip_src() == s.newTargetIp: return orgpacket, 1 else: if isinstance(child, ImpactPacket.TCP): content.set_ip_src(s.l34srcdstmap[child.get_th_dport()]) child.set_th_sport(int(s.portfilter[s.ipfilter[0]][0])) child.set_th_sum(0) child.auto_checksum = 1 elif isinstance(child, ImpactPacket.UDP): content.set_ip_src(s.l34srcdstmap[child.get_uh_dport()]) child.set_uh_sport(int(s.portfilter[s.ipfilter[0]][0])) child.set_uh_sum(0) child.auto_checksum = 1 content.auto_checksum = 1 packet = decpacket.get_packet() packet = vdepad(packet) return packet, 1 # Identify ARP packets: elif content.ethertype == ImpactPacket.ARP.ethertype: sourceip = str(content.as_pro(content.get_ar_spa())) # Test for IP-dest hits. if not sourceip == s.newTargetIp or content.get_ar_op() != 2: return orgpacket, 1 else: if s.verbosity: s.logfile.write("ARP packet from targetip fetched." + " ARP poisoning..\n") for filterip in s.ipfilter: content.set_ar_spa(map(int, filterip.split("."))) packet = decpacket.get_packet() packet = vdepad(packet) TCPConnection.stdout.write(packet) TCPConnection.stdout.flush() return orgpacket, 1 # This case should not happen to often, there are not many packets # which are neither ARP nor IP. else: return orgpacket, 1
def create_test_sock(pcap_filename): rospy.sleep(0.1) try: import pcapy except ImportError: import pure_pcapy as pcapy from StringIO import StringIO from impacket import ImpactDecoder body_list = [] if pcap_filename.endswith("gz"): # From: http://projects.honeynet.org/honeysnap/changeset/35/trunk/honeysnap/__init__.py import tempfile import gzip tmph, tmpf = tempfile.mkstemp() tmph = open(tmpf, 'wb') gfile = gzip.open(pcap_filename) tmph.write(gfile.read()) gfile.close() tmph.close() pcap_filename = tmpf cap = pcapy.open_offline(pcap_filename) decoder = ImpactDecoder.EthDecoder() while True: header, payload = cap.next() if not header: break try: tcp = decoder.decode(payload).child().child() body_list.append(tcp.child().get_packet()) except AttributeError: print(decoder.decode(payload)) raise data_io = StringIO(''.join(body_list)) class MockSocket(object): def recv(self, byte_count): # rospy.sleep(0.002) data = data_io.read(byte_count) if data == "": rospy.signal_shutdown("Test completed.") exit(0) return data def settimeout(self, timeout): pass return MockSocket()
def __init__(self, emmulating, interface, ipAddress, macAddress, openTCPPorts = [], openUDPPorts = [], nmapOSDB = 'nmap-os-db'): self.interface = interface self.ipAddress = ipAddress self.macAddress = macAddress self.responders = [] self.decoder = ImpactDecoder.EthDecoder() self.initPcap() self.initFingerprint(emmulating, nmapOSDB) self.initSequenceGenerators() self.openTCPPorts = openTCPPorts self.openUDPPorts = openUDPPorts print(self)
def main(): import sys f_in = pcapy.open_offline(sys.argv[1]) try: f_out = f_in.dump_open(sys.argv[2]) f_out.write(str(PCapFileHeader())) except: f_out = None hdr = PCapFileHeader() hdr.fromString(f_in.read(len(hdr))) hdr.dump() decoder = ImpactDecoder.EthDecoder() while 1: pkt = PCapFilePacket() try: pkt.fromString(f_in.read(len(pkt))) except: break pkt['data'] = f_in.read(pkt['savedLength']) hdr['packets'].append(pkt) p = self.pcap.next() try: in_onion = [self.decoder.decode(p[1])] except: in_onion = [self.decoder.decode(p[0])] try: while 1: in_onion.append(in_onion[-1].child()) except: pass process(in_onion) #pkt.dump() #print "%r" % str(pkt) if f_out: #print eth pkt_out = PCapFilePacket() pkt_out['data'] = str(eth.get_packet()) #pkt_out.dump() f_out.write(str(pkt_out))
def parse_packet(self, header, frame): # pcap语法分析 datalink = self.pcap.datalink() if datalink == pcapy.DLT_EN10MB: decoder = ImpactDecoder.EthDecoder() elif datalink == pcapy.DLT_LINUX_SLL: decoder = ImpactDecoder.LinuxSLLDecoder() else: raise Exception("Datalink not supported") ether = decoder.decode(frame) # 每个数据包的数据 ts = float(str(header.getts()[0]) + "." + str(header.getts()[1])) # packet的时间戳 self.last_timestamp = ts if ether.get_ether_type() == ImpactPacket.IP.ethertype: (id, tcp_tuple) = generate_id(ether) if id == False: return (rev_id, tcp_tuple) = generate_reverse_id(ether) # print("Buffer", self.tcp_buffer) # print(threading.current_thread().name + "in",) self.acquire_lock("parse") # print(threading.current_thread().name + "out") if id in self.tcp_buffer: tcp_stream = self.tcp_buffer[id] to_server = True # print("[fwd] ID: " + id + ";" + str(ts)) elif rev_id in self.tcp_buffer: tcp_stream = self.tcp_buffer[rev_id] to_server = False # print("[rev] ID: " + id + ";" + str(ts)) else: # 读到的数据包属于新的一个流 # a new stream has appeared tcp_stream = TcpStream(id, ts, self) self.tcp_buffer[id] = tcp_stream to_server = True packet = ether.child() segment = packet.child() tcp_stream.start() # print("[new] ID: " + id + ";" + str(ts)) tcp_stream.add_packet(ts, to_server, ether) # 数据包加到tcp流中 # if tcp_stream.state in end_states: # tcp_stream.finish() # self.move_stream(tcp_stream.id) self.packet_counter += 1 self.release_lock("parse")
def getMessageDetails(message): """Decode a raw network message and print the content of each encapsulated layer. :param filePathList: the messages to cluster. :type filePathList: a list of :class:`str` :param bpfFilter: a string representing a BPF filter. :type bpfFilter: :class:`str` :param importLayer: an integer representing the protocol layer to start importing. :type importLayer: :class:`int` """ decoder = Decoders.EthDecoder() return decoder.decode( TypeConverter.convert(message.data, HexaString, Raw))
def __init__(self, interface, network, default, elements, loggers, tunnels): """Function initialized the dipatcher Args: interface : name of the network interface to listen network : networkx graph representation of the network default : default template elements : elements of the network loggers : instances of the logger modules tunnels : tunnel configuration """ self.interface = interface self.mac = netifaces.ifaddresses( self.interface)[netifaces.AF_LINK][0]['addr'] self.network = network try: post('http://localhost:8080/network', json=dumps(json_graph.node_link_data(self.network))) except: logger.exception('Exception: Cannot connect to local server.') self.default = default self.devices, self.routes, self.externals = elements self.hpfeeds, self.dblogger = loggers self.tunnels = tunnels self.packet_queue = dict() self.entry_points = list() self.unreach_list = list() self.pcapy_object = pcapy.open_live(self.interface, 65535, 1, 10) self.decoder = ImpactDecoder.EthDecoder() self.ip_decoder = ImpactDecoder.IPDecoder() self.ip_icmp_decoder = ImpactDecoder.IPDecoderForICMP() self.mac_set = set([self.mac]) for d in self.devices: if len(d.mac): self.mac_set.add(d.mac) for r in self.routes: if r.entry: self.entry_points.append(r) self.unreach_list.extend(r.unreach_list) logger.info('Started dispatcher listening on interface %s', self.interface) while True: try: (hdr, pkt) = self.pcapy_object.next() self.callback(hdr, pkt) except KeyboardInterrupt: return
def decodePayload(self, payload): """Decode a payload from the parser and returns an array of lines """ decoder = Decoders.EthDecoder() eth = decoder.decode(payload) ip = eth.child() tcp = ip.child() try: if tcp.get_RST()!=1: data = tcp.get_data_as_string() # raw data data = data.replace('\r\n', '\r\n###~~~###') arrline = data.split('\r\n') return arrline else: return None except: return None
def callback(header, data): global current decoder = ImpactDecoder.EthDecoder() ethernet_pck = decoder.decode(data) ip_hdr = ethernet_pck.child() tcp_hdr = ip_hdr.child() source_ip = ip_hdr.get_ip_src() dest_ip = ip_hdr.get_ip_dst() if tcp_hdr.get_RST(): print "TCP Reset Received: Around IP: [ttl: %s] (Scanning: %s)" % ( source_ip, ip_hdr.get_ip_ttl(), current.address) print tcp_hdr return '''
def __init__(self, packet, use_datalink_layer=None): # If arp packet arrives, and we are using ARPDecoder, there is a bug in impacket and the packet won't be parsed # well, so we'll always parse the packet's child. This solution works for this project beause we always need # just the layer above the ethernet layer. If you want to use Ethernet properties, please # use_datalink_layer=True # TODO: Get parameter that mention the wanted layer number instead of this patch or push bugfix to impacket. ethernet_decoder = ImpactDecoder.EthDecoder() decoded_packet = ethernet_decoder.decode(packet) if not use_datalink_layer: self.packet = decoded_packet.child() else: self.packet = decoded_packet if type(self.packet) not in self.packet_type_to_handler_class: # TODO: Write to log file. pass else: self.packet_type_handler = self.packet_type_to_handler_class[type(self.packet)](self.packet) assert (isinstance(self.packet_type_handler, ImpactPacketRepresentation))
def detect(models, header, packet, fresult): global anomalies global packet_counter length_groups = [500, 1500] threshold = 256 decoder = ImpactDecoder.EthDecoder() try: ether = decoder.decode(packet) except ImpactPacket.ImpactPacketException as e: print "truncated packet" return # print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype) if ether.get_ether_type() == ImpactPacket.IP.ethertype: iphdr = ether.child() transporthdr = iphdr.child() if transporthdr.get_data_as_string() != '' and isinstance(transporthdr, ImpactPacket.TCP): s_addr = iphdr.get_ip_src() d_addr = iphdr.get_ip_dst() s_port = transporthdr.get_th_sport() d_port = transporthdr.get_th_dport() d_length = transporthdr.get_size() seq_num = transporthdr.get_th_seq() payload = transporthdr.get_data_as_string() grams = get_byte_freq(payload, d_length) group_length = length_groups[len(length_groups)-1] for i in range(0, len(length_groups) - 1): if d_length <= length_groups[i]: group_length = length_groups[i] group = str(d_port) + "-" + str(group_length) packet_counter += 1 if group in models: dist = models[group].distance(grams) fresult.write("{},{},{},{},{},{},{}\n".format(s_addr, s_port, d_addr, d_port, seq_num, d_length, dist)) if dist > threshold: anomalies += 1 else: fresult.write("{},{},{},{},{},{},{}\n".format(s_addr, s_port, d_addr, d_port, seq_num, d_length, 1000)) print "No matching model : port {}, length {}".format(d_port, d_length)
def Process(header, data): decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(data) ipHeader = ether.child() packetType = ipHeader.child().protocol tcpHeader = '' if packetType == 6: tcpHeader = ipHeader.child() print "{:15}[{:5}] ----> {:15}[{:5}] [-{}-{}-{}-{}-{}-]".format( ipHeader.get_ip_src(), tcpHeader.get_th_sport(), ipHeader.get_ip_dst(), tcpHeader.get_th_dport(), ("S" if tcpHeader.get_SYN() else " "), ("A" if tcpHeader.get_ACK() else " "), ("U" if tcpHeader.get_URG() else " "), ("P" if tcpHeader.get_PSH() else " "), ("R" if tcpHeader.get_RST() else " ")) payload = getPayload(tcpHeader) return
def parse_packet(header, packet, port, fresult): decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(packet) #print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype) if ether.get_ether_type() == ImpactPacket.IP.ethertype: iphdr = ether.child() transporthdr = iphdr.child() s_addr = iphdr.get_ip_src() d_addr = iphdr.get_ip_dst() if isinstance(transporthdr, ImpactPacket.TCP): s_port = transporthdr.get_th_sport() d_port = transporthdr.get_th_dport() seq_num = transporthdr.get_th_seq() d_length = len(transporthdr.get_data_as_string()) protocol = "tcp_ip" v_protocol = "1,0" elif isinstance(transporthdr, ImpactPacket.UDP): s_port = transporthdr.get_uh_sport() d_port = transporthdr.get_uh_dport() seq_num = 0 d_length = transporthdr.get_uh_ulen() protocol = "udp_ip" v_protocol = "0,1" else: return None if d_length <= seq_length: return None if (d_port != port) and (s_port != port): return None fresult.write("{}, {}, {}, {}, {}, {}, {},".format( s_addr, s_port, d_addr, d_port, protocol, seq_num, d_length)) payload = str(transporthdr.get_data_as_string()).lower() ascii_payload = [ord(c) for c in payload] return ascii_payload
def decodeLayer2(self, header, payload): def formatMacAddress(arrayMac): return ":".join("{0:0>2}".format( hex(b)[2:]) for b in arrayMac.tolist()) if self.datalink == pcapy.DLT_EN10MB: l2Decoder = Decoders.EthDecoder() l2Proto = "Ethernet" layer2 = l2Decoder.decode(payload) l2SrcAddr = formatMacAddress(layer2.get_ether_shost()) l2DstAddr = formatMacAddress(layer2.get_ether_dhost()) elif self.datalink == pcapy.DLT_LINUX_SLL: l2Decoder = Decoders.LinuxSLLDecoder() l2Proto = "Linux SLL" layer2 = l2Decoder.decode(payload) l2SrcAddr = layer2.get_addr() l2DstAddr = None l2Payload = payload[layer2.get_header_size():] etherType = layer2.get_ether_type() return (l2Proto, l2SrcAddr, l2DstAddr, l2Payload, etherType)
def parse_packet(flabels, att_id, header, packet): decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(packet) #print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype) if ether.get_ether_type() == ImpactPacket.IP.ethertype: iphdr = ether.child() transporthdr = iphdr.child() if transporthdr.get_data_as_string() != '' and isinstance( transporthdr, ImpactPacket.TCP): s_addr = iphdr.get_ip_src() d_addr = iphdr.get_ip_dst() s_port = transporthdr.get_th_sport() d_port = transporthdr.get_th_dport() d_length = transporthdr.get_size() seq_num = transporthdr.get_th_seq() flabels.write("{},{},{},{},{},{},{}\n".format( s_addr, s_port, d_addr, d_port, seq_num, d_length, att_id))
def callback(hdr, data): # Parse the Ethernet packet decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(data) # Parse the IP packet inside the Ethernet packet iphdr = ether.child() # Parse the TCP packet inside the IP packet tcphdr = iphdr.child() # Only process SYN packets if tcphdr.get_SYN() and not tcphdr.get_ACK(): # Get the source and destination IP addresses src_ip = iphdr.get_ip_src() dst_ip = iphdr.get_ip_dst() # Print the results print "Connection attempt %s -> %s" % (src_ip, dst_ip)
def parse_packet(dumper, ports, header, packet): decoder = ImpactDecoder.EthDecoder() ether = decoder.decode(packet) #print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype) if ether.get_ether_type() == ImpactPacket.IP.ethertype: iphdr = ether.child() transporthdr = iphdr.child() if isinstance(transporthdr, ImpactPacket.TCP): d_port = transporthdr.get_th_dport() elif isinstance(transporthdr, ImpactPacket.UDP): d_port = transporthdr.get_uh_dport() else: return if d_port not in ports: return dumper[d_port].dump(header, packet)
def __init__(self, interface): self._cap = pcapy.open_live(interface, 0xFFFF, 0, 0) os.setgid(1000) os.setuid(1000) self._cap.setfilter('ip proto \\tcp') self._decoder = ImpactDecoder.EthDecoder() self._jobs = [] self._next = False self._sorter = Sorter() self._sorter.start() print "Listening." try: self._cap.loop(-1, self._got_packet) except KeyboardInterrupt: while len(self._sorter._files) > 0: time.sleep(1) print "Exit!" self._sorter._exit = True self._sorter.join() sys.exit()