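def ExtractIPPacketsFromFile(filenamePCAP, filenamesRawData, options):
    """Search raw data files for IPv4 packets and ARP frames and write a PCAP.

    Every file in filenamesRawData is searched either in one piece or, when
    options.buffer is set, through naft_uf.cBufferFile using a buffer of
    options.buffersize MB and an overlap of options.bufferoverlapsize MB.
    All hits accumulate in one naft_pfef.cFrames collection, which is written
    to filenamePCAP once at least one file has been processed. When
    options.template is set, a 010 template file is written as well.

    A file that cannot be read is logged and skipped; the run continues with
    the next file. Nothing is returned: progress and errors are reported
    through naft_uf.LogLine only.
    """
    naft_uf.LogLine('Start')
    if options.ouitxt == '':
        oFrames = naft_pfef.cFrames()
    else:
        oFrames = naft_pfef.cFrames(options.ouitxt)
    countProcessedFiles = 0

    for filenameRawData in filenamesRawData:
        if options.buffer:
            naft_uf.LogLine('Buffering file %s' % filenameRawData)
            oBufferFile = naft_uf.cBufferFile(
                filenameRawData,
                options.buffersize * 1024 * 1024,
                options.bufferoverlapsize * 1024 * 1024)
            while oBufferFile.Read():
                naft_uf.LogLine('Processing buffer 0x%x size %d MB %d%%' % (
                    oBufferFile.index,
                    len(oBufferFile.buffer) / 1024 / 1024,
                    oBufferFile.Progress()))
                naft_uf.LogLine('Searching for IPv4 packets')
                naft_pfef.ExtractIPPackets(
                    oFrames, oBufferFile.index, oBufferFile.buffer,
                    options.options, options.duplicates, True, filenameRawData)
                naft_uf.LogLine('Searching for ARP Ethernet frames')
                naft_pfef.ExtractARPFrames(
                    oFrames, oBufferFile.index, oBufferFile.buffer,
                    options.duplicates, True, filenameRawData)
            # The MemoryError class itself is used as an error sentinel here.
            if oBufferFile.error is MemoryError:
                naft_uf.LogLine('Data is too large to fit in memory, use smaller buffer')
            elif oBufferFile.error:
                naft_uf.LogLine('Error reading file')
            # NOTE(review): indentation was reconstructed from a
            # whitespace-collapsed listing; the counter is assumed to sit
            # after the error checks (buffers read before an error still
            # count) - confirm against the upstream file.
            countProcessedFiles += 1
        else:
            naft_uf.LogLine('Reading file %s' % filenameRawData)
            rawData = naft_uf.File2Data(filenameRawData)
            # File2Data reports failure through sentinels (None, or the
            # MemoryError class). The three outcomes must be mutually
            # exclusive: with two independent ifs, an unreadable file (None)
            # fell through to the search branch, was handed to the extractors
            # as data and was counted as processed.
            if rawData is None:
                naft_uf.LogLine('Error reading file')
            elif rawData is MemoryError:
                naft_uf.LogLine('File is too large to fit in memory')
            else:
                naft_uf.LogLine('Searching for IPv4 packets')
                naft_pfef.ExtractIPPackets(
                    oFrames, 0, rawData, options.options, options.duplicates,
                    True, filenameRawData)
                naft_uf.LogLine('Searching for ARP Ethernet frames')
                naft_pfef.ExtractARPFrames(
                    oFrames, 0, rawData, options.duplicates, True,
                    filenameRawData)
                countProcessedFiles += 1

    if countProcessedFiles > 0:
        naft_uf.LogLine('Writing PCAP file %s' % filenamePCAP)
        if not oFrames.WritePCAP(filenamePCAP):
            naft_uf.LogLine('Error writing PCAP file')

        naft_uf.LogLine('Number of identified frames: %5d' % oFrames.countFrames)
        naft_uf.LogLine('Number of identified packets: %5d' % oFrames.countPackets)
        naft_uf.LogLine('Number of frames in PCAP file: %5d' % len(oFrames.frames))

        if options.template:
            naft_uf.LogLine('Writing 010 template file %s' % options.template)
            if not oFrames.Write010Template(options.template):
                naft_uf.LogLine('Error writing 010 template file')

    naft_uf.LogLine('Done')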
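def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
    """Recover frames referenced by '*Packet Header*' heap blocks into a PCAP.

    The heap region of the IOS core dump is parsed into memory block headers.
    For every block whose resolved allocation name is '*Packet Header*', a
    big-endian 32-bit frame address is read from block bytes 40-43 and a
    big-endian 16-bit frame size from bytes 72-73. The address is translated
    to an offset in the IOMEM file by subtracting the IOMEM base address, and
    the referenced bytes are dumped and added to the PCAP.

    Both input files are evidence and may be damaged or inconsistent, so
    every pointer taken from them is range-checked before it is used.

    options is accepted for interface compatibility and is not used here.
    Nothing is returned; results and errors are printed.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)

    dataIOMEM = naft_uf.File2Data(filenameIOMEM)
    # NOTE(review): elsewhere in this listing File2Data's result is compared
    # against None and the MemoryError class as failure sentinels; neither is
    # usable as IOMEM data, so stop before parsing or slicing it.
    if dataIOMEM is None or dataIOMEM is MemoryError:
        print('Error reading IOMEM file')
        return
    oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
    addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
    if addressIOMEM is None:
        print('Error parsing IOMEM')
        return

    oFrames = naft_pfef.cFrames()
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != '*Packet Header*':
            continue
        blockData = oIOSMemoryBlockHeader.GetData()
        # struct.unpack raises on a short slice; one truncated block must not
        # abort the whole extraction.
        if len(blockData) < 74:
            print('Skipping packet header: block too short (%d bytes)' % len(blockData))
            continue
        frameAddress = struct.unpack('>I', blockData[40:44])[0]
        frameSize = struct.unpack('>H', blockData[72:74])[0]
        if frameAddress == 0 or frameSize == 0:
            continue
        frameOffset = frameAddress - addressIOMEM
        # An address below the IOMEM base gives a negative offset, and a
        # negative slice start silently wraps to the end of the file: the
        # PCAP would then contain bytes that were never at frameAddress.
        # An offset past the end yields an empty frame. Reject both.
        if not 0 <= frameOffset < len(dataIOMEM):
            print('Skipping frame at 0x%08X: address outside IOMEM' % frameAddress)
            continue
        frameData = dataIOMEM[frameOffset:frameOffset + frameSize]
        print(oIOSMemoryBlockHeader.ShowLine())
        naft_uf.DumpBytes(frameData, frameAddress)
        oFrames.AddFrame(frameOffset, frameData, True)

    # NOTE(review): ExtractIPPacketsFromFile in this listing treats a falsy
    # WritePCAP result as failure; report it here too instead of dropping it.
    if not oFrames.WritePCAP(filenamePCAP):
        print('Error writing PCAP file')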
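def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
    """Recover frames referenced by '*Packet Header*' heap blocks into a PCAP.

    The heap region of the IOS core dump is parsed into memory block headers.
    For every block whose resolved allocation name is '*Packet Header*', a
    big-endian 32-bit frame address is read from block bytes 40-43 and a
    big-endian 16-bit frame size from bytes 72-73; when that size is 0 or 1
    the 16-bit value at bytes 68-69 is used instead. The address is
    translated to an offset in the IOMEM file by subtracting the IOMEM base
    address, and the referenced bytes are dumped and added to the PCAP.

    Both input files are evidence and may be damaged or inconsistent, so
    every pointer taken from them is range-checked before it is used.

    options is accepted for interface compatibility and is not used here.
    Nothing is returned; results and errors are printed.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)

    dataIOMEM = naft_uf.File2Data(filenameIOMEM)
    # NOTE(review): elsewhere in this listing File2Data's result is compared
    # against None and the MemoryError class as failure sentinels; neither is
    # usable as IOMEM data, so stop before parsing or slicing it.
    if dataIOMEM is None or dataIOMEM is MemoryError:
        print('Error reading IOMEM file')
        return
    oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
    addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
    if addressIOMEM is None:
        print('Error parsing IOMEM')
        return

    oFrames = naft_pfef.cFrames()
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != '*Packet Header*':
            continue
        blockData = oIOSMemoryBlockHeader.GetData()
        # struct.unpack raises on a short slice; one truncated block must not
        # abort the whole extraction. 74 bytes covers all three fields.
        if len(blockData) < 74:
            print('Skipping packet header: block too short (%d bytes)' % len(blockData))
            continue
        frameAddress = struct.unpack('>I', blockData[40:44])[0]
        frameSize = struct.unpack('>H', blockData[72:74])[0]
        if frameSize <= 1:
            # Fall back to the alternative size field at bytes 68-69.
            frameSize = struct.unpack('>H', blockData[68:70])[0]
        if frameAddress == 0 or frameSize == 0:
            continue
        frameOffset = frameAddress - addressIOMEM
        # An address below the IOMEM base gives a negative offset, and a
        # negative slice start silently wraps to the end of the file: the
        # PCAP would then contain bytes that were never at frameAddress.
        # An offset past the end yields an empty frame. Reject both.
        if not 0 <= frameOffset < len(dataIOMEM):
            print('Skipping frame at 0x%08X: address outside IOMEM' % frameAddress)
            continue
        frameData = dataIOMEM[frameOffset:frameOffset + frameSize]
        print(oIOSMemoryBlockHeader.ShowLine())
        naft_uf.DumpBytes(frameData, frameAddress)
        oFrames.AddFrame(frameOffset, frameData, True)

    # NOTE(review): ExtractIPPacketsFromFile in this listing treats a falsy
    # WritePCAP result as failure; report it here too instead of dropping it.
    if not oFrames.WritePCAP(filenamePCAP):
        print('Error writing PCAP file')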