def _pcap_process(pkt_queue): """ Continuously adds captured packet tuples (time, src_port, dst_port) into the queue. """ # Captures the first 64 bytes of all Redis SYN-SYNACK traffic. This is # sufficient for us to decipher the TCP src and dst ports. client_po = pcap.pcapObject() client_po.open_live(async_redis.CLIENT_INTERFACE, 64, 0, 100) client_po.setfilter("(tcp[13] & 2 == 2) and (dst port %d)" % REDIS_PORT, 0, 0) server_po = pcap.pcapObject() server_po.open_live(async_redis.SERVER_INTERFACE, 64, 0, 100) server_po.setfilter("(tcp[13] & 2 == 2) and (src port %d)" % REDIS_PORT, 0, 0) # Keep reading from pcap while True: for po in (client_po, server_po): pkt = po.next() if pkt: (_, data, timestamp) = pkt (src_port, dst_port) = _get_tcp_src_dst_ports(data) pkt_queue.put((timestamp, src_port, dst_port))
def decode_file(fname,res): if interface != None: try: p = pcap.pcapObject() net, mask = pcap.lookupnet(interface) p.open_live(interface, 1600, 0, 100) Message = " live capture started, using:%s\nStarting timestamp (%s) corresponds to %s"%(interface, time.time(), time.strftime('%x %X')) print Message #l.warning(Message) while 1: p.dispatch(1, Print_Packet_Tcpdump) except (KeyboardInterrupt, SystemExit): print '\n\nCRTL-C hit...\nCleaning up...' sys.exit() else: try: p = pcap.pcapObject() p.open_offline(fname) #l.warning('\n\n started, using:%s file'%(fname)) Version = IsCookedPcap(res) if Version == 1: thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked)) thread.daemon=True thread.start() try: while thread.is_alive(): thread.join(timeout=1) except (KeyboardInterrupt, SystemExit): print '\n\nCRTL-C hit..Cleaning up...' threading.Event().set() if Version == 2: thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked)) thread.daemon=True thread.start() try: while thread.is_alive(): thread.join(timeout=1) except (KeyboardInterrupt, SystemExit): print '\n\nCRTL-C hit..Cleaning up...' threading.Event().set() if Version == 3: thread = Thread(target = p.dispatch, args = (0, Print_Packet_Tcpdump)) thread.daemon=True thread.start() try: while thread.is_alive(): thread.join(timeout=1) except (KeyboardInterrupt, SystemExit): print '\n\nCRTL-C hit..Cleaning up...' threading.Event().set() except Exception: print 'Can\'t parse %s'%(fname)
def openLiveSniff(self, dev, filter=None): """ open up a libpcap object def = mon mode interface as string aka wlan0 return object and radio tap boolen """ packet = None try: self.lp = pcap.pcapObject() except AttributeError: print "You have the wrong pypcap installed" print "Use https://github.com/signed0/pylibpcap.git" # check what these numbers mean self.lp.open_live(dev, 1600, 0 ,100) if filter is not None: self.lp.setfilter(filter, 0, 0) if self.lp.datalink() == 127: rth = True # snag a packet to look at header, this should always be a # packet that wasnt injected so should have a rt header while packet is None: frame = self.lp.next() if frame is not None: packet = frame[1] # set known header size headsize = struct.unpack('h', packet[2:4])[0] else: rth = False return (rth, headsize)
def openTun(self): """ open up a tuntap interface path is /dev/net/tun in TAP (ether) mode returns false if failed """ path = "/dev/net/tun" if self.checkTun(path) is not False: self.tun = os.open(path, os.O_RDWR) # ifr = struct.pack("16sH", "tun%d", self.IFF_TAP | self.IFF_NO_PI) ifr = struct.pack("16sH", "tun%d", self.IFF_TAP) ifs = fcntl.ioctl(self.tun, self.TUNSETIFF, ifr) #fcntl.ioctl(self.tun, self.TUNSETOWNER, 1000) # return interface name ifname = ifs[:16].strip("\x00") # commented out... for now! print "Interface %s created. Configure it and use it" % ifname # put interface up os.system("ifconfig %s up" %(ifname)) # return interface name try: self.lp = pcap.pcapObject() self.lp.open_live(ifname, 1526, 0 ,100) except AttributeError: print "You have the wrong pypcap installed" print "Use https://github.com/signed0/pylibpcap.git" return ifname else: return False
def main() : global mode if len(sys.argv) < 2: print 'usage: %s <interface> ' % sys.argv[0] sys.exit(0) # MAIN PROGRAM if (len(sys.argv) >= 3) : if sys.argv[2] == 'ymsg' : mode = CAP_YMSG elif sys.argv[2] == 'post' : mode = CAP_POST elif sys.argv[2] == 'ftp' : mode = CAP_FTP p = pcap.pcapObject() dev = sys.argv[1] net, mask = pcap.lookupnet(sys.argv[1]) p.open_live(dev, 1600, 1, 100) p.setfilter('tcp', 0, 0) p.setnonblock(1) p.loop(0, print_packet)
def load_pcap(self, filename, layer=TRANSPORT_LAYER, strict=False): """Loads a pcap file and returns a list of Message objects containing the reassembled messages for the specified OSI layer. Usage: >>> import pcap_reassembler >>> reassembler = pcap_reassembler.PcapReassembler() >>> msgs = reassembler.load_pcap('http.cap') >>> msgs[0].payload 'GET /download.html ...' """ if not DATA_LINK_LAYER <= layer <= TRANSPORT_LAYER: raise ValueError("Specified OSI layer is not supported.") self._tcp_stream = {} self._msgs = [] self._count = 1 self._layer = layer self._strict_policy = strict p = pcap.pcapObject() p.open_offline(filename) # process all packets try: p.dispatch(-1, self._process_eth) except Exception as e: print e # flush all TCP connections for remaining messages for socks in self._tcp_stream: self._tcp_flush(socks) self._msgs.sort(key=lambda x: x.number) return self._msgs
def sniff(recent, interface): def save_packet(pktlen, data, timestamp): # from http://pylibpcap.sourceforge.net/ if not data: return if data[12:14]=='\x08\x00': decoded=decode_ip_packet(data[14:]) decoded['original_length'] = pktlen recent.add(timestamp, decoded) p = pcap.pcapObject() try: p.open_live(interface, 1600, 0, 100) except Exception: import traceback traceback.print_exc() os.abort() p.setnonblock(True) try: while 1: numRead = p.dispatch(1, save_packet) if numRead == 0: time.sleep(.01) except: os.abort()
def __init__(self): ''' device: interface to do the scan host_list: host_list to build the filter to scan net_list: net_list to build the filter to scan timeout: timeout to read (s) capture_file: capture filename promisc_mode: set the interface in promiscuous mode ''' threading.Thread.__init__(self) self.__device = '' self.__host_list = [] self.__net_list = [] self.__status = SnifferStatus.STOPPED_OK self.__last_error = '' self.__pcapobj = pcap.pcapObject() self.__timeout = 0 self.__setpromisc_mode = False self.__capture_file = '' self.__convertToPDML = False self.__data = '' self.__keep_working = True self.__capture_size = 0 #For current status: self.__elapsedTime = 0 self.__currentPackets = 0; self.__mustStop = False '''
def decode_file(fname): """Given the name of a pcap file, open it, decode the contents and yield each packet.""" if _debug: decode_file._debug("decode_file %r", fname) if not pcap: raise RuntimeError, "failed to import pcap" # create a pcap object p = pcap.pcapObject() p.open_offline(fname) i = 0 while 1: # the object acts like an iterator pkt = p.next() if not pkt: break # returns a tuple pktlen, data, timestamp = pkt pkt = decode_packet(data) if not pkt: continue # save the index and timestamp in the packet pkt._index = i pkt._timestamp = timestamp yield pkt i += 1
def issueRequest(serverip, serverport, timeout, req): global break_wait global res # Reset the global vars we will use here break_wait = 0 res = None client = DhcpClient(client_listen_port=67, server_listen_port=serverport) client.dhcp_socket.settimeout(timeout) if serverip == '0.0.0.0': req.SetOption('flags',[128, 0]) req_type = req.GetOption('dhcp_message_type')[0] pcap_obj = pcap.pcapObject() dev = pcap.lookupdev() pcap_obj.open_live(dev, 1600, 0, 100) pcap_obj.setfilter("udp port 67", 0, 0) sent = 0 while break_wait < 1: if(sent < 1): sent = 1 client.SendDhcpPacketTo(req,serverip,serverport) if req_type == 3 or req_type == 7: return pcap_obj.dispatch(1, get_packet) return res
def run(self): p = pcap.pcapObject() #dev = pcap.lookupdev() #dev = sys.argv[1] while 1: for i in dev p.open_live(i, 1600, 0, 100) try: while 1: p.dispatch(1, print_arp_packet) sleep(10) # specify 'None' to dump to dumpfile, assuming you have called # the dump_open method # p.dispatch(0, None) # the loop method is another way of doing things # p.loop(1, print_packet) # as is the next() method # p.next() returns a (pktlen, data, timestamp) tuple # apply(print_packet,p.next()) except KeyboardInterrupt: print '%s' % sys.exc_type print 'shutting down' print '%d packets received, %d packets dropped, %d packets dropped by interface' % p.stats()
def __init__(self, interface, filters=None): pcap.lookupnet(interface) self.pc = pcap.pcapObject() self.pc.open_live(interface, 3200, False, 0) BasePcapWrapper.__init__(self, filters)
def _open_next_file(self): # In the past, python-libpcap did not clean up its fds. In # 0.6.4-1 it does though and the following is a no-op. self.pcap = None # Are we done? if not self.filenames: raise StopIteration() # Next file! self.filename = self.filenames.pop(0) # There is no pcap_fopen_offline(3pcap) call, so we'll # have to use a temp-file if the file was zipped. filename, is_tempfile = extract_to_tempfile(self.filename) try: self.pcap = pcap.pcapObject except AttributeError: # pcapy self.pcap = pcap.open_offline(filename) else: # pylibpcap self.pcap = pcap.pcapObject() self.pcap.open_offline(filename) if is_tempfile: os.unlink(filename) if self.pcap_filter: self.pcap.setfilter(self.pcap_filter, 0, 0) # Set link type, needed below self.link_type = self.pcap.datalink()
def pcap_to_sqlite(pcap_file, sqlite_file): """Generate the SQLite base. Read the pcap file given in parameter, extracts source and destination IP and create the SQLite base. """ reader = pcap.pcapObject() reader.open_offline(pcap_file) conn = sqlite3.connect(sqlite_file) c = conn.cursor() if options.verbose: print("Creating table.") c.execute('''create table ip_link (tts real, ip_src text, ip_dst text)''') if options.verbose: print("Reading pcap and inserting values in the table...") while True: try: (_, payload, tts) = next(reader) except: break if payload[12:14] == '\x08\x00': decoded_ip_packet = decode_ip_packet(payload[14:]) c.execute('insert into ip_link values (?,?,?)', \ (str(tts), \ decoded_ip_packet['source_address'], \ decoded_ip_packet['destination_address'])) conn.commit() c.close()
def capture(): p = pcap.pcapObject() if len(sys.argv) == 2: if sys.argv[1] == '-d' or sys.argv[1] == '--dev': finddev.print_all_devs() elif sys.argv[1] == '-h' or sys.argv[1] == '--help': finddev.print_help() else: print '[-] Wrong order " %s' % sys.argv[1:], '"' print_help() elif len(sys.argv) == 4: if sys.argv[1] == '-c': dev = sys.argv[2] net, mask = pcap.lookupnet(dev) p.open_live(dev, 1600, 0, 100) p.setfilter(string.join(sys.argv[3:], ' '), 0, 0) try: while True: p.dispatch(1, show_packet) except KeyboardInterrupt: print '[-] %s' % sys.exc_type print '[-] shutting down' print '[+] %d packets received, %d packets dropped, %d packets dropped by interface' % p.stats() else: print '[-] Wrong order " %s' % sys.argv[1:], '"' print_help()
def _setup_libpcap(self, device, port): """Setup the pcap object and return the handle for it. :returns: pcap.pcapObject """ # Validate the device if not self._validate_device(device): raise ValueError('Can not validate the device: %s' % device) # Create the pcap object pcap_object = pcap.pcapObject() # Open the device in promiscuous mode try: pcap_object.open_live(device, _SNAPSHOT_LENGTH, True, _TIMEOUT) self._logger.info('Opened %s', device) except Exception as error: raise OSError('Permission error opening device %s' % error) # Set our filter up filter = 'dst port %i' % port # Create our pcap filter looking for ip packets for the memcached server pcap_object.setfilter(filter, 1, 0) self._logger.info('Filter set to: %s', filter) # Set our operation to non-blocking pcap_object.setnonblock(1) # Return the handle to the pcap object return pcap_object
def main(): sc = sniff() sc.toggleconnect() if len(sys.argv) < 3: print ('usage: sniff.py <interface> <expr>') sys.exit(0) p = pcap.pcapObject() dev = sys.argv[1] net, mask = pcap.lookupnet(dev) # note: to_ms does nothing on linux p.open_live(dev, 1600, 0, 100) #p.dump_open('dumpfile') p.setfilter(string.join(sys.argv[2:],' '), 0, 0) # try-except block to catch keyboard interrupt. Failure to shut # down cleanly can result in the interface not being taken out of promisc. # mode #p.setnonblock(1) try: while 1: p.dispatch(1, sc.print_packet) except KeyboardInterrupt: sc.toggleconnect() print ('%s' % sys.exc_type) print ('shutting down') print ('%d packets received, %d packets dropped, %d packets dropped by interface' % p.stats()) '''#open session
def load_pcap(filename, layer=TRANSPORT_LAYER, strict=False): """Loads a pcap file and returns a list of Message objects containing the reassembled messages for the specified OSI layer. Usage: >>> import pcap_reassembler >>> msgs = pcap_reassembler.load_pcap('http.cap') >>> msgs[0].payload 'GET /download.html ...' """ global _tcp_stream, _msgs, _count, _layer, _strict_policy if not DATA_LINK_LAYER <= layer <= TRANSPORT_LAYER: raise ValueError("Specified OSI layer is not supported.") _tcp_stream = {} _msgs = [] _count = 1 _layer = layer _strict_policy = strict p = pcap.pcapObject() p.open_offline(filename) # process all packets p.dispatch(-1, _process_eth) # flush all TCP connections for remaining messages for socks in _tcp_stream: _tcp_flush(socks) _msgs.sort(key=lambda x: x.number) return _msgs
def __init__(self, parent, iface = 'any', filter = None, snaplen = 65535, promisc = False, timeout = 10): self.parent = parent self.pcap = pcap.pcapObject() self.pcap.open_live(iface, snaplen, promisc, 0) if filter is not None: self.pcap.setfilter(filter, 1, 0) self.pcap.setnonblock(True) reactor.addReader(self)
def prepare(self, interface): sniffer = pcap.pcapObject() net, mask = pcap.lookupnet(interface) sniffer.open_live(interface, 1600, 0, 100) sniffer.setfilter('tcp port 80', 0, 0) self.sniffer = sniffer
def setupPort(port): p = pcap.pcapObject() dev = "eth0" net, mask = pcap.lookupnet(dev) p.open_live(dev, 1600, 0, 100) filterString = "port " + str(port) p.setfilter(filterString, 0, 0) return p
def open_eths(eths): devs = [] for (id, eth) in enumerate(eths): dev = pcap.pcapObject() dev.open_live(eth, 1500, 1, 0) devs.append({"dev": dev, "eth": eth}) eventlet.spawn(handle_eth, id) return devs
def start(self, iface): self.stop() # stop previous sniffing session self._pcap = pcap.pcapObject() self._pcap.open_live(iface, 1600, 0, 100) # pcap.setfilter self.l2_prefix = 14 if self._pcap.datalink() else 4 # BSD DLT_NULL !!! self.thread = Thread(target=self.sniff) self.thread.daemon = True self.thread.start()
def run(self): p = pcap.pcapObject() dev = "eth0" net, mask = pcap.lookupnet(dev) p.open_live(dev, 1600, 0, 100) p.setfilter("tcp port 8000", 0, 0) while not self.thread_stop: p.dispatch(1, self.print_packet)
def __init__(self, analyser, filename): """ constructor :param analyser: the uninstantiated analyser class :param filename: filename of the capture file """ packet_source.__init__(self,analyser) self.p = pcap.pcapObject() self.p.open_offline(filename)
def startListener(self): p = pcap.pcapObject() p.open_live(self.getInterfaceName(), 1600, 0, 100) out.verbose("legitHost listener started") try: while True: p.dispatch(1, self.handlePackets) except KeyboardInterrupt: out.error("Got keyboard interrupt.") self.stop()
def pcapopen(fn = None): from pcap import pcapObject p = pcapObject() try: if fn: p.open_offline(fn) else: p.open_live('any' , 200, False, 100) p.dispatch(-1,cb) except Exception as e: print bold(red('error:')),red(str(e)) pass
def rdpcapng(filename): tempf=TEMP_DIR+"/"+str(hash(filename))+".cap" pc = pcap.pcapObject() pc.open_offline(filename) pc.dump_open(tempf) pc.loop(0,None) sniffed = rdpcap(tempf) os.remove(tempf) sniffed.listname=filename return sniffed
def __init__(self, callback, interface='en0'): super(Scrobbify, self).__init__() self._stop = threading.Event() self.callback = callback self.p = pcap.pcapObject() net, mask = pcap.lookupnet(interface) self.p.open_live(interface, 1600, 0, 100) self.p.setfilter(self.expr, 0, 0)
def __init__(self, *args, **kargs): self.pcap = pcap.pcapObject() if sys.platform == 'darwin' and 'pcap_set_rfmon' not in dir(self.pcap): warning("Mac OS WiFI monitor mode not supported unless python-libpcap patched for OS X is used.") if sys.platform == 'darwin': self.pcap.pcap_set_rfmon(args[0], 1) self.pcap.pcap_activate() else: self.pcap.open_live(*args, **kargs)
def consolemain(opts, args): """consolemain(opts,args) depending on command line arguments and options creates the packet handler and flowtable/identification objects and runs the simulations in an interactive console. """ flist = [] # check args if opts.vfile != '' or opts.nfile != '': verify = picverification(vfile=opts.vfile, nfile=opts.nfile) flowhandler = flowverifier(verify) else: verify = None flowhandler = flowdestroyer() if opts.dumpfile != '': flowhandler = flowserializer(fname=opts.dumpfile) # check if we got a single file to process if opts.ifile != '': flist += [opts.ifile] # check if we got a path to process if opts.ipath != '': if not opts.ipath.endswith(os.sep): opts.ipath += os.sep flist += [add(opts.ipath, x) for x in os.listdir(opts.ipath)] # check if we got a file list to process if opts.ilist != '': ilist = open(opts.ilist, 'r') flist += ilist.read().split('\n') ilist.close() # create flowtable, identifier ftab = picflowtable(A=opts.A, handler=flowhandler) ident = picidentifier(dshort=opts.short, dlong=opts.long, P=opts.P, B=opts.B) # changed to support flist processing start = time.time() if len(flist) > 0: for f in flist: print "Process file: %s" % (f) pcapo = pcap.pcapObject() pcapo.open_offline(f) pcapo.setfilter(' '.join(args), 0, 0) pcaphandler = packethandler(opts=opts, DLT=pcapo.datalink(), ftab=ftab, ident=ident) # do it until EOF or SIGINT try: pcapo.loop(0, pcaphandler) except KeyboardInterrupt: break else: pcapo = pcap.pcapObject() pcapo.open_live(opts.dev, opts.snaplen, opts.promisc, opts.to_ms) pcapo.setfilter(' '.join(args), 0, 0) pcaphandler = packethandler(opts=opts, DLT=pcapo.datalink(), ftab=ftab, ident=ident) try: pcapo.loop(0, pcaphandler) except KeyboardInterrupt: pass # shut down print 'shutting down' print '%d packets received, %d packets dropped, %d packets dropped by interface' % pcapo.stats( ) print 'processed in %s' % (time.time() - start) if opts.ofile != '': handler.writer.close() if verify and opts.dumpfile != '': verify.verifyfile(opts.dumpfile) return ftab, ident, pcapo, verify
self, oid, value, nohex=True) if plainTag != textTag: context['hextag'], context['hexvalue'] = textTag, textValue else: textTag, textValue = plainTag, plainValue textOid, textTag, textValue = context['variationModule']['record']( textOid, textTag, textValue, **context) elif 'stopFlag' in context and context['stopFlag']: raise error.NoDataNotification() return textOid, textTag, textValue pcapObj = pcap.pcapObject() if listenInterface: if verboseFlag: log.msg('Listening on interface %s in %spromiscuous mode' % (listenInterface, promiscuousMode is False and 'non-' or '')) try: pcapObj.open_live(listenInterface, 65536, promiscuousMode, 1000) except Exception: log.msg('Error opening interface %s for snooping: %s' % (listenInterface, sys.exc_info()[1])) sys.exit(-1) elif captureFile: if verboseFlag: log.msg('Opening capture file %s' % captureFile) try:
def __init__(self, *args, **kargs): self.pcap = pcap.pcapObject() self.pcap.open_live(*args, **kargs)
def __init__(self, iface, pktlen): self.pc = pcap.pcapObject() self.pc.open_live(iface, pktlen, 1, 0) self.packet_count = 0 self.output = {}
def pcapReader(q, exitSignal, infile=None, interface=None, thrsh=0): if not infile and not interface: # FIXME: write warning here return if infile: pc = pcap.pcapObject() try: pc.open_offline(infile) except IOError: #log("could not open pcap interface "+str(input_interface)+"\n") pass if interface: pc = pcap.pcapObject() try: #pc.open_live(interface, snaplen, promisc, read_timeout) pc.open_live(interface, 1600, 0, 100) except IOError: #log("could not open pcap interface "+str(input_interface)+"\n") pass except Exception: # most likely we got no permission to open the interface sys.stderr.write('could not open interface. insufficient ' 'permissions?\n') q.put(None) return pc.setfilter('udp', 0, 0) basets = 0 newMappings = dict() while True: if exitSignal.is_set(): break try: packet = pc.next() if not packet: if infile: # end of file break elif interface: # read timeout continue payload = packet[1] timestamp = int(packet[2]) # make sure we are dealing with IP traffic # ref: http://www.iana.org/assignments/ethernet-numbers try: eth = dpkt.ethernet.Ethernet(payload) except: continue if eth.type != 2048: continue # make sure we are dealing with UDP # ref: http://www.iana.org/assignments/protocol-numbers/ try: ip = eth.data except: continue if ip.p != 17: continue # filter on UDP assigned ports for DNS # ref: http://www.iana.org/assignments/port-numbers try: udp = ip.data except: continue if udp.sport != 53 and udp.dport != 53: continue # make the dns object out of the udp data and check for it being a RR (answer) # and for opcode QUERY (I know, counter-intuitive) try: dns = dpkt.dns.DNS(udp.data) except: continue if dns.qr != dpkt.dns.DNS_R: continue if dns.opcode != dpkt.dns.DNS_QUERY: continue if dns.rcode != dpkt.dns.DNS_RCODE_NOERR: continue if len(dns.an) < 1: continue if len(dns.qd) == 0: continue aRecords = set() queriedName = dns.qd[0].name if not '.' in queriedName: continue #lastCname=queriedName for answer in dns.an: """ FIXME: this doesn't work for multiple queries in one DNS packet """ #if answer.type == dpkt.dns.DNS_CNAME: # lastCname=answer.cname if answer.type == dpkt.dns.DNS_A: ip = socket.inet_ntoa(answer.rdata) try: addr = IPAddress(ip) except netaddr.AddrFormatError: continue else: if (addr.is_unicast() and not addr.is_private() and not addr.is_reserved() and not addr.is_loopback()): aRecords.add(addr) if thrsh: if (timestamp - basets) > thrsh: basets = timestamp newMappings.clear() newIps = checkMapping(newMappings, queriedName, aRecords) aRecords = newIps if not aRecords: continue data = ((queriedName, ip.dst, aRecords), timestamp) queued = False while not queued: try: q.put_nowait(data) except Queue.Full: # we saturated the queue, let's give the reading # process some time to empty it again, where we don't # try to put something in the queue and thereby lock it # continuously time.sleep(sleeptime) if q.empty(): sleeptime *= 0.5 elif q.qsize() >= q._maxsize: sleeptime *= 2 if sleeptime > maxSleeptime: sleeptime = maxSleeptime else: queued = True except KeyboardInterrupt: break """ send shutdown signal """ q.put(None)
def main(): p = pcap.pcapObject() filename = sys.argv[1] p.open_offline(filename) p.dispatch(-1, packet_handler)
def run(self): """Sniffer main function""" # Get logger logger = logging.getLogger() logger.info("Sniffer %i : Capture started on %s" % (self.id, self.dev)) # Init last_update_t = time() last_save_t = time() capture = False # Optimizations db_on = self.database["on"] lmod = self.lmod term = self.terminated pipe_send_fnt = self.pipe_sender.send lfnt_pkthandle = list() lfnt_trigger_update = list() lfnt_trigger_save = list() for mod in lmod: lfnt_pkthandle.append(mod.pkt_handler) lfnt_trigger_update.append(mod.trigger_data_update) lfnt_trigger_save.append(mod.trigger_db_save) # List loaded module for mod in self.lmod: logger.info( "Sniffer %i : Load network module - websocket subprotocol " % (self.id) + mod.__str__()) # Mysql database mydb = self.database["class"]( host=self.database["conf"]["host"], user=self.database["conf"]["user"], passwd=self.database["conf"]["passwd"], database=self.database["conf"]["database"], port=self.database["conf"]["port"]) if db_on: # connection to database mydb.connection() if mydb.is_connect(): for mod in lmod: mod.database_init(mydb) mydb.commit() # Get device informations if possible (IP address assigned) try: net, mask = pcap.lookupnet(self.dev) except: net, mask = "192.168.1.0", "255.255.255.0" # Create new pcap capture object p = pcap.pcapObject() try: # (Dev, buffer, promiscuous mode, timeout) p.open_live(self.dev, PCAP_PACKET_MAX_LEN, PCAP_PROMISCUOUS_MODE, PCAP_SNIFFER_TIMEOUT) # keep it in an available object GetSniffer().set_sniffer(p) capture = True # Handler loop # tt = (0, 0) while not term.value: pkt = p.next() if pkt is not None: # Decode packet pktdec = Packet(pkt[0], pkt[1], pkt[2]) # a = time() # send pkt to modules map(lambda x: x(pktdec), lfnt_pkthandle) # res = time() - a # a, b = tt # tt = (a+res, b+1) # if tt[1] > 100: # print "Time sniff :", tt[0]/tt[1], "Time Tot :", tt[0] # tt = (0,0) # Modules update call if time() - last_update_t > MIN_TIME_MOD_UPDATE: last_update_t = time() l_res = list() for mod in lmod: data = mod.trigger_data_update() if data is not None: l_res.append((mod.protocol, data)) # Data to send with websocket if len(l_res) > 0: pipe_send_fnt(l_res) # Modules save call if db_on and mydb.connect is not None: if time() - last_save_t > MIN_TIME_DB_UPDATE: last_save_t = time() map(lambda x: x(mydb), lfnt_trigger_save) mydb.commit() except KeyboardInterrupt: logger.info("Sniffer %i : Interruption signal" % self.id) except Exception as e: logger.debug("Sniffer %i :" % self.id, exc_info=True) # logger.error("Sniffer %i : %s" % (self.id, e.strerror)) print e finally: if capture: if db_on: mydb.close() logger.info("Sniffer %i : Capture stopped..." % self.id) pkt_recv, pkt_drop, pkt_devdrop = p.stats() if pkt_recv > 0: lost = pkt_drop / (pkt_recv * 1.0) * 100 else: lost = 0.0 logger.info( 'Sniffer %i : %i packets received, %i packets dropped, %i packets dropped by interface - %d%%' % (self.id, pkt_recv, pkt_drop, pkt_devdrop, lost))
def main(args): global __dbconnection global __dbconnect if '-h' in args or '--help' in args: print('Usage: {}'.format(args[0])) script_path = os.path.dirname(args[0]) config = ConfigParser.RawConfigParser() try: config.read(os.path.join(script_path, 'config')) except: logging.error("Couldn't read configuration file") return if not check_config(config): logging.error("Configuration files is missing one or more values") return def create_dbconnect(): dsn = config.get('dnsstatd', 'db_dsn') def dbc(): global __dbconnection __dbconnection = psycopg2.connect(dsn) logging.info("Database connection established") return dbc __dbconnect = create_dbconnect() try: __dbconnect() except psycopg2.DatabaseError as dbe: logging.error("Error connecting to database: %s", dbe.message) return addrs = [] cap_dev = 'any' ifaces = config.get('dnsstatd', 'dev').split(',') if len(ifaces) == 1: cap_dev = ifaces[0] if ifaces[0] == 'any': ifaces = netifaces.interfaces() for iface in ifaces: for addr in netifaces.ifaddresses(iface).get(netifaces.AF_INET, []): addrs.append(addr['addr']) for addr in netifaces.ifaddresses(iface).get(netifaces.AF_INET6, []): if not '%' in addr['addr']: addrs.append(addr['addr']) pcap_filter = 'src port 53 and ({})'.format(' or '.join( ['src ' + x for x in addrs])) p = pcap.pcapObject() p.open_live(cap_dev, 8192, 0, 100) p.setfilter(pcap_filter, 0, 0) p.setnonblock(0) logging.info("Listening on {} using filter \"{}\"".format( cap_dev, pcap_filter)) logging.warning( "python-libpcap will not release after SIGTERM until receieving one more packet" ) try: p.loop(0, handle_packet) except KeyboardInterrupt: logging.info('Caught signal, shutting down') logging.info('{} packets, {} dropped, {} dropped by interface'.format( *p.stats()))
def prepare(self): ''' ''' self.p = pcap.pcapObject() self.p.open_live(self.dev, 1500, 0, 100) self.p.setfilter("port %d" % self.port, 0, 0)
def fpcap(): p = pcap.pcapObject() p.open_live("eth1", 1600, 1, 750) return p
plaintext = rc4.decrypt(frag.data, ip.src, ip.dst, header.objectid, frag.iv, frag.crc) # decrypt if plaintext != None: h = ObjectHeader(plaintext) h.parse() # print '\tobject content:\n\t\t'+str2hex(h.data) if not (header.objectid in myObjects.keys()): myObjects[header.objectid] = '' myObjects[header.objectid] += h.data if last: print '\treassembled content:\n\t\t' + str2hex( myObjects[header.objectid]) else: print 'UNKNOWN (' + hex(t) + '), ' + str(len( header.data)) + ' bytes follow' print counter += 1 try: fname = sys.argv[1] except: fname = 'SkypeIRC.cap' p = pcapObject() p.open_offline(fname) p.loop(0, iterate)