def test_spb_snap_lengths():
"""
Simple Packet Blocks present a unique challenge in parsing. The packet does not
contain an explicit "captured length" indicator, only the original observed
packet length; one must consult the capturing network interface's snap length
in order to determine whether the packet may have been truncated.
The block interface was designed to take care of most of this for the developer,
both for reading and writing. For reading, the :py:method:`captured_len` is
a property that works out its value from the capturing interface and the original
packet length. For writing, packet data will be truncated to the capturing
interface's snap length if it would be too big.
"""
# Binary data to write/test
data = bytes(range(0, 256))
# First session: no snap length
o_shb = blocks.SectionHeader()
o_idb = o_shb.new_member(blocks.InterfaceDescription) # noqa: F841
o_blk1 = o_shb.new_member(blocks.SimplePacket, packet_data=data)
fake_file = io.BytesIO()
writer = FileWriter(fake_file, o_shb)
writer.write_block(o_blk1)
fake_file.seek(0)
(i_shb, i_idb, i_blk1) = list(FileScanner(fake_file))
assert i_blk1.captured_len == len(data)
assert i_blk1.packet_len == len(data)
assert i_blk1.packet_data == data
# Second session: with snap length
o_shb = blocks.SectionHeader()
o_idb = o_shb.new_member(blocks.InterfaceDescription,
snaplen=32) # noqa: F841
o_blk1 = o_shb.new_member(blocks.SimplePacket, packet_data=data[:16])
o_blk2 = o_shb.new_member(blocks.SimplePacket, packet_data=data[:32])
o_blk3 = o_shb.new_member(blocks.SimplePacket, packet_data=data[:33])
fake_file = io.BytesIO()
writer = FileWriter(fake_file, o_shb)
writer.write_block(o_blk1)
writer.write_block(o_blk2)
writer.write_block(o_blk3)
fake_file.seek(0)
(i_shb, i_idb, i_blk1, i_blk2, i_blk3) = list(FileScanner(fake_file))
assert i_blk1.captured_len == 16
assert i_blk1.packet_len == 16
assert i_blk1.packet_data == data[:16]
assert i_blk2.captured_len == 32
assert i_blk2.packet_len == 32
assert i_blk2.packet_data == data[:32]
assert i_blk3.captured_len == 32
assert i_blk3.packet_len == 33
assert i_blk3.packet_data == data[:32]
def get_pcap_packet_blocks(filename):
packet_blocks = []
with open(filename, 'rb') as fp:
scanner = FileScanner(fp)
for block in scanner:
if isinstance(block, blocks.EnhancedPacket):
packet_blocks.append(block)
return packet_blocks
def get_pcap_packet_blocks(filename):
"""
Reads a pcap file and creates a list of EnhancedPacket blocks from the file.
"""
packet_blocks = []
with open(filename, 'rb') as fp:
scanner = FileScanner(fp)
for block in scanner:
if isinstance(block, blocks.EnhancedPacket):
packet_blocks.append(block)
return packet_blocks
def main(args):
try:
pcap = list(FileScanner(args.input_file))
if args.mode == "read":
pacp_reader(pcap, args.packet_number)
if args.mode == "write":
pcap_writer(pcap, args.packet_number, args.output_file,
args.comment)
except ValueError:
print("Could not open input file "
"- please specify a currect pcapng file")
def get_pacpng_packet_blocks(filename):
"""
Reads a pcapng file and creates a list of EnhancedPacket Blocks from the file
"""
i = 0
packet_blocks = []
with open(filename, 'rb') as fp: #open as read binary
scanner = FileScanner(fp)
for block in scanner:
if isinstance(block, blocks.EnhancedPacket):
packet_blocks.append(block)
#if i < 6:
# print(packet_blocks)
# i=i+1
return packet_blocks
def load_data(filename):
with open(filename, "rb") as file:
scanner = list(FileScanner(file))
packet_sizes = []
packet_arrival_durations = []
cnt = 0
start_timestamp = 0
for block in scanner:
if str(block).startswith("<EnhancedPacket"):
if cnt >= 5000:
break
packet_sizes.append(block.captured_len)
timestamp = block.timestamp
packet_arrival_durations.append(timestamp - start_timestamp)
start_timestamp = timestamp
cnt += 1
# first value is an outlier which we discard
packet_arrival_durations = packet_arrival_durations[1:]
return packet_sizes, packet_arrival_durations
def sniff():
iface = 'wlan0'
basepath = Path(__file__).parent.absolute()
filepath = str((basepath / "packet_captures/{}.pcap".format(
datetime.now().strftime("%Y-%m-%d %H:%M:%S"))).resolve()).replace(
" ", "_")
args = []
args.append(iface)
args.append(filepath)
sniffer = PacketSniffer()
sniffer.run(args)
print("Sniffer thread initialised.")
time.sleep(30)
cmd = "tshark -r " + filepath
run_args = shlex.split(cmd)
txt_file = filepath[:-4] + "txt"
f = open(txt_file, "w+")
file_lines = 0
count = 0
with open(filepath, 'rb') as fp:
scanner = FileScanner(fp)
for block in scanner:
print(block.PacketDataField)
#tshark = subprocess.Popen(run_args, stdout=subprocess.PIPE)
#for line in io.TextIOWrapper(tshark.stdout, encoding="utf-8"):
#print("test: %s" % line.rstrip())
#f.write(line.rstrip() + "\n")
#count = len(scanner.readlines())
#print("COUNT: ", count)
#if (file_lines == count):
#time.sleep(5)
return jsonify(filepath[:4])
print("-" * 60)
def human_number(num, k=1000):
powers = [""] + list("kMGTPEY")
assert isinstance(num, int)
for i, suffix in enumerate(powers):
if (num < (k**(i + 1))) or (i == len(powers) - 1):
return "{0:d}{1}".format(int(round(num / (k**i))), suffix)
raise AssertionError("Should never reach this")
if __name__ == "__main__":
import sys
rdr = FileScanner(sys.stdin)
ip_src_count = Counter()
ip_dst_count = Counter()
ip_src_size = Counter()
ip_dst_size = Counter()
tcp_src_count = Counter()
tcp_dst_count = Counter()
tcp_src_size = Counter()
tcp_dst_size = Counter()
for block in rdr:
# print(repr(block))
if isinstance(block, EnhancedPacket):
def test_write_read_all_blocks(endianness):
# Track the blocks we're writing
out_blocks = []
# Build our original/output session
o_shb = blocks.SectionHeader(
endianness=endianness,
options={
"shb_hardware": "pytest",
"shb_os": "python",
"shb_userappl": "python-pcapng",
},
)
out_blocks.append(o_shb)
o_idb = o_shb.new_member(
blocks.InterfaceDescription,
link_type=1,
snaplen=65535,
options={
"if_name": "Interface Zero",
"if_description": "Test interface",
"if_os": "python",
"if_hardware": "whatever",
"if_filter": [(0, b"tcp port 23 and host 192.0.2.5")],
},
)
out_blocks.append(o_idb)
# The SHB and IDBs will be written right away here.
fake_file = io.BytesIO()
writer = FileWriter(fake_file, o_shb)
# Add blocks to the output
# epb
blk = o_shb.new_member(blocks.EnhancedPacket)
blk.packet_data = b"Test data 123 XYZ"
writer.write_block(blk)
out_blocks.append(blk)
# spb
blk = o_shb.new_member(blocks.SimplePacket)
blk.packet_data = b"Test data 123 XYZ"
writer.write_block(blk)
out_blocks.append(blk)
# pb (which is obsolete)
set_strictness(Strictness.FORBID)
blk = o_shb.new_member(blocks.ObsoletePacket)
blk.packet_data = b"Test data 123 XYZ"
with pytest.raises(PcapngStrictnessError, match="obsolete"):
# Should prevent writing by default
writer.write_block(blk)
# Set to warning mode and try again
set_strictness(Strictness.WARN)
with pytest.warns(PcapngStrictnessWarning, match="obsolete"):
# Should write the obsolete block now
writer.write_block(blk)
out_blocks.append(blk)
# Set to fix mode and try again
set_strictness(Strictness.FIX)
with pytest.warns(PcapngStrictnessWarning, match="obsolete"):
# Should write an enhanced block now
writer.write_block(blk)
out_blocks.append(blk.enhanced())
set_strictness(Strictness.FORBID)
# nrb
blk = o_shb.new_member(
blocks.NameResolution,
records=[
{
"type": 1,
"address": "127.0.0.1",
"names": ["localhost", "localhost.localdomain"],
},
{
"type": 2,
"address": "::1",
"names": ["localhost", "localhost.localdomain"],
},
],
)
writer.write_block(blk)
out_blocks.append(blk)
# isb
blk = o_shb.new_member(
blocks.InterfaceStatistics,
interface_id=0,
timestamp_high=0x01234567,
timestamp_low=0x89ABCDEF,
options={
"isb_starttime": 0x0123456789ABCD00,
"isb_endtime": 0x0123456789ABCDEF,
"isb_usrdeliv": 50,
},
)
writer.write_block(blk)
out_blocks.append(blk)
# Done writing blocks.
# Now get back what we wrote and see if things line up.
fake_file.seek(0)
in_blocks = list(FileScanner(fake_file))
compare_blocklists(in_blocks, out_blocks)
from __future__ import print_function, division
from collections import Counter
from scapy.layers.l2 import Ether
from scapy.layers.inet import IP, TCP
from pcapng import FileScanner
from pcapng.blocks import EnhancedPacket
import sys
if __name__ == '__main__':
fp = open(sys.argv[1], 'rb')
rdr = FileScanner(fp)
ip_src_count = Counter()
ip_dst_count = Counter()
ip_src_size = Counter()
ip_dst_size = Counter()
tcp_src_count = Counter()
tcp_dst_count = Counter()
tcp_src_size = Counter()
tcp_dst_size = Counter()
for block in rdr:
# print(repr(block))
if isinstance(block, EnhancedPacket):
pcap_filename = cli_args.pcap_filename
print("pcap_json_converter {} started.".format(pcap_filename))
# Read and parse pcap file, extract tcp raw data
cpp_filename = pcap_filename + ".cpp"
json_filename = pcap_filename + ".json"
if os.path.isfile(cpp_filename):
os.remove(cpp_filename)
if os.path.isfile(json_filename):
os.remove(json_filename)
start_timestamp = -1.0
payload = b''
payload_completed = False
cola_ascii = False # default: cola binary
with open(pcap_filename, 'rb') as pcap_file:
pcap_scanner = FileScanner(pcap_file)
for block_cnt, block in enumerate(pcap_scanner):
if isinstance(block, EnhancedPacket):
# Decode a single pcap block
if block.captured_len != block.packet_len:
print(
"## pcap_json_converter block {}: {} byte block truncated to {} bytes"
.format(block_cnt, block.packet_len,
block.captured_len))
block_data = Ether(block.packet_data)
block_decoded = block_data
for n in range(0, 10):
if isinstance(block_decoded.payload, scapy.packet.Raw):
break
elif isinstance(block_decoded.payload,
l = "|"
for p in lines[0]:
l += "I....... "
print l+"|"
for line in lines:
for pixel in line:
ascii += format(pixel, '08b').strip().replace('0',' ').replace('1',chr(219))+"."
ascii += "|\n|"
print ascii
with open(sys.argv[1]) as fp:
stream = bytearray("")
print fp
scanner = FileScanner(fp)
for block in scanner:
try:
blockb = bytearray(block.packet_data)
if len(blockb[27:])>0:
print block
#strip off USB stuff
stream += blockb[27:]
except AttributeError:
pass
# work with bytearray stream
print len(stream)
commands = parse(stream)
help="File name to write decrypted output too",
required=True)
args = parser.parse_args()
pcap_filename = args.pcapng
write_filename = args.output
def xor_decrypt(message, key):
return ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(message, cycle(key)))
xor_key = None
with open(pcap_filename, 'rb') as read_fp, open(write_filename,
'wb') as write_fp:
scanner = FileScanner(read_fp)
for block in scanner:
if isinstance(block, EnhancedPacket):
# Check for SMB packet signature and reserved word plus SESSION_SETUP bytes
if "\xffSMB" in block.packet_data and "\x00\x0e\x00" in block.packet_data:
offset = block.packet_data.index("\x00\x0e\x00") + 6
header = block.packet_data[offset:offset + 12]
data = block.packet_data[offset + 12:]
# Filter out blank ping packets
if header != "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00":
# Set XOR key based on NULL bytes revealing key in first header packet
if xor_key is None:
xor_key = header[8:12]