def test_spb_snap_lengths(): """ Simple Packet Blocks present a unique challenge in parsing. The packet does not contain an explicit "captured length" indicator, only the original observed packet length; one must consult the capturing network interface's snap length in order to determine whether the packet may have been truncated. The block interface was designed to take care of most of this for the developer, both for reading and writing. For reading, the :py:method:`captured_len` is a property that works out its value from the capturing interface and the original packet length. For writing, packet data will be truncated to the capturing interface's snap length if it would be too big. """ # Binary data to write/test data = bytes(range(0, 256)) # First session: no snap length o_shb = blocks.SectionHeader() o_idb = o_shb.new_member(blocks.InterfaceDescription) # noqa: F841 o_blk1 = o_shb.new_member(blocks.SimplePacket, packet_data=data) fake_file = io.BytesIO() writer = FileWriter(fake_file, o_shb) writer.write_block(o_blk1) fake_file.seek(0) (i_shb, i_idb, i_blk1) = list(FileScanner(fake_file)) assert i_blk1.captured_len == len(data) assert i_blk1.packet_len == len(data) assert i_blk1.packet_data == data # Second session: with snap length o_shb = blocks.SectionHeader() o_idb = o_shb.new_member(blocks.InterfaceDescription, snaplen=32) # noqa: F841 o_blk1 = o_shb.new_member(blocks.SimplePacket, packet_data=data[:16]) o_blk2 = o_shb.new_member(blocks.SimplePacket, packet_data=data[:32]) o_blk3 = o_shb.new_member(blocks.SimplePacket, packet_data=data[:33]) fake_file = io.BytesIO() writer = FileWriter(fake_file, o_shb) writer.write_block(o_blk1) writer.write_block(o_blk2) writer.write_block(o_blk3) fake_file.seek(0) (i_shb, i_idb, i_blk1, i_blk2, i_blk3) = list(FileScanner(fake_file)) assert i_blk1.captured_len == 16 assert i_blk1.packet_len == 16 assert i_blk1.packet_data == data[:16] assert i_blk2.captured_len == 32 assert i_blk2.packet_len == 32 assert i_blk2.packet_data == data[:32] assert i_blk3.captured_len == 32 assert i_blk3.packet_len == 33 assert i_blk3.packet_data == data[:32]
def get_pcap_packet_blocks(filename): packet_blocks = [] with open(filename, 'rb') as fp: scanner = FileScanner(fp) for block in scanner: if isinstance(block, blocks.EnhancedPacket): packet_blocks.append(block) return packet_blocks
def get_pcap_packet_blocks(filename): """ Reads a pcap file and creates a list of EnhancedPacket blocks from the file. """ packet_blocks = [] with open(filename, 'rb') as fp: scanner = FileScanner(fp) for block in scanner: if isinstance(block, blocks.EnhancedPacket): packet_blocks.append(block) return packet_blocks
def main(args): try: pcap = list(FileScanner(args.input_file)) if args.mode == "read": pacp_reader(pcap, args.packet_number) if args.mode == "write": pcap_writer(pcap, args.packet_number, args.output_file, args.comment) except ValueError: print("Could not open input file " "- please specify a currect pcapng file")
def get_pacpng_packet_blocks(filename): """ Reads a pcapng file and creates a list of EnhancedPacket Blocks from the file """ i = 0 packet_blocks = [] with open(filename, 'rb') as fp: #open as read binary scanner = FileScanner(fp) for block in scanner: if isinstance(block, blocks.EnhancedPacket): packet_blocks.append(block) #if i < 6: # print(packet_blocks) # i=i+1 return packet_blocks
def load_data(filename): with open(filename, "rb") as file: scanner = list(FileScanner(file)) packet_sizes = [] packet_arrival_durations = [] cnt = 0 start_timestamp = 0 for block in scanner: if str(block).startswith("<EnhancedPacket"): if cnt >= 5000: break packet_sizes.append(block.captured_len) timestamp = block.timestamp packet_arrival_durations.append(timestamp - start_timestamp) start_timestamp = timestamp cnt += 1 # first value is an outlier which we discard packet_arrival_durations = packet_arrival_durations[1:] return packet_sizes, packet_arrival_durations
def sniff(): iface = 'wlan0' basepath = Path(__file__).parent.absolute() filepath = str((basepath / "packet_captures/{}.pcap".format( datetime.now().strftime("%Y-%m-%d %H:%M:%S"))).resolve()).replace( " ", "_") args = [] args.append(iface) args.append(filepath) sniffer = PacketSniffer() sniffer.run(args) print("Sniffer thread initialised.") time.sleep(30) cmd = "tshark -r " + filepath run_args = shlex.split(cmd) txt_file = filepath[:-4] + "txt" f = open(txt_file, "w+") file_lines = 0 count = 0 with open(filepath, 'rb') as fp: scanner = FileScanner(fp) for block in scanner: print(block.PacketDataField) #tshark = subprocess.Popen(run_args, stdout=subprocess.PIPE) #for line in io.TextIOWrapper(tshark.stdout, encoding="utf-8"): #print("test: %s" % line.rstrip()) #f.write(line.rstrip() + "\n") #count = len(scanner.readlines()) #print("COUNT: ", count) #if (file_lines == count): #time.sleep(5) return jsonify(filepath[:4])
print("-" * 60) def human_number(num, k=1000): powers = [""] + list("kMGTPEY") assert isinstance(num, int) for i, suffix in enumerate(powers): if (num < (k**(i + 1))) or (i == len(powers) - 1): return "{0:d}{1}".format(int(round(num / (k**i))), suffix) raise AssertionError("Should never reach this") if __name__ == "__main__": import sys rdr = FileScanner(sys.stdin) ip_src_count = Counter() ip_dst_count = Counter() ip_src_size = Counter() ip_dst_size = Counter() tcp_src_count = Counter() tcp_dst_count = Counter() tcp_src_size = Counter() tcp_dst_size = Counter() for block in rdr: # print(repr(block)) if isinstance(block, EnhancedPacket):
def test_write_read_all_blocks(endianness): # Track the blocks we're writing out_blocks = [] # Build our original/output session o_shb = blocks.SectionHeader( endianness=endianness, options={ "shb_hardware": "pytest", "shb_os": "python", "shb_userappl": "python-pcapng", }, ) out_blocks.append(o_shb) o_idb = o_shb.new_member( blocks.InterfaceDescription, link_type=1, snaplen=65535, options={ "if_name": "Interface Zero", "if_description": "Test interface", "if_os": "python", "if_hardware": "whatever", "if_filter": [(0, b"tcp port 23 and host 192.0.2.5")], }, ) out_blocks.append(o_idb) # The SHB and IDBs will be written right away here. fake_file = io.BytesIO() writer = FileWriter(fake_file, o_shb) # Add blocks to the output # epb blk = o_shb.new_member(blocks.EnhancedPacket) blk.packet_data = b"Test data 123 XYZ" writer.write_block(blk) out_blocks.append(blk) # spb blk = o_shb.new_member(blocks.SimplePacket) blk.packet_data = b"Test data 123 XYZ" writer.write_block(blk) out_blocks.append(blk) # pb (which is obsolete) set_strictness(Strictness.FORBID) blk = o_shb.new_member(blocks.ObsoletePacket) blk.packet_data = b"Test data 123 XYZ" with pytest.raises(PcapngStrictnessError, match="obsolete"): # Should prevent writing by default writer.write_block(blk) # Set to warning mode and try again set_strictness(Strictness.WARN) with pytest.warns(PcapngStrictnessWarning, match="obsolete"): # Should write the obsolete block now writer.write_block(blk) out_blocks.append(blk) # Set to fix mode and try again set_strictness(Strictness.FIX) with pytest.warns(PcapngStrictnessWarning, match="obsolete"): # Should write an enhanced block now writer.write_block(blk) out_blocks.append(blk.enhanced()) set_strictness(Strictness.FORBID) # nrb blk = o_shb.new_member( blocks.NameResolution, records=[ { "type": 1, "address": "127.0.0.1", "names": ["localhost", "localhost.localdomain"], }, { "type": 2, "address": "::1", "names": ["localhost", "localhost.localdomain"], }, ], ) writer.write_block(blk) out_blocks.append(blk) # isb blk = o_shb.new_member( blocks.InterfaceStatistics, interface_id=0, timestamp_high=0x01234567, timestamp_low=0x89ABCDEF, options={ "isb_starttime": 0x0123456789ABCD00, "isb_endtime": 0x0123456789ABCDEF, "isb_usrdeliv": 50, }, ) writer.write_block(blk) out_blocks.append(blk) # Done writing blocks. # Now get back what we wrote and see if things line up. fake_file.seek(0) in_blocks = list(FileScanner(fake_file)) compare_blocklists(in_blocks, out_blocks)
from __future__ import print_function, division from collections import Counter from scapy.layers.l2 import Ether from scapy.layers.inet import IP, TCP from pcapng import FileScanner from pcapng.blocks import EnhancedPacket import sys if __name__ == '__main__': fp = open(sys.argv[1], 'rb') rdr = FileScanner(fp) ip_src_count = Counter() ip_dst_count = Counter() ip_src_size = Counter() ip_dst_size = Counter() tcp_src_count = Counter() tcp_dst_count = Counter() tcp_src_size = Counter() tcp_dst_size = Counter() for block in rdr: # print(repr(block)) if isinstance(block, EnhancedPacket):
pcap_filename = cli_args.pcap_filename print("pcap_json_converter {} started.".format(pcap_filename)) # Read and parse pcap file, extract tcp raw data cpp_filename = pcap_filename + ".cpp" json_filename = pcap_filename + ".json" if os.path.isfile(cpp_filename): os.remove(cpp_filename) if os.path.isfile(json_filename): os.remove(json_filename) start_timestamp = -1.0 payload = b'' payload_completed = False cola_ascii = False # default: cola binary with open(pcap_filename, 'rb') as pcap_file: pcap_scanner = FileScanner(pcap_file) for block_cnt, block in enumerate(pcap_scanner): if isinstance(block, EnhancedPacket): # Decode a single pcap block if block.captured_len != block.packet_len: print( "## pcap_json_converter block {}: {} byte block truncated to {} bytes" .format(block_cnt, block.packet_len, block.captured_len)) block_data = Ether(block.packet_data) block_decoded = block_data for n in range(0, 10): if isinstance(block_decoded.payload, scapy.packet.Raw): break elif isinstance(block_decoded.payload,
l = "|" for p in lines[0]: l += "I....... " print l+"|" for line in lines: for pixel in line: ascii += format(pixel, '08b').strip().replace('0',' ').replace('1',chr(219))+"." ascii += "|\n|" print ascii with open(sys.argv[1]) as fp: stream = bytearray("") print fp scanner = FileScanner(fp) for block in scanner: try: blockb = bytearray(block.packet_data) if len(blockb[27:])>0: print block #strip off USB stuff stream += blockb[27:] except AttributeError: pass # work with bytearray stream print len(stream) commands = parse(stream)
help="File name to write decrypted output too", required=True) args = parser.parse_args() pcap_filename = args.pcapng write_filename = args.output def xor_decrypt(message, key): return ''.join(chr(ord(c) ^ ord(k)) for c, k in izip(message, cycle(key))) xor_key = None with open(pcap_filename, 'rb') as read_fp, open(write_filename, 'wb') as write_fp: scanner = FileScanner(read_fp) for block in scanner: if isinstance(block, EnhancedPacket): # Check for SMB packet signature and reserved word plus SESSION_SETUP bytes if "\xffSMB" in block.packet_data and "\x00\x0e\x00" in block.packet_data: offset = block.packet_data.index("\x00\x0e\x00") + 6 header = block.packet_data[offset:offset + 12] data = block.packet_data[offset + 12:] # Filter out blank ping packets if header != "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00": # Set XOR key based on NULL bytes revealing key in first header packet if xor_key is None: xor_key = header[8:12]