def load_data(self):
import os
import os.path as path
import numpy as np
import scapy.all as sp
import h5py as hp
from tqdm import tqdm
if self.h5db_path is None:
with sp.PcapReader(self.pcap_path) as reader:
return reader.read_all(self.max_packets)
if path.exists(self.h5db_path):
if self.verbose:
print(f"Loading: pcap='{self.pcap_path}' h5='{self.h5db_path}'")
self.h5db = hp.File(self.h5db_path, "r")
return self.h5db[self.h5ds_name]
dirpath = path.dirname(self.h5db_path)
if len(dirpath) == 0:
dirpath = "."
os.makedirs(dirpath, exist_ok=True)
with hp.File(self.h5db_path, "w") as db, sp.PcapReader(self.pcap_path) as packets:
if self.verbose:
print(f"Caching: pcap='{self.pcap_path}' h5='{self.h5db_path}'")
cache = None
processed_packets = 0
iterable = enumerate(packets)
if self.verbose:
iterable = tqdm(iterable)
for idx, packet in iterable:
if self.max_packets and processed_packets >= self.max_packets:
break
packet_numpy = self.preprocess(packet)
if packet_numpy is None:
continue
processed_packets += 1
if cache is None:
dims = packet_numpy.shape
cache = db.create_dataset(self.h5ds_name, shape=(1, *dims), maxshape=(None, *dims), dtype=np.int, chunks=True)
if processed_packets >= len(cache):
cache.resize(processed_packets + 1, axis=0)
cache[processed_packets] = packet_numpy
self.h5db = hp.File(self.h5db_path, "r")
return self.h5db[self.h5ds_name]
def _pcap_reader_instance(self, bpf_filter):
if sys.platform == "darwin":
self._warning_logger("Need tcpdump from Brew for filter to work")
if bpf_filter:
return scapy.PcapReader(
scapy.tcpdump(self._pcap_filepath,
args=["-w", "-", bpf_filter],
getfd=True))
else:
return scapy.PcapReader(self._pcap_filepath)
def compare(x, y):
xr = scapy.PcapReader(str(x))
yr = scapy.PcapReader(str(y))
n = 0
xp = xr.read_packet()
yp = yr.read_packet()
while xp and yp:
packet_crawl(xp, yp, n)
xp = xr.read_packet()
yp = yr.read_packet()
n = +1
assert not xp and not yp, "Unequal pcap length"
def export_signal_strength(self, src_ip, save_path):
is_all = src_ip == 'all'
with open(save_path, 'w') as f:
f.write(
"Src IP,Transmit Mac, Transmit IP, Dst IP,"
"Signal Strength, Time of the day, Raw time (seconds), Micros\n"
)
for packet in sp.PcapReader(self.path):
dels_sec = packet.time - self.exp_day
dels_mins = dels_sec / 60
secs = dels_sec % 60
micro = int((secs - int(secs)) * 10**6)
secs = int(secs)
mins = int(dels_mins % 60) + self.ist_mins
hours = int(dels_mins / 60) + self.ist_hour
timestamp = dt.datetime(year=2018,
month=10,
day=13,
hour=hours,
minute=mins,
second=int(secs),
microsecond=micro)
if packet.haslayer(sp.IP) and packet.haslayer(sp.RadioTap):
if packet[sp.Dot11].fields['addr2'] == self.IP_Mac_Map[
src_ip] or is_all:
f.write(
packet[sp.IP].fields['src'] + "," +
packet[sp.Dot11].fields['addr2'] + "," + src_ip +
"," + packet[sp.IP].fields['dst'] + "," +
str(packet[sp.RadioTap].fields['dBm_AntSignal']) +
"," + str(timestamp) + "," + str(packet.time) +
"," + str(int(micro)) + "\n")
def export_inter_arrival_time(self, save_path):
old = 0
with open(save_path, 'w') as f:
f.write(
"Time (milli), Time of the day, Raw time (seconds), Micros\n")
for packet in sp.PcapReader(self.path):
dels_sec = packet.time - self.exp_day
dels_mins = dels_sec / 60
secs = dels_sec % 60
micro = int((secs - int(secs)) * 10**6)
secs = int(secs)
mins = int(dels_mins % 60) + self.ist_mins
hours = int(dels_mins / 60) + self.ist_hour
timestamp = dt.datetime(year=2018,
month=10,
day=13,
hour=hours,
minute=mins,
second=int(secs),
microsecond=micro)
delta = packet.time - old
delta = delta * 1000
old = packet.time
f.write(
str(delta) + "," + str(timestamp) + "," +
str(packet.time) + "," + str(int(micro)) + "\n")
def analyse_pcap(pcap_file, ip_addr):
prev = 0
for packet in scapy.PcapReader(pcap_file):
# Weed out everything which is not a TCP SYN segment.
if (not scapy.TCP in packet) or (not packet[scapy.TCP].flags == 2):
continue
# Add timestamp and port for our reference IP address.
if packet[scapy.IP].src == ip_addr:
if prev == 0: prev = packet.time
decoy_conns[packet[scapy.TCP].dport] = packet.time
print int(packet.time) - int(prev)
prev = packet.time
continue
# Figure out time delta.
time = decoy_conns.get(packet[scapy.TCP].dport)
if time is not None:
delta = packet.time - time
del decoy_conns[packet[scapy.TCP].dport]
time_deltas[packet[scapy.TCP].dport] = delta
# Dump CSV to stdout.
print "delay, port"
ports = time_deltas.keys()
for port in ports:
print "%.3f, %d" % (time_deltas[port], port)
def extract_data(path):
print('------ extracting data:')
raw_datas = []
with scapy.PcapReader(path) as pcap_reader:
i = 0
for p in pcap_reader:
ip = None
if p.haslayer(scapy.IP):
ip = p.getlayer(scapy.IP)
item = {
"no": i + 1,
"time": p.time,
"src": (ip and ip.src) or p.src,
"sport": 0,
"dst": (ip and ip.dst) or p.dst,
"dport": 0
# "len": len(scapy.corrupt_bytes(p)),
# "protocal": p.summary().split('/')[2].split(' ')[1]
}
if ip and (p.haslayer(scapy.TCP) or p.haslayer(scapy.UDP)):
item["sport"] = ip.sport
item["dport"] = ip.dport
raw_datas.append(item)
i = i + 1
if (i % 10000 == 1):
print('extracting count: ', i)
return np.array(raw_datas)
def export_arrival_rate(self, save_path):
count = 0
old_time = 0
with open(save_path, 'w') as f:
f.write("Start Time,Rate\n")
for packet in sp.PcapReader(self.path):
dels_sec = packet.time - self.exp_day
dels_mins = dels_sec / 60
secs = dels_sec % 60
micro = int((secs - int(secs)) * 10**6)
secs = int(secs)
mins = int(dels_mins % 60) + self.ist_mins
hours = int(dels_mins / 60) + self.ist_hour
timestamp = dt.datetime(year=2018,
month=10,
day=13,
hour=hours,
minute=mins,
second=secs,
microsecond=micro)
if old_time == 0:
old_time = timestamp
count = 1
continue
else:
if (timestamp - old_time) > dt.timedelta(seconds=1):
f.write(str(old_time) + "," + str(count) + "\n")
old_time = timestamp
count = 1
else:
count += 1
def split_pcap(filename, session_list, parent_thread = None):
protocol_map = {"00000006" : "tcp", "00000011" : "udp"}
files = {}
cap_dir = "captures"
if not os.path.exists(cap_dir):
os.makedirs(cap_dir)
for session_tuple in session_list:
sip = hex_to_ipv4(session_tuple[0])
sp = hex_to_port(session_tuple[1])
dip = hex_to_ipv4(session_tuple[2])
dp = hex_to_port(session_tuple[3])
prot = protocol_map[session_tuple[4]]
files[session_tuple] = [cap_dir, f"{prot}_{sip}.{sp}-{dip}.{dp}.pcap"]
size_counter = 24 # PCAP file header
pcap_size = os.stat(filename).st_size
analyzed_percent = 0
with scapy.PcapReader(filename) as packets:
for packet in packets:
size_counter += 16 # PCAP packet header
size_counter += len(packet)
if parent_thread:
current_percent = int(size_counter * 100 // pcap_size)
if current_percent > analyzed_percent:
analyzed_percent = current_percent
parent_thread.update_progress(analyzed_percent)
if packet.haslayer(scapy.TCP) and packet.haslayer(scapy.IP):
ip1 = ipv4_to_hex(packet[scapy.IP].src)
ip2 = ipv4_to_hex(packet[scapy.IP].dst)
p1 = port_to_hex(packet[scapy.TCP].sport)
p2 = port_to_hex(packet[scapy.TCP].dport)
proto = "00000006"
session1 = (ip1, p1, ip2, p2, proto)
session2 = (ip2, p2, ip1, p1, proto)
if session1 in files.keys():
filename = pathlib.PurePath(files[session1][0], files[session1][1])
scapy.wrpcap(filename, packet, append=True)
elif session2 in files.keys():
filename = pathlib.PurePath(files[session2][0], files[session2][1])
scapy.wrpcap(filename, packet, append=True)
elif packet.haslayer(scapy.UDP) and packet.haslayer(scapy.IP):
ip1 = ipv4_to_hex(packet[scapy.IP].src)
ip2 = ipv4_to_hex(packet[scapy.IP].dst)
p1 = port_to_hex(packet[scapy.UDP].sport)
p2 = port_to_hex(packet[scapy.UDP].dport)
proto = "00000011"
session1 = (ip1, p1, ip2, p2, proto)
session2 = (ip2, p2, ip1, p1, proto)
if session1 in files.keys():
filename = pathlib.PurePath(files[session1][0], files[session1][1])
scapy.wrpcap(filename, packet, append=True)
elif session2 in files.keys():
filename = pathlib.PurePath(files[session2][0], files[session2][1])
scapy.wrpcap(filename, packet, append=True)
return files
def read_pcap(self):
"""Load a pcap. The state is set to scapy
Returns:
Chepy: The Chepy object.
"""
pcap_path = str(self._abs_path(self.state))
self._pcap_read = scapy.PcapReader(pcap_path)
pcap_file = scapy.rdpcap(pcap_path)
self.state = GREEN("Pcap loaded")
self._pcap_sessions = pcap_file.sessions(full_duplex)
return self
def ip_scrape(pcap, outfile):
"""
Scrapes pcap and outputs data in yaml format
:param pcap: path to pcap
:type pcap: Path
:param outfile: path to output yaml
:type outfile: Path
"""
pcap=str(pcap)
## Build up crawlers
ipd = IPDetector()
mpd = MacAssociations()
_George = Bush()
_George.fs += [ipd, mpd] ## Crawlers like to hide in bushes
_TCPnator = TCPTimestampMapper()
packets = scapy.PcapReader(pcap)
# packet = packets.read_packet() # read next packet
pnum=0
for packet in packets: # empty packet == None
_TCPnator(packet,pnum)
crawl(packet, _George, pnum=pnum) ## Crawl
# packet = packets.read_packet() # read next packet
_George.next() ## cleanup
pnum+=1
packets.close()
## Filter the ignored addresses
for m in ignored_macs:
mpd.mac_ip_map.pop(m, None)
for i in ignored_ips:
ipd.ip_protocol_map.pop(i, None)
## Build up output
ipd.ips = list(ipd.ip_protocol_map.keys()) ## keys are set of all ips
output = {
'ip.groups' : {
'source' : []
,'intermediate' : ipd.ips
, 'destination' : []
}
, 'tcp.timestamp.min' : [{'ip':key, 'min':val} for key,val in _TCPnator.min_map.items()]
, 'ip.searched_protocols' : [ {'ip':key, 'protocols':list(val)} for key,val in ipd.ip_protocol_map.items() ]
#### Black magic to move key from {key:value} into into value
, 'ip.occurrences' : [val for key, val in ipd.ip_pktnum_map.items() if (lambda x,y : x.update(ip=y))(val, key) is None ]
, 'mac.associations' : [{'mac' : key, 'ips' : list(val)} for key, val in mpd.mac_ip_map.items()]
# , 'mac.orphaned' : list(set(ipd.orphaned_mac))
}
with outfile.open('w') as ff:
yaml.dump(output, ff)
def read_pcap(path, lfilter=None):
"""Read pcap file and yields packets.
Args:
path (str): path to pcap file
lfilter (function, optional): function to filter returned packets. By
default all packets will be returned.
Yields:
obj: packet
"""
with scapy.PcapReader(path) as reader:
for packet in filter(lfilter, reader):
yield packet
def analyse_pcap(pcap_file):
print "x, y"
for packet in scapy.PcapReader(pcap_file):
# Weed out SYN retransmissions.
if is_retransmission(packet):
continue
for opt_name, opt_val in packet[scapy.TCP].options:
if opt_name == "Timestamp":
print packet.time, opt_val[0]
def main():
try:
pcap_file = sys.argv[1]
except Exception:
return 'Argument: [pcap_file]'
sys.exit(1)
reader = sc.PcapReader(pcap_file)
for pkt in reader:
parsed = parse_packet(pkt)
if parsed:
print json.dumps(parsed)
def main():
itr_list = []
for pcap_file in sys.argv[1:]:
itr_list.append(sc.PcapReader(pcap_file))
while itr_list:
itr = itr_list.pop(0)
try:
pkt = itr.next()
except StopIteration:
continue
itr_list.append(itr)
rewrite_pkt(pkt)
def pcap_usb_keyboard(self, layout: str = "qwerty"):
"""Decode usb keyboard pcap
Args:
layout (str, optional): Layout of the keyboard. Defaults to "qwerty".
Raises:
TypeError: If layout is not qwerty or dvorak
Returns:
Chepy: The Chepy object.
"""
if layout == "qwerty":
key_map = PcapUSB.qwerty_map
shift_modifier = PcapUSB.qwerty_modifier
elif layout == "dvorak": # pragma: no cover
key_map = PcapUSB.dvorak
shift_modifier = PcapUSB.dvorak_modifier
else: # pragma: no cover
raise TypeError("Valid layouts are qwerty and dvorak")
packets = scapy.PcapReader(self._pcap_filepath)
hold = []
for packet in packets:
if not scapy.Raw in packet: # pragma: no cover
continue
load = packet.getlayer("Raw").load
key_press = binascii.hexlify(load)[-16:]
if key_press == "0000000000000000": # pragma: no cover
continue
shift, _, key = re.findall(b".{2}", key_press)[0:3]
shift_pressed = bool(shift == b"02")
pressed = key_map.get(key.decode())
if shift_pressed:
special = shift_modifier.get(key.decode())
if special:
hold.append(special)
elif pressed:
hold.append(pressed.upper())
elif pressed:
hold.append(pressed)
self.state = "".join(hold)
return self
def pcap_to_X(pcapFile):
pkts = scapy.rdpcap(pcapFile)
X_tmp = np.empty((len(pkts), 230, 90))
i = 0
with scapy.PcapReader(pcapFile) as pcap_reader:
for pkt in pcap_reader:
http_payload = get_http_payload(pkt)
http_payload.remove_payload()
tmp = str(bytes(http_payload), encoding='utf-8')
# 不足230个字符的以空格填充
tmp = tmp.ljust(230, ' ')
# 取前230个字符
tmp = tmp[:230]
encoded = onehot_encode(tmp)
np_encoded = np.array(encoded)
X_tmp[i] = np_encoded
i += 1
print(i)
return X_tmp
def split_pcap(self, filename, rate):
package_pr = scapy.PcapReader(filename)
package_one = []
i = 1
while (True):
package = package_pr.read_packet()
if package is None:
break
package_one.append(package)
package_pr.close()
length = len(package_one)
i = 0
final_len = int(length * length)
t_writer = PcapWriter('/home/wxw/data/Ethernetip/' + 'modbus_pure' +
'.pcap',
append=True)
for p in package_one[0:final_len]:
t_writer.write(p)
t_writer.flush()
t_writer.close()
def get_youtube_ips(pcap_file):
with sp.PcapReader(pcap_file) as trace:
for packet in trace:
# DNS Packet
if packet.haslayer(sp.UDP) and packet[sp.UDP].sport == 53:
# Get DNS data
raw = sp.raw(packet[sp.UDP].payload)
# Process the DNS query
dns = dnslib.DNSRecord.parse(raw)
# Iterate over answers
for a in dns.rr:
# Check if it's a domain of interest (domain.com)
question = str(a.rname)
if any(s in question for s in YT_DOMAINS):
# Check if it's an answer
if a.rtype == 1 or a.rtype == 28:
print(
"Query {} is a Youtube one. Appending IP {} to Youtube IPs"
.format(question, a.rdata))
youtube_ips.append(str(a.rdata))
# youtube_ips object:
print("Youtube IPs: {}".format(youtube_ips))
return youtube_ips
def analyse_pcap(pcap_file):
old_port = 0
for packet in scapy.PcapReader(pcap_file):
# Weed out SYN retransmissions.
if (not scapy.TCP in packet) or (not packet[scapy.TCP].flags == 2):
continue
if packet[scapy.IP].src == "211.155.86.135":
continue
print packet[scapy.IP].src
continue
if is_retransmission(packet):
continue
t = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(packet.time))
#diff = packet[scapy.TCP].sport - old_port
#if diff < 0:
# diff = 65535 - abs(diff)
#print diff
#old_port = packet[scapy.TCP].sport
#for opt_name, opt_val in packet[scapy.TCP].options:
# if opt_name == "Timestamp":
#print packet.time, opt_val[0]
if packet[scapy.IP].src == "211.155.86.135":
print "%s, %d, 1" % (t, packet[scapy.TCP].dport)
else:
print "%s, %d, 0" % (t, packet[scapy.TCP].dport)
def get(self):
"""
:param bad_filename: 数据包存储位置,需要是csv格式
:param bad_pcap_filename: pcap包读取位置
:param num: 读取数据包的数量
:return: None
"""
PD = PcapDecode()
scapy.load_layer('tls')
with open(self.bad_filename, 'a') as f:
with scapy.PcapReader(self.bad_pcap_filename) as packets:
for i, pkt in enumerate(packets):
data = PD.ether_decode(pkt)
[
f.write("{},".format(value))
for key, value in data.items()
]
# [f.write("{}:{}, ".format(key, value)) for key, value in data.items()]
f.write("bad\n")
# if (i % 200 == 0):
# print("目前已处理{0}个数据包.".format(i))
if i == self.num:
print("已经处理{}个恶意文件数据包".format(i))
return True
def noise_remove(self, filename, protocolname, t_lo):
package_two = FileCapture(filename)
package_pr = scapy.PcapReader(filename)
package_one = []
i = 1
while (True):
package = package_pr.read_packet()
if package is None:
break
package_one.append(package)
package_pr.close()
package_three = []
length = len(package_one)
i = 0
while (i < length):
if package_two[i].layers[t_lo].layer_name == protocolname:
package_three.append(package_one[i])
i = i + 1
t_writer = PcapWriter('/home/wxw/data/' + 'modbus_pure' + '.pcap',
append=True)
for p in package_three:
t_writer.write(p)
t_writer.flush()
t_writer.close()
def get_flow_traffic_corrected(pcap_file, youtube_ips):
traffic_data = []
interval = 1.0
with sp.PcapReader(pcap_file) as trace:
start_time = 0
end_time = -1
slot_dict = {"start": start_time, "end": end_time, "flows": {}}
print("Processing slot {}-{}".format(start_time, end_time))
for packet in trace:
if not packet.haslayer(sp.IP):
continue
if packet[sp.IP].time > end_time:
#reset your countes
traffic_data.append(slot_dict)
if start_time == 0:
start_time = packet[sp.IP].time
else:
start_time = end_time
end_time = start_time + interval
slot_dict = {"start": start_time, "end": end_time, "flows": {}}
print("Processing slot {}-{}".format(start_time, end_time))
# If it belongs to Youtube's traffic
if packet.haslayer(sp.TCP) and (packet[sp.IP].src in youtube_ips or
packet[sp.IP].dst in youtube_ips):
key = ''
# identify the direction
if packet[sp.IP].src in youtube_ips:
dir = 1
key = "{}:{}:{}:{}:TCP".format(packet[sp.IP].src,
packet[sp.TCP].sport,
packet[sp.IP].dst,
packet[sp.TCP].dport)
elif packet[sp.IP].dst in youtube_ips:
dir = 0
key = "{}:{}:{}:{}:TCP".format(packet[sp.IP].dst,
packet[sp.TCP].dport,
packet[sp.IP].src,
packet[sp.TCP].sport)
# UPD traffic:
if packet.haslayer(sp.UDP) and (packet[sp.IP].src in youtube_ips or
packet[sp.IP].dst in youtube_ips):
key = ''
# identify the direction
if packet[sp.IP].src in youtube_ips:
dir = 1
key = "{}:{}:{}:{}:UDP".format(packet[sp.IP].src,
packet[sp.UDP].sport,
packet[sp.IP].dst,
packet[sp.UDP].dport)
elif packet[sp.IP].dst in youtube_ips:
dir = 0
key = "{}:{}:{}:{}:UDP".format(packet[sp.IP].dst,
packet[sp.UDP].dport,
packet[sp.IP].src,
packet[sp.UDP].sport)
if key not in slot_dict["flows"]:
slot_dict["flows"][key] = counters()
if dir == 1:
slot_dict["flows"][key]['in_pkts'] += 1
slot_dict["flows"][key]['in_bytes'] += packet[sp.IP].len
else:
slot_dict["flows"][key]['out_pkts'] += 1
slot_dict["flows"][key]['out_bytes'] += packet[sp.IP].len
return traffic_data
def rewrapping(pcap, res_path, param_dict, rewrap, timestamp_next_pkt,
timestamp):
"""
Parsing and rewrapping (and writing) of attack pcap.
:param attack: Mix
:param param_dict: parsed config, dict
:param rewrap: Rewrapper
"""
## check for readwrite mode
readwrite = None
rw = param_dict.get('read.write')
if rw:
readwrite = rw
else: ## default
readwrite = 'sequence'
## Create empty starting file
scapy.wrpcap(res_path, [])
## read & write all at once
pkt_num = 0
pkt_end = 0
pkt_ts = []
if readwrite == 'bulk':
## read all packets
packets = scapy.rdpcap(pcap)
res_packets = []
## timestamp shift based on first packet and input param
if timestamp is None:
rewrap.set_timestamp_shift(timestamp_next_pkt - packets[0].time)
else:
rewrap.set_timestamp_shift(timestamp_next_pkt - timestamp)
## rewrapp packets
for packet in packets:
try:
rewrap.digest(packet, recursive=True)
except Exception as e:
print('Error while digesting packet num {}'.format(pkt_num))
raise e
res_packets.append(packet)
pkt_num += 1
pkt_num = len(res_packets)
pkt_end = res_packets[-1].time
pkt_ts = [i.time for i in res_packets]
scapy.wrpcap(res_path, res_packets)
## read & write packet by packet
elif readwrite == 'sequence':
## create packet reader
packets = scapy.PcapReader(pcap)
## temporary list, avoid recreating lists for writing
tmp_l = [0]
pkt_num = 0
# packet = packets.read_packet() # read next packet
pktdump = None
pkt_ts = []
for packet in packets: # empty packet == None
tmp_l[0] = packet # store current packet for writing
try:
if pkt_num == 0: # first packet
if timestamp is None:
rewrap.set_timestamp_shift(timestamp_next_pkt -
packet.time)
else:
rewrap.set_timestamp_shift(timestamp_next_pkt -
timestamp)
rewrap.digest(packet, recursive=True)
## Create new pcap
scapy.wrpcap(res_path, packet)
else:
rewrap.digest(packet, recursive=True)
## Apend to existing pcap
scapy.wrpcap(res_path, packet, append=True)
except Exception as e:
print('Error while digesting packet num {}'.format(pkt_num))
raise e
pkt_num += 1
pkt_end = packet.time
pkt_ts.append(pkt_end)
# packet = packets.read_packet() # read next packet
return {
'packets.count': pkt_num,
'packets.start': 0,
'packets.end': pkt_end
# , 'packets.timestamps' : pkt_ts
}
def processCap(fileName, filename2):
print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()))
rawTuple_read = open(filename2, "r")
rawTuple_dic = json.load(rawTuple_read)
#print("CCCCCCCC")
global check_dic
global length
myreader = scapy.PcapReader(fileName)
#pkts = scapy.rdpcap(fileName)
for key in rawTuple_dic:
dic_ = {}
dic_["client_sessionID"] = None
dic_["server_sessionID"] = None
dic_["sessionID_eq"] = None
dic_["ssl_state"] = rawTuple_dic[key]["ssl_dic"]["sslConnection"]
dic_["conn_state"] = rawTuple_dic[key]["conn_dic"]["connectionState"]
dic_["certificate"] = "F"
dic_["serverKey"] = "F"
dic_["serverChangeCipherSpec"] = "F"
check_dic[key] = dic_
print("************************************************")
#only process client hello packet
#for pkt in pkts:
i = 0
while True:
try:
pkt = myreader.read_packet()
if pkt is None:
break
# i = i + 1
# print(i)
if pkt.haslayer("IP"):
srcIP = pkt["IP"].src
dstIP = pkt["IP"].dst
if srcIP == "10.0.2.15":
if pkt.haslayer("TCP"):
sport = pkt["TCP"].sport
dport = pkt["TCP"].dport
key = srcIP + "/" + str(
sport) + "/" + dstIP + "/" + str(dport)
if pkt.haslayer(TLSClientHello):
clienthello = pkt.getlayer(TLSClientHello)
id_length = clienthello.session_id_length
if id_length != 0:
check_dic[key][
"client_sessionID"] = clienthello.session_id
elif dstIP == "10.0.2.15":
srcIP = pkt["IP"].src
dstIP = pkt["IP"].dst
if dstIP == "10.0.2.15":
if pkt.haslayer(TCP):
sport = pkt["TCP"].sport
dport = pkt["TCP"].dport
key = dstIP + "/" + str(
dport) + "/" + srcIP + "/" + str(sport)
if pkt.haslayer(TLSRecord):
layer1 = pkt.getlayer(TLSCiphertext)
layer1.display()
# print(layer2)
print("AAAAA")
handshakes = pkt.getlayer(TLSHandshakes)
for handshake in handshakes:
if handshake.haslayer(TLSServerHello):
print("aaa")
serverhello = pkt.getlayer(
TLSServerHello)
id_length = serverhello.session_id_length
if id_length != 0:
check_dic[key][
"server_sessionID"] = serverhello.session_id
elif pkt.haslayer(TLSCertificate):
print("bbbb")
check_dic[key]["certificate"] = "T"
elif pkt.haslayer(TLSServerKeyExchange):
print("cccccccc")
check_dic[key]["serverKey"] = "T"
elif pkt.haslayer(TLSChangeCipherSpec):
check_dic[key][
"serverChangeCipherSpec"] = "T"
else:
pass
else:
pass
except:
break
def rewrapping(attack, param_dict, rewrap, timestamp_next_pkt):
"""
Parsing and rewrapping (and writing) of attack pcap.
:param attack: Mix
:param param_dict: parsed config, dict
:param rewrap: Rewrapper
"""
## check for readwrite mode
rw = param_dict.get('read.write')
if rw:
attack.readwrite = rw
else: ## default
attack.readwrite = 'sequence'
## read & write all at once
if attack.readwrite == 'bulk':
## read all packets
packets = scapy.rdpcap(attack.attack_file)
## timestamp shift based on first packet and input param
rewrap.set_timestamp_shift(timestamp_next_pkt - packets[0].time)
## rewrapp packets
for packet in packets:
rewrap.digest(packet)
attack.packets.append(packet)
attack.pkt_num = len(attack.packets)
## read & write packet by packet
elif attack.readwrite == 'sequence':
## create packet reader
packets = scapy.PcapReader(attack.attack_file)
## temporary list, avoid recreating lists for writing
tmp_l = [0]
attack.pkt_num = 0
# packet = packets.read_packet() # read next packet
for packet in packets: # empty packet == None
tmp_l[0] = packet # store current packet for writing
if attack.pkt_num == 0: # first packet
rewrap.set_timestamp_shift(timestamp_next_pkt - packet.time)
rewrap.digest(packet)
attack.attack_start_utime = packet.time
## Create new pcap
attack.path_attack_pcap = attack.write_attack_pcap(
packets=tmp_l)
else:
rewrap.digest(packet)
attack.attack_end_utime = packet.time
## Apend to existing pcap
attack.write_attack_pcap(
packets=tmp_l,
append_flag=True,
destination_path=attack.path_attack_pcap)
attack.pkt_num += 1
def get_session_list(filename, parent_thread = None):
log = logging.getLogger("splitter.analyze")
log.info(f"Trying to analyze {filename} file")
sessions = {}
size_counter = 24 # PCAP file header
pcap_size = os.stat(filename).st_size
log.info(f"{pcap_size} bytes received")
analyzed_percent = 0
with scapy.PcapReader(filename) as packets:
for packet in packets:
size_counter += 16 # PCAP packet header
size_counter += len(packet)
if parent_thread:
current_percent = int(size_counter * 100 // pcap_size)
if current_percent > analyzed_percent:
analyzed_percent = current_percent
parent_thread.update_progress(analyzed_percent)
if packet.haslayer(scapy.TCP) and packet.haslayer(scapy.IP):
payload_size = len(packet[scapy.TCP].payload)
packet_size = len(packet.payload)
ip1 = ipv4_to_hex(packet[scapy.IP].src)
ip2 = ipv4_to_hex(packet[scapy.IP].dst)
p1 = port_to_hex(packet[scapy.TCP].sport)
p2 = port_to_hex(packet[scapy.TCP].dport)
proto = "00000006" # TCP
flags = "{0:012b}".format(packet[scapy.TCP].flags)
if int(flags[10]) and not int(flags[7]): # SYN with no ACK
session = (ip1, p1, ip2, p2, proto)
if session in sessions.keys():
if sessions[session][2:4] == [True, True]:
sessions[session][5] = True
elif sessions[session][4]:
sessions[session][5] = True
else:
sessions[session] = [True, False, False, False, False, False, packet_size, 1, payload_size]
elif int(flags[10]) and int(flags[7]): # SYN-ACK
session = (ip2, p2, ip1, p1, proto)
if session in sessions.keys():
if sessions[session][1] or sessions[session][2] or sessions[session][3]:
if sessions[session][1:5] == [True, False, False, False]:
pass
else:
print(f"SYN-ACK {sessions[session]}")
else:
sessions[session][1] = True
sessions[session][6] += packet_size
sessions[session][7] += 1
sessions[session][8] += payload_size
elif int(flags[11]): # FIN
session1 = (ip1, p1, ip2, p2, proto)
session2 = (ip2, p2, ip1, p1, proto)
if session1 in sessions.keys():
sessions[session1][6] += packet_size
sessions[session1][7] += 1
sessions[session1][8] += payload_size
if not sessions[session1][2]:
sessions[session1][2] = True
elif session2 in sessions.keys():
sessions[session2][6] += packet_size
sessions[session2][7] += 1
sessions[session2][8] += payload_size
if not sessions[session2][3]:
sessions[session2][3] = True
elif int(flags[9]): # RST
session1 = (ip1, p1, ip2, p2, proto)
session2 = (ip2, p2, ip1, p1, proto)
if session1 in sessions.keys():
sessions[session1][6] += packet_size
sessions[session1][7] += 1
sessions[session1][8] += payload_size
sessions[session1][4] = True
elif session2 in sessions.keys():
sessions[session2][6] += packet_size
sessions[session2][7] += 1
sessions[session2][8] += payload_size
sessions[session2][4] = True
else:
session1 = (ip1, p1, ip2, p2, proto)
session2 = (ip2, p2, ip1, p1, proto)
if session1 in sessions.keys():
sessions[session1][6] += packet_size
sessions[session1][7] += 1
sessions[session1][8] += payload_size
elif session2 in sessions.keys():
sessions[session2][6] += packet_size
sessions[session2][7] += 1
sessions[session2][8] += payload_size
if packet.haslayer(scapy.UDP) and packet.haslayer(scapy.IP):
payload_size = len(packet[scapy.UDP].payload)
packet_size = len(packet.payload)
ip1 = ipv4_to_hex(packet[scapy.IP].src)
ip2 = ipv4_to_hex(packet[scapy.IP].dst)
p1 = port_to_hex(packet[scapy.UDP].sport)
p2 = port_to_hex(packet[scapy.UDP].dport)
proto = "00000011" # UDP
session1 = (ip1, p1, ip2, p2, proto)
session2 = (ip2, p2, ip1, p1, proto)
if session1 in sessions.keys():
sessions[session1][6] += packet_size
sessions[session1][7] += 1
sessions[session1][8] += payload_size
elif session2 in sessions.keys():
sessions[session2][6] += packet_size
sessions[session2][7] += 1
sessions[session2][8] += payload_size
else:
sessions[session1] = [False, False, False, False, False, False, packet_size, 1, payload_size]
else:
pass
valid_sessions = {}
for session, details in sessions.items():
if session[4] == "00000006": # TCP
if details[0:4] == [True, True, True, True]:
valid_sessions[session] = details
elif details[4] and details[0] and details[1]:
valid_sessions[session] = details
elif session[4] == "00000011": #UDP
valid_sessions[session] = details
return valid_sessions
def sniff(self):
if self.options.pcap_file == 'None':
self.logger.info("Using network interface: %s" %
(self.options.listen_interface))
try:
scapy.sniff(iface=self.options.listen_interface,
prn=self.pkt_callback,
lfilter=self.pkt_check,
filter=self.options.filter,
store=0)
except socket.error, e:
self.logger.error("Sniffer error on %s: %s" %
(self.options.listen_interface, e))
else:
self.logger.info("Using pcap file: %s" % (self.options.pcap_file))
pcapr = scapy.PcapReader(self.options.pcap_file)
while 1:
try:
pkt = pcapr.next()
if self.pkt_check(pkt):
self.pkt_callback(pkt)
except scapy.StopIteration, e:
break
def pkt_is_last(self, pkt):
if pkt['TCP'].flags == 17 or pkt['TCP'].flags == 25:
return True
return False
def pkt_hash(self, pkt):
sdip = (pkt['IP'].src, pkt['TCP'].sport, pkt['IP'].dst,
#!/usr/bin/env python
# File dumpUDP.py
import scapy.all as scapy
import sys
pcap_file = sys.argv[1]
mac = sys.argv[2]
print(''.join(p[scapy.UDP].load for p in scapy.PcapReader(pcap_file)
if p[scapy.Ether].src == mac and scapy.UDP in p))
try:
pcap_in = sys.argv[1]
except IndexError as e:
print('Usage: create_pcap_stats.py filename.pcap')
sys.exit(-1)
if not pcap_in.endswith('.pcap'):
print('input filename should end with ".pcap"')
sys.exit(-1)
stats_out = pcap_in.replace('.pcap', '-stat.txt')
def write_stats(stats):
with open(stats_out, 'w') as f:
for item in stats.items():
f.write("%s %s\n" % item)
dst = {}
for i, pkt in enumerate(scapy.PcapReader(pcap_in)):
try:
ip = pkt[scapy.IP]
except IndexError:
print("pkt #%d has no IP header" % i)
dst[ip.dst] = dst.get(ip.dst, 0) + 1
if i % 50000 == 0:
print(i)
write_stats(dst)
print('bye')
