def countVolumeInOutv3(pcap_filename, priv_net): "Filters WA traffic volume and stores it in database" ''' ### Incoming traffic: from general to particular ### ''' ''' #### First of all incoming traffic with DNS IP's as seed ####''' #Genereal view: Filter by dst priv_net provided #Filter DNS traffic if utilities.isIPAddress(priv_net) > 0: priv_net = utilities.IPNetworkConverter(priv_net) dns_filter = 'udp port 53' pcap_f_DNS = utilities.pcap_filter(pcap_filename, dns_filter, "WA_DNSv3") #Get WhatsApp IP's nets from DNS responses: (ip_WA_nets, ip_WA) = utilities.WAIPgetterDNSresponses(pcap_f_DNS) #print "Hasta aqui sin errores" (pcapIN, ip_WA_netsInOut, ip_WA_InOut) = getPcapInTrafficv3(pcap_filename, priv_net, ip_WA_nets, ip_WA) ''' ### Now, outcoming traffic ### ''' pcapOUT = getPcapOutTrafficv3(pcap_filename, ip_WA_InOut) else: print "No incoming traffic analysed" #log into debug file return
def getPcapOutTraffic(pcap_filename): "Filters outcoming traffic and returns the pcap_file" #Filter DNS traffic pcap_IN_f = utilities.pcap_filter(pcap_filename, "udp port 53", "WA_DNS") #Get WhatsApp IP's nets from DNS responses: ip_WA_nets = utilities.WAIPgetterDNSresponses(pcap_IN_f) #Create an outcoming file out_vol_filter = utilities.strFilterNets(ip_WA_nets, 'dst') out_vol_filter = out_vol_filter + ' and (tcp port 443 or tcp port 5222)' pcapOUT_f = utilities.pcap_filter(pcap_filename, out_vol_filter, "WA_TCP_out") return (pcapOUT_f,ip_WA_nets)
def getPcapInTrafficDNS(pcap_filename, IP_WA): "Filters incoming traffic coarsely and returns pcap_file" #Create an incoming file by filtering with the new list of IP's /32 in_vol_filter = utilities.strFilterHosts(IP_WA, 'src') in_vol_filter = in_vol_filter + ' and (tcp port 443 or tcp port 5222)' pcapIN_f = utilities.pcap_filter(pcap_filename, in_vol_filter, "WA_DNS_tcp_xmpp_in") return (pcapIN_f)
def getPcapOutTrafficDNS(pcap_filename, IP_WA): "Filters outcoming traffic and returns the pcap_file" #Create an outcoming file out_vol_filter = utilities.strFilterHosts(IP_WA, 'dst') out_vol_filter = out_vol_filter + ' and (tcp port 443 or tcp port 5222)' pcapOUT_f = utilities.pcap_filter(pcap_filename, out_vol_filter, "WA_DNS_tcp_xmpp_out") return (pcapOUT_f)
def getPcapInTraffic(pcap_filename, priv_net, ip_WA_DNS_nets): "Filters incoming traffic coarsely and returns pcap_file" #Check priv address if utilities.isIPAddress(priv_net) > 0: #Filter by dst priv_net: in_vol_filter_net = 'dst net ' + priv_net + ' and (tcp port 443 or tcp port 5222)' pcapIN_f_coarse = utilities.pcap_filter(pcap_filename, in_vol_filter_net, "WA_TCP_in_coarse") #Try to get IP's from WhatsApp in the previous file (adding them to the list obtained in DNS responses) ip_netsInOut = utilities.WAIPgetterInTraffic(pcapIN_f_coarse, ip_WA_DNS_nets) #Create an incoming file by filtering with the new list in_vol_filter = utilities.strFilterNets(ip_netsInOut, 'src') pcapIN_f = utilities.pcap_filter(pcapIN_f_coarse, in_vol_filter, "WA_TCP_in") return (pcapIN_f, ip_netsInOut) else: print "No incoming traffic analysed" #log into debug file return
def countVolumeDNS(pcap_filename, priv_net, wd):
"Filters WA traffic volume and stores it in database"
'''
Get WA Ip's from DNS queries/answers and then filters by sense: in/out by these IP's ip.src == "IP" / ip.dst == "IP"
Then, filters by sense: in/out
'''
#incoming: Filter by dst priv_net provided
#outcoming: Filter by dst priv_net provided
#Filter DNS traffic
if utilities.isIPAddress(priv_net) > 0:
logging.debug("Private IP network provided %s", priv_net)
priv_net = utilities.IPNetworkConverter(priv_net)
#if I filter with the dst network, I improve performance
dns_filter = 'dst net ' + priv_net + ' and udp port 53'
logging.debug("Filtering DNS file with filter: %s", dns_filter)
pcap_f_DNS = utilities.pcap_filter(pcap_filename, dns_filter, "WA_DNS_dns")
#check if file has no empty size
if os.path.getsize(pcap_f_DNS) > 24: #size of an empty pcap
logging.debug("DNS output filtered created successfully.")
else:
logging.critical("[countVolumeDNS] No DNS traffic found. Pcap file is empty.")
print "[countVolumeDNS] No DNS traffic found. Pcap file is empty."
return -1
logging.debug("Pcap file with DNS traffic %s", pcap_f_DNS)
#Get WhatsApp IP's nets from DNS responses:
(ip_WA_nets, ip_WA) = utilities.WAIPgetterDNSresponses(pcap_f_DNS)
pcapIN = getPcapInTrafficDNS(pcap_filename, ip_WA)
logging.debug("Pcap file with incoming traffic %s", pcapIN)
''' ### Now, outcoming traffic ### '''
pcapOUT = getPcapOutTrafficDNS(pcap_filename, ip_WA)
logging.debug("Pcap file with outcoming traffic %s", pcapOUT)
## Create directory with method name and move files
volume_dir = wd + '/only_DNS'
new_pcapOUT = ''
new_pcapIN = ''
new_pcapDNS = ''
try:
os.makedirs(volume_dir)
new_pcapOUT = volume_dir + '/' + os.path.basename(pcapOUT)
new_pcapIN = volume_dir + '/' + os.path.basename(pcapIN)
new_pcapDNS = volume_dir + '/' + os.path.basename(pcap_f_DNS)
except OSError as err:
logging.error('Error while creating "Volume" directory: %s. Exiting...', str(err))
print('Error while creating "Volume" directory: '+str(err)+'. Exiting...')
pass
try:
os.rename(pcapOUT, new_pcapOUT)
os.rename(pcapIN, new_pcapIN)
os.rename(pcap_f_DNS, new_pcapDNS)
except OSError as err:
logging.error('Error while moving pcap files: %s. Exiting...', str(err))
print('Error while moving pcap files: '+str(err)+'. Exiting...')
pass
#return (new_pcapOUT, new_pcapIN)
''' Storing important info in DB '''
#call to pcap_reader to get important information
(rubish1, rubish2, wa_volume_list_IN) = utilities.pcap_reader(new_pcapIN, 1, 'parser' ,priv_net)
(rubish1, rubish2, wa_volume_list_OUT) = utilities.pcap_reader(new_pcapOUT,1, 'parser',priv_net)
#print len(wa_volume_list_IN)
#print len(wa_volume_list_OUT)
#call here to enrich volume information with StatePacket info
wa_vol_enriched_list_IN = utilities.enrichVolume(wa_volume_list_IN, 'incoming')
wa_vol_enriched_list_OUT = utilities.enrichVolume(wa_volume_list_OUT, 'outcoming')
#try to store the info in the DB
if flagES_testing is False:
logging.debug("[countVolumeDNS]{Insert into DB} About to enter into Volume2DB")
#storeVolumePackets2DB(wa_volume_list_OUT, wa_volume_list_IN)
storeVolumePackets2DB(wa_vol_enriched_list_IN, wa_vol_enriched_list_OUT)
else:
print "No incoming traffic analysed. Not supported IP network format provided. Exiting program..."
logging.critical("No incoming traffic analysed. Not supported IP network format provided. Exiting program...")
return -1
return 1