Esempio n. 1
0
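def dotransform(request, response):
    """Flag TCP conversations whose 'www.*' hostname never appears in a DNS question.

    Heuristic carried over from the original code (which keeps the survivors in a
    list named ``tor_traffic``): a hostname that shows up in plaintext TCP payload
    (an HTTP Host header, a URL) but was never asked for in a DNS query in the same
    capture was presumably resolved out of band. Every distinct
    (src, dst, sport, dport, hostname) conversation that survives the DNS filter
    becomes a Host entity linked with the hostname.

    Args:
        request: Canari/Maltego request. ``request.value`` is the pcap path to read;
            ``request.fields['sniffMyPackets.outputfld']`` is an optional folder
            that is copied onto each emitted entity.
        response: Maltego response the Host entities are appended to.

    Returns:
        The same ``response``, with one Host entity per flagged conversation.
    """

    def _text(value):
        # scapy hands back str on Python 2 and bytes on Python 3; the regex and the
        # comparisons below need a single text type, and latin-1 maps every byte.
        if isinstance(value, bytes) and not isinstance(value, str):
            return value.decode('latin-1')
        return value

    # NOTE(review): the path is opened exactly as supplied by the entity, and
    # rdpcap loads the whole capture into memory -- confirm both are acceptable.
    pkts = rdpcap(request.value)

    # Best-effort: the folder is optional metadata. The original swallowed the
    # lookup error and then hit NameError when attaching the Field below; now a
    # missing folder simply means the Field is not attached.
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except (KeyError, AttributeError, TypeError):
        tmpfolder = None

    # Labels may contain hyphens and there may be more than three of them
    # (www.example.co.uk); the original pattern 'www.\w*.\w*' also left the dots
    # unescaped, so it matched any character in their place.
    www_re = re.compile(r'www\.[\w-]+(?:\.[\w-]+)+')

    ip_convo = []        # first-seen order of (src, dst, sport, dport, hostname)
    seen_convo = set()   # O(1) de-duplication of ip_convo
    payload_names = []   # first-seen order of hostnames found in TCP payloads
    seen_names = set()

    for x in pkts:
        # A TCP packet without an IPv4 header (IPv6, or header-only) has no
        # payload to scan and would have raised on getlayer(IP).src.
        if not (x.haslayer(IP) and x.haslayer(TCP) and x.haslayer(Raw)):
            continue
        payload = _text(x.getlayer(Raw).load)
        if 'www.' not in payload:
            continue
        ip, tcp = x.getlayer(IP), x.getlayer(TCP)
        for match in www_re.finditer(payload):
            dnsrec = match.group()
            ipaddr = (ip.src, ip.dst, tcp.sport, tcp.dport, dnsrec)
            # The original 'if sport or dport not in ip_convo' parsed as
            # 'sport or (dport not in ip_convo)' and was true for any non-zero
            # sport; the intent is a membership test on the whole tuple.
            if ipaddr not in seen_convo:
                seen_convo.add(ipaddr)
                ip_convo.append(ipaddr)
            if dnsrec not in seen_names:
                seen_names.add(dnsrec)
                payload_names.append(dnsrec)

    # Names actually asked for in DNS questions (qr == 0). scapy reports qname
    # with a trailing dot, so the original comparison against the raw qname
    # would not match a name extracted from an HTTP payload; normalise both sides.
    resolved = set()
    for pkt in pkts:
        if not pkt.haslayer(DNS):
            continue
        dns = pkt.getlayer(DNS)
        # qd can be None on a malformed query (qdcount == 0).
        if dns.qr != 0 or dns.qd is None:
            continue
        resolved.add(_text(dns.qd.qname).rstrip('.').lower())

    # Build a new collection instead of removing from the list while iterating
    # it, which skips the element following each removal.
    tor_traffic = set(name for name in payload_names if name.lower() not in resolved)

    for srcip, dstip, sport, dport, dnsrec in ip_convo:
        # Same filter as the original: equal ports are skipped, and only
        # conversations whose hostname survived the DNS filter are emitted.
        if int(sport) == int(dport) or dnsrec not in tor_traffic:
            continue
        e = Host(dstip)
        e.hostsrc = srcip
        e.hostdst = dstip
        e.hostsport = sport
        e.hostdport = dport
        e += Field('pcapsrc', request.value, displayname='Original pcap File')
        e += Field('proto', 'tcp', displayname='Protocol')
        if tmpfolder is not None:
            e += Field('sniffMyPackets.outputfld', tmpfolder, displayname='Folder Location')
        e.linklabel = dnsrec
        e.linkcolor = 0xCC33FF
        response += e
    return response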
Esempio n. 2
0
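def dotransform(request, response):
    """Emit one Host entity per distinct flow the target IP initiates in a pcap.

    A flow is (src, dst, sport, dport, pcap, proto) with proto 'tcp' or 'udp';
    flows are emitted in first-seen order and coloured by protocol.

    Args:
        request: Canari/Maltego request. ``request.value`` is the IP address to
            match as packet source; ``request.fields['pcapsrc']`` is the pcap
            path to read (taken as-is from the upstream entity).
        response: Maltego response the Host entities are appended to.

    Returns:
        The same ``response`` with one Host entity per distinct flow.

    Raises:
        KeyError: if the incoming entity carries no ``pcapsrc`` field.
    """
    target = request.value
    pcap = request.fields['pcapsrc']
    # NOTE(review): the path is opened exactly as supplied by the entity, and
    # rdpcap loads the whole capture into memory -- confirm both are acceptable.
    pkts = rdpcap(pcap)

    link_colors = {'tcp': 0x2314CA, 'udp': 0x0E7323}

    convo = []     # first-seen order, which decides entity order
    seen = set()   # O(1) de-duplication instead of 'talker not in list'

    for p in pkts:
        # The original tested haslayer(TCP) without haslayer(IP), so a TCP packet
        # with no IPv4 header (e.g. IPv6) raised AttributeError on getlayer(IP).src.
        if not p.haslayer(IP):
            continue
        ip = p.getlayer(IP)
        if ip.src != target:
            continue
        # A packet carrying both layers (encapsulation) yields one flow per
        # layer, TCP first, exactly as the two original branches did.
        for layer, proto in ((TCP, 'tcp'), (UDP, 'udp')):
            if not p.haslayer(layer):
                continue
            l4 = p.getlayer(layer)
            talker = (ip.src, ip.dst, l4.sport, l4.dport, pcap, proto)
            if talker not in seen:
                seen.add(talker)
                convo.append(talker)

    # 'pcapsrc' rather than 'pcap' so the loop no longer shadows the path above.
    for src, dst, sport, dport, pcapsrc, proto in convo:
        e = Host(dst)
        e.hostsrc = src
        e.hostdst = dst
        e.hostsport = sport
        e.hostdport = dport
        e.linklabel = proto + '\n' + str(sport) + ':' + str(dport)
        e.linkcolor = link_colors[proto]
        e += Field('pcapsrc', pcapsrc, displayname='Original pcap File')
        e += Field('proto', proto, displayname='Protocol')
        response += e
    return response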
Esempio n. 3
0
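def dotransform(request, response):
    """Emit one Host entity per distinct flow the target IP initiates in a pcap.

    A flow is (src, dst, sport, dport, pcap, proto) with proto 'tcp' or 'udp';
    flows are emitted in first-seen order and coloured by protocol.

    Args:
        request: Canari/Maltego request. ``request.value`` is the IP address to
            match as packet source; ``request.fields['pcapsrc']`` is the pcap
            path to read (taken as-is from the upstream entity).
        response: Maltego response the Host entities are appended to.

    Returns:
        The same ``response`` with one Host entity per distinct flow.

    Raises:
        KeyError: if the incoming entity carries no ``pcapsrc`` field.
    """
    target = request.value
    pcap = request.fields['pcapsrc']
    # NOTE(review): the path is opened exactly as supplied by the entity, and
    # rdpcap loads the whole capture into memory -- confirm both are acceptable.
    pkts = rdpcap(pcap)

    link_colors = {'tcp': 0x2314CA, 'udp': 0x0E7323}

    convo = []     # first-seen order, which decides entity order
    seen = set()   # O(1) de-duplication instead of 'talker not in list'

    for p in pkts:
        # The original tested haslayer(TCP) without haslayer(IP), so a TCP packet
        # with no IPv4 header (e.g. IPv6) raised AttributeError on getlayer(IP).src.
        # The original also mixed tabs and spaces, which Python 3 rejects outright.
        if not p.haslayer(IP):
            continue
        ip = p.getlayer(IP)
        if ip.src != target:
            continue
        # A packet carrying both layers (encapsulation) yields one flow per
        # layer, TCP first, exactly as the two original branches did.
        for layer, proto in ((TCP, 'tcp'), (UDP, 'udp')):
            if not p.haslayer(layer):
                continue
            l4 = p.getlayer(layer)
            talker = (ip.src, ip.dst, l4.sport, l4.dport, pcap, proto)
            if talker not in seen:
                seen.add(talker)
                convo.append(talker)

    # 'pcapsrc' rather than 'pcap' so the loop no longer shadows the path above.
    for src, dst, sport, dport, pcapsrc, proto in convo:
        e = Host(dst)
        e.hostsrc = src
        e.hostdst = dst
        e.hostsport = sport
        e.hostdport = dport
        e.linklabel = proto + '\n' + str(sport) + ':' + str(dport)
        e.linkcolor = link_colors[proto]
        e += Field('pcapsrc', pcapsrc, displayname='Original pcap File')
        e += Field('proto', proto, displayname='Protocol')
        response += e
    return response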