def __init__(self, promisc=True, buffer_size=None, read_timeout=100, show_packets=False): self._pcap_t = None self._packets = None assert promisc in (True, False), "promisc must be either True or False" self._promisc = promisc self._buffer_size = buffer_size self._read_timeout = read_timeout assert show_packets in ( True, False), "show_packets must be either True or False" self._show_packets = show_packets self._pcap_lock = threading.Lock() try: from impacket.ImpactDecoder import LinuxSLLDecoder self._decoder = LinuxSLLDecoder() except ImportError: self._decoder = None
def __init__(self, pcapObj): datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Tipo de datalink não suportado: " % datalink) self.pcap = pcapObj Thread.__init__(self)
def __init__(self, cap_stream): multiprocessing.Process.__init__(self) self.cap_stream = cap_stream self.datalink = cap_stream.datalink() if pcapy.DLT_EN10MB == self.datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == self.datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % self.datalink)
def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj Thread.__init__(self)
def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = {}
def __init__(self, pcapObj=None, Interface=None): datalink = pcapObj.datalink() self.Interface = Interface if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Unsupported datalink type: " % datalink) self.pcap = pcapObj self.buffer_traffic = [] Thread.__init__(self)
def __init__(self, pcapy_object): """ PacketLoop(Thread) Class Constructor """ datalink = pcapy_object.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: print "Datalink type not supported: " % datalink exit() self.pcap = pcapy_object Thread.__init__(self) self.stop = False
def __init__(self, pcapReader, dstIp, dstPort): self.socket_ = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) self.dest = (dstIp, dstPort) # Query datalink type and instantiate the corresponding decoder datalink = pcapReader.datalink() if datalink == pcapy.DLT_EN10MB: self.decoder = EthDecoder() elif datalink == pcapy.DLT_LINUX_SLL: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported"); self.pcapReader = pcapReader self.counter = 0
def __init__(self, pcapObj,subnet,arptable): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.subnet = subnet self.arptable = arptable Thread.__init__(self)
def __init__(self, pcapObj): """ Query the type of the link and instantiate a decoder accordingly. """ datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.buffer = [] # init internal buffer self.quit = False # quit thread? Thread.__init__(self)
def __init__(self, pcapObj, server_ports, ws_path, soap_request_handler, server): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception('Datalink type not supported: %s' % (datalink, )) self.pcap = pcapObj self.server_ports = set(server_ports) self.ws_path = ws_path self.server = server self.soap_request_handler = soap_request_handler self.valid_http_methods = set(['GET', 'POST']) self._shortest_method_name = min( [len(x) for x in self.valid_http_methods]) self._longest_method_name = max( [len(x) for x in self.valid_http_methods]) Thread.__init__(self) self.packet_counter = 0 self.connections = ConnectionManager() self.http_request_counter = Counter() self.soap_call_counter = Counter() self.server_conn = None self._needs_server_update = False self._last_server_update = 0
class OSCServer(Thread): def __init__(self, callback, dev='any', port=3333, ignoreIp=None): Thread.__init__(self) DEV = dev # interface to listen on MAX_LEN = 1514 # max size of packet to capture PROMISCUOUS = 1 # promiscuous mode? READ_TIMEOUT = 100 # in milliseconds self.MAX_PKTS = -1 # number of packets to capture; -1 => no limit self.p = open_live(DEV, MAX_LEN, PROMISCUOUS, READ_TIMEOUT) myfilter = 'udp and port ' + str(port) if ignoreIp: myfilter += ' and not dst host ' + ignoreIp self.p.setfilter(myfilter) self.callback = callback self.packets = 0 datalink = self.p.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) def ph(self, hdr, data): p = self.decoder.decode(data) ip = p.child() udp = ip.child() self.packets += 1 self.callback(udp.get_data_as_string()) def run(self): self.p.loop(self.MAX_PKTS, self.ph)
class DecoderThread(Thread): """ Main decoder/network sniffer class (running in separate thread). """ def __init__(self, pcapObj): """ Query the type of the link and instantiate a decoder accordingly. """ datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj Thread.__init__(self) def run(self): """ Sniff ad infinitum. PacketHandler shall be invoked by pcap for every packet. """ self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): """ Use the ImpactDecoder to turn the rawpacket into a hierarchy of ImpactPacket instances. Display the packet in human-readable form. http://d.hatena.ne.jp/shoe16i/mobile?date=20090203§ion=p1 """ decoded_data = self.decoder.decode(data) tcp = decoded_data.child().child() data = tcp.get_packet() decoded_data = data for item in regex_links.finditer(str(decoded_data)): if not item: continue pos = item.start() print item.groups()[0], "\n"
class OSCServer(Thread) : def __init__(self, callback, dev='any', port = 3333, ignoreIp = None) : Thread.__init__(self) DEV = dev # interface to listen on MAX_LEN = 1514 # max size of packet to capture PROMISCUOUS = 1 # promiscuous mode? READ_TIMEOUT = 100 # in milliseconds self.MAX_PKTS = -1 # number of packets to capture; -1 => no limit self.p = open_live(DEV, MAX_LEN, PROMISCUOUS, READ_TIMEOUT) myfilter = 'udp and port '+str(port) if ignoreIp: myfilter+=' and not dst host '+ignoreIp self.p.setfilter(myfilter) self.callback = callback self.packets = 0 datalink = self.p.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) def ph(self,hdr, data): p = self.decoder.decode(data) ip = p.child() udp = ip.child() self.packets+=1 self.callback( udp.get_data_as_string()) def run(self) : self.p.loop(self.MAX_PKTS,self.ph)
class UdpSender: def __init__(self, pcapReader, dstIp, dstPort): self.socket_ = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) self.dest = (dstIp, dstPort) # Query datalink type and instantiate the corresponding decoder datalink = pcapReader.datalink() if datalink == pcapy.DLT_EN10MB: self.decoder = EthDecoder() elif datalink == pcapy.DLT_LINUX_SLL: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported"); self.pcapReader = pcapReader self.counter = 0 def run(self): # Sniff ad infinitum # Packet handler will be invoked by pcap for every packet self.pcapReader.loop(0, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the raw packet into a hierarchy of # ImpactPacket instances # Display the packet en human-readable form dl_header = self.decoder.decode(data) ip_header = dl_header.child() self.counter += 1 data_to_send = ip_header.get_packet() self.socket_.sendto(data_to_send, self.dest) print "Transfered packet No. %d" % self.counter
class Decoder: def __init__(self, pcapObj, folder): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = {} folder = folder def start(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. try: p = self.decoder.decode(data) ip = p.child() protocol = ip.get_ip_p() # Build a distinctive key for this pair of peers. if protocol == 6: tcp = ip.child() proto = 'TCP' src = (ip.get_ip_src(), tcp.get_th_sport()) dst = (ip.get_ip_dst(), tcp.get_th_dport()) con = Connection(proto, src, dst) elif protocol == 17: udp = ip.child() proto = 'UDP' src = (ip.get_ip_src(), udp.get_uh_sport()) dst = (ip.get_ip_dst(), udp.get_uh_dport()) con = Connection(proto, src, dst) # If there isn't an entry associated yetwith this connection, # open a new pcapdumper and create an association. if not self.connections.has_key(con): fn = con.getFilename() fn = '%s/%s' % (folder, fn) # print "Found a new connection, storing into:", fn if fn not in files: files.append(fn) try: dumper = self.pcap.dump_open(fn) except pcapy.PcapError, e: print "Can't write packet to:", fn return self.connections[con] = dumper # Write the packet to the corresponding file. self.connections[con].dump(hdr, data) except Exception as e: print str(e) pass
class DecoderThread(Thread): """A thread to sniff packets on my machine, read the SYN number and send it to the peer""" def __init__(self, pcapObj, udp_obj): self.udp_obj = udp_obj # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj Thread.__init__(self) def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(1, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. # Display the packet in human-readable form. try: packet = self.decoder.decode(data) #print 'Try to send SYN...' syn = packet.child().child().get_th_seq() self.udp_obj.send_SYN_to_ConnectionBroker(syn) except: print "Unexpected error:", sys.exc_info()[0], sys.exc_info()[1]
def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. self.proto_id = None self.src_ip = None self.tgt_ip = None self.src_port = None self.tgt_port = None self.msgs = [] # error msgs datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = []
class Decoder: def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = {} def start(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. try: p = self.decoder.decode(data) ip = p.child() protocol = ip.get_ip_p() # Build a distinctive key for this pair of peers. if protocol == 6: tcp = ip.child() proto = 'TCP' src = (ip.get_ip_src(), tcp.get_th_sport()) dst = (ip.get_ip_dst(), tcp.get_th_dport()) con = Connection(proto, src, dst) elif protocol == 17: udp = ip.child() proto = 'UDP' src = (ip.get_ip_src(), udp.get_uh_sport()) dst = (ip.get_ip_dst(), udp.get_uh_dport()) con = Connection(proto, src, dst) # If there isn't an entry associated yetwith this connection, # open a new pcapdumper and create an association. if not self.connections.has_key(con): fn = con.getFilename() print "Found a new connection, storing into:", fn try: dumper = self.pcap.dump_open(fn) except pcapy.PcapError, e: print "Can't write packet to:", fn return self.connections[con] = dumper # Write the packet to the corresponding file. self.connections[con].dump(hdr, data) except Exception as e: print str(e) pass
def __init__(self, bridge, subnet, arptable): # Open interface for capturing. self.pcap = open_live(bridge.bridgename, 65536, 1, 100) # Query the type of the link and instantiate a decoder accordingly. datalink = self.pcap.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.bridge = bridge self.subnet = subnet self.arptable = arptable self.protocols = args.discovery_protos or self.protocols Thread.__init__(self)
def __init__(self, pcapObj): self.searchTerm = 'commands' self.hostDict = {} self.flowDict = {} self.arbitraryChunkedLength = 30000 # as length of chunked tranfers can not be measured, we will provide an artibrary length for now # OSC functionality (multicasting for now) sendAddress = '127.0.0.1', 57120 self.oscClient=OSCClient() self.oscClient.connect(sendAddress) # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj Thread.__init__(self)
class Decoder: def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = {} def start(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): """Handles an incoming pcap packet. This method only knows how to recognize TCP/IP connections. Be sure that only TCP packets are passed onto this handler (or fix the code to ignore the others). Setting r"ip proto \tcp" as part of the pcap filter expression suffices, and there shouldn't be any problem combining that with other expressions. """ # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. p = self.decoder.decode(data) ip = p.child() tcp = ip.child() # Build a distinctive key for this pair of peers. src = (ip.get_ip_src(), tcp.get_th_sport() ) dst = (ip.get_ip_dst(), tcp.get_th_dport() ) con = Connection(src,dst) # If there isn't an entry associated yetwith this connection, # open a new pcapdumper and create an association. if not self.connections.has_key(con): fn = con.getFilename() print "Found a new connection, storing into:", fn try: dumper = self.pcap.dump_open(fn) except pcapy.PcapError, e: print "Can't write packet to:", fn return self.connections[con] = dumper # Write the packet to the corresponding file. self.connections[con].dump(hdr, data)
class Decoder: def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = {} def start(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): """Handles an incoming pcap packet. This method only knows how to recognize TCP/IP connections. Be sure that only TCP packets are passed onto this handler (or fix the code to ignore the others). Setting r"ip proto \tcp" as part of the pcap filter expression suffices, and there shouldn't be any problem combining that with other expressions. """ # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. p = self.decoder.decode(data) ip = p.child() tcp = ip.child() # Build a distinctive key for this pair of peers. src = (ip.get_ip_src(), tcp.get_th_sport()) dst = (ip.get_ip_dst(), tcp.get_th_dport()) con = Connection(src, dst) # If there isn't an entry associated yetwith this connection, # open a new pcapdumper and create an association. if not self.connections.has_key(con): fn = con.getFilename() print "Found a new connection, storing into:", fn try: dumper = self.pcap.dump_open(fn) except pcapy.PcapError, e: print "Can't write packet to:", fn return self.connections[con] = dumper # Write the packet to the corresponding file. self.connections[con].dump(hdr, data)
def __init__(self, pcapObj, filename=None): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = {} # added by yair self.packet_count = 0 self.packet_list = [] self.filename = filename self.dir = None # a dictionary containing all TCP streams self.streams = {}
class Decoder: def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. self.proto_id = None self.src_ip = None self.tgt_ip = None self.src_port = None self.tgt_port = None self.msgs = [] # error msgs datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = [] def start(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): """Handles an incoming pcap packet. This method only knows how to recognize TCP/IP connections. Be sure that only TCP packets are passed onto this handler (or fix the code to ignore the others). Setting r"ip proto \tcp" as part of the pcap filter expression suffices, and there shouldn't be any problem combining that with other expressions. """ # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. try: p = self.decoder.decode(data) logging.debug("start decoding" ) except Exception, e: logging.error("p = self.decoder.decode(data) failed for device" ) msgs.append(str(e)) # get the details from the decoded packet data if p: try: self.src_ip = p.child().get_ip_src() self.tgt_ip = p.child().get_ip_dst() self.proto_id = p.child().child().protocol except Exception, e: logging.error("exception while parsing ip packet: %s" % str(e)) self.msgs.append(str(e))
class DecoderThread(Thread): def __init__(self, pcapObj): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj Thread.__init__(self) def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. # Display the packet in human-readable form. print self.decoder.decode(data)
class DecoderThread(Thread): def __init__(self, pcapObj,subnet,arptable): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.subnet = subnet self.arptable = arptable Thread.__init__(self) #super(Thread, self).__init__() def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): e = self.decoder.decode(data) if e.get_ether_type() == impacket.ImpactPacket.IP.ethertype: #print e.child().get_ip_src() ip = e.child() ttl = ip.get_ip_ttl() ## Uneven but not 1 or 255 ttl means it's probably coming from a router ## if (ttl % 2) > 0 and ttl > 1 and ttl != 255: self.subnet.gatewaymac = e.get_ether_shost() self.subnet.sourcemac = e.get_ether_dhost() self.subnet.sourceaddress = ip.get_ip_dst() if e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype: arp = e.child() self.subnet.registeraddress(arp.get_ar_tpa()) self.subnet.registeraddress(arp.get_ar_spa()) if arp.get_op_name(arp.get_ar_op()) == "REPLY": print "got arp reply" self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha())) if arp.get_op_name(arp.get_ar_op()) == "REQUEST": self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
class ReaderAndDecoderThread(multiprocessing.Process): def __init__(self, cap_stream): multiprocessing.Process.__init__(self) self.cap_stream = cap_stream self.datalink = cap_stream.datalink() if pcapy.DLT_EN10MB == self.datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == self.datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % self.datalink) def run(self): global read_count while True: success = False try: # Quit reader (Keyboardinterrupt) if exit_reader_and_decoder_thread.is_set(): break (header, packet) = self.cap_stream.next() if header is not None: success = True sec, usec = header.getts() packet_queue.put((sec, usec, self.decoder.decode(packet))) with read_count.get_lock(): read_count.value += 1 elif config.pcap_file: reader_end_of_file.set() break except (pcapy.PcapError, socket.timeout): traceback.print_exc() pass except KeyboardInterrupt: break if not success: time.sleep(REGULAR_SENSOR_SLEEP_TIME)
def start(self): self.p = open_live(self.interface, 1600, 0, 100) ## self.p.setnonblock(1) if self.filter: self.p.setfilter(self.filter) # Query the type of the link and instantiate a decoder accordingly. datalink = self.p.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.tk.after(POLL_PERIOD, self.poll) self.tk.after(REFRESH_PERIOD, self.timerDraw) self.tk.bind('q', self.quit) self.tk.mainloop()
class DecoderThread(Thread): def __init__(self, pcapObj): datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Tipo de datalink não suportado: " % datalink) self.pcap = pcapObj Thread.__init__(self) def run(self): self.pcap.loop(0, self.packetHandler) def display_hex(self, pkt): return pkt.get_data_as_string() def packetHandler(self, hdr, data): p = self.decoder.decode(data) ip = p.child() tcp = ip.child() src = (ip.get_ip_src(), tcp.get_th_sport()) dst = (ip.get_ip_dst(), tcp.get_th_dport()) seq = tcp.get_th_seq() ack = tcp.get_th_ack() flags = tcp.get_th_flags() win = tcp.get_th_win() sum = tcp.get_th_sum() urp = tcp.get_th_urp() payload = self.display_hex(p) print('\n') print(f'SRC -> {src[0]}:{src[1]} | DST -> {dst[0]}:{dst[1]} | [{flags}:{ack}] Seq={seq} Win={win} Size={len(payload)} Sum={sum} Urp={urp}') if dst[0] == '172.17.7.232': print(bcolors.OKGREEN + str(payload) + bcolors.ENDC) else: print(bcolors.WARNING + str(payload) + bcolors.ENDC) print('\n')
def __init__(self, promisc=True, buffer_size=None, read_timeout=100, show_packets=False): self._pcap_t = None self._packets = None assert promisc in (True, False), "promisc must be either True or False" self._promisc = promisc self._buffer_size = buffer_size self._read_timeout = read_timeout assert show_packets in (True, False), "show_packets must be either True or False" self._show_packets = show_packets self._pcap_lock = threading.Lock() try: from impacket.ImpactDecoder import LinuxSLLDecoder self._decoder = LinuxSLLDecoder() except ImportError: self._decoder = None
class NetdudeDecoder(Decoder): """ """ def __init__(self,pcapObj ): """ """ self.proto_id = None self.src_ip = None self.tgt_ip = None self.src_port = None self.tgt_port = None self.msgs = [] # error msgs datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = [] def packetHandler(self, hdr, data): try: p = self.decoder.decode(data) logging.debug("start decoding" ) except Exception, e: logging.error("p = self.decoder.decode(data) failed for device" ) msgs.append(str(e)) # get the details from the decoded packet data if p: try: self.src_ip = p.child().get_ip_src() self.tgt_ip = p.child().get_ip_dst() self.proto_id = p.child().child().protocol except Exception, e: logging.error("exception while parsing ip packet: %s" % str(e)) self.msgs.append(str(e))
class DecoderThread(Thread): def __init__(self, pcapObj, queue): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.queue = queue self.pcap = pcapObj Thread.__init__(self) def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances, then send it to the Visualiser # which drives the Holiday lights. try: p = self.decoder.decode(data) except (Exception, KeyboardInterrupt) as e: print e return try: protocol = p.child().__class__.__name__ size = p.get_size() src = False if protocol == 'IP' or protocol == 'UDP': src = p.child().get_ip_src() dest = p.child().get_ip_dst() elif protocol == 'IP6': src = p.child().get_source_address() dest = p.child().get_destination_address() print "IP6", src, dest src = False if src: l = size_to_length(size) if src[0:2] == '10': col = local_ip_to_rgb(src) #col = ip_to_rgb(dest) v = SPEED / l i = 0 else: if RETURN_SAME: col = local_ip_to_rgb(src) else: col = ip_to_rgb(src) v = -SPEED / l i = -52 gradient = make_pulse(col, l) #print gradient self.queue.put(pulse.Pulse(i, v, gradient)) #print protocol, src, " -> ", dest, "Size ", size except Exception as e: print "Decoding failed" print e return
class DecoderThread(Thread): def __init__(self, pcapObj=None, FilePath=None, Interface=None): datalink = pcapObj.datalink() self.FilePath = FilePath self.Interface = Interface if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Unsupported datalink type: " % datalink) self.pcap = pcapObj Thread.__init__(self) def run(self): self.pcap.loop(0, self.packetHandler) def display_hex(self, pkt): return pkt.get_data_as_string() def packetHandler(self, hdr, data): p = self.decoder.decode(data) ip = p.child() tcp = ip.child() payload = self.display_hex(p) try: srcPort = tcp.get_th_sport() except AttributeError: srcPort = 0 try: dstPort = tcp.get_th_dport() except AttributeError: dstPort = 0 if dstPort > 0: sumBytePayload = sum(payload) / dstPort lenPayload = len(payload) / dstPort else: sumBytePayload = sum(payload) lenPayload = len(payload) try: protocol = tcp.protocol except AttributeError: return io = 1 #input if protocol is None: #ARP return #protocol 17 = UDP if protocol == 1: #ICMP if tcp.get_icmp_num_addrs() > 0: io = 0 #output if protocol == 6: #TCP myAddr = ni.ifaddresses(self.Interface)[ni.AF_INET][0]['addr'] if myAddr != ip.get_ip_dst(): io = 0 #output #Protocol|I/O|SrcPort|DstPort|SumPayload|LenPayload LOGS = str(protocol) + '|' + str(io) + '|' + str(srcPort) + '|' + str(dstPort) + '|' + str(sumBytePayload) + '|' +\ str(lenPayload) + '\n' with open(self.FilePath, 'a') as wf: wf.write(LOGS) wf.close()
class DecoderThread(Thread): def __init__(self, bridge, subnet, arptable): # Open interface for capturing. self.pcap = open_live(bridge.bridgename, 1500, 0, 100) # Query the type of the link and instantiate a decoder accordingly. datalink = self.pcap.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.bridge = bridge self.subnet = subnet self.arptable = arptable self.running = True Thread.__init__(self) def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. while self.running: self.pcap.dispatch(1, self.packetHandler) def stop(self): self.running = False time.sleep(0.1) def packetHandler(self, hdr, data): e = self.decoder.decode(data) if e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION: eapol = e.child() if eapol.get_packet_type() == eapol.EAP_PACKET: eap = eapol.child() eapr = eap.child() # Only client sends responses with identity if eap.get_code() == eap.RESPONSE and eapr.get_type() == eapr.IDENTITY: self.subnet.clientmac = e.get_ether_shost() elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype: ip = e.child() if isinstance(ip.child(), impacket.ImpactPacket.UDP): udp = ip.child() if isinstance(udp.child(), impacket.dhcp.BootpPacket): bootp = udp.child() if isinstance(bootp.child(), impacket.dhcp.DhcpPacket): dhcp = bootp.child() if dhcp.getOptionValue('message-type') == dhcp.DHCPDISCOVER: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue('message-type') == dhcp.DHCPREQUEST: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue('message-type') == dhcp.DHCPACK: self.subnet.clientip = self.subnet.int2ip(bootp["yiaddr"]) self.subnet.clientmac = e.get_ether_dhost() self.subnet.gatewayip = self.subnet.int2ip(dhcp.getOptionValue("router")[0]) self.subnet.gatewaymac = e.get_ether_shost() self.subnet.subnetmask = self.subnet.ip2array( self.subnet.int2ip(dhcp.getOptionValue("subnet-mask"))) self.subnet.subnet = self.subnet.ip2array(self.subnet.int2ip( dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"])) self.subnet.dhcp = True elif dhcp.getOptionValue('message-type') == dhcp.DHCPOFFER: self.subnet.clientip = self.subnet.int2ip(bootp["yiaddr"]) self.subnet.clientmac = e.get_ether_dhost() self.subnet.gatewayip = self.subnet.int2ip(dhcp.getOptionValue("router")[0]) self.subnet.gatewaymac = e.get_ether_shost() self.subnet.subnetmask = self.subnet.ip2array( self.subnet.int2ip(dhcp.getOptionValue("subnet-mask"))) self.subnet.subnet = self.subnet.ip2array(self.subnet.int2ip( dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"])) self.subnet.dhcp = True else: if not self.subnet.dhcp: ttl = ip.get_ip_ttl() # Uneven but not 1 or 255 ttl means it's probably coming from a router if (ttl % 2) > 0 and ttl > 1 and ttl != 255: self.subnet.gatewaymac = e.get_ether_shost() self.subnet.clientmac = e.get_ether_dhost() self.subnet.clientip = ip.get_ip_dst() elif e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype: arp = e.child() if not self.subnet.dhcp: self.subnet.registeraddress(arp.get_ar_tpa()) self.subnet.registeraddress(arp.get_ar_spa()) if arp.get_op_name(arp.get_ar_op()) == "REPLY": logging.debug("got arp reply") self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha())) if arp.get_op_name(arp.get_ar_op()) == "REQUEST": self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
class DecoderThread(Thread): protocols = ['DHCP', 'HTTP', 'dot1x', 'ARP', 'TTL'] def __init__(self, bridge, subnet, arptable): # Open interface for capturing. self.pcap = open_live(bridge.bridgename, 65536, 1, 100) # Query the type of the link and instantiate a decoder accordingly. datalink = self.pcap.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.bridge = bridge self.subnet = subnet self.arptable = arptable self.protocols = args.discovery_protos or self.protocols Thread.__init__(self) def run(self): self.running = True # Reset the link try: cmd("mii-tool -R %s 2>/dev/null" % ' '.join(self.bridge.interfaces)) except: pass # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. while self.running: self.pcap.dispatch(1, self.packetHandler) def stop(self): self.running = False time.sleep(0.1) def packetHandler(self, hdr, data): try: e = self.decoder.decode(data) except: return if e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype: arp = e.child() if arp.get_op_name(arp.get_ar_op()) == "REPLY": self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha())) if arp.get_op_name(arp.get_ar_op()) == "REQUEST": self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha())) # Got both interface sides. No more discovery needed if self.bridge.clientsiteint and self.bridge.switchsideint: return if 'dot1x' in self.protocols and not self.subnet.dhcp and \ e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION: eapol = e.child() if eapol.get_packet_type() == eapol.EAP_PACKET: eap = eapol.child() eapr = eap.child() # Only client sends responses with identity if eap.get_code() == eap.RESPONSE and eapr.get_type() == eapr.IDENTITY: self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost() self.subnet.clientip = self.subnet.clientip or \ self.arptable.mac2ip(self.subnet.get_clientmac) elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype: ip = e.child() if isinstance(ip.child(), impacket.ImpactPacket.UDP): udp = ip.child() if 'DHCP' in self.protocols and \ isinstance(udp.child(), impacket.dhcp.BootpPacket): bootp = udp.child() if isinstance(bootp.child(), impacket.dhcp.DhcpPacket): dhcp = bootp.child() if dhcp.getOptionValue('message-type') == dhcp.DHCPDISCOVER: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue('message-type') == dhcp.DHCPREQUEST: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue('message-type') == dhcp.DHCPACK or \ dhcp.getOptionValue('message-type') == dhcp.DHCPOFFER: if not self.subnet.clientip: self.subnet.clientip = self.subnet.int2ip(bootp["yiaddr"]) self.subnet.gatewayip = self.subnet.int2ip(dhcp.getOptionValue("router")[0]) self.subnet.gatewaymac = e.get_ether_shost() self.subnet.subnetmask = self.subnet.ip2array( self.subnet.int2ip(dhcp.getOptionValue("subnet-mask"))) self.subnet.subnet = self.subnet.ip2array(self.subnet.int2ip( dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"])) self.subnet.dnsip = self.subnet.int2ip(dhcp.getOptionValue("domain-name-server")[0]) self.subnet.dhcp = True elif isinstance(ip.child(), impacket.ImpactPacket.TCP): tcp = ip.child() if 'HTTP' in self.protocols and \ re.search(r'[A-Z]+ [^ ] HTTP/1\.', tcp.get_data_as_string()): self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_dhost() print(self.subnet.get_gatewaymac()) self.subnet.gatewayip = self.subnet.gatewayip or \ self.arptable.mac2ip(self.subnet.get_gatewaymac()) self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost() self.subnet.clientip = self.subnet.clientip or ip.get_ip_src() elif 'TTL' in self.protocols and not self.subnet.dhcp: ttl = ip.get_ip_ttl() # Uneven but not 1 or 255 ttl means it's probably coming from a router if (ttl % 2) > 0 and ttl > 1 and ttl != 255: self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_shost() self.subnet.gatewayip = self.subnet.gatewayip or \ self.arptable.mac2ip(self.subnet.get_gatewaymac()) self.subnet.clientmac = self.subnet.clientmac or e.get_ether_dhost() self.subnet.clientip = self.subnet.clientip or ip.get_ip_dst() elif 'ARP' in self.protocols and not self.subnet.dhcp and \ e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype: arp = e.child() self.subnet.registeraddress(arp.get_ar_tpa()) self.subnet.registeraddress(arp.get_ar_spa())
def run(self): global maxcount global maxbytes global history global persistant global running global last_dump flows = {} count = 0 # Arguments here are: # device # snaplen (maximum number of bytes to capture _per_packet_) # promiscious mode (1 for true) # timeout (in milliseconds) cap = pcapy.open_live(FLAGS.i, 1500, 1, 1000) # We get layer 1 packets. Therefore we need to use the right decoder. datalink = cap.datalink() if pcapy.DLT_EN10MB == datalink: decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: decoder = LinuxSLLDecoder() else: print '%s Datalink type not supported: ' %(datetime.datetime.now(), datalink) sys.exit(1) # Read packets -- header contains information about the data from pcap, # payload is the actual packet as a string (header, payload) = cap.next() while header: count += 1 if FLAGS.verbose: print ('%s captured %d bytes, truncated to %d bytes' %(datetime.datetime.now(), header.getlen(), header.getcaplen())) try: # The link level packet contains a payload l = decoder.decode(payload) p = l.child() key = None if p.ethertype == 0x800: # This is an IP packet ip = p.child() ips = [p.get_ip_src(), p.get_ip_dst()] ips.sort() if ip.protocol == 1: # ICMP if FLAGS.verbose: print (' ICMP: %s -> %s type %s' %(p.get_ip_src(), p.get_ip_dst(), ip.get_type_name(ip.get_icmp_type()))) key = 'ICMP %s' % repr(ips) elif ip.protocol == 6: # TCP if FLAGS.verbose: print ' TCP: %s:%d -> %s:%d' %(p.get_ip_src(), ip.get_th_sport(), p.get_ip_dst(), ip.get_th_dport()) ports = [ip.get_th_sport(), ip.get_th_dport()] ports.sort() key = 'TCP %s %s' %(repr(ips), repr(ports)) elif ip.protocol == 17: # UDP if FLAGS.verbose: print ' UDP: %s:%d -> %s:%d' %(p.get_ip_src(), ip.get_uh_sport(), p.get_ip_dst(), ip.get_uh_dport()) ports = [ip.get_uh_sport(), ip.get_uh_dport()] ports.sort() key = 'TCP %s %s' %(repr(ips), repr(ports)) elif ip.protocol: print '%s Unknown IP protocol %s' %(datetime.datetime.now(), ip.protocol) if key: flows.setdefault(key, (0, 0, 0, 0)) (a_count, a_bytes, b_count, b_bytes) = flows[key] if ips == [p.get_ip_src(), p.get_ip_dst()]: a_count += 1 a_bytes += header.getlen() else: b_count += 1 b_bytes += header.getlen() flows[key] = (a_count, a_bytes, b_count, b_bytes) else: print '%s Unknown ethertype %x' %(datetime.datetime.now(), p.ethertype) except impacket.ImpactPacket.ImpactPacketException, e: print '%s Sniffer skipped packet: %s' %(datetime.datetime.now(), e) self.data_lock.acquire() if time.time() - last_dump > 30: # Recalibrate maximums maxcount = 100 maxbytes = 100 for flow in flows: (acount, abytes, bcount, bbytes) = flows[flow] if acount > maxcount: maxcount = acount if bcount > maxcount: maxcount = bcount if abytes > maxbytes: maxbytes = abytes if bbytes > maxbytes: maxbytes = bbytes # Append to history history.append(flows) history = history[-30:] # Write to persistant history as well persistant.setdefault('history', {}) persistant['history'][time.time()] = flows persistant.sync() if len(persistant['history']) > 29: print '%s Committing suicide' % datetime.datetime.now() persistant.close() running = False raise SystemExit() print ('%s Sniffer captured %d packets in the last 30 seconds' %(datetime.datetime.now(), count)) count = 0 flows = {} last_dump = time.time() self.data_lock.release() del header del payload (header, payload) = cap.next()
class Pcap(object): def __init__(self, promisc=True, buffer_size=None, read_timeout=100, show_packets=False): self._pcap_t = None self._packets = None assert promisc in (True, False), "promisc must be either True or False" self._promisc = promisc self._buffer_size = buffer_size self._read_timeout = read_timeout assert show_packets in ( True, False), "show_packets must be either True or False" self._show_packets = show_packets self._pcap_lock = threading.Lock() try: from impacket.ImpactDecoder import LinuxSLLDecoder self._decoder = LinuxSLLDecoder() except ImportError: self._decoder = None def _set_buffer(self, buffer_size): w.pcap_set_buffer_size(self._pcap_t, buffer_size) def _set_timeout(self, read_timeout): w.pcap_set_timeout(self._pcap_t, read_timeout) @property def packets(self): for p in iter(self._packets.get, None): yield p @property def packet_count(self): return self._packets.qsize() @property def activated(self): return self._pcap_t is not None @property def snaplen(self): if not self.activated: raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED) return w.pcap_snapshot(self._pcap_t) @snaplen.setter def snaplen(self, snaplen): if not self.activated: raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED) return w.pcap_set_snaplen(self._pcap_t, snaplen) == 0 @property def promisc(self): return self._promisc def _set_promisc(self, state): w.pcap_set_promisc(self._pcap_t, state) @property def tstamp_types(self): return [(val, w.pcap_tstamp_type_val_to_name(val), w.pcap_tstamp_type_val_to_description(val)) for val in w.pcap_list_tstamp_types(self._pcap_t)] @property def datalink(self): dl = w.pcap_datalink(self._pcap_t) for dl_type, dl_name, dl_description in self.datalinks: if dl == dl_type: return dl_name return None def set_datalink(self, dlt): return w.pcap_set_datalink(self._pcap_t, dlt) == 0 @property def datalinks(self): if not self.activated: raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED) return [(val, w.pcap_datalink_val_to_name(val), w.pcap_datalink_val_to_description(val)) for val in w.pcap_list_datalinks(self._pcap_t)] def set_tstamp_type(self, tstamp_type): return w.pcap_set_tstamp_type(self._pcap_t, tstamp_type) == 0 def _activate(self): self._packets = Queue() w.pcap_activate(self._pcap_t) def _start(self): self._activate() self._start_loop() def _start_loop(self): thread.start_new_thread(self._loop, tuple()) def _loop(self): user = str(id(self)) _pcap_user_mapping[user] = self while True: with self._pcap_lock: if self.activated: ret = w.pcap_dispatch(self._pcap_t, -1, _packet_handler, user) if ret is None: break else: break del _pcap_user_mapping[user] def close(self): if self._pcap_t: w.pcap_breakloop(self._pcap_t) with self._pcap_lock: if self._pcap_t: w.pcap_close(self._pcap_t) self._pcap_t = None def _packet_handler(self, hdr, packet): packet_dict = dict(tv_sec=hdr.ts.tv_sec, tv_usec=hdr.ts.tv_usec, len=hdr.len, caplen=hdr.caplen, data=packet, decoded=None) if self._decoder: packet_dict['decoded'] = self._decoder.decode(packet) if self._show_packets: print packet_dict['decoded'] self._packets.put(packet_dict) def open_dev(self, dev='any'): """Create and activate pcap on a device. If no `dev` is specified then 'any' i used. """ self._pcap_t = w.pcap_create(dev) self._set_promisc(self._promisc) if self._buffer_size: self._set_buffer(self._buffer_size) if self._read_timeout: self._set_timeout(self._read_timeout) self._start() def open_file(self, filename): """Create and activate pcap with a file or filename.""" if isinstance(filename, basestring): self._pcap_t = w.pcap_open_offline(filename) else: self._pcap_t = w.pcap_fopen_offline(filename) self._start()
class DecoderThread(Thread): def __init__(self, pcapObj=None, Interface=None): datalink = pcapObj.datalink() self.Interface = Interface if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Unsupported datalink type: " % datalink) self.pcap = pcapObj self.buffer_traffic = [] Thread.__init__(self) def run(self): self.pcap.loop(0, self.packetHandler) def display_hex(self, pkt): return pkt.get_data_as_string() def encode_protocol(self, protocol): # tcp=1;udp=2;others=3 if protocol == 6: return 1 elif protocol == 17: return 2 else: return 3 def encode_port(self, port): # ports longer than 3 digits are irrelevant if len(str(port)) > 3: return 0 else: return int(port) def packetHandler(self, hdr, data): p = self.decoder.decode(data) ip = p.child() tcp = ip.child() payload = self.display_hex(p) myAddr = ni.ifaddresses(self.Interface)[ni.AF_INET][0]['addr'] try: srcIP = ip.get_ip_src() if myAddr == srcIP: srcIP = 0 except AttributeError: srcIP = 0 try: dstIP = ip.get_ip_dst() if myAddr == dstIP: dstIP = 0 except AttributeError: dstIP = 0 try: srcPort = tcp.get_th_sport() except AttributeError: srcPort = 0 try: dstPort = tcp.get_th_dport() except AttributeError: dstPort = 0 if dstPort > 0: sumBytePayload = sum(payload) / dstPort else: sumBytePayload = sum(payload) try: protocol = tcp.protocol except AttributeError: return io = 1 # input if protocol is None: # ARP return # protocol 17 = UDP if protocol == 1: # ICMP if tcp.get_icmp_num_addrs() > 0: io = 0 # output if protocol == 6: # TCP myAddr = ni.ifaddresses(self.Interface)[ni.AF_INET][0]['addr'] if myAddr != ip.get_ip_dst(): io = 0 # output protocol = self.encode_protocol(protocol) srcPort = self.encode_port(srcPort) dstPort = self.encode_port(dstPort) if len(self.buffer_traffic) > 10: self.buffer_traffic = [] self.buffer_traffic.append( [protocol, io, srcPort, dstPort, sumBytePayload]) self.model = Thread(target=ModelPredict, args=(protocol, io, srcPort, dstPort, sumBytePayload, srcIP, dstIP, self.buffer_traffic)) self.model.start()
class DecoderThread(Thread): def __init__(self, pcapObj): self.searchTerm = 'commands' self.hostDict = {} self.flowDict = {} self.arbitraryChunkedLength = 30000 # as length of chunked tranfers can not be measured, we will provide an artibrary length for now # OSC functionality (multicasting for now) sendAddress = '127.0.0.1', 57120 self.oscClient=OSCClient() self.oscClient.connect(sendAddress) # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj Thread.__init__(self) def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): # Use the ImpactDecoder to turn the rawpacket into a hierarchy of ImpactPacket instances. eth = self.decoder.decode(data) ip = eth.child() tcp = ip.child() src = (ip.get_ip_src(), tcp.get_th_sport() ) dst = (ip.get_ip_dst(), tcp.get_th_dport() ) self.detectHTTP(tcp, src, dst) def detectHTTP(self, tcp, src, dst): packetString = tcp.get_data_as_string() srcIp = src[0] dstIp = dst[0] self.detectRequestOrNewResponseOrExistingResponse(packetString, src, dst, tcp) def detectRequestOrNewResponseOrExistingResponse(self, packetString, src, dst, tcp): request = HTTPRequest(packetString) if request.error_code is None: # detect request self.parseRequest(request, src, dst) elif packetString[:8] == "HTTP/1.1": # detect response # only pass if a request was sent flowKey = (src, dst) if flowKey in self.hostDict: self.parseNewResponse(packetString, src, dst, tcp) else: flowKey = (src, dst) if flowKey in self.flowDict: # continue if packet is a continuation of an existing response body = packetString # with an existing response the body is the entire packetstring self.parseExistingResponse(flowKey, body, src, dst, tcp) def parseRequest(self, request, src, dst): if request.command == 'GET' and request.request_version == 'HTTP/1.1': # store the host and path related to this request by unique key for later lookup: self.hostDict[(dst, src)] = {} self.hostDict[(dst, src)]['host'] = request.headers['host'] self.hostDict[(dst, src)]['path'] = request.path def parseNewResponse(self, packetString, src, dst, tcp): responseCode = packetString[9:12] if responseCode == '200': # just okay responses for now if '\r\n\r\n' in packetString: # only proceed if the response has a body bodyIndex = packetString.index('\r\n\r\n') + 4 body = packetString[bodyIndex:] socket = FakeSocket(packetString) response = HTTPResponse(socket) response.begin() headerArray = response.getheaders() for item in headerArray: flowKey = (src, dst) if item[0] == 'content-type' and 'text/html' in item[1]: # accept any kind of text content for item in headerArray: if item[0] == 'content-length': length = int(item[1]) self.parseFixedLengthResponse(flowKey, body, length, src, dst, tcp, responseCode) elif item[0] == 'transfer-encoding' and item[1] == 'chunked': print 'found chunked' self.parseChunkedResponse(flowKey, body, src, dst, tcp, responseCode) else: print "body not found" def parseFixedLengthResponse(self, flowKey, body, length, src, dst, tcp, responseCode): self.flowDict[flowKey] = {'body': body, 'type': 'fixedLength', 'length': length} self.doStart(flowKey, body, src, dst, tcp, responseCode, 'fixedLength') contentLength = self.arbitraryChunkedLength progress = float(len(body)) / float(contentLength) packetContentLength = progress searchResults = self.bodySearch(body, contentLength) self.sendInfoAboutThisPacket(body, progress, packetContentLength, searchResults) def parseChunkedResponse(self, flowKey, body, src, dst, tcp, responseCode): self.flowDict[flowKey] = {'body': body, 'type': 'chunked'} self.doStart(flowKey, body, src, dst, tcp, responseCode, 'chunked') contentLength = self.flowDict[flowKey]['length'] progress = float(len(body)) / float(contentLength) packetContentLength = progress searchResults = self.bodySearch(body, contentLength) self.sendInfoAboutThisPacket(body, progress, packetContentLength, searchResults) def parseExistingResponse(self, flowKey, body, src, dst, tcp): if self.flowDict[flowKey]['type'] == 'fixedLength': contentLength = self.flowDict[flowKey]['length'] progress, packetContentLength = self.accumulateBodyAndReturnPacketPosition(flowKey, body, contentLength) mappedSearchResults = self.bodySearch(body, contentLength) self.sendInfoAboutThisPacket(body, progress, packetContentLength, mappedSearchResults) self.detectFixedLengthEnd(flowKey, src, dst) elif self.flowDict[flowKey]['type'] == 'chunked': contentLength = self.arbitraryChunkedLength progress, packetContentLength = self.accumulateBodyAndReturnPacketPosition(flowKey, body, contentLength) searchResults = self.bodySearch(body, contentLength) self.sendInfoAboutThisPacket(body, progress, packetContentLength, mappedSearchResults) self.detectChunkedEnd(packetString, src, dst) def accumulateBodyAndReturnPacketPosition(self, flowKey, body, contentLength): existingBody = self.flowDict[flowKey]['body'] newBody = self.flowDict[flowKey]['body'] = existingBody + body progress = float(len(newBody)) / float(contentLength) packetContentLength = float(len(body)) / float(contentLength) return progress, packetContentLength def sendInfoAboutThisPacket(self, body, progress, packetContentLength, mappedSearchResults): # call or response - relevant? self.oscSender('/progress', [progress]) # if mappedSearchResults: # if list is not empty # self.oscSender('/searchResults', mappedSearchResults) # self.oscSender('/bodyLength', [packetContentLength]) # self.oscSender('/body', [body]) def detectFixedLengthEnd(self, flowKey, src, dst): accumulatedBodyLength = len(self.flowDict[flowKey]['body']) contentLength = self.flowDict[flowKey]['length'] if accumulatedBodyLength == contentLength: self.doStop(src, dst) def detectChunkedEnd(self, body, src, dst): if '0\r\n\r\n' in body: # doesn't always work self.doStop(src, dst) def doStart(self, flowKey, body, src, dst, tcp, responseCode, encodingType): host = self.hostDict[(src, dst)]['host'] path = self.hostDict[(src, dst)]['path'] destinationIP = dst[0] sourceIP = src[0] destinationPort = dst[1] scaledDestinationPort = self.scale(destinationPort, 49152, 65535, 0, 1) # no use to have the source Port as it will always be 80 (http) self.oscSender('/start', [responseCode, host, path[0:20], destinationIP, sourceIP, destinationPort, encodingType]) def doStop(self, src, dst): host = self.hostDict[(src, dst)]['host'] path = self.hostDict[(src, dst)]['path'] del self.hostDict[(src, dst)] # need to do this? del self.flowDict[(src, dst)] self.oscSender('/stop', [host, path]) def bodySearch(self, body, contentLength): searchResults = [m.start() for m in re.finditer(self.searchTerm, body)] mappedSearchResults = [float(item)/float(contentLength) for item in searchResults] return mappedSearchResults def oscSender(self, addr, params): msg = OSCMessage() msg.setAddress(addr) if params is not None: for param in params: msg.append(param) print "sending: " + str(msg) + " to: " + str(self.oscClient) # do not indent this line! try: self.oscClient.send(msg) except OSCClientError: # could explicitly try to detect errno 61 here print "WARNING: cannot send to SuperCollider" def scale(self, value, leftMin, leftMax, rightMin, rightMax): leftSpan = leftMax - leftMin rightSpan = rightMax - rightMin valueScaled = float(value - leftMin) / float(leftSpan) return rightMin + (valueScaled * rightSpan)
class DecoderThread(Thread): def __init__(self, bridge, subnet, arptable): # Open interface for capturing. self.pcap = open_live(bridge.bridgename, 1500, 0, 100) # Query the type of the link and instantiate a decoder accordingly. datalink = self.pcap.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.bridge = bridge self.subnet = subnet self.arptable = arptable self.running = True Thread.__init__(self) def run(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. while self.running: self.pcap.dispatch(1, self.packetHandler) def stop(self): self.running = False time.sleep(0.1) def packetHandler(self, hdr, data): e = self.decoder.decode(data) if e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION: eapol = e.child() if eapol.get_packet_type() == eapol.EAP_PACKET: eap = eapol.child() eapr = eap.child() # Only client sends responses with identity if eap.get_code() == eap.RESPONSE and eapr.get_type( ) == eapr.IDENTITY: self.subnet.clientmac = e.get_ether_shost() elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype: ip = e.child() if isinstance(ip.child(), impacket.ImpactPacket.UDP): udp = ip.child() if isinstance(udp.child(), impacket.dhcp.BootpPacket): bootp = udp.child() if isinstance(bootp.child(), impacket.dhcp.DhcpPacket): dhcp = bootp.child() if dhcp.getOptionValue( 'message-type') == dhcp.DHCPDISCOVER: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue( 'message-type') == dhcp.DHCPREQUEST: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue( 'message-type') == dhcp.DHCPACK: self.subnet.clientip = self.subnet.int2ip( bootp["yiaddr"]) self.subnet.clientmac = e.get_ether_dhost() self.subnet.gatewayip = self.subnet.int2ip( dhcp.getOptionValue("router")[0]) self.subnet.gatewaymac = e.get_ether_shost() self.subnet.subnetmask = self.subnet.ip2array( self.subnet.int2ip( dhcp.getOptionValue("subnet-mask"))) self.subnet.subnet = self.subnet.ip2array( self.subnet.int2ip( dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"])) self.subnet.dhcp = True elif dhcp.getOptionValue( 'message-type') == dhcp.DHCPOFFER: self.subnet.clientip = self.subnet.int2ip( bootp["yiaddr"]) self.subnet.clientmac = e.get_ether_dhost() self.subnet.gatewayip = self.subnet.int2ip( dhcp.getOptionValue("router")[0]) self.subnet.domain_name = dhcp.getOptionValue( "domain name")[0] self.subnet.dns_server = self.subnet.int2ip( dhcp.getOptionValue("domain name server")[0]) self.subnet.gatewaymac = e.get_ether_shost() self.subnet.subnetmask = self.subnet.ip2array( self.subnet.int2ip( dhcp.getOptionValue("subnet-mask"))) self.subnet.subnet = self.subnet.ip2array( self.subnet.int2ip( dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"])) self.subnet.dhcp = True else: if not self.subnet.dhcp: ttl = ip.get_ip_ttl() # Uneven but not 1 or 255 ttl means it's probably coming from a router if (ttl % 2) > 0 and ttl > 1 and ttl != 255: self.subnet.gatewaymac = e.get_ether_shost() self.subnet.clientmac = e.get_ether_dhost() self.subnet.clientip = ip.get_ip_dst() elif e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype: arp = e.child() if not self.subnet.dhcp: self.subnet.registeraddress(arp.get_ar_tpa()) self.subnet.registeraddress(arp.get_ar_spa()) if arp.get_op_name(arp.get_ar_op()) == "REPLY": logging.debug("got arp reply") self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha())) if arp.get_op_name(arp.get_ar_op()) == "REQUEST": self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
class Pcap(object): def __init__(self, promisc=True, buffer_size=None, read_timeout=100, show_packets=False): self._pcap_t = None self._packets = None assert promisc in (True, False), "promisc must be either True or False" self._promisc = promisc self._buffer_size = buffer_size self._read_timeout = read_timeout assert show_packets in (True, False), "show_packets must be either True or False" self._show_packets = show_packets self._pcap_lock = threading.Lock() try: from impacket.ImpactDecoder import LinuxSLLDecoder self._decoder = LinuxSLLDecoder() except ImportError: self._decoder = None def _set_buffer(self, buffer_size): w.pcap_set_buffer_size(self._pcap_t, buffer_size) def _set_timeout(self, read_timeout): w.pcap_set_timeout(self._pcap_t, read_timeout) @property def packets(self): for p in iter(self._packets.get, None): yield p @property def packet_count(self): return self._packets.qsize() @property def activated(self): return self._pcap_t is not None @property def snaplen(self): if not self.activated: raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED) return w.pcap_snapshot(self._pcap_t) @snaplen.setter def snaplen(self, snaplen): if not self.activated: raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED) return w.pcap_set_snaplen(self._pcap_t, snaplen) == 0 @property def promisc(self): return self._promisc def _set_promisc(self, state): w.pcap_set_promisc(self._pcap_t, state) @property def tstamp_types(self): return [(val, w.pcap_tstamp_type_val_to_name(val), w.pcap_tstamp_type_val_to_description(val)) for val in w.pcap_list_tstamp_types(self._pcap_t)] @property def datalink(self): dl = w.pcap_datalink(self._pcap_t) for dl_type, dl_name, dl_description in self.datalinks: if dl == dl_type: return dl_name return None def set_datalink(self, dlt): return w.pcap_set_datalink(self._pcap_t, dlt) == 0 @property def datalinks(self): if not self.activated: raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED) return [(val, w.pcap_datalink_val_to_name(val), w.pcap_datalink_val_to_description(val)) for val in w.pcap_list_datalinks(self._pcap_t)] def set_tstamp_type(self, tstamp_type): return w.pcap_set_tstamp_type(self._pcap_t, tstamp_type) == 0 def _activate(self): self._packets = Queue() w.pcap_activate(self._pcap_t) def _start(self): self._activate() self._start_loop() def _start_loop(self): thread.start_new_thread(self._loop, tuple()) def _loop(self): user = str(id(self)) _pcap_user_mapping[user] = self while True: with self._pcap_lock: if self.activated: ret = w.pcap_dispatch(self._pcap_t, -1, _packet_handler, user) if ret is None: break else: break del _pcap_user_mapping[user] def close(self): if self._pcap_t: w.pcap_breakloop(self._pcap_t) with self._pcap_lock: if self._pcap_t: w.pcap_close(self._pcap_t) self._pcap_t = None def _packet_handler(self, hdr, packet): packet_dict = dict( tv_sec=hdr.ts.tv_sec, tv_usec=hdr.ts.tv_usec, len=hdr.len, caplen=hdr.caplen, data=packet, decoded=None ) if self._decoder: packet_dict['decoded'] = self._decoder.decode(packet) if self._show_packets: print packet_dict['decoded'] self._packets.put(packet_dict) def open_dev(self, dev='any'): """Create and activate pcap on a device. If no `dev` is specified then 'any' i used. """ self._pcap_t = w.pcap_create(dev) self._set_promisc(self._promisc) if self._buffer_size: self._set_buffer(self._buffer_size) if self._read_timeout: self._set_timeout(self._read_timeout) self._start() def open_file(self, filename): """Create and activate pcap with a file or filename.""" if isinstance(filename, basestring): self._pcap_t = w.pcap_open_offline(filename) else: self._pcap_t = w.pcap_fopen_offline(filename) self._start()
class DecoderThread(Thread): protocols = ['DHCP', 'HTTP', 'dot1x', 'ARP', 'TTL'] def __init__(self, bridge, subnet, arptable): # Open interface for capturing. self.pcap = open_live(bridge.bridgename, 65536, 1, 100) # Query the type of the link and instantiate a decoder accordingly. datalink = self.pcap.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.bridge = bridge self.subnet = subnet self.arptable = arptable self.protocols = args.discovery_protos or self.protocols Thread.__init__(self) def run(self): self.running = True # Reset the link try: cmd("mii-tool -R %s 2>/dev/null" % ' '.join(self.bridge.interfaces)) except: pass # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. while self.running: self.pcap.dispatch(1, self.packetHandler) def stop(self): self.running = False time.sleep(0.1) def packetHandler(self, hdr, data): try: e = self.decoder.decode(data) except: return if e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype: arp = e.child() if arp.get_op_name(arp.get_ar_op()) == "REPLY": self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha())) if arp.get_op_name(arp.get_ar_op()) == "REQUEST": self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha())) # Got both interface sides. No more discovery needed if self.bridge.clientsiteint and self.bridge.switchsideint: return if 'dot1x' in self.protocols and not self.subnet.dhcp and \ e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION: eapol = e.child() if eapol.get_packet_type() == eapol.EAP_PACKET: eap = eapol.child() eapr = eap.child() # Only client sends responses with identity if eap.get_code() == eap.RESPONSE and eapr.get_type( ) == eapr.IDENTITY: self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost( ) self.subnet.clientip = self.subnet.clientip or \ self.arptable.mac2ip(self.subnet.get_clientmac) elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype: ip = e.child() if isinstance(ip.child(), impacket.ImpactPacket.UDP): udp = ip.child() if 'DHCP' in self.protocols: if udp.get_uh_dport() in ( 67, 68) and udp.get_uh_sport() in (67, 68): bootp_decoder = BootpDecoder() bootp = bootp_decoder.decode(udp.child().get_packet()) if isinstance(bootp.child(), impacket.dhcp.DhcpPacket): dhcp = bootp.child() if dhcp.getOptionValue( 'message-type') == dhcp.DHCPDISCOVER: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue( 'message-type') == dhcp.DHCPREQUEST: self.subnet.clientmac = e.get_ether_shost() elif dhcp.getOptionValue('message-type') == dhcp.DHCPACK or \ dhcp.getOptionValue('message-type') == dhcp.DHCPOFFER: if not self.subnet.clientip: self.subnet.clientip = self.subnet.int2ip( bootp["yiaddr"]) self.subnet.gatewayip = self.subnet.int2ip( dhcp.getOptionValue("router")[0]) self.subnet.gatewaymac = e.get_ether_shost() self.subnet.subnetmask = self.subnet.ip2array( self.subnet.int2ip( dhcp.getOptionValue("subnet-mask"))) self.subnet.subnet = self.subnet.ip2array( self.subnet.int2ip( dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"])) self.subnet.dnsip = self.subnet.int2ip( dhcp.getOptionValue("domain-name-server") [0]) self.subnet.dhcp = True elif isinstance(ip.child(), impacket.ImpactPacket.TCP): tcp = ip.child() if 'HTTP' in self.protocols and \ re.search(r'[A-Z]+ [^ ] HTTP/1\.', tcp.get_data_as_string()): self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_dhost( ) print(self.subnet.get_gatewaymac()) self.subnet.gatewayip = self.subnet.gatewayip or \ self.arptable.mac2ip(self.subnet.get_gatewaymac()) self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost( ) self.subnet.clientip = self.subnet.clientip or ip.get_ip_src( ) elif 'TTL' in self.protocols and not self.subnet.dhcp: ttl = ip.get_ip_ttl() # Uneven but not 1 or 255 ttl means it's probably coming from a router if (ttl % 2) > 0 and ttl > 1 and ttl != 255: self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_shost( ) self.subnet.gatewayip = self.subnet.gatewayip or \ self.arptable.mac2ip(self.subnet.get_gatewaymac()) self.subnet.clientmac = self.subnet.clientmac or e.get_ether_dhost( ) self.subnet.clientip = self.subnet.clientip or ip.get_ip_dst( ) elif 'ARP' in self.protocols and not self.subnet.dhcp and \ e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype: arp = e.child() self.subnet.registeraddress(arp.get_ar_tpa()) self.subnet.registeraddress(arp.get_ar_spa())
class Decoder(object): def __init__(self, pcapObj, filename=None): # Query the type of the link and instantiate a decoder accordingly. datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.connections = {} # added by yair self.packet_count = 0 self.packet_list = [] self.filename = filename self.dir = None # a dictionary containing all TCP streams self.streams = {} def start(self): # Sniff ad infinitum. # PacketHandler shall be invoked by pcap for every packet. self.pcap.loop(0, self.packetHandler) def packetHandler(self, hdr, data): """Handles an incoming pcap packet. This method only knows how to recognize TCP/IP connections. Be sure that only TCP packets are passed onto this handler (or fix the code to ignore the others). Setting r"ip proto \tcp" as part of the pcap filter expression suffices, and there shouldn't be any problem combining that with other expressions. """ global flag_verbose # Use the ImpactDecoder to turn the rawpacket into a hierarchy # of ImpactPacket instances. p = self.decoder.decode(data) ip = p.child() tcp = ip.child() # Build a distinctive key for this pair of peers. src = (ip.get_ip_src(), tcp.get_th_sport()) dst = (ip.get_ip_dst(), tcp.get_th_dport()) con = Connection(src, dst) wtime = calc_wtime(wts=hdr.getts()) TCPts = None for opt in tcp.get_options(): try: TCPts = opt.get_ts() break except ImpactPacketException: pass self.packet_count += 1 packet = dPacket(wtime, ip.get_ip_dst(), tcp.get_th_sport(), tcp.get_th_dport(), ip.get_ip_id(), TCPts, self.packet_count) self.packet_list.append(packet) #add by yair - create dir for split files if flag_csv: split_dir_name = self.filename + '_TCPsessions' newpath = os.path.join(os.getcwd(), split_dir_name) self.dir = newpath # If there isn't an entry associated yet with this connection, # open a new pcapdumper and create an association. self.connections.setdefault(con, []) self.connections[con].append(packet)
print " bytes = the approximate maximum size of the little files" print "" if len(sys.argv) < 3: showUsage() sys.exit(1) fileCount = 1 p = open_offline(sys.argv[1]) datalink = p.datalink() if DLT_EN10MB == datalink: decoder = EthDecoder() elif DLT_LINUX_SLL == datalink: decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) while 1: try: (hdr, data) = p.next() filename = "%s_%d.cap" % (sys.argv[2], fileCount) pktCount = 0 capSize = 0 d = p.dump_open(filename) while capSize < int(sys.argv[3]): pkt = decoder.decode(data) try: bytes = len(pkt.get_packet()) except:
class PacketLoop(Thread): """ PacketLoop(Thread) Main Class """ def __init__(self, pcapy_object): """ PacketLoop(Thread) Class Constructor """ datalink = pcapy_object.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: print "Datalink type not supported: " % datalink exit() self.pcap = pcapy_object Thread.__init__(self) self.stop = False #---------------------------------------------------------------------- def run(self): """ Thread Main Function """ while not self.stop: self.pcap.dispatch(1, self.packet_handler) #---------------------------------------------------------------------- def get_ips(self, decoded_data): """ Returns src and dst ips in tuple format """ return (decoded_data.child().get_ip_src(), decoded_data.child().get_ip_dst()) #---------------------------------------------------------------------- def get_ports(self, decoded_data): """ Returns src and dst ports in tuple format """ return ( decoded_data.child().child().get_th_sport(), decoded_data.child().child().get_th_dport() ) #---------------------------------------------------------------------- def get_raw_data(self, decoded_data): """ Returns byte data """ #return decoded_data.child().child().child().get_buffer_as_string() return decoded_data.child().child().child().get_packet() #---------------------------------------------------------------------- def packet_handler(self, header, data): print data import sys sys.exit(12) """ Packet Handler Function Use the ImpactDecoder to turn the rawpacket into a human readable format """ decoded_data = self.decoder.decode(data) src_ip, dst_ip = self.get_ips(decoded_data) src_port, dst_port = self.get_ports(decoded_data) raw_data = self.get_raw_data(decoded_data) #print "[%s:%s] --> [%s:%s]" % (src_ip, src_port, dst_ip, dst_port) print raw_data if raw_data.startswith("HTTP"): decode_raw = HttpResponseDecoder(raw_data) decode_raw.parse() print decode_raw print decode_raw.body self.stop = True else: decode_raw = HttpRequestDecoder(raw_data) decode_raw.parse() print decode_raw
class SnifferThread(Thread): """ Main decoder/network sniffer class (running in separate thread). """ # initialization # def __init__(self, pcapObj): """ Query the type of the link and instantiate a decoder accordingly. """ datalink = pcapObj.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: raise Exception("Datalink type not supported: " % datalink) self.pcap = pcapObj self.buffer = [] # init internal buffer self.quit = False # quit thread? Thread.__init__(self) def run(self): """ Sniff ad infinitum. PacketHandler shall be invoked by pcap for every packet. When returning with error, decide """ while not self.quit: try: self.pcap.loop(0, self.__packetHandler) except SystemExit: # raised by '__packetHandler' to force quit pass # is there a direct (simpler?) way to force return from waiting 'self.pcap.loop' ?!? except: # generic error #warnings.warn( "%s %s" % sys.exc_info()[0:2] ) #print "\n".join(inspect.getframeinfo(sys.exc_info()[2]).code_context) #print "".join([ 'File "%s", line %i, in %s (%s)\n%s\n' % (f[1:4]+("\n".join(f[4]),)) for f in inspect.getinnerframes(sys.exc_info()[2]) ]) warnings.warn("\n".join(PyLib.tb_info()[2])) sys.exc_clear() def __packetHandler(self, hdr, data): """ Use the ImpactDecoder to turn the rawpacket into a hierarchy of ImpactPacket instances. Then search for URLs in packet by regex and log them to list. """ if self.quit: raise SystemExit('capture on interface stoped.') decoded_data = self.decoder.decode(data) (src, dst, data) = self.__getHeaderInfo(decoded_data) for item in regex_links.finditer(str(data)): if not item: continue #pos = item.start() link = item.groups()[0] #self.buffer.append( (link,) ) self.buffer.append(( link, src, dst, )) # append to internal buffer # thanks to http://d.hatena.ne.jp/shoe16i/mobile?date=20090203§ion=p1 def __getHeaderInfo(self, decoded_data): """ Extract the header info completely. """ ip = decoded_data.child() tcp = ip.child() #src = (ip.get_ip_src(), tcp.get_th_sport()) try: src = ip.get_ip_src() except: src = '?' #dst = (ip.get_ip_dst(), tcp.get_th_dport()) try: dst = ip.get_ip_dst() except: dst = '?' #data = tcp.get_data_as_string() data = tcp.get_packet() return (src, dst, data)