def _decode_payload(self, pktt):
"""Decode UDP payload."""
if 123 in [self.src_port, self.dst_port]:
# NTP on port 123
ntp = NTP(pktt)
if ntp:
pktt.pkt.ntp = ntp
return
elif 53 in [self.src_port, self.dst_port]:
# DNS on port 53
dns = DNS(pktt, proto=17)
if dns:
pktt.pkt.dns = dns
return
elif 88 in [self.src_port, self.dst_port]:
# KRB5 on port 88
krb = KRB5(pktt, proto=17)
if krb:
pktt.pkt.krb = krb
return
# Get RPC header
rpc = RPC(pktt, proto=17)
if rpc:
# Save RPC layer on packet object
pktt.pkt.rpc = rpc
if rpc.type:
# Remove packet call from the xid map since reply has
# already been decoded
pktt._rpc_xid_map.pop(rpc.xid, None)
# Decode NFS layer
rpc.decode_payload()
def _decode_payload(self, pktt):
"""Decode UDP payload."""
# Get RPC header
rpc = RPC(pktt, proto=17)
if rpc:
# Save RPC layer on packet object
pktt.pkt.rpc = rpc
if rpc.type:
# Remove packet call from the xid map since reply has
# already been decoded
pktt._rpc_xid_map.pop(rpc.xid, None)
# Decode NFS layer
rpc.decode_payload()
def _decode_payload(self, pktt, stream):
"""Decode TCP payload."""
rpc = None
if stream['frag_off'] > 0 and len(stream['msfrag']) == 0:
# This RPC packet lies within previous TCP packet,
# Re-position the offset of the data
self.data = self.data[stream['frag_off']:]
# Get the total size
save_data = self.data
size = len(self.data)
# Try decoding the RPC header before using the msfrag data
# to re-sync the stream
if len(stream['msfrag']) > 0:
rpc = RPC(pktt, self.data, proto=6)
if not rpc:
self.data = save_data
if rpc or (size == 0 and len(stream['msfrag']) > 0 and self.flags_raw != 0x10):
# There has been some data lost in the capture,
# to continue decoding next packets, reset stream
# except if this packet is just a TCP ACK (flags = 0x10)
stream['msfrag'] = ''
stream['frag_off'] = 0
# Expected data segment sequence number
nseg = self.seq - stream['last_seq']
# Make sure this segment has valid data
if nseg != len(stream['msfrag']) and \
size <= 20 and save_data == '\x00' * size:
return
if not rpc:
# Concatenate previous fragment
self.data = stream['msfrag'] + self.data
ldata = len(self.data) - 4
# Get RPC header
rpc = RPC(pktt, self.data, proto=6)
else:
ldata = size - 4
if not rpc:
return
rpcsize = rpc.fragment_hdr.size
if ldata < rpcsize:
# An RPC fragment is missing to decode RPC payload
stream['msfrag'] += save_data
else:
if len(stream['msfrag']) > 0 or ldata == rpcsize:
stream['frag_off'] = 0
stream['msfrag'] = ''
# Save RPC layer on packet object
pktt.pkt.rpc = rpc
del self.data
# Decode NFS layer
nfs = rpc.decode_nfs()
if nfs:
pktt.pkt.nfs = nfs
rpcbytes = ldata - len(rpc.data)
if not nfs and rpcbytes != rpcsize:
pass
elif rpc.data:
# Save the offset of next RPC packet within this TCP packet
# Data offset is cumulative
stream['frag_off'] += size - len(rpc.data)
save_data = rpc.data
ldata = len(rpc.data) - 4
try:
rpc_header = RPC(pktt, rpc.data, proto=6)
except Exception:
rpc_header = None
if not rpc_header or ldata < rpc_header.fragment_hdr.size:
# Part of next RPC packet is within this TCP packet
# Save the multi-span fragment data
stream['msfrag'] += save_data
else:
# Next RPC packet is entirely within this TCP packet
# Re-position the file pointer to the current offset
pktt.offset = pktt.b_offset
pktt._getfh().seek(pktt.offset)
else:
stream['frag_off'] = 0
def _decode_payload(self, pktt, stream):
"""Decode TCP payload."""
rpc = None
pkt = pktt.pkt
unpack = pktt.unpack
if stream['frag_off'] > 0 and len(stream['msfrag']) == 0:
# This RPC packet lies within previous TCP packet,
# Re-position the offset of the data
unpack.seek(unpack.tell() + stream['frag_off'])
# Get the total size
sid = unpack.save_state()
size = unpack.size()
nonvalid = bool(size <= 20 and unpack.getbytes() == '\x00' * size)
# Try decoding the RPC header before using the msfrag data
# to re-sync the stream
if len(stream['msfrag']) > 0:
rpc = RPC(pktt, proto=6)
if not rpc:
unpack.restore_state(sid)
sid = unpack.save_state()
if rpc or (size == 0 and len(stream['msfrag']) > 0 and self.flags_raw != 0x10):
# There has been some data lost in the capture,
# to continue decoding next packets, reset stream
# except if this packet is just a TCP ACK (flags = 0x10)
stream['msfrag'] = ''
stream['frag_off'] = 0
# Expected data segment sequence number
nseg = self.seq - stream['last_seq']
# Make sure this segment has valid data
if nseg != len(stream['msfrag']) and nonvalid:
return
if not rpc:
if len(stream['msfrag']):
# Concatenate previous fragment
unpack.insert(stream['msfrag'])
ldata = unpack.size() - 4
# Get RPC header
rpc = RPC(pktt, proto=6)
else:
ldata = size - 4
if not rpc:
return
rpcsize = rpc.fragment_hdr.size
truncbytes = pkt.record.length_orig - pkt.record.length_inc
if truncbytes == 0 and ldata < rpcsize:
# An RPC fragment is missing to decode RPC payload
unpack.restore_state(sid)
stream['msfrag'] += unpack.getbytes()
else:
if len(stream['msfrag']) > 0 or ldata == rpcsize:
stream['frag_off'] = 0
stream['msfrag'] = ''
# Save RPC layer on packet object
pkt.rpc = rpc
if rpc.type:
# Remove packet call from the xid map since reply has
# already been decoded
pktt._rpc_xid_map.pop(rpc.xid, None)
# Decode NFS layer
rpcload = rpc.decode_payload()
rpcbytes = ldata - unpack.size()
if not rpcload and rpcbytes != rpcsize:
pass
elif unpack.size():
# Save the offset of next RPC packet within this TCP packet
# Data offset is cumulative
stream['frag_off'] += size - unpack.size()
sid = unpack.save_state()
ldata = unpack.size() - 4
try:
rpc_header = RPC(pktt, proto=6, state=False)
except Exception:
rpc_header = None
if not rpc_header or ldata < rpc_header.fragment_hdr.size:
# Part of next RPC packet is within this TCP packet
# Save the multi-span fragment data
unpack.restore_state(sid)
stream['msfrag'] += unpack.getbytes()
else:
# Next RPC packet is entirely within this TCP packet
# Re-position the file pointer to the current offset
pktt.offset = pktt.boffset
pktt._getfh().seek(pktt.offset)
else:
stream['frag_off'] = 0
def _decode_payload(self, pktt, stream):
"""Decode TCP payload."""
rpc = None
pkt = pktt.pkt
unpack = pktt.unpack
if 53 in [self.src_port, self.dst_port]:
# DNS on port 53
dns = DNS(pktt, proto=6)
if dns:
pkt.dns = dns
return
elif 88 in [self.src_port, self.dst_port]:
# KRB5 on port 88
krb = KRB5(pktt, proto=6)
if krb:
pkt.krb = krb
return
if stream.frag_off > 0 and len(stream.buffer) == 0:
# This RPC packet lies within previous TCP packet,
# Re-position the offset of the data
unpack.seek(unpack.tell() + stream.frag_off)
# Get the total size
sid = unpack.save_state()
size = unpack.size()
# Try decoding the RPC header before using the stream buffer data
# to re-sync the stream
if len(stream.buffer) > 0:
rpc = RPC(pktt, proto=6)
if not rpc:
unpack.restore_state(sid)
sid = unpack.save_state()
if rpc or (size == 0 and len(stream.buffer) > 0
and self.flags.rawflags != 0x10):
# There has been some data lost in the capture,
# to continue decoding next packets, reset stream
# except if this packet is just a TCP ACK (flags = 0x10)
stream.buffer = ""
stream.frag_off = 0
if not rpc:
if len(stream.buffer):
# Concatenate previous fragment
unpack.insert(stream.buffer)
ldata = unpack.size() - 4
# Get RPC header
rpc = RPC(pktt, proto=6)
else:
ldata = size - 4
if not rpc:
return
rpcsize = rpc.fragment_hdr.size
truncbytes = pkt.record.length_orig - pkt.record.length_inc
if truncbytes == 0 and ldata < rpcsize:
# An RPC fragment is missing to decode RPC payload
unpack.restore_state(sid)
stream.add_fragment(unpack.getbytes(), self.seq)
else:
if len(stream.buffer) > 0 or ldata == rpcsize:
stream.frag_off = 0
stream.buffer = ""
# Save RPC layer on packet object
pkt.rpc = rpc
if rpc.type:
# Remove packet call from the xid map since reply has
# already been decoded
pktt._rpc_xid_map.pop(rpc.xid, None)
# Decode NFS layer
rpcload = rpc.decode_payload()
rpcbytes = ldata - unpack.size()
if not rpcload and rpcbytes != rpcsize:
pass
elif unpack.size():
# Save the offset of next RPC packet within this TCP packet
# Data offset is cumulative
stream.frag_off += size - unpack.size()
sid = unpack.save_state()
ldata = unpack.size() - 4
try:
rpc_header = RPC(pktt, proto=6, state=False)
except Exception:
rpc_header = None
if not rpc_header or ldata < rpc_header.fragment_hdr.size:
# Part of next RPC packet is within this TCP packet
# Save the multi-span fragment data
unpack.restore_state(sid)
stream.add_fragment(unpack.getbytes(), self.seq)
else:
# Next RPC packet is entirely within this TCP packet
# Re-position the file pointer to the current offset
pktt.seek(pktt.boffset)
else:
stream.frag_off = 0
def _decode_payload(self, pktt, stream):
"""Decode TCP payload."""
rpc = None
pkt = pktt.pkt
unpack = pktt.unpack
if stream['frag_off'] > 0 and len(stream['msfrag']) == 0:
# This RPC packet lies within previous TCP packet,
# Re-position the offset of the data
unpack.seek(unpack.tell() + stream['frag_off'])
# Get the total size
sid = unpack.save_state()
size = unpack.size()
nonvalid = bool(size <= 20 and unpack.getbytes() == '\x00' * size)
# Try decoding the RPC header before using the msfrag data
# to re-sync the stream
if len(stream['msfrag']) > 0:
rpc = RPC(pktt, proto=6)
if not rpc:
unpack.restore_state(sid)
sid = unpack.save_state()
if rpc or (size == 0 and len(stream['msfrag']) > 0 and self.flags_raw != 0x10):
# There has been some data lost in the capture,
# to continue decoding next packets, reset stream
# except if this packet is just a TCP ACK (flags = 0x10)
stream['msfrag'] = ''
stream['frag_off'] = 0
# Expected data segment sequence number
nseg = self.seq - stream['last_seq']
# Make sure this segment has valid data
if nseg != len(stream['msfrag']) and nonvalid:
return
if not rpc:
if len(stream['msfrag']):
# Concatenate previous fragment
unpack.insert(stream['msfrag'])
ldata = unpack.size() - 4
# Get RPC header
rpc = RPC(pktt, proto=6)
else:
ldata = size - 4
if not rpc:
return
rpcsize = rpc.fragment_hdr.size
truncbytes = pkt.record.length_orig - pkt.record.length_inc
if truncbytes == 0 and ldata < rpcsize:
# An RPC fragment is missing to decode RPC payload
unpack.restore_state(sid)
stream['msfrag'] += unpack.getbytes()
else:
if len(stream['msfrag']) > 0 or ldata == rpcsize:
stream['frag_off'] = 0
stream['msfrag'] = ''
# Save RPC layer on packet object
pkt.rpc = rpc
if rpc.type:
# Remove packet call from the xid map since reply has
# already been decoded
pktt._rpc_xid_map.pop(rpc.xid, None)
# Decode NFS layer
nfs = rpc.decode_nfs()
if nfs:
pkt.nfs = nfs
rpcbytes = ldata - unpack.size()
if not nfs and rpcbytes != rpcsize:
pass
elif unpack.size():
# Save the offset of next RPC packet within this TCP packet
# Data offset is cumulative
stream['frag_off'] += size - unpack.size()
sid = unpack.save_state()
ldata = unpack.size() - 4
try:
rpc_header = RPC(pktt, proto=6, state=False)
except Exception:
rpc_header = None
if not rpc_header or ldata < rpc_header.fragment_hdr.size:
# Part of next RPC packet is within this TCP packet
# Save the multi-span fragment data
unpack.restore_state(sid)
stream['msfrag'] += unpack.getbytes()
else:
# Next RPC packet is entirely within this TCP packet
# Re-position the file pointer to the current offset
pktt.offset = pktt.boffset
pktt._getfh().seek(pktt.offset)
else:
stream['frag_off'] = 0
def _decode_payload(self, pktt, stream):
"""Decode TCP payload."""
rpc = None
pkt = pktt.pkt
unpack = pktt.unpack
if 53 in [self.src_port, self.dst_port]:
# DNS on port 53
dns = DNS(pktt, proto=6)
if dns:
pkt.dns = dns
return
elif 88 in [self.src_port, self.dst_port]:
# KRB5 on port 88
krb = KRB5(pktt, proto=6)
if krb:
pkt.krb = krb
return
if stream.frag_off > 0 and len(stream.buffer) == 0:
# This RPC packet lies within previous TCP packet,
# Re-position the offset of the data
unpack.seek(unpack.tell() + stream.frag_off)
# Get the total size
sid = unpack.save_state()
size = unpack.size()
# Try decoding the RPC header before using the stream buffer data
# to re-sync the stream
if len(stream.buffer) > 0:
rpc = RPC(pktt, proto=6)
if not rpc:
unpack.restore_state(sid)
sid = unpack.save_state()
if rpc or (size == 0 and len(stream.buffer) > 0 and self.flags.rawflags != 0x10):
# There has been some data lost in the capture,
# to continue decoding next packets, reset stream
# except if this packet is just a TCP ACK (flags = 0x10)
stream.buffer = ""
stream.frag_off = 0
if not rpc:
if len(stream.buffer):
# Concatenate previous fragment
unpack.insert(stream.buffer)
ldata = unpack.size() - 4
# Get RPC header
rpc = RPC(pktt, proto=6)
else:
ldata = size - 4
if not rpc:
return
rpcsize = rpc.fragment_hdr.size
truncbytes = pkt.record.length_orig - pkt.record.length_inc
if truncbytes == 0 and ldata < rpcsize:
# An RPC fragment is missing to decode RPC payload
unpack.restore_state(sid)
stream.add_fragment(unpack.getbytes(), self.seq)
else:
if len(stream.buffer) > 0 or ldata == rpcsize:
stream.frag_off = 0
stream.buffer = ""
# Save RPC layer on packet object
pkt.rpc = rpc
if rpc.type:
# Remove packet call from the xid map since reply has
# already been decoded
pktt._rpc_xid_map.pop(rpc.xid, None)
# Decode NFS layer
rpcload = rpc.decode_payload()
rpcbytes = ldata - unpack.size()
if not rpcload and rpcbytes != rpcsize:
pass
elif unpack.size():
# Save the offset of next RPC packet within this TCP packet
# Data offset is cumulative
stream.frag_off += size - unpack.size()
sid = unpack.save_state()
ldata = unpack.size() - 4
try:
rpc_header = RPC(pktt, proto=6, state=False)
except Exception:
rpc_header = None
if not rpc_header or ldata < rpc_header.fragment_hdr.size:
# Part of next RPC packet is within this TCP packet
# Save the multi-span fragment data
unpack.restore_state(sid)
stream.add_fragment(unpack.getbytes(), self.seq)
else:
# Next RPC packet is entirely within this TCP packet
# Re-position the file pointer to the current offset
pktt.seek(pktt.boffset)
else:
stream.frag_off = 0
