Esempio n. 1
0
class Pktt(BaseObj, Unpack):
    """Packet trace object

       Usage:
           from packet.pktt import Pktt

           x = Pktt("/traces/tracefile.cap")

           # Iterate over all packets found in the trace file
           for pkt in x:
               print pkt
    """
    def __init__(self, tfile, live=False, state=True):
        """Constructor

           Initialize object's private data, note that this will not check the
           file for existence nor will open the file to verify if it is a valid
           tcpdump file. The tcpdump trace file will be opened the first time a
           packet is retrieved.

           tracefile:
               Name of tcpdump trace file or a list of trace file names
               (little or big endian format)
           live:
               If set to True, methods will not return if encountered <EOF>,
               they will keep on trying until more data is available in the
               file. This is useful when running tcpdump in parallel,
               especially when tcpdump is run with the '-C' option, in which
               case when <EOF> is encountered the next trace file created by
               tcpdump will be opened and the object will be re-initialized,
               all private data referencing the previous file is lost.
        """
        self.tfile = tfile  # Current trace file name
        self.bfile = tfile  # Base trace file name
        self.live = live  # Set to True if dealing with a live tcpdump file
        self.offset = 0  # Current file offset
        self.boffset = 0  # File offset of current packet
        self.ioffset = 0  # File offset of first packet
        self.index = 0  # Current packet index
        self.frame = 1  # Current frame number
        self.mindex = 0  # Maximum packet index for current trace file
        self.findex = 0  # Current tcpdump file index (used with self.live)
        self.fh = None  # Current file handle
        self.eof = False  # End of file marker for current packet trace
        self.serial = False  # Processing trace files serially
        self.pkt = None  # Current packet
        self.pkt_call = None  # The current packet call if self.pkt is a reply
        self.pktt_list = []  # List of Pktt objects created
        self.tfiles = []  # List of packet trace files
        self.rdbuffer = ""  # Read buffer
        self.rdoffset = 0  # Read buffer offset
        self.filesize = 0  # Size of packet trace file
        self.prevprog = -1.0  # Previous progress percentage
        self.prevtime = 0.0  # Previous segment time
        self.prevdone = -1  # Previous progress bar units done so far
        self.prevoff = 0  # Previous offset
        self.showprog = 0  # If this is true the progress will be displayed
        self.progdone = 0  # Display last progress only once
        self.timestart = time.time()  # Time reference base
        self.reply_matched = False  # Matching a reply

        # TCP stream map: to keep track of the different TCP streams within
        # the trace file -- used to deal with RPC packets spanning multiple
        # TCP packets or to handle a TCP packet having multiple RPC packets
        self._tcp_stream_map = {}

        # RPC xid map: to keep track of packet calls
        self._rpc_xid_map = {}
        # List of outstanding xids to match
        self._match_xid_list = []

        # Process tfile argument
        if isinstance(tfile, list):
            # The argument tfile is given as a list of packet trace files
            self.tfiles = tfile
            if len(self.tfiles) == 1:
                # Only one file is given
                self.tfile = self.tfiles[0]
            else:
                # Create all packet trace objects
                for tfile in self.tfiles:
                    self.pktt_list.append(Pktt(tfile))

    def __del__(self):
        """Destructor

           Gracefully close the tcpdump trace file if it is opened.
        """
        if self.fh:
            self.fh.close()

    def __iter__(self):
        """Make this object iterable."""
        return self

    def __contains__(self, expr):
        """Implement membership test operator.
           Return true if expr matches a packet in the trace file,
           false otherwise.

           The packet is also stored in the object attribute pkt.

           Examples:
               # Find the next READ request
               if ("NFS.argop == 25" in x):
                   print x.pkt.nfs

           See match() method for more information
        """
        pkt = self.match(expr)
        return (pkt is not None)

    def __getitem__(self, index):
        """Get the packet from the trace file given by the index
           or raise IndexError.

           The packet is also stored in the object attribute pkt.

           Examples:
               pkt = x[index]
        """
        self.dprint('PKT4', ">>> __getitem__(%d)" % index)
        if index < 0:
            # No negative index is allowed
            raise IndexError

        try:
            if index == self.pkt.record.index:
                # The requested packet is in memory, just return it
                return self.pkt
        except:
            pass

        if index < self.index:
            # Reset the current packet index and offset
            # The index is less than the current packet offset so position
            # the file pointer to the offset of the packet given by index
            self.rewind(index)

        # Move to the packet specified by the index
        pkt = None
        while self.index <= index:
            try:
                pkt = self.next()
            except:
                break

        if pkt is None:
            raise IndexError
        return pkt

    def next(self):
        """Get the next packet from the trace file or raise StopIteration.

           The packet is also stored in the object attribute pkt.

           Examples:
               # Iterate over all packets found in the trace file using
               # the iterable properties of the object
               for pkt in x:
                   print pkt

               # Iterate over all packets found in the trace file using it
               # as a method and using the object variable as the packet
               # Must use the try statement to catch StopIteration exception
               try:
                   while (x.next()):
                       print x.pkt
               except StopIteration:
                   pass

               # Iterate over all packets found in the trace file using it
               # as a method and using the return value as the packet
               # Must use the try statement to catch StopIteration exception
               while True:
                   try:
                       print x.next()
                   except StopIteration:
                       break

           NOTE:
               Supports only single active iteration
        """
        self.dprint('PKT4', ">>> %d: next()" % self.index)
        # Initialize next packet
        self.pkt = Pkt()

        if len(self.pktt_list) > 1:
            # Dealing with multiple trace files
            minsecs = None
            pktt_obj = None
            for obj in self.pktt_list:
                if obj.pkt is None:
                    # Get first packet for this packet trace object
                    try:
                        obj.next()
                    except StopIteration:
                        obj.mindex = self.index
                if obj.eof:
                    continue
                if minsecs is None or obj.pkt.record.secs < minsecs:
                    minsecs = obj.pkt.record.secs
                    pktt_obj = obj
            if self.filesize == 0:
                # Calculate total bytes to process
                for obj in self.pktt_list:
                    self.filesize += obj.filesize
            if pktt_obj is None:
                # All packet trace files have been processed
                self.offset = self.filesize
                self.show_progress(True)
                raise StopIteration
            elif len(self._tcp_stream_map):
                # This packet trace file should be processed serially
                # Have all state transferred to next packet object
                pktt_obj.rewind()
                pktt_obj._tcp_stream_map = self._tcp_stream_map
                pktt_obj._rpc_xid_map = self._rpc_xid_map
                self._tcp_stream_map = {}
                self._rpc_xid_map = {}
                pktt_obj.next()

            # Overwrite attributes seen by the caller with the attributes
            # from the current packet trace object
            self.pkt = pktt_obj.pkt
            self.pkt_call = pktt_obj.pkt_call
            self.tfile = pktt_obj.tfile
            self.pkt.record.index = self.index  # Use a cumulative index
            self.offset += pktt_obj.offset - pktt_obj.boffset

            try:
                # Get next packet for this packet trace object
                pktt_obj.next()
            except StopIteration:
                # Set maximum packet index for this packet trace object to
                # be used by rewind to select the proper packet trace object
                pktt_obj.mindex = self.index
                # Check if objects should be serially processed
                pktt_obj.serial = False
                for obj in self.pktt_list:
                    if not obj.eof:
                        if obj.index > 1:
                            pktt_obj.serial = False
                            break
                        elif obj.index == 1:
                            pktt_obj.serial = True
                if pktt_obj.serial:
                    # Save current state
                    self._tcp_stream_map = pktt_obj._tcp_stream_map
                    self._rpc_xid_map = pktt_obj._rpc_xid_map

            self.show_progress()

            # Increment cumulative packet index
            self.index += 1
            return self.pkt

        if self.boffset != self.offset:
            # Frame number is one for every record header on the pcap trace
            # On the other hand self.index is the packet number. Since there
            # could be multiple packets on a single frame self.index could
            # be larger the self.frame except that self.index start at 0
            # while self.frame starts at 1.
            # The frame number can be used to match packets with other tools
            # like wireshark
            self.frame += 1

        # Save file offset for this packet
        self.boffset = self.offset

        # Get record header
        data = self._read(16)
        if len(data) < 16:
            self.eof = True
            self.offset = self.filesize
            self.show_progress(True)
            raise StopIteration
        # Decode record header
        record = Record(self, data)

        # Get record data and create Unpack object
        self.unpack = Unpack(self._read(record.length_inc))
        if self.unpack.size() < record.length_inc:
            # Record has been truncated, stop iteration
            self.eof = True
            self.offset = self.filesize
            self.show_progress(True)
            raise StopIteration

        if self.header.link_type == 1:
            # Decode ethernet layer
            ETHERNET(self)
        else:
            # Unknown link layer
            record.data = self.unpack.getbytes()

        self.show_progress()

        # Increment packet index
        self.index += 1

        return self.pkt

    def rewind(self, index=0):
        """Rewind the trace file by setting the file pointer to the start of
           the given packet index. Returns False if unable to rewind the file,
           e.g., when the given index is greater than the maximum number
           of packets processed so far.
        """
        self.dprint('PKT1', ">>> rewind(%d)" % index)
        if index >= 0 and index < self.index:
            if len(self.pktt_list) > 1:
                # Dealing with multiple trace files
                self.index = 0
                for obj in self.pktt_list:
                    if not obj.eof or index <= obj.mindex:
                        obj.rewind()
                        try:
                            obj.next()
                        except StopIteration:
                            pass
                    elif obj.serial and index > obj.mindex:
                        self.index = obj.mindex + 1
            else:
                # Reset the current packet index and offset to the first packet
                self.offset = self.ioffset
                self.index = 0
                self.eof = False

                # Position the file pointer to the offset of the first packet
                self.seek(self.ioffset)

                # Clear state
                self._tcp_stream_map = {}
                self._rpc_xid_map = {}

            # Move to the packet before the specified by the index so the
            # next packet fetched will be the one given by index
            while self.index < index:
                try:
                    pkt = self.next()
                except:
                    break

            # Rewind succeeded
            return True
        return False

    def seek(self, offset, whence=os.SEEK_SET, hard=False):
        """Position the read offset correctly
           If new position is outside the current read buffer then clear the
           buffer so a new chunk of data will be read from the file instead
        """
        soffset = self.fh.tell() - len(self.rdbuffer)
        if hard or offset < soffset or whence != os.SEEK_SET:
            # Seek is before the read buffer, do the actual seek
            self.rdbuffer = ""
            self.rdoffset = 0
            self.fh.seek(offset, whence)
            self.offset = self.fh.tell()
        else:
            # Seek is not before the read buffer
            self.rdoffset = offset - soffset
            self.offset = offset

    def _getfh(self):
        """Get the filehandle of the trace file, open file if necessary."""
        if self.fh == None:
            # Check size of file
            fstat = os.stat(self.tfile)
            if fstat.st_size == 0:
                raise Exception("Packet trace file is empty")

            # Open trace file
            self.fh = open(self.tfile, 'rb')
            self.filesize = fstat.st_size

            iszip = False
            self.header_fmt = None
            while self.header_fmt is None:
                # Initialize offset
                self.offset = 0

                # Get file identifier
                try:
                    self.ident = self._read(4)
                except:
                    self.ident = ""

                if self.ident == '\324\303\262\241':
                    # Little endian
                    self.header_fmt = '<HHIIII'
                    self.header_rec = '<IIII'
                elif self.ident == '\241\262\303\324':
                    # Big endian
                    self.header_fmt = '>HHIIII'
                    self.header_rec = '>IIII'
                else:
                    if iszip:
                        raise Exception('Not a tcpdump file')
                    iszip = True
                    # Get the size of the uncompressed file, this only works
                    # for uncompressed files less than 4GB
                    self.fh.seek(-4, os.SEEK_END)
                    self.filesize = struct.unpack("<I", self.fh.read(4))[0]
                    # Do a hard seek -- clear read ahead buffer
                    self.seek(0, hard=True)
                    # Try if this is a gzip compress file
                    self.fh = gzip.GzipFile(fileobj=self.fh)

            # Get header information
            self.header = Header(self)

            # Initialize packet number
            self.index = 0
            self.tstart = None
            self.ioffset = self.offset

        return self.fh

    def _read(self, count):
        """Wrapper for read in order to increment the object's offset. It also
           takes care of <EOF> when 'live' option is set which keeps on trying
           to read and switching files when needed.
        """
        # Open packet trace if needed
        self._getfh()
        while True:
            # Get the number of bytes specified
            rdsize = len(self.rdbuffer) - self.rdoffset
            if count > rdsize:
                # Not all bytes needed are in the read buffer
                if self.rdoffset > READ_SIZE:
                    # If the read offset is on the second half of the
                    # 2*READ_SIZE buffer discard the first bytes so the
                    # new read offset is right at the middle of the buffer
                    # This is done in case there is a seek behind the current
                    # offset so data is not read from the file again
                    self.rdbuffer = self.rdbuffer[self.rdoffset - READ_SIZE:]
                    self.rdoffset = READ_SIZE
                # Read next chunk from file
                self.rdbuffer += self.fh.read(max(count, READ_SIZE))
            # Get the bytes requested and increment read offset accordingly
            data = self.rdbuffer[self.rdoffset:self.rdoffset + count]
            self.rdoffset += count

            ldata = len(data)
            if self.live and ldata != count:
                # Not all data was read (<EOF>)
                tracefile = "%s%d" % (self.bfile, self.findex + 1)
                # Check if next trace file exists
                if os.path.isfile(tracefile):
                    # Save information that keeps track of the next trace file
                    basefile = self.bfile
                    findex = self.findex + 1
                    # Re-initialize the object
                    self.__del__()
                    self.__init__(tracefile, live=self.live)
                    # Overwrite next trace file info
                    self.bfile = basefile
                    self.findex = findex
                # Re-position file pointer to last known offset
                self.seek(self.offset)
                time.sleep(1)
            else:
                break

        # Increment object's offset by the amount of data read
        self.offset += ldata
        return data

    def _split_match(self, uargs):
        """Split match arguments and return a tuple (lhs, opr, rhs)
           where lhs is the left hand side of the given argument expression,
           opr is the operation and rhs is the right hand side of the given
           argument expression:

               <lhs> <opr> <rhs>

           Valid opr values are: ==, !=, <, >, <=, >=, in
        """
        m = re.search(r"([^!=<>]+)\s*([!=<>]+|in)\s*(.*)", uargs)
        lhs = m.group(1).rstrip()
        opr = m.group(2)
        rhs = m.group(3)
        return (lhs, opr, rhs)

    def _process_match(self, obj, lhs, opr, rhs):
        """Process "regex" and 'in' operator on match expression.
           Regular expression is given as re('regex') and converted to a
           proper regex re.search('regex', data), where data is the object
           compose of obj and lhs|rhs depending on opr. The argument obj
           is an object prefix.

           If opr is a comparison operation (==, !=, etc.), both obj and lhs
           will be the actual LHS and rhs will be the actual RHS.
           If opr is 'in', lhs will be the actual LHS and both obj and rhs
           will be the actual RHS.

           Return the processed match expression.

           Examples:
               # Regular expression processing
               expr = x._process_match('self.pkt.ip.', 'src', '==', "re(r'192\.*')")

               Returns the following expression ready to be evaluated:
               expr = "re.search(r'192\.*', str(self.pkt,ip.src))"

               # Object prefix processing
               expr = x._process_match('item.', 'argop', '==', '25')

               Returns the following expression ready to be evaluated:
               expr = "item.argop==25"

               # Membership (in) processing
               expr = x._process_match('item.', '62', 'in', 'attributes')

               Returns the following expression ready to be evaluated:
               expr = "62 in item.attributes"
        """
        func = None
        if opr != 'in':
            regex = re.search(r"(\w+)\((.*)\)", lhs)
            if regex:
                lhs = regex.group(2)
                func = regex.group(1)

        if rhs[:3] == 're(':
            # Regular expression, it must be in rhs
            rhs = "re.search" + rhs[2:]
            if opr == "!=":
                rhs = "not " + rhs
            LHS = rhs[:-1] + ", str(" + obj + lhs + "))"
            RHS = ""
            opr = ""
        elif opr == 'in':
            opr = " in "
            if self.inlhs:
                LHS = obj + lhs
                RHS = rhs
            else:
                LHS = lhs
                RHS = obj + rhs
        else:
            LHS = obj + lhs
            RHS = rhs

        if func is not None:
            LHS = "%s(%s)" % (func, LHS)

        return LHS + opr + RHS

    def _match(self, layer, uargs):
        """Default match function."""
        if not hasattr(self.pkt, layer):
            return False

        if layer == "nfs":
            # Use special matching function for NFS
            texpr = self.match_nfs(uargs)
        else:
            # Use general match
            obj = "self.pkt.%s." % layer.lower()
            lhs, opr, rhs = self._split_match(uargs)
            expr = self._process_match(obj, lhs, opr, rhs)
            texpr = eval(expr)
        self.dprint(
            'PKT2', "    %d: match_%s(%s) -> %r" %
            (self.pkt.record.index, layer, uargs, texpr))
        return texpr

    def clear_xid_list(self):
        """Clear list of outstanding xids"""
        self._match_xid_list = []

    def _match_nfs(self, uargs):
        """Match NFS values on current packet."""
        array = None
        isarg = True
        lhs, opr, rhs = self._split_match(uargs)

        if self.pkt.rpc.version == 3 or _nfsopmap.get(lhs):
            try:
                # Top level NFSv4 packet info or NFSv3 packet
                expr = self._process_match("self.pkt.nfs.", lhs, opr, rhs)
                if eval(expr):
                    # Set NFSop and NFSidx
                    self.pkt.NFSop = self.pkt.nfs
                    self.pkt.NFSidx = 0
                    return True
                return False
            except Exception:
                return False

        idx = 0
        obj_prefix = "item."
        for item in self.pkt.nfs.array:
            try:
                # Get expression to eval
                expr = self._process_match(obj_prefix, lhs, opr, rhs)
                if eval(expr):
                    self.pkt.NFSop = item
                    self.pkt.NFSidx = idx
                    return True
            except Exception:
                # Continue searching
                pass
            idx += 1
        return False

    def match_nfs(self, uargs):
        """Match NFS values on current packet.

           In NFSv4, there is a single compound procedure with multiple
           operations, matching becomes a little bit tricky in order to make
           the matching expression easy to use. The NFS object's name space
           gets converted into a flat name space for the sole purpose of
           matching. In other words, all operation objects in array are
           treated as being part of the NFS object's top level attributes.

           Consider the following NFS object:
               nfsobj = COMPOUND4res(
                   status=NFS4_OK,
                   tag='NFSv4_tag',
                   array = [
                       nfs_resop4(
                           resop=OP_SEQUENCE,
                           opsequence=SEQUENCE4res(
                               status=NFS4_OK,
                               resok=SEQUENCE4resok(
                                   sessionid='sessionid',
                                   sequenceid=29,
                                   slotid=0,
                                   highest_slotid=179,
                                   target_highest_slotid=179,
                                   status_flags=0,
                               ),
                           ),
                       ),
                       nfs_resop4(
                           resop=OP_PUTFH,
                           opputfh = PUTFH4res(
                               status=NFS4_OK,
                           ),
                       ),
                       ...
                   ]
               ),

           The result for operation PUTFH is the second in the list:
               putfh = nfsobj.array[1]

           From this putfh object the status operation can be accessed as:
               status = putfh.opputfh.status

           or simply as (this is how the NFS object works):
               status = putfh.status

           In this example, the following match expression 'NFS.status == 0'
           could match the top level status of the compound (nfsobj.status)
           or the putfh status (nfsobj.array[1].status)

           The following match expression 'NFS.sequenceid == 25' will also
           match this packet as well, even though the actual expression should
           be 'nfsobj.array[0].opsequence.resok.sequenceid == 25' or
           simply 'nfsobj.array[0].sequenceid == 25'.

           This approach makes the match expressions simpler at the expense of
           having some ambiguities on where the actual matched occurred. If a
           match is desired on a specific operation, a more qualified name can
           be given. In the above example, in order to match the status of the
           PUTFH operation the match expression 'NFS.opputfh.status == 0' can
           be used. On the other hand, consider a compound having multiple
           PUTFH results the above match expression will always match the first
           occurrence of PUTFH where the status is 0. There is no way to tell
           the match engine to match the second or Nth occurrence of an
           operation.
        """
        texpr = self._match_nfs(uargs)
        self.dprint(
            'PKT2', "    %d: match_nfs(%s) -> %r" %
            (self.pkt.record.index, uargs, texpr))
        return texpr

    def _convert_match(self, ast):
        """Convert a parser list match expression into their corresponding
           function calls.

           Example:
               expr = "TCP.flags.ACK == 1 and NFS.argop == 50"
               st = parser.expr(expr)
               ast = parser.st2list(st)
               data =  self._convert_match(ast)

               Returns:
               data = "(self._match('tcp','flags.ACK==1'))and(self._match('nfs','argop==50'))"
        """
        ret = ''
        isin = False
        if not isinstance(ast, list):
            if ast.lower() in _match_func_map:
                # Replace name by its corresponding function name
                return _match_func_map[ast.lower()]
            return ast
        if len(ast) == 2:
            return self._convert_match(ast[1])

        for a in ast[1:]:
            data = self._convert_match(a)
            if data == 'in':
                data = ' in '
                isin = True
                if ret[:5] == "self.":
                    # LHS in the 'in' operator is a packet object
                    self.inlhs = True
                else:
                    # LHS in the 'in' operator is a constant value
                    self.inlhs = False
            ret += data

        if _token_map[ast[0]] == "comparison":
            # Comparison
            if isin:
                regex = re.search(r'(.*)(self\._match)_(\w+)\.(.*)', ret)
                data = regex.groups()
                func = data[1]
                layer = data[2]
                uargs = data[0] + data[3]
            else:
                regex = re.search(r"^((\w+)\()?(self\._match)_(\w+)\.(.*)",
                                  ret)
                data = regex.groups()
                func = data[2]
                layer = data[3]
                if data[0] is None:
                    uargs = data[4]
                else:
                    uargs = data[0] + data[4]
            # Escape all single quotes since the whole string will be quoted
            uargs = re.sub(r"'", "\\'", uargs)
            ret = "(%s('%s','%s'))" % (func, layer, uargs)

        return ret

    def match(self, expr, maxindex=None, rewind=True, reply=False):
        """Return the packet that matches the given expression, also the packet
           index points to the next packet after the matched packet.
           Returns None if packet is not found and the packet index points
           to the packet at the beginning of the search.

           expr:
               String of expressions to be evaluated
           maxindex:
               The match fails if packet index hits this limit
           rewind:
               Rewind to index where matching started if match fails
           reply:
               Match RPC replies of previously matched calls as well

           Examples:
               # Find the packet with both the ACK and SYN TCP flags set to 1
               pkt = x.match("TCP.flags.ACK == 1 and TCP.flags.SYN == 1")

               # Find the next NFS EXCHANGE_ID request
               pkt = x.match("NFS.argop == 42")

               # Find the next NFS EXCHANGE_ID or CREATE_SESSION request
               pkt = x.match("NFS.argop in [42,43]")

               # Find the next NFS OPEN request or reply
               pkt = x.match("NFS.op == 18")

               # Find all packets coming from subnet 192.168.1.0/24 using
               # a regular expression
               while x.match(r"IP.src == re('192\.168\.1\.\d*')"):
                   print x.pkt.tcp

               # Find packet having a GETATTR asking for FATTR4_FS_LAYOUT_TYPES(bit 62)
               pkt_call = x.match("NFS.attr_request & 0x4000000000000000L != 0")
               if pkt_call:
                   # Find GETATTR reply
                   xid = pkt_call.rpc.xid
                   # Find reply where the number 62 is in the array NFS.attributes
                   pkt_reply = x.match("RPC.xid == %d and 62 in NFS.attributes" % xid)

               # Find the next WRITE request
               pkt = x.match("NFS.argop == 38")
               if pkt:
                   print pkt.nfs

               # Same as above, but using membership test operator instead
               if ("NFS.argop == 38" in x):
                   print x.pkt.nfs

           See also:
               match_ethernet(), match_ip(), match_tcp(), match_rpc(), match_nfs()
        """
        # Save current position
        save_index = self.index

        # Parse match expression
        st = parser.expr(expr)
        smap = parser.st2list(st)
        pdata = self._convert_match(smap)
        self.dprint('PKT1', ">>> %d: match(%s)" % (self.index, expr))
        self.reply_matched = False

        # Search one packet at a time
        for pkt in self:
            if maxindex and self.index > maxindex:
                # Hit maxindex limit
                break
            try:
                if reply and pkt == "rpc" and pkt.rpc.type == 1 and pkt.rpc.xid in self._match_xid_list:
                    self.dprint(
                        'PKT1',
                        ">>> %d: match() -> True: reply" % pkt.record.index)
                    self._match_xid_list.remove(pkt.rpc.xid)
                    self.reply_matched = True
                    return pkt
                if eval(pdata):
                    # Return matched packet
                    self.dprint('PKT1',
                                ">>> %d: match() -> True" % pkt.record.index)
                    if reply and pkt == "rpc" and pkt.rpc.type == 0:
                        # Save xid of matched call
                        self._match_xid_list.append(pkt.rpc.xid)
                    return pkt
            except Exception:
                pass

        if rewind:
            # No packet matched, re-position the file pointer back to where
            # the search started
            self.rewind(save_index)
        self.pkt = None
        self.dprint('PKT1', ">>> match() -> False")
        return None

    def show_progress(self, done=False):
        """Display progress bar if enabled and if running on correct terminal"""
        if SHOWPROG and self.showprog and (done or self.index % 500 == 0):
            rows, columns = struct.unpack(
                'hh', fcntl.ioctl(2, termios.TIOCGWINSZ, "1234"))
            if columns < 100:
                sps = 30
            else:
                # Terminal is wide enough, include bytes/sec
                sps = 42
            # Progress bar length
            wlen = int(columns) - len(str_units(self.filesize)) - sps
            # Number of bytes per progress bar unit
            xunit = float(self.filesize) / wlen
            # Progress bar units done so far
            xdone = int(self.offset / xunit)
            xtime = time.time()
            progress = 100.0 * self.offset / self.filesize

            # Display progress only if there is some change in progress
            if (done and not self.progdone) or (self.prevdone != xdone or \
               int(self.prevtime) != int(xtime) or \
               round(self.prevprog) != round(progress)):
                if done:
                    # Do not display progress again when done=True
                    self.progdone = 1
                otime = xtime - self.timestart  # Overall time
                tdelta = xtime - self.prevtime  # Segment time
                self.prevprog = progress
                self.prevdone = xdone
                self.prevtime = xtime
                # Number of progress bar units for completion
                slen = wlen - xdone
                if done:
                    # Overall average bytes/sec
                    bps = self.offset / otime
                else:
                    # Segment average bytes/sec
                    bps = (self.offset - self.prevoff) / tdelta
                self.prevoff = self.offset
                # Progress bar has both foreground and background colors
                # as green and in case the terminal does not support colors
                # then a "=" is displayed instead instead of a green block
                pbar = " [\033[32m\033[42m%s\033[m%s] " % ("=" * xdone,
                                                           " " * slen)
                # Add progress percentage and how many bytes have been
                # processed so far relative to the total number of bytes
                pbar += "%5.1f%% %9s/%s" % (progress, str_units(
                    self.offset), str_units(self.filesize))
                if columns < 100:
                    sys.stderr.write("%s %-6s\r" % (pbar, str_time(otime)))
                else:
                    # Terminal is wide enough, include bytes/sec
                    sys.stderr.write("%s %9s/s %-6s\r" %
                                     (pbar, str_units(bps), str_time(otime)))
                if done:
                    sys.stderr.write("\n")

    @staticmethod
    def escape(data):
        """Escape special characters.

           Examples:
               # Call as an instance
               escaped_data = x.escape(data)

               # Call as a class
               escaped_data = Pktt.escape(data)
        """
        # repr() can escape or not a single quote depending if a double
        # quote is present, just make sure both quotes are escaped correctly
        rdata = repr(data)
        if rdata[0] == '"':
            # Double quotes are escaped
            dquote = r'x22'
            squote = r'\x27'
        else:
            # Single quotes are escaped
            dquote = r'\x22'
            squote = r'x27'
        # Replace all double quotes to its corresponding hex value
        data = re.sub(r'"', dquote, rdata[1:-1])
        # Replace all single quotes to its corresponding hex value
        data = re.sub(r"'", squote, data)
        # Escape all backslashes
        data = re.sub(r'\\', r'\\\\', data)
        return data

    @staticmethod
    def ip_tcp_src_expr(ipaddr, port):
        """Return a match expression to find a packet coming from ipaddr:port.

           Examples:
               # Call as an instance
               expr = x.ip_tcp_src_expr('192.168.1.50', 2049)

               # Call as a class
               expr = Pktt.ip_tcp_src_expr('192.168.1.50', 2049)

               # Returns "IP.src == '192.168.1.50' and TCP.src_port == 2049"
               # Expression ready for x.match()
               pkt = x.match(expr)
        """
        return "IP.src == '%s' and TCP.src_port == %d" % (ipaddr, port)

    @staticmethod
    def ip_tcp_dst_expr(ipaddr, port):
        """Return a match expression to find a packet going to ipaddr:port.

           Examples:
               # Call as an instance
               expr = x.ip_tcp_dst_expr('192.168.1.50', 2049)

               # Call as a class
               expr = Pktt.ip_tcp_dst_expr('192.168.1.50', 2049)

               # Returns "IP.dst == '192.168.1.50' and TCP.dst_port == 2049"
               # Expression ready for x.match()
               pkt = x.match(expr)
        """
        return "IP.dst == '%s' and TCP.dst_port == %d" % (ipaddr, port)
Esempio n. 2
0
class Pktt(BaseObj, Unpack):
    """Packet trace object

       Usage:
           from packet.pktt import Pktt

           x = Pktt("/traces/tracefile.cap")

           # Iterate over all packets found in the trace file
           for pkt in x:
               print pkt
    """
    def __init__(self, tfile, live=False, state=True):
        """Constructor

           Initialize object's private data, note that this will not check the
           file for existence nor will open the file to verify if it is a valid
           tcpdump file. The tcpdump trace file will be opened the first time a
           packet is retrieved.

           tracefile:
               Name of tcpdump trace file or a list of trace file names
               (little or big endian format)
           live:
               If set to True, methods will not return if encountered <EOF>,
               they will keep on trying until more data is available in the
               file. This is useful when running tcpdump in parallel,
               especially when tcpdump is run with the '-C' option, in which
               case when <EOF> is encountered the next trace file created by
               tcpdump will be opened and the object will be re-initialized,
               all private data referencing the previous file is lost.
        """
        self.tfile = tfile  # Current trace file name
        self.bfile = tfile  # Base trace file name
        self.live = live  # Set to True if dealing with a live tcpdump file
        self.offset = 0  # Current file offset
        self.boffset = 0  # File offset of current packet
        self.ioffset = 0  # File offset of first packet
        self.index = 0  # Current packet index
        self.mindex = 0  # Maximum packet index for current trace file
        self.findex = 0  # Current tcpdump file index (used with self.live)
        self.fh = None  # Current file handle
        self.eof = False  # End of file marker for current packet trace
        self.serial = False  # Processing trace files serially
        self.pkt = None  # Current packet
        self.pkt_call = None  # The current packet call if self.pkt is a reply
        self.pktt_list = []  # List of Pktt objects created
        self.tfiles = []  # List of packet trace files

        # TCP stream map: to keep track of the different TCP streams within
        # the trace file -- used to deal with RPC packets spanning multiple
        # TCP packets or to handle a TCP packet having multiple RPC packets
        self._tcp_stream_map = {}

        # RPC xid map: to keep track of packet calls
        self._rpc_xid_map = {}

        # Process tfile argument
        if isinstance(tfile, list):
            # The argument tfile is given as a list of packet trace files
            self.tfiles = tfile
            if len(self.tfiles) == 1:
                # Only one file is given
                self.tfile = self.tfiles[0]
            else:
                # Create all packet trace objects
                for tfile in self.tfiles:
                    self.pktt_list.append(Pktt(tfile))

    def __del__(self):
        """Destructor

           Gracefully close the tcpdump trace file if it is opened.
        """
        if self.fh:
            self.fh.close()

    def __iter__(self):
        """Make this object iterable."""
        return self

    def __contains__(self, expr):
        """Implement membership test operator.
           Return true if expr matches a packet in the trace file,
           false otherwise.

           The packet is also stored in the object attribute pkt.

           Examples:
               # Find the next READ request
               if ("NFS.argop == 25" in x):
                   print x.pkt.nfs

           See match() method for more information
        """
        pkt = self.match(expr)
        return (pkt is not None)

    def __getitem__(self, index):
        """Get the packet from the trace file given by the index
           or raise IndexError.

           The packet is also stored in the object attribute pkt.

           Examples:
               pkt = x[index]
        """
        self.dprint('PKT4', ">>> __getitem__(%d)" % index)
        if index < 0:
            # No negative index is allowed
            raise IndexError

        try:
            if index == self.pkt.record.index:
                # The requested packet is in memory, just return it
                return self.pkt
        except:
            pass

        if index < self.index:
            # Reset the current packet index and offset
            # The index is less than the current packet offset so position
            # the file pointer to the offset of the packet given by index
            self.rewind(index)

        # Move to the packet specified by the index
        pkt = None
        while self.index <= index:
            try:
                pkt = self.next()
            except:
                break

        if pkt is None:
            raise IndexError
        return pkt

    def next(self):
        """Get the next packet from the trace file or raise StopIteration.

           The packet is also stored in the object attribute pkt.

           Examples:
               # Iterate over all packets found in the trace file using
               # the iterable properties of the object
               for pkt in x:
                   print pkt

               # Iterate over all packets found in the trace file using it
               # as a method and using the object variable as the packet
               # Must use the try statement to catch StopIteration exception
               try:
                   while (x.next()):
                       print x.pkt
               except StopIteration:
                   pass

               # Iterate over all packets found in the trace file using it
               # as a method and using the return value as the packet
               # Must use the try statement to catch StopIteration exception
               while True:
                   try:
                       print x.next()
                   except StopIteration:
                       break

           NOTE:
               Supports only single active iteration
        """
        self.dprint('PKT4', ">>> %d: next()" % self.index)
        # Initialize next packet
        self.pkt = Pkt()

        if len(self.pktt_list) > 1:
            # Dealing with multiple trace files
            minsecs = None
            pktt_obj = None
            for obj in self.pktt_list:
                if obj.pkt is None:
                    # Get first packet for this packet trace object
                    try:
                        obj.next()
                    except StopIteration:
                        obj.mindex = self.index
                if obj.eof:
                    continue
                if minsecs is None or obj.pkt.record.secs < minsecs:
                    minsecs = obj.pkt.record.secs
                    pktt_obj = obj
            if pktt_obj is None:
                # All packet trace files have been processed
                raise StopIteration
            elif len(self._tcp_stream_map):
                # This packet trace file should be processed serially
                # Have all state transferred to next packet object
                pktt_obj.rewind()
                pktt_obj._tcp_stream_map = self._tcp_stream_map
                pktt_obj._rpc_xid_map = self._rpc_xid_map
                self._tcp_stream_map = {}
                self._rpc_xid_map = {}
                pktt_obj.next()

            # Overwrite attributes seen by the caller with the attributes
            # from the current packet trace object
            self.pkt = pktt_obj.pkt
            self.pkt_call = pktt_obj.pkt_call
            self.tfile = pktt_obj.tfile
            self.pkt.record.index = self.index  # Use a cumulative index

            try:
                # Get next packet for this packet trace object
                pktt_obj.next()
            except StopIteration:
                # Set maximum packet index for this packet trace object to
                # be used by rewind to select the proper packet trace object
                pktt_obj.mindex = self.index
                # Check if objects should be serially processed
                pktt_obj.serial = False
                for obj in self.pktt_list:
                    if not obj.eof:
                        if obj.index > 1:
                            pktt_obj.serial = False
                            break
                        elif obj.index == 1:
                            pktt_obj.serial = True
                if pktt_obj.serial:
                    # Save current state
                    self._tcp_stream_map = pktt_obj._tcp_stream_map
                    self._rpc_xid_map = pktt_obj._rpc_xid_map

            # Increment cumulative packet index
            self.index += 1
            return self.pkt

        # Save file offset for this packet
        self.boffset = self.offset

        # Get record header
        data = self._read(16)
        if len(data) < 16:
            self.eof = True
            raise StopIteration
        # Decode record header
        record = Record(self, data)

        # Get record data and create Unpack object
        self.unpack = Unpack(self._read(record.length_inc))
        if self.unpack.size() < record.length_inc:
            # Record has been truncated, stop iteration
            raise StopIteration

        if self.header.link_type == 1:
            # Decode ethernet layer
            ETHERNET(self)
        else:
            # Unknown link layer
            record.data = self.unpack.getbytes()

        # Increment packet index
        self.index += 1

        return self.pkt

    def rewind(self, index=0):
        """Rewind the trace file by setting the file pointer to the start of
           the given packet index. Returns False if unable to rewind the file,
           e.g., when the given index is greater than the maximum number
           of packets processed so far.
        """
        self.dprint('PKT1', ">>> rewind(%d)" % index)
        if index >= 0 and index < self.index:
            if len(self.pktt_list) > 1:
                # Dealing with multiple trace files
                self.index = 0
                for obj in self.pktt_list:
                    if not obj.eof or index <= obj.mindex:
                        obj.rewind()
                        try:
                            obj.next()
                        except StopIteration:
                            pass
                    elif obj.serial and index > obj.mindex:
                        self.index = obj.mindex + 1
            else:
                # Reset the current packet index and offset to the first packet
                self.offset = self.ioffset
                self.index = 0
                self.eof = False

                # Position the file pointer to the offset of the first packet
                self._getfh().seek(self.offset)

                # Clear state
                self._tcp_stream_map = {}
                self._rpc_xid_map = {}

            # Move to the packet before the specified by the index so the
            # next packet fetched will be the one given by index
            while self.index < index:
                try:
                    pkt = self.next()
                except:
                    break

            # Rewind succeeded
            return True
        return False

    def _getfh(self):
        """Get the filehandle of the trace file, open file if necessary."""
        if self.fh == None:
            # Check size of file
            fstat = os.stat(self.tfile)
            if fstat.st_size == 0:
                raise Exception("Packet trace file is empty")

            # Open trace file
            self.fh = open(self.tfile, 'rb')

            iszip = False
            self.header_fmt = None
            while self.header_fmt is None:
                # Initialize offset
                self.offset = 0

                # Get file identifier
                try:
                    self.ident = self._read(4)
                except:
                    self.ident = ""

                if self.ident == '\324\303\262\241':
                    # Little endian
                    self.header_fmt = '<HHIIII'
                    self.header_rec = '<IIII'
                elif self.ident == '\241\262\303\324':
                    # Big endian
                    self.header_fmt = '>HHIIII'
                    self.header_rec = '>IIII'
                else:
                    if iszip:
                        raise Exception('Not a tcpdump file')
                    iszip = True
                    self.fh.seek(0)
                    # Try if this is a gzip compress file
                    self.fh = gzip.GzipFile(fileobj=self.fh)

            # Get header information
            self.header = Header(self)

            # Initialize packet number
            self.index = 0
            self.tstart = None
            self.ioffset = self.offset

        return self.fh

    def _read(self, count):
        """Wrapper for read in order to increment the object's offset. It also
           takes care of <EOF> when 'live' option is set which keeps on trying
           to read and switching files when needed.
        """
        while True:
            # Read number of bytes specified
            data = self._getfh().read(count)
            ldata = len(data)
            if self.live and ldata != count:
                # Not all data was read (<EOF>)
                tracefile = "%s%d" % (self.bfile, self.findex + 1)
                # Check if next trace file exists
                if os.path.isfile(tracefile):
                    # Save information that keeps track of the next trace file
                    basefile = self.bfile
                    findex = self.findex + 1
                    # Re-initialize the object
                    self.__del__()
                    self.__init__(tracefile, live=self.live)
                    # Overwrite next trace file info
                    self.bfile = basefile
                    self.findex = findex
                # Re-position file pointer to last known offset
                self._getfh().seek(self.offset)
                time.sleep(1)
            else:
                break

        # Increment object's offset by the amount of data read
        self.offset += ldata
        return data

    def _split_match(self, args):
        """Split match arguments and return a tuple (lhs, opr, rhs)
           where lhs is the left hand side of the given argument expression,
           opr is the operation and rhs is the right hand side of the given
           argument expression:

               <lhs> <opr> <rhs>

           Valid opr values are: ==, !=, <, >, <=, >=, in
        """
        m = re.search(r"([^!=<>]+)\s*([!=<>]+|in)\s*(.*)", args)
        lhs = m.group(1).rstrip()
        opr = m.group(2)
        rhs = m.group(3)
        return (lhs, opr, rhs)

    def _process_match(self, obj, lhs, opr, rhs):
        """Process "regex" and 'in' operator on match expression.
           Regular expression is given as re('regex') and converted to a
           proper regex re.search('regex', data), where data is the object
           compose of obj and lhs|rhs depending on opr. The argument obj
           is an object prefix.

           If opr is a comparison operation (==, !=, etc.), both obj and lhs
           will be the actual LHS and rhs will be the actual RHS.
           If opr is 'in', lhs will be the actual LHS and both obj and rhs
           will be the actual RHS.

           Return the processed match expression.

           Examples:
               # Regular expression processing
               expr = x._process_match('self.pkt.ip.', 'src', '==', "re(r'192\.*')")

               Returns the following expression ready to be evaluated:
               expr = "re.search(r'192\.*', str(self.pkt,ip.src))"

               # Object prefix processing
               expr = x._process_match('item.', 'argop', '==', '25')

               Returns the following expression ready to be evaluated:
               expr = "item.argop==25"

               # Membership (in) processing
               expr = x._process_match('item.', '62', 'in', 'obj_attributes')

               Returns the following expression ready to be evaluated:
               expr = "62 in item.obj_attributes"
        """
        if rhs[:3] == 're(':
            # Regular expression, it must be in rhs
            rhs = "re.search" + rhs[2:]
            if opr == "!=":
                rhs = "not " + rhs
            expr = rhs[:-1] + ", str(" + obj + lhs + "))"
        elif opr == 'in':
            if self.inlhs:
                expr = obj + lhs + ' ' + opr + ' ' + rhs
            else:
                expr = lhs + ' ' + opr + ' ' + obj + rhs
        else:
            expr = obj + lhs + opr + rhs

        return expr

    def _match(self, layer, args):
        """Default match function."""
        obj = "self.pkt.%s." % layer.lower()
        lhs, opr, rhs = self._split_match(args)
        expr = self._process_match(obj, lhs, opr, rhs)
        texpr = eval(expr)
        self.dprint(
            'PKT2', "    %d: match_%s(%s) -> %r" %
            (self.pkt.record.index, layer, args, texpr))
        return texpr

    def match_ethernet(self, args):
        """Match ETHERNET values on current packet.

           See ETHERNET() object for more information
        """
        return self._match('ethernet', args)

    def match_ip(self, args):
        """Match IP values on current packet.

           See IPv4() and IPv6() object for more information
        """
        return self._match('ip', args)

    def match_tcp(self, args):
        """Match TCP values on current packet.

           See TCP() object for more information
        """
        return self._match('tcp', args)

    def match_rpc(self, args):
        """Match RPC values on current packet.

           See RPC() object for more information
        """
        return self._match('rpc', args)

    def _match_nfs(self, args):
        """Match NFS values on current packet."""
        array = None
        isarg = True
        lhs, opr, rhs = self._split_match(args)

        if _nfsopmap.get(lhs):
            try:
                # Top level NFS packet info
                expr = self._process_match("self.pkt.nfs.", lhs, opr, rhs)
                return eval(expr)
            except Exception:
                return False

        try:
            array = self.pkt.nfs.argarray
        except Exception:
            try:
                array = self.pkt.nfs.resarray
                isarg = False
            except Exception:
                # No NFS or no compound call/reply
                return False

        idx = 0
        for item in array:
            try:
                if isarg:
                    op = "item.arg"
                else:
                    op = "item.res"

                if lhs == 'op':
                    obj_prefix = op
                else:
                    obj_prefix = "item."

                # Get expression to eval
                expr = self._process_match(obj_prefix, lhs, opr, rhs)
                if eval(expr):
                    self.pkt.NFSop = item
                    self.pkt.NFSidx = idx
                    return True
            except Exception:
                # Continue searching
                pass
            idx += 1
        return False

    def match_nfs(self, args):
        """Match NFS values on current packet.

           In NFSv4, there is a single compound procedure with multiple
           operations, matching becomes a little bit tricky in order to make
           the matching expression easy to use. The NFS object's name space
           gets converted into a flat name space for the sole purpose of
           matching. In other words, all operation objects in argarray or
           resarray are treated as being part of the NFS object's top level
           attributes.

           Consider the following NFS object:
               nfsobj = COMPOUND4res(
                   status=NFS4_OK,
                   tag='NFSv4_tag',
                   resarray=[
                       nfs_resop4(
                           resop=OP_SEQUENCE,
                           opsequence=SEQUENCE4res(
                               sr_status=NFS4_OK,
                               sr_resok4=SEQUENCE4resok(
                                   sr_sessionid='sessionid',
                                   sr_sequenceid=25,
                                   sr_slotid=0,
                                   sr_highest_slotid=0,
                                   sr_target_highest_slotid=15,
                                   sr_status_flags=0,
                               )
                           )
                       ),
                       nfs_resop4(
                           resop=OP_PUTFH,
                           opputfh=PUTFH4res(
                               status=NFS4_OK
                           )
                       ),
                       ...
                   ]
               ),

           The result for operation PUTFH is the second in the list:
               putfh = nfsobj.resarray[1]

           From this putfh object the status operation can be accessed as:
               status = putfh.opputfh.status

           or simply as (this is how the NFS object works):
               status = putfh.status

           In this example, the following match expression 'NFS.status == 0'
           could match the top level status of the compound (nfsobj.status)
           or the putfh status (nfsobj.resarray[1].status)

           The following match expression 'NFS.sr_sequenceid == 25' will also
           match this packet as well, even though the actual expression should
           be 'nfsobj.resarray[0].opsequence.sr_resok4.sr_sequenceid == 25' or
           simply 'nfsobj.resarray[0].sr_sequenceid == 25'.

           This approach makes the match expressions simpler at the expense of
           having some ambiguities on where the actual matched occurred. If a
           match is desired on a specific operation, a more qualified name can
           be given. In the above example, in order to match the status of the
           PUTFH operation the match expression 'NFS.opputfh.status == 0' can
           be used. On the other hand, consider a compound having multiple
           PUTFH results the above match expression will always match the first
           occurrence of PUTFH where the status is 0. There is no way to tell
           the match engine to match the second or Nth occurrence of an
           operation.
        """
        texpr = self._match_nfs(args)
        self.dprint(
            'PKT2', "    %d: match_nfs(%s) -> %r" %
            (self.pkt.record.index, args, texpr))
        return texpr

    def _convert_match(self, ast):
        """Convert a parser list match expression into their corresponding
           function calls.

           Example:
               expr = "TCP.flags.ACK == 1 and NFS.argop == 50"
               st = parser.expr(expr)
               ast = parser.st2list(st)
               data =  self._convert_match(ast)

               Returns:
               data = "(self.match_tcp('flags.ACK==1'))and(self.match_nfs('argop==50'))"
        """
        ret = ''
        isin = False
        if not isinstance(ast, list):
            if ast in _match_func_map:
                # Replace name by its corresponding function name
                return _match_func_map[ast]
            return ast
        if len(ast) == 2:
            return self._convert_match(ast[1])

        for a in ast[1:]:
            data = self._convert_match(a)
            if data == 'in':
                data = ' in '
                isin = True
                if ret[:5] == "self.":
                    # LHS in the 'in' operator is a packet object
                    self.inlhs = True
                else:
                    # LHS in the 'in' operator is a constant value
                    self.inlhs = False
            ret += data

        if _token_map[ast[0]] == "comparison":
            # Comparison
            if isin:
                m = re.search(r'(.*)(self\.match_\w+)\.(.*)', ret)
                func = m.group(2)
                args = m.group(1) + m.group(3)
            else:
                m = re.search(r"^(self\.match_\w+)\.(.*)", ret)
                func = m.group(1)
                args = m.group(2)
            # Escape all single quotes since the whole string will be quoted
            args = re.sub(r"'", "\\'", args)
            ret = "(%s('%s'))" % (func, args)

        return ret

    def match(self, expr, maxindex=None):
        """Return the packet that matches the given expression, also the packet
           index points to the next packet after the matched packet.
           Returns None if packet is not found and the packet index points
           to the packet at the beginning of the search.

           expr:
               String of expressions to be evaluated
           maxindex:
               The match fails if packet index hits this limit

           Examples:
               # Find the packet with both the ACK and SYN TCP flags set to 1
               pkt = x.match("TCP.flags.ACK == 1 and TCP.flags.SYN == 1")

               # Find the next NFS EXCHANGE_ID request
               pkt = x.match("NFS.argop == 42")

               # Find the next NFS EXCHANGE_ID or CREATE_SESSION request
               pkt = x.match("NFS.argop in [42,43]")

               # Find the next NFS OPEN request or reply
               pkt = x.match("NFS.op == 18")

               # Find all packets coming from subnet 192.168.1.0/24 using
               # a regular expression
               while x.match(r"IP.src == re('192\.168\.1\.\d*')"):
                   print x.pkt.tcp

               # Find packet having a GETATTR asking for FATTR4_FS_LAYOUT_TYPE(bit 62)
               pkt_call = x.match("NFS.attr_request & 0x4000000000000000L != 0")
               if pkt_call:
                   # Find GETATTR reply
                   xid = pkt_call.rpc.xid
                   # Find reply where the number 62 is in the array NFS.obj_attributes
                   pkt_reply = x.match("RPC.xid == %d and 62 in NFS.obj_attributes" % xid)

               # Find the next WRITE request
               pkt = x.match("NFS.argop == 38")
               if pkt:
                   print pkt.nfs

               # Same as above, but using membership test operator instead
               if ("NFS.argop == 38" in x):
                   print x.pkt.nfs

           See also:
               match_ethernet(), match_ip(), match_tcp(), match_rpc(), match_nfs()
        """
        # Save current position
        save_index = self.index

        # Parse match expression
        st = parser.expr(expr)
        smap = parser.st2list(st)
        pdata = self._convert_match(smap)
        self.dprint('PKT1', ">>> %d: match(%s)" % (self.index, expr))

        # Search one packet at a time
        for pkt in self:
            if maxindex and self.index > maxindex:
                # Hit maxindex limit
                break
            try:
                if eval(pdata):
                    # Return matched packet
                    self.dprint('PKT1',
                                ">>> %d: match() -> True" % pkt.record.index)
                    return pkt
            except Exception:
                pass

        # No packet matched, re-position the file pointer back to where
        # the search started
        self.rewind(save_index)
        self.pkt = None
        self.dprint('PKT1', ">>> match() -> False")
        return None

    @staticmethod
    def escape(data):
        """Escape special characters.

           Examples:
               # Call as an instance
               escaped_data = x.escape(data)

               # Call as a class
               escaped_data = Pktt.escape(data)
        """
        # repr() can escape or not a single quote depending if a double
        # quote is present, just make sure both quotes are escaped correctly
        rdata = repr(data)
        if rdata[0] == '"':
            # Double quotes are escaped
            dquote = r'x22'
            squote = r'\x27'
        else:
            # Single quotes are escaped
            dquote = r'\x22'
            squote = r'x27'
        # Replace all double quotes to its corresponding hex value
        data = re.sub(r'"', dquote, rdata[1:-1])
        # Replace all single quotes to its corresponding hex value
        data = re.sub(r"'", squote, data)
        # Escape all backslashes
        data = re.sub(r'\\', r'\\\\', data)
        return data

    @staticmethod
    def ip_tcp_src_expr(ipaddr, port):
        """Return a match expression to find a packet coming from ipaddr:port.

           Examples:
               # Call as an instance
               expr = x.ip_tcp_src_expr('192.168.1.50', 2049)

               # Call as a class
               expr = Pktt.ip_tcp_src_expr('192.168.1.50', 2049)

               # Returns "IP.src == '192.168.1.50' and TCP.src_port == 2049"
               # Expression ready for x.match()
               pkt = x.match(expr)
        """
        return "IP.src == '%s' and TCP.src_port == %d" % (ipaddr, port)

    @staticmethod
    def ip_tcp_dst_expr(ipaddr, port):
        """Return a match expression to find a packet going to ipaddr:port.

           Examples:
               # Call as an instance
               expr = x.ip_tcp_dst_expr('192.168.1.50', 2049)

               # Call as a class
               expr = Pktt.ip_tcp_dst_expr('192.168.1.50', 2049)

               # Returns "IP.dst == '192.168.1.50' and TCP.dst_port == 2049"
               # Expression ready for x.match()
               pkt = x.match(expr)
        """
        return "IP.dst == '%s' and TCP.dst_port == %d" % (ipaddr, port)
Esempio n. 3
0
class Pktt(BaseObj, Unpack):
    """Packet trace object

       Usage:
           from packet.pktt import Pktt

           x = Pktt("/traces/tracefile.cap")

           # Iterate over all packets found in the trace file
           for pkt in x:
               print pkt
    """
    def __init__(self, tfile, live=False, state=True):
        """Constructor

           Initialize object's private data, note that this will not check the
           file for existence nor will open the file to verify if it is a valid
           tcpdump file. The tcpdump trace file will be opened the first time a
           packet is retrieved.

           tracefile:
               Name of tcpdump trace file or a list of trace file names
               (little or big endian format)
           live:
               If set to True, methods will not return if encountered <EOF>,
               they will keep on trying until more data is available in the
               file. This is useful when running tcpdump in parallel,
               especially when tcpdump is run with the '-C' option, in which
               case when <EOF> is encountered the next trace file created by
               tcpdump will be opened and the object will be re-initialized,
               all private data referencing the previous file is lost.
        """
        self.tfile   = tfile  # Current trace file name
        self.bfile   = tfile  # Base trace file name
        self.live    = live   # Set to True if dealing with a live tcpdump file
        self.offset  = 0      # Current file offset
        self.boffset = 0      # File offset of current packet
        self.ioffset = 0      # File offset of first packet
        self.index   = 0      # Current packet index
        self.mindex  = 0      # Maximum packet index for current trace file
        self.findex  = 0      # Current tcpdump file index (used with self.live)
        self.fh      = None   # Current file handle
        self.eof     = False  # End of file marker for current packet trace
        self.serial  = False  # Processing trace files serially
        self.pkt     = None   # Current packet
        self.pkt_call  = None # The current packet call if self.pkt is a reply
        self.pktt_list = []   # List of Pktt objects created
        self.tfiles    = []   # List of packet trace files

        # TCP stream map: to keep track of the different TCP streams within
        # the trace file -- used to deal with RPC packets spanning multiple
        # TCP packets or to handle a TCP packet having multiple RPC packets
        self._tcp_stream_map = {}

        # RPC xid map: to keep track of packet calls
        self._rpc_xid_map = {}

        # Process tfile argument
        if isinstance(tfile, list):
            # The argument tfile is given as a list of packet trace files
            self.tfiles = tfile
            if len(self.tfiles) == 1:
                # Only one file is given
                self.tfile = self.tfiles[0]
            else:
                # Create all packet trace objects
                for tfile in self.tfiles:
                    self.pktt_list.append(Pktt(tfile))

    def __del__(self):
        """Destructor

           Gracefully close the tcpdump trace file if it is opened.
        """
        if self.fh:
            self.fh.close()

    def __iter__(self):
        """Make this object iterable."""
        return self

    def __contains__(self, expr):
        """Implement membership test operator.
           Return true if expr matches a packet in the trace file,
           false otherwise.

           The packet is also stored in the object attribute pkt.

           Examples:
               # Find the next READ request
               if ("NFS.argop == 25" in x):
                   print x.pkt.nfs

           See match() method for more information
        """
        pkt = self.match(expr)
        return (pkt is not None)

    def __getitem__(self, index):
        """Get the packet from the trace file given by the index
           or raise IndexError.

           The packet is also stored in the object attribute pkt.

           Examples:
               pkt = x[index]
        """
        self.dprint('PKT4', ">>> __getitem__(%d)" % index)
        if index < 0:
            # No negative index is allowed
            raise IndexError

        try:
            if index == self.pkt.record.index:
                # The requested packet is in memory, just return it
                return self.pkt
        except:
            pass

        if index < self.index:
            # Reset the current packet index and offset
            # The index is less than the current packet offset so position
            # the file pointer to the offset of the packet given by index
            self.rewind(index)

        # Move to the packet specified by the index
        pkt = None
        while self.index <= index:
            try:
                pkt = self.next()
            except:
                break

        if pkt is None:
            raise IndexError
        return pkt

    def next(self):
        """Get the next packet from the trace file or raise StopIteration.

           The packet is also stored in the object attribute pkt.

           Examples:
               # Iterate over all packets found in the trace file using
               # the iterable properties of the object
               for pkt in x:
                   print pkt

               # Iterate over all packets found in the trace file using it
               # as a method and using the object variable as the packet
               # Must use the try statement to catch StopIteration exception
               try:
                   while (x.next()):
                       print x.pkt
               except StopIteration:
                   pass

               # Iterate over all packets found in the trace file using it
               # as a method and using the return value as the packet
               # Must use the try statement to catch StopIteration exception
               while True:
                   try:
                       print x.next()
                   except StopIteration:
                       break

           NOTE:
               Supports only single active iteration
        """
        self.dprint('PKT4', ">>> %d: next()" % self.index)
        # Initialize next packet
        self.pkt = Pkt()

        if len(self.pktt_list) > 1:
            # Dealing with multiple trace files
            minsecs  = None
            pktt_obj = None
            for obj in self.pktt_list:
                if obj.pkt is None:
                    # Get first packet for this packet trace object
                    try:
                        obj.next()
                    except StopIteration:
                        obj.mindex = self.index
                if obj.eof:
                    continue
                if minsecs is None or obj.pkt.record.secs < minsecs:
                    minsecs = obj.pkt.record.secs
                    pktt_obj = obj
            if pktt_obj is None:
                # All packet trace files have been processed
                raise StopIteration
            elif len(self._tcp_stream_map):
                # This packet trace file should be processed serially
                # Have all state transferred to next packet object
                pktt_obj.rewind()
                pktt_obj._tcp_stream_map = self._tcp_stream_map
                pktt_obj._rpc_xid_map    = self._rpc_xid_map
                self._tcp_stream_map = {}
                self._rpc_xid_map    = {}
                pktt_obj.next()

            # Overwrite attributes seen by the caller with the attributes
            # from the current packet trace object
            self.pkt = pktt_obj.pkt
            self.pkt_call = pktt_obj.pkt_call
            self.tfile = pktt_obj.tfile
            self.pkt.record.index = self.index  # Use a cumulative index

            try:
                # Get next packet for this packet trace object
                pktt_obj.next()
            except StopIteration:
                # Set maximum packet index for this packet trace object to
                # be used by rewind to select the proper packet trace object
                pktt_obj.mindex = self.index
                # Check if objects should be serially processed
                pktt_obj.serial = False
                for obj in self.pktt_list:
                    if not obj.eof:
                        if obj.index > 1:
                            pktt_obj.serial = False
                            break
                        elif obj.index == 1:
                            pktt_obj.serial = True
                if pktt_obj.serial:
                    # Save current state
                    self._tcp_stream_map = pktt_obj._tcp_stream_map
                    self._rpc_xid_map    = pktt_obj._rpc_xid_map

            # Increment cumulative packet index
            self.index += 1
            return self.pkt

        # Save file offset for this packet
        self.boffset = self.offset

        # Get record header
        data = self._read(16)
        if len(data) < 16:
            self.eof = True
            raise StopIteration
        # Decode record header
        record = Record(self, data)

        # Get record data and create Unpack object
        self.unpack = Unpack(self._read(record.length_inc))
        if self.unpack.size() < record.length_inc:
            # Record has been truncated, stop iteration
            raise StopIteration

        if self.header.link_type == 1:
            # Decode ethernet layer
            ETHERNET(self)
        else:
            # Unknown link layer
            record.data = self.unpack.getbytes()

        # Increment packet index
        self.index += 1

        return self.pkt

    def rewind(self, index=0):
        """Rewind the trace file by setting the file pointer to the start of
           the given packet index. Returns False if unable to rewind the file,
           e.g., when the given index is greater than the maximum number
           of packets processed so far.
        """
        self.dprint('PKT1', ">>> rewind(%d)" % index)
        if index >= 0 and index < self.index:
            if len(self.pktt_list) > 1:
                # Dealing with multiple trace files
                self.index = 0
                for obj in self.pktt_list:
                    if not obj.eof or index <= obj.mindex:
                        obj.rewind()
                        try:
                            obj.next()
                        except StopIteration:
                            pass
                    elif obj.serial and index > obj.mindex:
                        self.index = obj.mindex + 1
            else:
                # Reset the current packet index and offset to the first packet
                self.offset = self.ioffset
                self.index  = 0
                self.eof    = False

                # Position the file pointer to the offset of the first packet
                self._getfh().seek(self.offset)

                # Clear state
                self._tcp_stream_map = {}
                self._rpc_xid_map    = {}

            # Move to the packet before the specified by the index so the
            # next packet fetched will be the one given by index
            while self.index < index:
                try:
                    pkt = self.next()
                except:
                    break

            # Rewind succeeded
            return True
        return False

    def _getfh(self):
        """Get the filehandle of the trace file, open file if necessary."""
        if self.fh == None:
            # Check size of file
            fstat = os.stat(self.tfile)
            if fstat.st_size == 0:
                raise Exception("Packet trace file is empty")

            # Open trace file
            self.fh = open(self.tfile, 'rb')

            iszip = False
            self.header_fmt = None
            while self.header_fmt is None:
                # Initialize offset
                self.offset = 0

                # Get file identifier
                try:
                    self.ident = self._read(4)
                except:
                    self.ident = ""

                if self.ident == '\324\303\262\241':
                    # Little endian
                    self.header_fmt = '<HHIIII'
                    self.header_rec = '<IIII'
                elif self.ident == '\241\262\303\324':
                    # Big endian
                    self.header_fmt = '>HHIIII'
                    self.header_rec = '>IIII'
                else:
                    if iszip:
                        raise Exception('Not a tcpdump file')
                    iszip = True
                    self.fh.seek(0)
                    # Try if this is a gzip compress file
                    self.fh = gzip.GzipFile(fileobj=self.fh)

            # Get header information
            self.header = Header(self)

            # Initialize packet number
            self.index   = 0
            self.tstart  = None
            self.ioffset = self.offset

        return self.fh

    def _read(self, count):
        """Wrapper for read in order to increment the object's offset. It also
           takes care of <EOF> when 'live' option is set which keeps on trying
           to read and switching files when needed.
        """
        while True:
            # Read number of bytes specified
            data = self._getfh().read(count)
            ldata = len(data)
            if self.live and ldata != count:
                # Not all data was read (<EOF>)
                tracefile = "%s%d" % (self.bfile, self.findex+1)
                # Check if next trace file exists
                if os.path.isfile(tracefile):
                    # Save information that keeps track of the next trace file
                    basefile = self.bfile
                    findex = self.findex + 1
                    # Re-initialize the object
                    self.__del__()
                    self.__init__(tracefile, live=self.live)
                    # Overwrite next trace file info
                    self.bfile = basefile
                    self.findex = findex
                # Re-position file pointer to last known offset
                self._getfh().seek(self.offset)
                time.sleep(1)
            else:
                break

        # Increment object's offset by the amount of data read
        self.offset += ldata
        return data

    def _split_match(self, args):
        """Split match arguments and return a tuple (lhs, opr, rhs)
           where lhs is the left hand side of the given argument expression,
           opr is the operation and rhs is the right hand side of the given
           argument expression:

               <lhs> <opr> <rhs>

           Valid opr values are: ==, !=, <, >, <=, >=, in
        """
        m = re.search(r"([^!=<>]+)\s*([!=<>]+|in)\s*(.*)", args)
        lhs = m.group(1).rstrip()
        opr = m.group(2)
        rhs = m.group(3)
        return (lhs, opr, rhs)

    def _process_match(self, obj, lhs, opr, rhs):
        """Process "regex" and 'in' operator on match expression.
           Regular expression is given as re('regex') and converted to a
           proper regex re.search('regex', data), where data is the object
           compose of obj and lhs|rhs depending on opr. The argument obj
           is an object prefix.

           If opr is a comparison operation (==, !=, etc.), both obj and lhs
           will be the actual LHS and rhs will be the actual RHS.
           If opr is 'in', lhs will be the actual LHS and both obj and rhs
           will be the actual RHS.

           Return the processed match expression.

           Examples:
               # Regular expression processing
               expr = x._process_match('self.pkt.ip.', 'src', '==', "re(r'192\.*')")

               Returns the following expression ready to be evaluated:
               expr = "re.search(r'192\.*', str(self.pkt,ip.src))"

               # Object prefix processing
               expr = x._process_match('item.', 'argop', '==', '25')

               Returns the following expression ready to be evaluated:
               expr = "item.argop==25"

               # Membership (in) processing
               expr = x._process_match('item.', '62', 'in', 'obj_attributes')

               Returns the following expression ready to be evaluated:
               expr = "62 in item.obj_attributes"
        """
        if rhs[:3] == 're(':
            # Regular expression, it must be in rhs
            rhs = "re.search" + rhs[2:]
            if opr == "!=":
                rhs = "not " + rhs
            expr = rhs[:-1] + ", str(" + obj + lhs +  "))"
        elif opr == 'in':
            if self.inlhs:
                expr = obj + lhs + ' ' + opr + ' ' + rhs
            else:
                expr = lhs + ' ' + opr + ' ' + obj + rhs
        else:
            expr = obj + lhs + opr + rhs

        return expr

    def _match(self, layer, args):
        """Default match function."""
        obj = "self.pkt.%s." % layer.lower()
        lhs, opr, rhs = self._split_match(args)
        expr = self._process_match(obj, lhs, opr, rhs)
        texpr = eval(expr)
        self.dprint('PKT2', "    %d: match_%s(%s) -> %r" % (self.pkt.record.index, layer, args, texpr))
        return texpr

    def match_ethernet(self, args):
        """Match ETHERNET values on current packet.

           See ETHERNET() object for more information
        """
        return self._match('ethernet', args)

    def match_ip(self, args):
        """Match IP values on current packet.

           See IPv4() and IPv6() object for more information
        """
        return self._match('ip', args)

    def match_tcp(self, args):
        """Match TCP values on current packet.

           See TCP() object for more information
        """
        return self._match('tcp', args)

    def match_rpc(self, args):
        """Match RPC values on current packet.

           See RPC() object for more information
        """
        return self._match('rpc', args)

    def _match_nfs(self, args):
        """Match NFS values on current packet."""
        array = None
        isarg = True
        lhs, opr, rhs = self._split_match(args)

        if _nfsopmap.get(lhs):
            try:
                # Top level NFS packet info
                expr = self._process_match("self.pkt.nfs.", lhs, opr, rhs)
                return eval(expr)
            except Exception:
                return False

        try:
            array = self.pkt.nfs.argarray
        except Exception:
            try:
                array  = self.pkt.nfs.resarray
                isarg = False
            except Exception:
                # No NFS or no compound call/reply
                return False

        idx = 0
        for item in array:
            try:
                if isarg:
                    op  = "item.arg"
                else:
                    op  = "item.res"

                if lhs == 'op':
                    obj_prefix = op
                else:
                    obj_prefix = "item."

                # Get expression to eval
                expr = self._process_match(obj_prefix, lhs, opr, rhs)
                if eval(expr):
                    self.pkt.NFSop = item
                    self.pkt.NFSidx = idx
                    return True
            except Exception:
                # Continue searching
                pass
            idx += 1
        return False

    def match_nfs(self, args):
        """Match NFS values on current packet.

           In NFSv4, there is a single compound procedure with multiple
           operations, matching becomes a little bit tricky in order to make
           the matching expression easy to use. The NFS object's name space
           gets converted into a flat name space for the sole purpose of
           matching. In other words, all operation objects in argarray or
           resarray are treated as being part of the NFS object's top level
           attributes.

           Consider the following NFS object:
               nfsobj = COMPOUND4res(
                   status=NFS4_OK,
                   tag='NFSv4_tag',
                   resarray=[
                       nfs_resop4(
                           resop=OP_SEQUENCE,
                           opsequence=SEQUENCE4res(
                               sr_status=NFS4_OK,
                               sr_resok4=SEQUENCE4resok(
                                   sr_sessionid='sessionid',
                                   sr_sequenceid=25,
                                   sr_slotid=0,
                                   sr_highest_slotid=0,
                                   sr_target_highest_slotid=15,
                                   sr_status_flags=0,
                               )
                           )
                       ),
                       nfs_resop4(
                           resop=OP_PUTFH,
                           opputfh=PUTFH4res(
                               status=NFS4_OK
                           )
                       ),
                       ...
                   ]
               ),

           The result for operation PUTFH is the second in the list:
               putfh = nfsobj.resarray[1]

           From this putfh object the status operation can be accessed as:
               status = putfh.opputfh.status

           or simply as (this is how the NFS object works):
               status = putfh.status

           In this example, the following match expression 'NFS.status == 0'
           could match the top level status of the compound (nfsobj.status)
           or the putfh status (nfsobj.resarray[1].status)

           The following match expression 'NFS.sr_sequenceid == 25' will also
           match this packet as well, even though the actual expression should
           be 'nfsobj.resarray[0].opsequence.sr_resok4.sr_sequenceid == 25' or
           simply 'nfsobj.resarray[0].sr_sequenceid == 25'.

           This approach makes the match expressions simpler at the expense of
           having some ambiguities on where the actual matched occurred. If a
           match is desired on a specific operation, a more qualified name can
           be given. In the above example, in order to match the status of the
           PUTFH operation the match expression 'NFS.opputfh.status == 0' can
           be used. On the other hand, consider a compound having multiple
           PUTFH results the above match expression will always match the first
           occurrence of PUTFH where the status is 0. There is no way to tell
           the match engine to match the second or Nth occurrence of an
           operation.
        """
        texpr = self._match_nfs(args)
        self.dprint('PKT2', "    %d: match_nfs(%s) -> %r" % (self.pkt.record.index, args, texpr))
        return texpr

    def _convert_match(self, ast):
        """Convert a parser list match expression into their corresponding
           function calls.

           Example:
               expr = "TCP.flags.ACK == 1 and NFS.argop == 50"
               st = parser.expr(expr)
               ast = parser.st2list(st)
               data =  self._convert_match(ast)

               Returns:
               data = "(self.match_tcp('flags.ACK==1'))and(self.match_nfs('argop==50'))"
        """
        ret = ''
        isin = False
        if not isinstance(ast, list):
            if ast in _match_func_map:
                # Replace name by its corresponding function name
                return _match_func_map[ast]
            return ast
        if len(ast) == 2:
            return self._convert_match(ast[1])

        for a in ast[1:]:
            data = self._convert_match(a)
            if data == 'in':
                data = ' in '
                isin = True
                if ret[:5] == "self.":
                    # LHS in the 'in' operator is a packet object
                    self.inlhs = True
                else:
                    # LHS in the 'in' operator is a constant value
                    self.inlhs = False
            ret += data

        if _token_map[ast[0]] == "comparison":
            # Comparison
            if isin:
                m = re.search(r'(.*)(self\.match_\w+)\.(.*)', ret)
                func = m.group(2)
                args = m.group(1) + m.group(3)
            else:
                m = re.search(r"^(self\.match_\w+)\.(.*)", ret)
                func = m.group(1)
                args = m.group(2)
            # Escape all single quotes since the whole string will be quoted
            args = re.sub(r"'", "\\'", args)
            ret = "(%s('%s'))" % (func, args)

        return ret

    def match(self, expr, maxindex=None):
        """Return the packet that matches the given expression, also the packet
           index points to the next packet after the matched packet.
           Returns None if packet is not found and the packet index points
           to the packet at the beginning of the search.

           expr:
               String of expressions to be evaluated
           maxindex:
               The match fails if packet index hits this limit

           Examples:
               # Find the packet with both the ACK and SYN TCP flags set to 1
               pkt = x.match("TCP.flags.ACK == 1 and TCP.flags.SYN == 1")

               # Find the next NFS EXCHANGE_ID request
               pkt = x.match("NFS.argop == 42")

               # Find the next NFS EXCHANGE_ID or CREATE_SESSION request
               pkt = x.match("NFS.argop in [42,43]")

               # Find the next NFS OPEN request or reply
               pkt = x.match("NFS.op == 18")

               # Find all packets coming from subnet 192.168.1.0/24 using
               # a regular expression
               while x.match(r"IP.src == re('192\.168\.1\.\d*')"):
                   print x.pkt.tcp

               # Find packet having a GETATTR asking for FATTR4_FS_LAYOUT_TYPE(bit 62)
               pkt_call = x.match("NFS.attr_request & 0x4000000000000000L != 0")
               if pkt_call:
                   # Find GETATTR reply
                   xid = pkt_call.rpc.xid
                   # Find reply where the number 62 is in the array NFS.obj_attributes
                   pkt_reply = x.match("RPC.xid == %d and 62 in NFS.obj_attributes" % xid)

               # Find the next WRITE request
               pkt = x.match("NFS.argop == 38")
               if pkt:
                   print pkt.nfs

               # Same as above, but using membership test operator instead
               if ("NFS.argop == 38" in x):
                   print x.pkt.nfs

           See also:
               match_ethernet(), match_ip(), match_tcp(), match_rpc(), match_nfs()
        """
        # Save current position
        save_index = self.index

        # Parse match expression
        st = parser.expr(expr)
        smap = parser.st2list(st)
        pdata = self._convert_match(smap)
        self.dprint('PKT1', ">>> %d: match(%s)" % (self.index, expr))

        # Search one packet at a time
        for pkt in self:
            if maxindex and self.index > maxindex:
                # Hit maxindex limit
                break
            try:
                if eval(pdata):
                    # Return matched packet
                    self.dprint('PKT1', ">>> %d: match() -> True" % pkt.record.index)
                    return pkt
            except Exception:
                pass

        # No packet matched, re-position the file pointer back to where
        # the search started
        self.rewind(save_index)
        self.pkt = None
        self.dprint('PKT1', ">>> match() -> False")
        return None

    @staticmethod
    def escape(data):
        """Escape special characters.

           Examples:
               # Call as an instance
               escaped_data = x.escape(data)

               # Call as a class
               escaped_data = Pktt.escape(data)
        """
        # repr() can escape or not a single quote depending if a double
        # quote is present, just make sure both quotes are escaped correctly
        rdata = repr(data)
        if rdata[0] == '"':
            # Double quotes are escaped
            dquote = r'x22'
            squote = r'\x27'
        else:
            # Single quotes are escaped
            dquote = r'\x22'
            squote = r'x27'
        # Replace all double quotes to its corresponding hex value
        data = re.sub(r'"', dquote, rdata[1:-1])
        # Replace all single quotes to its corresponding hex value
        data = re.sub(r"'", squote, data)
        # Escape all backslashes
        data = re.sub(r'\\', r'\\\\', data)
        return data

    @staticmethod
    def ip_tcp_src_expr(ipaddr, port):
        """Return a match expression to find a packet coming from ipaddr:port.

           Examples:
               # Call as an instance
               expr = x.ip_tcp_src_expr('192.168.1.50', 2049)

               # Call as a class
               expr = Pktt.ip_tcp_src_expr('192.168.1.50', 2049)

               # Returns "IP.src == '192.168.1.50' and TCP.src_port == 2049"
               # Expression ready for x.match()
               pkt = x.match(expr)
        """
        return "IP.src == '%s' and TCP.src_port == %d" % (ipaddr, port)

    @staticmethod
    def ip_tcp_dst_expr(ipaddr, port):
        """Return a match expression to find a packet going to ipaddr:port.

           Examples:
               # Call as an instance
               expr = x.ip_tcp_dst_expr('192.168.1.50', 2049)

               # Call as a class
               expr = Pktt.ip_tcp_dst_expr('192.168.1.50', 2049)

               # Returns "IP.dst == '192.168.1.50' and TCP.dst_port == 2049"
               # Expression ready for x.match()
               pkt = x.match(expr)
        """
        return "IP.dst == '%s' and TCP.dst_port == %d" % (ipaddr, port)
Esempio n. 4
0
    def __init__(self, pktt):
        """Constructor

           Initialize object's private data.

           pktt:
               Packet trace object (packet.pktt.Pktt) so this layer has
               access to the parent layers.
        """
        # Decode the TCP layer header
        unpack = pktt.unpack
        ulist = unpack.unpack(20, "!HHIIHHHH")
        self.src_port = ulist[0]
        self.dst_port = ulist[1]
        self.seq_number = ulist[2]
        self.ack_number = ulist[3]
        self.hl = ulist[4] >> 12
        self.header_size = 4 * self.hl
        self.flags = Flags(ulist[4] & 0x1FF)
        self.window_size = ulist[5]
        self.checksum = ShortHex(ulist[6])
        self.urgent_ptr = ulist[7]

        pktt.pkt.tcp = self

        # Stream identifier
        ip = pktt.pkt.ip
        streamid = "%s:%d-%s:%d" % (ip.src, self.src_port, ip.dst,
                                    self.dst_port)

        if streamid not in pktt._tcp_stream_map:
            # Create TCP stream object
            pktt._tcp_stream_map[streamid] = Stream(self.seq_number)

        # De-reference stream map
        stream = pktt._tcp_stream_map[streamid]

        if self.flags.SYN:
            # Reset seq_base on SYN
            stream.seq_base = self.seq_number
            stream.last_seq = stream.seq_wrap

        # Convert sequence numbers to relative numbers
        seq = self.seq_number - stream.seq_base + stream.seq_wrap
        if seq < stream.seq_wrap:
            # Sequence number has reached the maximum and wrapped around
            stream.seq_wrap += 4294967296
            seq += 4294967296
        self.seq = seq

        if self.header_size > 20:
            self.options = []
            osize = self.header_size - 20
            optunpack = Unpack(unpack.read(osize))
            while optunpack.size():
                optobj = Option(optunpack)
                if optobj.kind == 0:
                    # End of option list
                    break
                elif optobj.kind > 0:
                    # Valid option
                    self.options.append(optobj)

        # Save length of TCP segment
        self.length = unpack.size()

        if seq < stream.last_seq and not stream.missing_fragment(seq):
            # This is a re-transmission, do not process
            return

        self._decode_payload(pktt, stream)

        if self.length > 0:
            stream.last_seq = seq
            stream.next_seq = seq + self.length
Esempio n. 5
0
    def __init__(self, pktt):
        """Constructor

           Initialize object's private data.

           pktt:
               Packet trace object (packet.pktt.Pktt) so this layer has
               access to the parent layers.
        """
        # Decode the TCP layer header
        unpack = pktt.unpack
        ulist = unpack.unpack(20, "!HHIIHHHH")
        self.src_port    = ulist[0]
        self.dst_port    = ulist[1]
        self.seq_number  = ulist[2]
        self.ack_number  = ulist[3]
        self.hl          = ulist[4] >> 12
        self.header_size = 4*self.hl
        self.flags       = Flags(ulist[4] & 0x1FF)
        self.window_size = ulist[5]
        self.checksum    = ShortHex(ulist[6])
        self.urgent_ptr  = ulist[7]

        pktt.pkt.tcp = self

        # Stream identifier
        ip = pktt.pkt.ip
        streamid = "%s:%d-%s:%d" % (ip.src, self.src_port, ip.dst, self.dst_port)

        if streamid not in pktt._tcp_stream_map:
            # Create TCP stream object
            pktt._tcp_stream_map[streamid] = Stream(self.seq_number)

        # De-reference stream map
        stream = pktt._tcp_stream_map[streamid]

        if self.flags.SYN:
            # Reset seq_base on SYN
            stream.seq_base = self.seq_number
            stream.last_seq = stream.seq_wrap

        # Convert sequence numbers to relative numbers
        seq = self.seq_number - stream.seq_base + stream.seq_wrap
        if seq < stream.seq_wrap:
            # Sequence number has reached the maximum and wrapped around
            stream.seq_wrap += 4294967296
            seq += 4294967296
        self.seq = seq

        if self.header_size > 20:
            self.options = []
            osize = self.header_size - 20
            optunpack = Unpack(unpack.read(osize))
            while optunpack.size():
                optobj = Option(optunpack)
                if optobj.kind == 0:
                    # End of option list
                    break
                elif optobj.kind > 0:
                    # Valid option
                    self.options.append(optobj)

        # Save length of TCP segment
        self.length = unpack.size()

        if seq < stream.last_seq and not stream.missing_fragment(seq):
            # This is a re-transmission, do not process
            return

        self._decode_payload(pktt, stream)

        if self.length > 0:
            stream.last_seq = seq
            stream.next_seq = seq + self.length