def parent(ip_version):
msg("============================================================")
msg("starting dig process USING IPv{}".format(ip_version))
p = Process(target=dig, args=(ip_version, ))
p.start()
msg("starting sniff")
pkts = sniff("eth0", lfilter=lambda x: (UDP in x and DNS in x), timeout=6)
msg("sniff done, joining dig")
p.join()
msg("\noriginal\n----------------------------------------")
pkts.nsummary()
msg("\nsave and reload 1\n----------------------------------------")
pktfile = "pkts2.pcap"
wrpcap(pktfile, pkts)
pkts2 = rdpcap(pktfile)
pkts2.nsummary()
msg("\nsave and reload 2\n----------------------------------------")
for p in pkts:
if IP in p:
del(p[IP].len)
if UDP in p:
del(p[UDP].len)
del(p[UDP].chksum)
pktfile = "pkts3.pcap"
wrpcap(pktfile, pkts)
pkts3 = rdpcap(pktfile)
pkts3.nsummary()
msg("----------------------------------------\n")
def combine_pcap(self, dest_pcap, src_pcap):
pkts = rdpcap(dest_pcap)
if len(pkts) != 1:
return
pkts_src = rdpcap(src_pcap)
pkts += pkts_src
wrpcap(dest_pcap, pkts)
def load_pcap(pcap):
# @todo: possibly generate a packet list using sniff
# sniff(offline=pcap,prn=method_filter_HTTP,store=0)
# read pcap into memory
packet_list = rdpcap(pcap)
count = len(packet_list)
print("[*]: Reading %d packets" % count)
# get human readable types
dns_type_enum = read_dns_record_enum()
# extract information
dns_queries = []
dns_responses = []
for packet in packet_list:
if packet.haslayer(DNSRR):
dnsr = packet[DNSRR]
rrname = dnsr.rrname.decode('UTF-8')
rdata = dnsr.rdata
rrtype = dns_type_enum[dnsr.rclass]
ttl = dnsr.ttl
dns_queries.append((rrname, rrtype))
dns_responses.append((rrname, rrtype, ttl, rdata))
elif packet.haslayer(DNSQR):
dnsr = packet[DNSQR]
query = dnsr.qname.decode('UTF-8')
query_type = dns_type_enum[dnsr.qtype]
dns_queries.append((query, query_type))
return dns_queries, dns_responses
def replay_packet(host):
global pcap_file
global speed
global quick
# global module
debugger("Load pcap")
packets = rdpcap(pcap_file)
# tamper = module
own_packet_index = get_packet_index(packets)
packet_num = len(packets)
info("Start replay packet")
t0 = time.time()
for i in range (0, packet_num):
if i in own_packet_index:
if (i != 0) and not quick:
delta = (packets[i].time - packets[i-1].time)/speed
time.sleep(delta)
send_packet(host, packets, i, t0)
else:
recv_packet(host, packets, t0)
info("Send all packets finished, connection will be closed")
if listen:
info("Server wiil continue listening on port %d" %port)
else:
info("Exit")
host.close()
sys.exit(0)
def replay(file):
packets = rdpcap(file)
# try:
# s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# s.connect(("127.0.0.1", 445))
# except:
# print>>sys.stderr, "err: connect"
# return
for p in packets:
try:
if p.haslayer(TCP) and p.getlayer(TCP).dport == 445 and len(
p.getlayer(TCP).payload) > 6:
try:
if p.getlayer(TCP).flags > 1 and "\x90" in p.getlayer(
TCP).load:
# s.sendall(str(p.getlayer(TCP).payload))
# print p.getlayer(TCP).payload
print repr(p.getlayer(TCP).load)
break
except:
print >> sys.stderr, "err: send"
return
except:
print >> sys.stderr, "err: read"
return
# time.sleep(1)
# s.shutdown(0)
return
def read_pcap_file(self, iface, filename):
try:
pcap_file = os.path.join(self.config['pcap_dir'], filename)
for pkt in rdpcap(pcap_file):
self.fprn(pkt, iface)
except Exception:
self.logger.exception('Cant read pcap file %s', pcap_file)
def pcap_to_csv(input_filename, output_handle, mappings):
'''This funciton takes a pcap (by filename), and for each packet between
any two of (client, server, thirdparty) and extracts:
timestamp
sender/receiver
size of payload (where "payload" is defined as everything after the TCP/UDP header
protocol ("IP/TCP", etc).
input_filename: filename of the input file ("foo.pcap")
output_handle: handle to direct output to (open("foo.csv"))
mappings: a dict mapping of ip address to role, where role is one of:
"client", "server", or "thirdparty". For example:
{ "10.10.5.7" : "client1", "192.168.2.7" : "client2",
"10.15.20.30": "server", "10.40.50.70" : "thirdparty" }
returns: nothing
'''
fields = ["time", "direction", "payloadlength", "protocol"]
# rdpcap returns pcap, essentially an array of packets
# Packet fields can be read via packet[layer].field
# layers are in scapy.layers
# packet.show() displays the contents of each packet
pcap = rdpcap(input_filename)
csvwriter = csv.DictWriter(output_handle, fields, delimiter=',',
quotechar='"', quoting=csv.QUOTE_MINIMAL)
csvwriter.writeheader()
for packet in pcap:
row = get_packet_info(packet, mappings)
if row != None:
csvwriter.writerow(row)
def send_pkts(args, rewriteinfo):
"""Replays the pcap after rewriting with supplied details"""
proto, iface, ethsrc, ethdst, ipsrc, ipdst = rewriteinfo
pkts = rdpcap('{}.pcap'.format(proto))
for p in pkts:
# Update Ether common for all proto
p.getlayer(Ether).src = ethsrc
p.getlayer(Ether).dst = ethdst
if proto == 'sgi':
continue
del p[IP].chksum
del p[UDP].chksum
p.getlayer(IP).src = ipsrc
p.getlayer(IP).dst = ipdst
if proto == 's11':
# Update s11 MME GTPC IP for Create Session
if p.getlayer(UDP).gtp_type == 32:
p.getlayer(UDP).IE_list[8].ipv4 = ipsrc
# Update s11 MME GTPC IP and s1u ENB GTPU IP for Modify Bearer
if p.getlayer(UDP).gtp_type == 34:
p.getlayer(UDP).IE_list[0][2].ipv4 = args.enb.addr
p.getlayer(UDP).IE_list[1].ipv4 = ipsrc
checksum_silent(p)
wrpcap('tosend-{}.pcap'.format(proto), pkts)
def load_sniff_packets(index=''):
pkts = []
child_exit = False
if index in SNIFF_PIDS.keys():
pipe, intf, timeout = SNIFF_PIDS[index]
time_elapse = int(time.time() - float(index))
while time_elapse < timeout:
if pipe.poll() is not None:
child_exit = True
break
time.sleep(1)
time_elapse += 1
if not child_exit:
pipe.send_signal(signal.SIGINT)
pipe.wait()
# wait pcap file ready
time.sleep(1)
try:
cap_pkts = rdpcap("/tmp/sniff_%s.pcap" % intf)
for pkt in cap_pkts:
# packet gen should be scapy
packet = Packet(tx_port=intf)
packet.pktgen.assign_pkt(pkt)
pkts.append(packet)
except:
pass
return pkts
def stop_sniffing(self):
self.tcmpdump_proc.terminate()
self.tcmpdump_proc.wait()
for packet in rdpcap(self.pcap_file_path):
if IP in packet:
self.collect_packet(packet[IP])
return self.packets
def process_pcap(file_name):
head = '424d36d51b0000000000360000002800000060090000be00000001002000000000000000000000000000000000000000000000000000'
f = [b'' for _ in range(22)]
of = open('fparse.bmp', 'wb')
s = rdpcap(file_name).sessions()
for s_name in s:
recflag = False
idx = 0
for p in s[s_name]:
try:
raw = p[TCP].load
if recflag and len(raw) > 1000:
f[idx] += raw
if raw.startswith(b'\x42\x01') and len(
raw) == 40: #MPI (BTL) header
idx = raw[12]
recflag = True
except:
pass
f[idx] = f[idx][24:]
of.write(bytes.fromhex(head))
for d in f:
of.write(d)
of.close()
def get_chksums(self, pcap=None):
"""
get chksum values of Outer and Inner packet L3&L4
Skip outer udp for it will be calculated by software
"""
chk_sums = {}
pkts = rdpcap(pcap)
for number in range(len(pkts)):
if pkts[number].guess_payload_class(pkts[number]).name == "gre":
payload = pkts[number][GRE]
else:
payload = pkts[number]
if payload.guess_payload_class(payload).name == "IP":
chk_sums['outer_ip'] = hex(payload[IP].chksum)
if pkts[number].haslayer(GRE) == 1:
inner = pkts[number][GRE]
if inner.haslayer(IP) == 1:
chk_sums['inner_ip'] = hex(inner[IP].chksum)
if inner[IP].proto == 6:
chk_sums['inner_tcp'] = hex(inner[TCP].chksum)
if inner[IP].proto == 17:
chk_sums['inner_udp'] = hex(inner[UDP].chksum)
if inner[IP].proto == 132:
chk_sums['inner_sctp'] = hex(inner[SCTP].chksum)
break
return chk_sums
def __init__(self, packets, localport=50002, remoteport=4172, isUDP=True):
'''
Initialise a conversation from a pcap file or a list otherwise obtained from scapy
using scapy.rdpcap (also available as udpanal.rdpcap).
Args:
* packets - either string representing relative or absolute filename for pcap file
or PacketList object returned by rdpcap
* localport - the UDP port you communicated from
* remoteport - the UDP port you are communicating with
* isUDP - for future use when TCP & SCTP are also implemented
'''
if type(packets) == type(''):
pktlist = rdpcap(packets)
elif type(PacketList()) == type(packets):
pktlist = packets # re-initialise, take the penalty to kill that annoying 'filter multiplicity)
else:
self = packets
self.lport = localport
self.rport = remoteport
if isUDP:
pktlist = pktlist.filter(lambda x: x.haslayer(UDP))
pktlist = pktlist.filter(
lambda x: x.getlayer(UDP).dport == self.lport or x.getlayer(
UDP).sport == self.lport or x.getlayer(UDP).dport == self.
rport or x.getlayer(UDP).sport == self.rport)
self.pktlist = PacketList(pktlist)
self.count = len(self.pktlist)
return
def injection_goose(interface):
pcap_name = input(
"\n[*] Enter the name of the PCAP file to be used (without extension): "
)
traffic = rdpcap(pcap_name + '.pcap') # name of the.pcap
for frame in traffic: # frame = line
if frame.haslayer(Ether) == 1 and frame.haslayer(
Dot1Q) == 1 and frame.haslayer(Raw) == 1:
frame.src = "00:50:56:3C:BB:7C"
print(frame)
sendp(frame, iface=interface)
time.sleep(0.1)
'''
header_content = Ether()
header_content.dst = "00:50:56:3D:9E:FD"
header_content.src = "00:50:56:3C:BB:7B"
header_content.type = 0x8100
# CONSTRUCTING VLAN HEADER 0x88b8
header_VLAN = Dot1Q()
header_VLAN.prio = 4
header_VLAN.id = 0
header_VLAN.vlan = 0
header_VLAN.type = 0x88b8
# CONSTRUCTING GOOSE MESSAGE
goose_msg = Raw()
goose_msg.load = "b'\x00\x01\x00P\x00\x00\x00\x00aF\x80\tLLN0$gcb1\x81\x02\x0f\xa0\x82\x08LLN0$DS4\x83\x02G1\x84\x08Y\xde8\xa2\xd6\x04\x13x\x85\x01\x07\x86\x01\x11\x87\x01\x01\x88\x01\x01\x89\x01\x00\x8a\x01\x03\xab\x0b\x83\x01\x01\x85\x01\n\x84\x03\x03@\x00'"
# blablabla
ls(header_VLAN)
ls(goose_msg)
ls(header_content)
new_Goose_Frame = header_content / header_VLAN / goose_msg
sendp(new_Goose_Frame , iface=interface)
'''
break
def test_pcap_drop(self):
""" Drop Packet Capture Filter Test """
self.cli("pcap trace drop max 1000 "
"error {ip4-udp-lookup}.{No listener for dst port} "
"file vpp_test_trace_filter_test_pcap_drop.pcap")
# the packet we are trying to match
p = list()
for i in range(17):
# this packet should be forwarded
p.append((
Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg1.remote_ip4) /
UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
# this packet should be captured (no listener)
p.append(
(Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg0.local_ip4) /
UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
# this packet will be blackholed but not captured
p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
IP(src=self.pg0.remote_hosts[0].ip4, dst="0.0.0.0") /
UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
self.send_and_expect(self.pg0, p, self.pg1, n_rx=17, trace=False)
self.cli("pcap trace drop off")
# check captured pcap
pcap = rdpcap("/tmp/vpp_test_trace_filter_test_pcap_drop.pcap")
self.assertEqual(len(pcap), 17)
def extract_data(self):
# First of all, sleep for 1 minute
self._log.info(self.__class__.__name__, 'Sleeping waiting for data to extract.')
time.sleep(15)
self._log.info(self.__class__.__name__, 'I woke up. I am starting to extract data.')
# Load the sniff
pkts = rdpcap(self._fs.get_tmp_folder() + '/sniff.pcap')
# The list of all openflow packets in the sniffing.
openflow_packets = []
for pkt in pkts:
# OpenFlow is not yet implemented as dissector in Scapy, thus just count TCP packets from/to standard
# OpenFlow controller port.
if TCP in pkt and (pkt[TCP].sport == 6633 or pkt[TCP].dport == 6633):
if TCP in pkt:
# Add to the openflow_packet list
openflow_packets.append(pkt)
self._log.debug(self.__class__.__name__, 'Calculating the time of the of the last sniffed packet.')
# Take the time of the last sniffed packet
time_last_packet = openflow_packets[len(openflow_packets) - 1].time
self._log.debug(self.__class__.__name__, 'Calculating the time of the of the first sniffed packet.')
# Take the time of the first sniffed packet
time_first_packet = openflow_packets[0].time
self._log.debug(self.__class__.__name__, 'Calculating the convergence time.')
# Calculate the convergence time
convergence_time = time_last_packet - time_first_packet
self._log.debug(self.__class__.__name__, 'Starting to write the convergence time into extractor folder.')
# Write it into a file inside the extractor folder
output_file_name = self._simulation_path + '/' + self._extractor_folder + '/time.data'
output_file = open(output_file_name, 'w')
output_file.write('Convergence time (seconds): %s' % str(convergence_time))
self._log.info(self.__class__.__name__, 'All data has been correctly extracted.')
# Notify all observers
self.notify_all()
def load_sniff_packets(index=''):
"""
Stop sniffer and return packet objects
"""
pkts = []
child_exit = False
if index in SNIFF_PIDS.keys():
pipe, intf, timeout = SNIFF_PIDS[index]
time_elapse = int(time.time() - float(index))
while time_elapse < timeout:
if pipe.poll() is not None:
child_exit = True
break
time.sleep(1)
time_elapse += 1
if not child_exit:
pipe.send_signal(signal.SIGINT)
pipe.wait()
# wait pcap file ready
time.sleep(1)
try:
cap_pkts = rdpcap("/tmp/sniff_%s.pcap" % intf)
for pkt in cap_pkts:
# packet gen should be scapy
packet = Packet(tx_port=intf)
packet.pktgen.assign_pkt(pkt)
pkts.append(packet)
except:
pass
return pkts
def get_pcap_info(file_prefix):
"""Get the Dest IP from the RX pcap file
:param file_prefix: the test case pcap file prefix
:type file_prefix: str
:returns: packet counts, dest ip, is or not ipv4
:rtype: tuple(int, str, bool).
"""
exec_dir = BuiltIn().get_variable_value("${EXECDIR}")
rx_pcapfile = '{0}/{1}/{2}_rx.pcap' \
.format(exec_dir, con.TLDK_TESTCONFIG, file_prefix)
packets = rdpcap(rx_pcapfile)
count = len(packets)
### the first packet
pkt = packets[0]
if pkt.type == 0x0800:
### this is a IPv4 packet
dest_ip = pkt[IP].dst
is_ipv4 = True
elif pkt.type == 0x86dd:
### this is a IPv6 packet
dest_ip = pkt[IPv6].dst
is_ipv4 = False
return count, dest_ip, is_ipv4
def get_capture(self, remark=None, filter_fn=is_ipv6_misc):
"""
Get captured packets
:param remark: remark printed into debug logs
:param filter_fn: filter applied to each packet, packets for which
the filter returns True are removed from capture
:returns: iterable packets
"""
try:
self.wait_for_capture_file()
output = rdpcap(self.out_path)
self.test.logger.debug("Capture has %s packets" % len(output.res))
except IOError: # TODO
self.test.logger.debug(
"File %s does not exist, probably because no"
" packets arrived" % self.out_path)
if remark:
raise Exception("No packets captured on %s(%s)" %
(self.name, remark))
else:
raise Exception("No packets captured on %s" % self.name)
before = len(output.res)
if filter_fn:
output.res = [p for p in output.res if not filter_fn(p)]
removed = len(output.res) - before
if removed:
self.test.logger.debug(
"Filtered out %s packets from capture (returning %s)" %
(removed, len(output.res)))
return output
def stop_sniffing(self):
self.tcmpdump_proc.terminate()
self.tcmpdump_proc.wait()
for packet in rdpcap(self.pcap_file_path):
if IP in packet:
self.collect_packet(packet[IP])
return self.packets
def timeCSV(folder):
"""
This method creates a CSV file of all the times each IP address sends a packet to the given IoT device
Args:
folder: folder containing pcap files
"""
ipAddresses = []
ipandTimes = []
old_mac_address = folder[len(folder)-12:len(folder)]
mac_address = ""
# The MAC address for the device
for i in range(len(old_mac_address)//2 - 1):
mac_address += old_mac_address[i * 2] + old_mac_address[i * 2 + 1] + ":"
mac_address += old_mac_address[-2] + old_mac_address[-1]
output_file_name = "./results/CSVtimes/CSVtimes" + old_mac_address + ".csv"
out_file = open(output_file_name,'w')
# Ordering Files in the directory (useful for window purposes)
files = sorted(os.listdir(folder))
for filename in files:
if not filename.endswith(".pcap"):
print("Not processed {} ...".format(filename))
continue
file_name = folder + "/" + filename
print("Processing {} ...".format(file_name))
packets = rdpcap(file_name)
for ether_pkt in packets:
if 'type' not in ether_pkt.fields:
# LLC frames will have 'len' instead of 'type'.
# We disregard those
continue
if ether_pkt.type != protocol_mapping_l2.get('IPv4'):
continue
ip_pkt = ether_pkt[IP]
# Compare to Mac Address, as IP address is variable due to the network
if ether_pkt.dst != mac_address:
continue
if not ip_pkt.src in ipAddresses:
ipAddresses.append(ip_pkt.src)
ipandTimes.append([ip_pkt.src,float(ether_pkt.time)])
else:
for item in ipandTimes:
if item[0] == ip_pkt.src:
item.append(float(ether_pkt.time))
for item in ipandTimes:
out_file.write("IPAddress: {}, {}\n".format(item[0], str(item[1:len(item)]).replace(']','').replace('[','')))
def test__update_twotupleuni_update():
afg = AnubisFG(bidirectional=False)
capture = rdpcap('tests/data/test_100_rows.pcap')
# Second packet is a SYN TCP packet.
packet = capture[1]
ip_src = '172.16.0.5'
ip_dst = '192.168.50.1'
timestamp = datetime(2018, 12, 1, 13, 17, 11, 183810)
src_port = 60675
dst_port = 80
protocol = 6
hdr_len = 20
length = 74
ttl = 63
pkt_flag_counter = [0] * 8
# SYN flag
pkt_flag_counter[1] = 1
# Creating
afg._update_twotupleuni(packet)
expected = {
'fst_timestamp': timestamp,
'lst_timestamp': timestamp,
'set_src_ports': {src_port},
'set_dst_ports': {dst_port},
'pkt_flag_counter': pkt_flag_counter,
'pkt_protocol_counter': {
protocol: 1
},
'tot_header_len': hdr_len,
'tot_packet_len': length,
'tot_ttl': ttl
}
assert len(afg.memory_twotup) == 1
assert afg.memory_twotup[(ip_src, ip_dst)].__dict__ == expected
# Updating
# Third packet is another SYN TCP packet with same IPs and Ports
packet = capture[2]
new_timestamp = datetime(2018, 12, 1, 13, 17, 11, 183813)
# SYN flag
pkt_flag_counter[1] += 1
afg._update_twotupleuni(packet)
expected = {
'fst_timestamp': timestamp,
'lst_timestamp': new_timestamp,
'set_src_ports': {src_port},
'set_dst_ports': {dst_port},
'pkt_flag_counter': pkt_flag_counter,
'pkt_protocol_counter': {
protocol: 2
},
'tot_header_len': hdr_len * 2,
'tot_packet_len': length * 2,
'tot_ttl': ttl * 2
}
assert len(afg.memory_twotup) == 1
assert afg.memory_twotup[(ip_src, ip_dst)].__dict__ == expected
def extract_iodine(root, source, destination):
dns_packets = rdpcap(source)
downstream = b''
upstream = b''
is_transfer = False
real_packets = []
for packet in dns_packets:
if not packet.haslayer(DNS):
continue
if DNSRR in packet and len(packet[DNSRR].rdata) > 0:
# downstream
data = packet[DNSRR].rdata
if isinstance(data, str):
# should be some bug in scapy?
data = data.encode()
if not is_transfer:
continue
downstream += data[2:]
headers = ServerHeader(data)
if headers.last and len(downstream) > 0:
try:
raw_data = zlib.decompress(downstream)
real_packets.append(IP(raw_data[4:]))
except zlib.error:
pass
downstream = b''
elif DNSQR in packet:
# client
hostname = packet[DNSQR].qname
if hostname[0] not in b"0123456789abcdefABCDEF":
continue
is_transfer = True
if not hostname.endswith(root):
print("Warning: skipped upstream packet:", hostname, file=sys.stderr)
continue
upstream += hostname[5:-len(root)].replace(b".", b"")
headers = ClientHeader(hostname)
if headers.last and len(upstream) > 0:
try:
raw_data = zlib.decompress(b128decode(upstream))
real_packets.append(IP(raw_data[4:]))
except zlib.error:
pass
upstream = b''
wrpcap(destination, real_packets)
def read_all(self, ipg_usec, min_ipg_usec, speedup, split_mode=None):
# get the packets
if split_mode is None:
pkts = RawPcapReader(self.pcap_file).read_all()
else:
pkts = rdpcap(self.pcap_file)
if not pkts:
raise STLError("'%s' does not contain any packets." %
self.pcap_file)
self.pkts_arr = []
last_ts = 0
# fix times
for pkt in pkts:
if split_mode is None:
pkt_data, meta = pkt
ts_usec = meta[0] * 1e6 + meta[1]
else:
pkt_data = pkt
ts_usec = pkt.time * 1e6
if ipg_usec is None:
loco = locals()
if 'prev_time' in loco:
delta_usec = (ts_usec - loco['prev_time']) / float(speedup)
else:
delta_usec = 0
if min_ipg_usec and delta_usec < min_ipg_usec:
delta_usec = min_ipg_usec
prev_time = ts_usec
last_ts += delta_usec
else: # user specified ipg
if min_ipg_usec:
last_ts += min_ipg_usec
elif ipg_usec:
last_ts += ipg_usec / float(speedup)
else:
raise STLError(
'Please specify either min_ipg_usec or ipg_usec, not both.'
)
self.pkts_arr.append([pkt_data, last_ts])
if split_mode is None:
return self.pkts_arr
# we need to split
self.graph = Graph()
self.pkt_groups = [[], []]
if split_mode == 'MAC':
self.generate_mac_groups()
elif split_mode == 'IP':
self.generate_ip_groups()
else:
raise STLError('unknown split mode for PCAP')
return self.pkt_groups
def read_pcap(self, file):
pcap_pkts = []
try:
pcap_pkts = rdpcap(file)
except:
pass
return pcap_pkts
def read_pcap_file(self, pcap_file):
pcap_pkts = []
try:
pcap_pkts = rdpcap(pcap_file)
except:
raise Exception("write pcap error")
return pcap_pkts
def send_packet(intf, fname, pkt_cnt):
pkts = rdpcap(fname)
for pkt in pkts:
#logging.debug("Tx packet: {}".format(pkt.show()))
logging.info('[%s] Sending %d packets on interface %s' %
(get_curr_time(), int(pkt_cnt), intf))
sendp(pkt, iface=intf, count=pkt_cnt)
def main():
pcap_file = rdpcap("SynFloodSample.pcap")
# create set with all ip's from packets with sync flag
black_set = {p[IP].src for p in pcap_file if p[TCP].flags == 'S'}
# remove all the ip's that answered with ack
black_set.difference_update({p[IP].src for p in pcap_file if 'A' in p[TCP].flags})
with open('blacklist ips.txt', 'w') as ips_file:
ips_file.write('\n'.join(sorted(black_set)))
def main():
file = rdpcap('arpspoofing.pcap')
for i, bman in enumerate(file):
if (bman.haslayer(ARP)):
getting(bman)
found = identity(bman)
printing(found, i + 1)
def __init__(self, pcapfilename, importLayer=5):
# l5msgs = PCAPImporter.readFile(pcap, importLayer=absLayer).values() # type: List[AbstractMessage]
self.importLayer = importLayer
self.packets = rdpcap(pcapfilename)
self._messages = SortedTypedList(AbstractMessage)
self._rawmessages = SortedTypedList(AbstractMessage)
for pkt in self.packets: # type: Packet
self.packetHandler(pkt)
def pg_get_capture(cls, o):
pcap_filename = "/tmp/pg%u_out.pcap" % o
try:
output = rdpcap(pcap_filename)
except IOError: # TODO
cls.log("WARNING: File %s does not exist, probably because no"
" packets arrived" % pcap_filename)
return []
return output
def cmp_left_to_right(file1, file2):
pkt_match_cnt = 0
pkts1 = rdpcap(file1)
try:
pkts2 = rdpcap(file2)
except IOError:
#there was no PCAP with received packets, assume nothing was received
return False
pkts1 = map(lambda x: str(x), pkts1)
pkts2 = map(lambda x: str(x), pkts2)
for p1 in pkts1:
for i in range(len(pkts2)):
try:
p2 = pkts2[i]
except IndexError:
#print
#print 'Packet with index %s has been already matched' % i
continue
if pkt_cmp(p1, p2):
pkt_match_cnt += 1
"""
Once the packet is matched remove it from the list of
received packets. This helps to avoid double matching
a packet if there are more than one identical packets contained in a given
PCAP
"""
del pkts2[i]
if VERBOSE:
print
print "%s packets matched out of %s sent" % (pkt_match_cnt, len(pkts1))
print "[%s/%s]" % (pkt_match_cnt, len(pkts1))
if pkt_match_cnt == len(pkts1):
return True
else:
return False
def test__update_fivetuplebi_noupdate():
afg = AnubisFG(bidirectional=True)
capture = rdpcap('tests/data/test_100_rows.pcap')
# First packet is a STP packet that should not be read.
packet = capture[0]
afg._update_fivetuplebi(packet)
assert afg.memory_fivetup == dict()
with pytest.raises(IndexError, match='Packet does not have an IP layer'):
afg._update_fivetuplebi(packet, ignore_errors=False)
def load_cap(file_name) -> PacketList:
"""
Load .cap into scapy.plist
"""
try:
cap = rdpcap(f"{CAP_PATH}{file_name}{CAP_EXTENSION}")
logger.info(f"\"{file_name}{CAP_EXTENSION}\" loaded")
return cap
except FileNotFoundError as error:
logger.warning(f"{type(error).__name__}: \"{format(error)}\"")
def check_outputs(self):
""" Checks if the output of the filter matches expectations """
report_output(self.outputs["stdout"],
self.options.verbose, "Comparing outputs")
direction = "out"
for file in glob(self.filename('*', direction)):
report_output(self.outputs["stdout"],
self.options.verbose, "Checking file %s" % file)
interface = self.interface_of_filename(file)
if os.stat(file).st_size == 0:
packets = []
else:
try:
packets = rdpcap(file)
except Exception as e:
report_err(self.outputs["stderr"],
"Corrupt pcap file", file, e)
self.showLog()
return FAILURE
if interface not in self.expected:
expected = []
else:
# Check for expected packets.
if self.expected[interface]["any"]:
if self.expected[interface]["pkts"]:
report_err(self.outputs["stderr"],
("Interface " + interface +
" has both expected with"
" packets and without"))
continue
expected = self.expected[interface]["pkts"]
if len(expected) != len(packets):
report_err(self.outputs["stderr"], "Expected", len(
expected), "packets on port",
str(interface), "got", len(packets))
return FAILURE
for i in range(0, len(expected)):
cmp = compare_pkt(
self.outputs, expected[i], packets[i])
if cmp != SUCCESS:
report_err(self.outputs["stderr"], "Packet", i, "on port",
str(interface), "differs")
return cmp
# Remove successfully checked interfaces
if interface in self.expected:
del self.expected[interface]
if len(self.expected) != 0:
# Didn't find all the expects we were expecting
report_err(self.outputs["stderr"], "Expected packets on port(s)",
self.expected.keys(), "not received")
return FAILURE
report_output(self.outputs["stdout"],
self.options.verbose, "All went well.")
return SUCCESS
def test_omni(self):
sniffer = self.get_sniffer()
packets = rdpcap(get_full_path(self.PCAP_FILE))
for i, packet in enumerate(packets):
try:
message = sniffer.message_from_packet(packet)
print ('TEST OMNI DUMP MESSAGE(%d): %s' % (i, message))
if i in self.PCAP_MESSAGES:
self.assertIsInstance(message, self.PCAP_MESSAGES[i])
except (BadPacket, struct.error) as ex:
# exception happens on TCP SYN, RST and so on
pass
def main():
mp = MuninProfiler()
for pkt in rdpcap(sys.argv[1]):
mp.handle_packet(pkt)
print("Client idle time during connection: %.2fs" % sum(mp.idles))
times = [(key, sum(value)) for key, value in mp.times.items()]
times.sort(key=lambda tpl: -tpl[1])
total = sum(value for key, value in times)
print("Total time waiting for the node: %.2fs" % total)
print("Top 10 plugins using most of the time")
for key, value in times[:10]:
print("%-40s: %.2fs (%d%%)" % (key, value, 100 * value / total))
def process_file(file_name):
connections = extract_connections(rdpcap(file_name))
orig_retrans, scan_retrans = extract_retransmissions(connections)
for connection in connections.values():
if not has_exponential_backoff(connection):
print "Connections don't follow exponential backoff."
analyse_retransmissions(orig_retrans, scan_retrans)
return 0
def use_pcap(prn=None, lfilter=None, filename=None):
pcp = rdpcap(filename=filename)
if prn is None:
prn = lambda pkt: pkt
if lfilter is None:
lfilter = lambda pkt: True
for packet in pcp:
if lfilter(packet):
out_line = prn(packet)
if out_line:
print out_line
def main(argv):
inputfile = ''
outputfile = ''
hookfile = ''
try:
opts, args = getopt.getopt(argv,"hi:o:t:",["ifile=","ofile=","transformation="])
except getopt.GetoptError:
print sys.argv[0] + ' -i inputfile -o outputfile -t [hook script]'
print sys.argv[0] + ' -i sample.pcap -o result.pcap -t example'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print 'test.py -i <inputfile> -o <outputfile>'
sys.exit()
elif opt in ("-i", "--ifile"):
inputfile = arg
elif opt in ("-o", "--ofile"):
outputfile = arg
elif opt in ("-t", "--transformation"):
hookfile = arg
pkts=rdpcap(inputfile)
for pkt in pkts:
try:
my_array = []
if pkt.haslayer(TCP):
for d in str(pkt.getlayer(TCP).payload):
my_array.append(d)
if pkt.haslayer(UDP):
for d in str(pkt.getlayer(UDP).payload):
my_array.append(d)
modname = "hooks." + hookfile
module = __import__(modname, globals(), locals(), ['modify_payload'])
func = getattr(module, "modify_payload")
data = func(my_array)
str1 = ''.join(data)
#replace payload in origional packet
if pkt.haslayer(TCP):
pkt.getlayer(TCP).payload=str1
if pkt.haslayer(UDP):
pkt.getlayer(UDP).payload=str1
except:
raise
wrpcap(outputfile, pkts)
def main():
"""
:return: void
"""
# Parse arguments & scan each packet
parser = argparse.ArgumentParser()
parser.add_argument('source_file')
args = parser.parse_args()
found_attack = 0
packets = rdpcap(args.source_file)
for pkt in packets:
update_icmp_dict(pkt)
found_attack += find_icmp_tunneling()
found_attack += find_syn_flood(packets)
found_attack += find_ftp_bounce(packets)
report_attack(found_attack)
def _get_capture(self, timeout, filter_out_fn=is_ipv6_misc):
""" Helper method to get capture and filter it """
try:
if not self.wait_for_capture_file(timeout):
return None
output = rdpcap(self.out_path)
self.test.logger.debug("Capture has %s packets" % len(output.res))
except:
self.test.logger.debug("Exception in scapy.rdpcap (%s): %s" %
(self.out_path, format_exc()))
return None
before = len(output.res)
if filter_out_fn:
output.res = [p for p in output.res if not filter_out_fn(p)]
removed = before - len(output.res)
if removed:
self.test.logger.debug(
"Filtered out %s packets from capture (returning %s)" %
(removed, len(output.res)))
return output
def b_Darbeleme(pcap_file):
packets = rdpcap(pcap_file)
for packet_content in packets:
packet_list = []
if packet_content.haslayer(TCP) and packet_content.dport == int(args.port):
for packet_payload in str(packet_content.getlayer(TCP).payload):
if len(packet_payload) != 0:
packet_list.append(packet_payload)
if packet_content.haslayer(UDP) and packet_content.dport == int(args.port):
for packet_payload in str(packet_content.getlayer(UDP).payload):
if len(packet_payload) != 0:
packet_list.append(packet_payload)
#if len packet_list == 0
#XXX
data = " ".join("{:02x}".format(ord(sla)) for sla in packet_list).split()
if args.byteflip == True:
fuzzed_list = b_Flip(data)
elif args.smash == True:
fuzzed_list = b_Smash(data)
else:
print "[!] Wrong method was chosen!"
sys.exit(1)
i = 0
for sending_now in fuzzed_list:
count_packet = range(len(sending_now))
if i > len(sending_now)-1:
i = 0
i += 1
last_tsend = "".join(sending_now).decode("hex")
b_Connection(last_tsend, count_packet[i-1])
def extract_data(self):
# First of all, sleep for 1 minute
self._log.info(self.__class__.__name__, 'Sleeping waiting for data to extract.')
time.sleep(15)
self._log.info(self.__class__.__name__, 'I woke up. I am starting to extract data.')
# Load the sniff
pkts = rdpcap(self._fs.get_tmp_folder() + '/sniff.pcap')
# Counter for counting all openflow packets included into the sniffing.
count = 0
self._log.debug(self.__class__.__name__, 'Calculating the total number of exchanged control plane messages.')
for pkt in pkts:
# OpenFlow is not yet implemented as dissector in Scapy, thus just count TCP packets from/to standard
# OpenFlow controller port.
if TCP in pkt and (pkt[TCP].sport == 6633 or pkt[TCP].dport == 6633):
if TCP in pkt:
count += 1
self._log.debug(self.__class__.__name__, 'Starting to write the convergence time into extractor folder.')
# Write it into a file inside the extractor folder
output_file_name = self._simulation_path + '/' + self._extractor_folder + '/overhead.data'
output_file = open(output_file_name, 'w')
output_file.write('Exchanged packets: %s' % str(count))
self._log.info(self.__class__.__name__, 'All data has been correctly extracted.')
# Notify all observers
self.notify_all()
#!/usr/bin/python
__author__ = 'kilroy'
# (c) 2014, WasHere Consulting, Inc.
# Written for Infinite Skills
from scapy.all import *
from scapy.utils import rdpcap
src_mac = "12:45:ff:aa:bb:3d"
dst_mac = "05:34:10:df:ef:ab"
src_ip = "1.5.4.2"
dst_ip = "4.5.4.2"
frames=rdpcap("file.pcap") # could also read in only a small number of packets
for frame in frames:
try:
frame[Ether].src = src_mac
frame[Ether].dst = dst_mac
if IP in frame:
frame[IP].src = src_ip
frame[IP].dst = dst_ip
sendp(frame)
except Exception as e:
print(e)
try:
parser = argparse.ArgumentParser("Replay packets from a pcap_file")
parser.add_argument("pcap_file_path", type=str, help ="The path of the pcap file to replay")
args = parser.parse_args()
pcap_path, pcap_file_name = path.split(args.pcap_file_path)
pcap_file_name, ext = path.splitext(pcap_file_name)
print (pcap_path, pcap_file_name)
subprocess.call(['editcap','-c','1024','-F','libpcap',args.pcap_file_path,'_'+pcap_file_name+'_out.pcap'])
out,err = subprocess.Popen(['ls | grep '+pcap_file_name+'_out'], stdout=subprocess.PIPE, shell=True).communicate()
fragments = {}
for pcap_file in out.splitlines():
print 'Processing %s'%(pcap_file)
pkts = rdpcap(pcap_file)
timestamp = pkts[0].time
for pkt in pkts:
if pkt.haslayer('IP'):
dst = pkt['IP'].dst
if dst in mcastsocket.keys():
print "id: %d offset: %d"%(pkt['IP'].id,pkt['IP'].frag*8)
time.sleep((pkt.time - timestamp)*scale)
timestamp = pkt.time
if pkt['IP'].flags == 1:
#print [(pkt.time, fragment_id, fragments[fragment_id].len) for fragment_id in fragments.keys()]
if pkt['IP'].frag == 0:
#fragments[pkt['IP'].id] = [pkt]
#print pkt['IP'].payload
buffer=StringIO.StringIO()
buffer.seek(pkt['IP'].frag*8)
#!/usr/bin/env python
import sys
from scapy.all import *
from scapy.utils import rdpcap
pkts=rdpcap(sys.argv[1]) # could be used like this rdpcap("filename",500) fetches first 500 pkts
for pkt in pkts:
print """____________________________________"""
pkt.show()
print ""
protocol = __import__('matcher.' + p, fromlist=['*'])
protocol.config(pconf)
else:
protocol = __import__('matcher.' + optValue, fromlist=['*'])
if 'protocol' not in locals():
protocol = __import__('pcap.raw', fromlist=['*'])
print 'Run as', mode, 'mode'
print 'Decode packet as ', protocol
print "replace ", replace, "to", [address,port]
for cap in caps:
f,opts = cap[0],cap[1:]
m_conf = conf.copy()
for opt in opts:
if opt == "wrap":
m_conf["wrap"] = True
pkts = [replace_pkt_header(pkt, replace, [address,int(port)]) for pkt in rdpcap(f)]
print "pcap file :", f, "contains", len(pkts), "packets"
for index, pkt in enumerate(pkts):
if has_load(pkt):
print index, [pkt[IP].src,pkt[TCP].sport], "->", [pkt[IP].dst,pkt[TCP].dport], " load:", repr(pkt.load)
matchers.append(PcapMatcher(pkts, m_conf, protocol))
if mode == "server":
sniff(prn=lambda x : monitor_callback(x), filter="dst port %d and dst host %s" % (port, address), iface=interface, store=0)
elif mode == "client":
play(pkts)
ether = Ether();
ether.type = 0x86dd;
ether.src = pkt.src;
ether.dst = pkt.dst;
header6 = header4to6 (pkt['IP']);
if ('TCP' in pkt):
l4type = 'TCP';
elif ('UDP' in pkt):
l4type = 'UDP';
else:
l4type = None;
if (l4type == 'TCP' or l4type == 'UDP'):
newpayload = payload4to6(pkt[l4type].payload);
pkt[l4type].remove_payload();
newpkt = ether /header6 / pkt[l4type] / newpayload;
del pkt[l4type].chksum;
else:
newpkt = ether /header6 / pkt['IP'].payload;
return newpkt;
if __name__ == "__main__":
if (len(sys.argv) != 2):
print "./pcap4to6.py <ipv4_pcap_file>";
sys.exit(0);
pkts = rdpcap (sys.argv[1]);
newpkts = [];
for pkt in pkts:
newpkts.append (convert4to6 (pkt));
wrpcap ("out.pcap", newpkts);
def load(pcap_file_paths=[]):
return list(chain(*[rdpcap(_file) for _file in pcap_file_paths]))
def to_hosts(pcap_file):
addrs = dict() # ip : mac, hostname, relations
requested_local_hosts = dict() # requested_addr : (mac, hostname)
local_hosts = dict() # IP: [mac, hostname]
dns_servers = set()
macs_count = dict() # mac : count
router_mac = ''
print("Reading pcap...")
pkts = rdpcap(pcap_file)
print("Examining {} packets...".format(len(pkts)))
# time duration of pcap
s1 = datetime.utcfromtimestamp(pkts[0].time)
s2 = datetime.utcfromtimestamp(pkts[len(pkts)-1].time)
dur = round((s2 - s1).total_seconds()/60, 2)
print("Packet Duration: {} minutes".format(dur))
ip_re = re.compile("^\d{1,3}(\.\d{1,3}){3}$")
for i, pkt in enumerate(pkts):
try:
if (pkt.getlayer('IP') and pkt.getlayer('DHCP options') and
pkt.getlayer('BOOTP') and pkt[BOOTP].op == 1):
# DHCP REQUEST
mac = check_mac(pkt.src)
hostname = ''
ip = ''
for t in pkt[DHCP].options:
if t[0] == 'hostname':
hostname = t[1].decode('utf-8', 'ignore')
elif t[0] == 'requested_addr':
ip = t[1]
requested_local_hosts[ip] = [mac, hostname]
elif (pkt.getlayer('IP') and pkt.getlayer('DHCP options') and
pkt.getlayer('BOOTP') and pkt[BOOTP].op == 2):
# DHCP ACK
ip = pkt[BOOTP].yiaddr
hostname = ''
mac = ''
for t in pkt[DHCP].options:
if t[0] == 'name_server':
dns_servers.add(t[1])
if requested_local_hosts.get(ip):
req = requested_local_hosts[ip]
mac = req[0]
hostname = req[1]
local_hosts[ip] = [mac, hostname]
relations = set()
if addrs.get(ip):
relations = addrs[ip][2]
addrs[ip] = [mac, hostname, relations]
elif (pkt.getlayer('DNS') and pkt[DNS].an):
# Local DNS Resolution
router_mac = pkt.src
"""
rdata is IP address of remote server (REGEX to verify)
rrname is the hostname of the remote server
ip.dst is the IP requesting to resolve the server
"""
ip = str(pkt[DNS].an.lastlayer().rdata)
if ip_re.match(ip): # check if IP resolved
hostname = pkt[DNS].an.lastlayer().rrname.decode('utf-8', 'ignore')[:-1]
mac = ''
relations = set()
if addrs.get(ip):
mac = addrs[ip][0]
relations = addrs[ip][2]
if mac == '':
mac = check_mac(pkt.dst)
relations.add(pkt.getlayer('IP').dst)
addrs[ip] = [mac, hostname, relations]
elif (pkt.getlayer('DNS') and pkt[DNS].qd and
pkt[DNS].qd.getlayer('DNS Question Record') and
pkt[DNS].rcode == 0):
dns_servers.add(pkt.getlayer('IP').dst)
elif pkt.getlayer('IP'):
# Add connections
srcip = pkt[IP].src
dstip = pkt[IP].dst
# for source
src_mac = ''
hostname = srcip
relations = set()
if addrs.get(srcip):
src_mac = addrs[srcip][0]
hostname = addrs[srcip][1]
relations = addrs[srcip][2]
relations.add(dstip)
if src_mac == '':
src_mac = check_mac(pkt.dst)
# for destination
dst_mac = ''
dsthostname = dstip
dstrelations = set()
if addrs.get(dstip):
dst_mac = addrs[dstip][0]
dsthostname = addrs[dstip][1]
dstrelations = addrs[dstip][2]
dstrelations.add(srcip)
addrs[srcip] = [src_mac, hostname, relations]
addrs[dstip] = [dst_mac, dsthostname, dstrelations]
except TypeError as e:
continue
print('Router Mac Address: {}'.format(router_mac))
hosts = dict()
for ip, vals in addrs.items():
mac = ''
hostname = ''
relations = ''
mac, hostname, relations = vals[0], vals[1], vals[2]
if mac != '' and mac == router_mac:
# check if already local host
if requested_local_hosts.get(ip) and not local_hosts.get(ip):
req = requested_local_hosts[ip]
mac = req[0]
hostname = req[1]
local_hosts[ip] = [mac, hostname]
else:
local_hosts[ip] = [mac, hostname]
hosts[ip] = Host(ip, hostname, relations)
"\n".join(" {}: {}".format(v.hostname, k) for k, v in hosts.items())
resp = ("{} DNS Servers:\n".format(len(dns_servers)) +
"\n".join(" {}".format(dns) for dns in dns_servers))
resp += ("\n{} Local hosts\n".format(len(local_hosts)) +
"\n".join(" {}: {} [{}]".format(v[1], k, v[0]) for k, v in local_hosts.items()))
return (resp, local_hosts, dns_servers, hosts)
class Display(object):
def __init__(self, pkts):
self.pkts = pkts
def show(self, seq):
self.pkts[seq].show()
def __getitem__(self, key):
self.show(key)
def walk(self, index=0):
while index < len(self.pkts):
self.show(index)
try:
input("(current packet - %s) Next packet?" % index)
except Exception as e:
pass
index += 1
if __name__ == '__main__':
from scapy.utils import rdpcap
import sys
import code
packets = rdpcap(sys.argv[1])
p = Display(packets)
def walk(index=0):
p.walk(index=index)
code.interact(local=locals())
CWR = 0x80
MY_IPADDR = '10.53.191.187'
TOTAL_BYTES = 0
cmhs_servers = {
'cmhs1':'144.160.173.30',
'cmhs2':'144.160.173.31',
'cmhs3':'144.160.231.24',
'cmhs4':'144.160.231.25',
}
PRIMARY_CMHS = '144.160.231.24'
SECONDARY_CMHS = '144.160.173.30'
pkts = rdpcap('usb0.pcap')
for pkt in pkts:
if 'IP' in pkt:
# if pkt is goting to or coming from one of the cmhs servers, process it
#print pkt['IP'].src, pkt['IP'].dst
if pkt['IP'].src in cmhs_servers.values() or pkt['IP'].dst in cmhs_servers.values():
# add pkt length in total bytes
timestamp = datetime.datetime.fromtimestamp(pkt.time).strftime('%Y-%m-%d %H:%M:%S')
TOTAL_BYTES += len(pkt)
if 'TCP' in pkt:
FLAGS = pkt['TCP'].flags
if FLAGS & SYN and pkt['IP'].src == MY_IPADDR:
print timestamp,':', pkt['IP'].src, '->', pkt['IP'].dst, 'SYNC'
if FLAGS & FIN:
print timestamp,':', pkt['IP'].src, '->', pkt['IP'].dst, 'FIN'
if FLAGS & RST:
#!/bin/env python
from NFTest import *
from scapy.utils import rdpcap
from reg_defines_secret_flow import *
phy2loop0 = ('../connections/conn', [])
nftest_init(sim_loop = [], hw_config = [phy2loop0])
nftest_start()
pkts = rdpcap("udp.pcap")
pkt=pkts[0]
secret_pkts = rdpcap("udp-secret.pcap")
secret_pkt=secret_pkts[0]
key = 0xdeadbeef;
nftest_regwrite(SECRET_FLOW_KEY_REG(),key);
nftest_regread_expect(SECRET_FLOW_KEY_REG(),key);
nftest_send_phy('nf2c0', pkt)
nftest_expect_phy('nf2c1', secret_pkt)
if not isHW():
nftest_expect_phy('nf2c2', secret_pkt)
nftest_expect_phy('nf2c3', secret_pkt)
nftest_barrier()
total_errors = 0
from scapy.all import *
from scapy.utils import rdpcap
import Ubertooth
a=rdpcap("kevo-token.pcap")
ubertooth = Ubertooth.Ubertooth(0)
print "Serial Number: %s" % ubertooth.serialnum()
print "Board ID: %s" % ubertooth.boardid()
print "Part Number: %s" % ubertooth.partnum()
print "Revision Number: %s" % ubertooth.revnum()
# ubertooth.reset()
for i in a:
ubertooth.packetbuff(str(i)[24:])
print ubertooth.packetbuff()
def main(argv):
inputfile = ''
outputfile = ''
hookfile = ''
try:
opts, args = getopt.getopt(argv,"hi:o:t:",["ifile=","ofile=","transformation="])
except getopt.GetoptError:
print sys.argv[0] + ' -i inputfile -o outputfile -t [hook script]'
print sys.argv[0] + ' -i sample.pcap -o result.pcap -t example'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print 'test.py -i <inputfile> -o <outputfile>'
sys.exit()
elif opt in ("-i", "--ifile"):
inputfile = arg
elif opt in ("-o", "--ofile"):
outputfile = arg
elif opt in ("-t", "--transformation"):
hookfile = arg
#copy packet data to dictionary object
pktdict={}
pkts=rdpcap(inputfile)
i=0
for pkt in pkts:
try:
my_array = []
if pkt.haslayer(TCP):
for d in str(pkt.getlayer(TCP).payload):
my_array.append(d)
if pkt.haslayer(UDP):
for d in str(pkt.getlayer(UDP).payload):
my_array.append(d)
#reverse packet for backtrace on needleman wunch
pktdict[i] = list("".join(reversed(my_array)))
i=i+1
except:
raise
#Create distance matrix
dictSize = len(pktdict)
diffMatrix = zeros((packetsToSample,packetsToSample))
x=0
while x < packetsToSample:
y=0
print ""
print "Packet " + str(x) + ": " + str(pktdict[x])
while y < packetsToSample:
#calculate common substring length between packets
#similarity = lcs(pktdict[x], pktdict[y])
gms, similarity, distance, alignedseq1Discard, alignedseq2Discard = sequencealignment(pktdict[x], pktdict[y])
#distance = 1 - (similarity + 1)/2
print "Packet " + str(x) + " similarity to packet " + str(y) + " = " + str(similarity)
print "Packet " + str(x) + " distance from packet " + str(y) + " = " + str(distance)
#assign value to symmetrically opposite cells
#as Smith-Waterman score follows triangle equality rule
diffMatrix[x][y]=distance
diffMatrix[y][x]=distance
y=y+1
x=x+1
print " "
print "Distance Matrix:"
print diffMatrix
print ""
#Multi-Dimensional Scaling from distances to XY points
#
# Source: http://scikit-learn.org/stable/auto_examples/manifold/plot_mds.html#example-manifold-plot-mds-py
#
seed = np.random.RandomState(seed=3)
mds = manifold.MDS(n_components=2, max_iter=1000, eps=0.8, random_state=seed, dissimilarity="precomputed", n_jobs=1)
pos = mds.fit(diffMatrix).embedding_
pos = manifold.MDS(dissimilarity="precomputed").fit_transform(diffMatrix)
pos *= np.sqrt(100000) / np.sqrt((pos ** 2).sum())
clf = PCA(n_components=2)
pos = clf.fit_transform(pos)
#Display distance matrix
print "Coordinates of plotted packets: "
for p in pos:
print p.astype(int)
#Calculate number of clusters
#
# Source: http://scikit-learn.org/stable/auto_examples/cluster/plot_mean_shift.html
#
print ""
bandwidth = estimate_bandwidth(pos, quantile=0.2, n_samples=500)
ms = MeanShift(bandwidth=bandwidth, bin_seeding=True)
ms.fit(pos)
labels = ms.labels_
cluster_centers = ms.cluster_centers_
labels_unique = np.unique(labels)
n_clusters_ = len(labels_unique)
print("Estimated number of clusters (k): %d" % n_clusters_)
#Plot on graph
pl.figure(1)
pl.clf()
colors = cycle('bgrcmykbgrcmykbgrcmykbgrcmyk')
for k, col in zip(range(n_clusters_), colors):
my_members = labels == k
cluster_center = cluster_centers[k]
pl.plot(pos[my_members, 0], pos[my_members, 1], col + '.')
print ""
print "Cluster: " + str(k)
#print str(my_members)
#Create GMS for cluster using Needleman-Wunch
#
#This section is not part of the clustering code
#
clusterPackets = [];
origionalClusterPackets = [];
offset = 0;
#extract packets from each cluster
for val in my_members:
if(str(val) == "True"):
clusterPackets.append(pktdict[offset]);
offset += 1;
origionalClusterPackets = copy.deepcopy(clusterPackets);
print 'Compressing GMS .',
#compress all GMS pairs to single GMS for the cluster
while len(clusterPackets) > 1:
print '.',
gmsList1 = [];
#calculate generic message sequence for each pair of messages
for i in xrange(len(clusterPackets) - 1):
current_item, next_item = clusterPackets[i], clusterPackets[i + 1]
gms, totalMatch, totalDifference, alignedseq1Discard, alignedseq2Discard = sequencealignment(current_item, next_item)
gmsList1.append(gms)
clusterPackets = copy.deepcopy(gmsList1)
print ""
gmspkt = list(reversed(clusterPackets[0]))
#gmsbin = str("".join(gmspkt))
#compress all substitution characters to a single character
beforeGmsLen = len(gmspkt)+1
afterGmsLen = len(gmspkt)
while(beforeGmsLen > afterGmsLen):
beforeGmsLen = len(gmspkt)
for i in xrange(len(gmspkt) - 1, 0, -1):
if(gmspkt[i] == "-" and gmspkt[i-1] == "-"):
del gmspkt[i]
afterGmsLen = len(gmspkt)
print str(gmspkt)
#print list(reversed(gmspkt))
print ""
#enumerate ngrams in variable data
clusterTokens = [];
for clusPkt in origionalClusterPackets:
gmsDiscard, similarityDiscard, distanceDiscard, alignedseq1Keep, alignedseq2Keep = sequencealignment(clusPkt, list(reversed(gmspkt)))
pktAlignedGMS1 = list(reversed(alignedseq1Keep))
GMSAlignedData = list(reversed(alignedseq2Keep))
tmpData = copy.deepcopy(GMSAlignedData)
packettokens = [];
packettoken = [];
gmsoffset = 0
while gmsoffset < len(GMSAlignedData):
if pktAlignedGMS1[gmsoffset]:
if(pktAlignedGMS1[gmsoffset] != "-"):
tmpData[gmsoffset] = "-"
gmsoffset+=1;
packettokens = copy.deepcopy(tmpData)
splittoken = [];
splittokens = [];
gmsoffset = 0
while gmsoffset < len(packettokens):
if packettokens[gmsoffset]:
if(packettokens[gmsoffset] != "-"):
splittoken.append(copy.deepcopy(packettokens[gmsoffset]))
if(gmsoffset+1 < len(packettokens)):
if(packettokens[gmsoffset+1] == "-"):
if(len(splittoken) > 0):
#TODO:
# having problems with passing by reference
# the beginning of the list vanishes.
splittokens.append(copy.deepcopy(splittoken))
del splittoken[:]
gmsoffset+=1
clusterTokens.append(splittokens)
print
print "GMS: " + str(pktAlignedGMS1)
print "Data: " + str(GMSAlignedData)
print "Masked Data: " + str(tmpData)
print "Tokens: " + str(packettokens)
print "Split Tokens: " + str(splittokens)
print
print ""
#infer token data type
#integer, float, character, string
fieldtype = "Blob"
for tokens in clusterTokens:
for token in tokens:
singleToken = ''.join(token)
newToken = str(singleToken)
if newToken == 'True' or newToken == 'False':
fieldtype = "Flag"
else:
try:
int(newToken)
fieldtype = "Number"
except ValueError:
try:
float(newToken)
fieldtype = "Number"
except ValueError:
fieldtype = "Blob"
chunkOffset = 0;
staticFieldBuff = [];
fieldSwitch = 0;
fieldLength = 1;
print '<DataModel name="cluster' + str(k) + '">'
while chunkOffset < len(gmspkt):
#print conditions
if gmspkt[chunkOffset]:
if(gmspkt[chunkOffset] != "-"):
staticFieldBuff.append(gmspkt[chunkOffset])
if(chunkOffset+1 < len(gmspkt)):
if(gmspkt[chunkOffset] != "-" and gmspkt[chunkOffset+1] == "-"):
#print '<Blob valueType="hex" value="' + str(staticFieldBuff).replace("[", "").replace("]", "").replace("'", "").replace("\\x", "") + '" mutable="false"/>'
print '<Blob valueType="hex" value="',
for c in staticFieldBuff:
print binascii.hexlify(c),
print '" mutable="false"/>'
del staticFieldBuff[:]
if(chunkOffset == 0 and gmspkt[chunkOffset] == "-"):
fieldSwitch = 1
if(chunkOffset-1 > 0):
if(gmspkt[chunkOffset] == "-" and gmspkt[chunkOffset-1] != "-"):
fieldSwitch = 1
if(fieldSwitch == 1):
print '<' + str(fieldtype) + ' mutable="true"/>'
fieldLength=0
fieldSwitch = 0
chunkOffset+=1
fieldLength+=1
print '</DataModel>'
pl.plot(cluster_center[0], cluster_center[1], 'o', markerfacecolor=col, markeredgecolor='k', markersize=8)
pl.title('Estimated number of clusters: %d' % n_clusters_)
pl.show()
def get_ip_address(ifname): #Get IP Address
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
return socket.inet_ntoa(fcntl.ioctl(
s.fileno(),
0x8915, # SIOCGIFADDR
struct.pack('256s', ifname[:15])
)[20:24])
def get_node_id(ip): #Gets the NodeID of this node from the list of NodeIDs
with open("Device List") as deviceList:
for i, line in enumerate(deviceList,1):
if ip in line:
deviceList.close
return i
pkts=rdpcap("FILE2.pcap") #Seeks packets in a PCAP file. This will need to be replaced to be able to do this 'live'
ip = get_ip_address('eth0') #Gets IP of network device executing the code
node = hex((get_node_id(ip)))[2:].zfill(2) #Gets the NodeID
routeFile = open('Routes','w') #Creates a file to record all the routes of packets exiting the network or ending at this node
for pkt in pkts:
if IP in pkt:
del pkt.chksum #Deletes the packet's checksum. Scapy recalculates the checksum later
#Add Marker at Source
if pkt[IP].src == ip: #If the packet originated at this node
pkt = pkt/"gourd" #Add the marker
pkt = pkt/node #Also add the NodeID
#Add Node Number
pkt = pkt/node #If the packet is just passing through this node, add the NodeID
#Delete Marker at Destination
def generatepacket (binfile):
pkts=rdpcap(binfile) # could be used like this rdpcap("filename",500) fetches first 500 pkts
for pkt in pkts:
sendp(pkt) #sending packet at layer 2
import datetime
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20
ECE = 0x40
CWR = 0x80
"""
cmhs1-gr1.dlife.att.com: 144.160.173.30
cmhs2-gr1.dlife.att.com: 144.160.173.31
cmhs3-gr1.dlife.att.com: 144.160.231.24
cmhs4-gr1.dlife.att.com: 144.160.231.25
"""
pkts1=rdpcap("hbtesting_3g.pcap")
pkts2=rdpcap("hbtesting_bb.pcap")
pkts3=rdpcap("hbtesting_3g_2nd.pcap")
dlc="10.55.65.83"
cmhs1="144.160.173.30"
cmhs2="144.160.173.31"
cmhs3="144.160.231.24"
cmhs4="144.160.173.35"
servers = [cmhs1, cmhs2, cmhs3, cmhs4]
#print len(pkts)
for num, pkt in enumerate(pkts3):
if 'DNSQR' in pkt and pkt.dport == 53:
QRid = pkt[DNS].id
