def dotransform(request, response):
# Download GeoIP Database from MaxMinds
if not os.path.exists('/opt/geoipdb/geoipdb.dat'):
return response + UIMessage('Need local install of MaxMinds Geo IP database, use the download script in resource/external/geoipdownload.sh')
gi = pygeoip.GeoIP('/opt/geoipdb/geoipdb.dat')
pcap = request.value
pkts = rdpcap(pcap)
ip_raw = []
ip_geo = []
ip_exclusions = ['192.168.', '172.16.', '10.']
for x in pkts:
if x.haslayer(IP):
src = x.getlayer(IP).src
if src != '0.0.0.0':
if src not in ip_raw:
ip_raw.append(src)
for s in ip_raw:
if ip_exclusions[0] in s or ip_exclusions[1] in s or ip_exclusions[2] in s:
pass
else:
rec = gi.record_by_addr(s)
city = rec['city']
postcode = rec['postal_code']
country = rec['country_name']
lng = rec['longitude']
lat = rec['latitude']
ccode = rec['country_code']
google_map_url = 'https://maps.google.co.uk/maps?z=20&q=%s,%s' %(lat, lng)
geo_ip = s,city, postcode, country, ccode, str(lng), str(lat), google_map_url
if geo_ip not in ip_geo:
ip_geo.append(geo_ip)
for ip, city, postcode, country, ccode, lng, lat, gmap in ip_geo:
e = Location(country)
e.country = country
e.city = city
e.linkcolor = 0x2314CA
e.linklabel = ip
e.areacode = postcode
e.longitude = float(lng)
e.latitude = float(lat)
e.countrycode = ccode
e += Field('ipaddress', ip, displayname='IP Address')
e += Field('geomapurl', gmap, displayname='Google Map URL')
e += Field('pcapsrc', pcap, displayname='Original pcap File')
response += e
return response
