コード例 #1
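def dotransform(request, response):
    """Carve the files carried in a pcap and add one RebuiltFile entity per file.

    Args:
        request: Maltego transform request. ``request.value`` is the pcap path;
            ``request.fields['sniffMyPackets.outputfld']`` is the output folder
            chosen by the "L0 - Prepare pcap" transform.
        response: Maltego transform response the entities are appended to.

    Returns:
        ``response`` extended with a RebuiltFile entity for every distinct
        (path, file type, sha1) triple found under ``<folder>/files``, or with
        a UIMessage when the output folder field is missing.
    """
    import subprocess  # function-scope import: the file's import block is not in view here

    try:
        folder = request.fields['sniffMyPackets.outputfld']
    except KeyError:  # only a missing field is expected; anything else should propagate
        return response + UIMessage(
            'No output folder defined, run the L0 - Prepare pcap transform')

    tmpfolder = folder + '/files'
    if not os.path.exists(tmpfolder):
        os.makedirs(tmpfolder)

    dissector = Dissector()  # instance of dissector class
    dissector.change_dfolder(tmpfolder)
    dissector.dissect_pkts(request.value)  # writes the carved files into tmpfolder

    objects = []  # ordered, de-duplicated (path, ftype, sha1) triples
    for path in sorted(glob.glob(tmpfolder + '/*')):
        # The dissector's stream dumps are not carved files. Match on the base
        # name, not the whole path, so an output folder that happens to contain
        # 'stream' does not silently skip everything.
        if 'stream' in os.path.basename(path):
            continue

        # File names are derived from pcap content and therefore attacker
        # controlled: pass them as an argv element, never through a shell
        # string. `file -b` omits the "path:" prefix, so there is nothing to
        # parse back out of the output.
        try:
            ftype = subprocess.check_output(
                ['file', '-b', path], universal_newlines=True).strip()
        except (OSError, subprocess.CalledProcessError):
            continue  # no type information; the original produced no entity for this case either

        with open(path, 'rb') as fh:  # close the handle; the original leaked it
            fhash = hashlib.sha1(fh.read()).hexdigest()

        details = path, ftype, fhash
        if details not in objects:
            objects.append(details)

    for fpath, ftype, fhash in objects:
        e = RebuiltFile(fpath)
        e.ftype = ftype
        e.fhash = fhash
        e += Field('pcapsrc',
                   request.value,
                   displayname='Original pcap File',
                   matchingrule='loose')
        e += Field('sniffMyPackets.outputfld',
                   folder,
                   displayname='Folder Location')
        e.linklabel = ftype
        e.linkcolor = 0xFF9900
        response += e
    return response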
コード例 #2
ファイル: findpdf.py プロジェクト: mfrigillana/sniffMyPackets
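def _pdf_ack_number(pkts):
  """Return the TCP ack number of the last segment advertising a PDF body, or None.

  Only TCP segments with a Raw payload are considered; the original called
  ``getlayer(TCP)`` on any packet with a Raw layer and would have failed on
  non-TCP traffic.
  """
  artifact = b'Content-Type: application/pdf'
  ack = None
  for x in pkts:
    if x.haslayer(TCP) and x.haslayer(Raw) and artifact in x.getlayer(Raw).load:
      ack = x.getlayer(TCP).ack
  return ack


def _collect_stream(pkts, ack):
  """Concatenate the Raw payloads of every TCP segment whose ack or seq equals ``ack``."""
  chunks = []
  for p in pkts:
    if p.haslayer(TCP) and p.haslayer(Raw):
      tcp = p.getlayer(TCP)
      if tcp.ack == ack or tcp.seq == ack:
        chunks.append(p.getlayer(Raw).load)
  return b''.join(chunks)


def _trim_to_pdf(data):
  """Return the lines of ``data`` from the last '%PDF-' line up to (excluding) the last '%%EOF' line.

  The slice matches what the original computed: the header line is kept and
  the line holding the EOF marker is dropped. A missing marker falls back to
  the start or end of the stream instead of raising on an empty index.
  """
  import io  # function-scope import: the file's import block is not in view here
  # BytesIO.readlines() splits on '\n' only, exactly like the file.readlines()
  # call on the temp file that this replaces (bytes.splitlines would also
  # split on '\r', which PDFs legitimately use as an end-of-line).
  lines = io.BytesIO(data).readlines()
  start = b'%PDF-'
  # The original also listed '.%%EOF', '.%%EOF.' and '..%%EOF..'; every one
  # of those contains '%%EOF', so the single substring test is equivalent.
  end = b'%%EOF'
  firstcut = 0
  secondcut = len(lines)
  for idx, line in enumerate(lines):
    if start in line:
      firstcut = idx
  for idx, line in enumerate(lines):
    if end in line:
      secondcut = idx
  return lines[firstcut:secondcut]


def dotransform(request, response):
  """Reassemble a PDF served over HTTP in the pcap and add it as a RebuiltFile entity.

  Args:
    request: Maltego transform request. ``request.value`` is the pcap path;
      ``request.fields['sniffMyPackets.outputfld']`` is the output folder
      (a missing field raises KeyError, as before).
    response: Maltego transform response the entity is appended to.

  Returns:
    ``response`` with a RebuiltFile entity for ``<folder>/output.pdf``, or
    ``response`` unchanged when no packet advertised a PDF body.
  """
  pkts = rdpcap(request.value)
  tmpfolder = request.fields['sniffMyPackets.outputfld']
  pdffile = tmpfolder + '/output.pdf'

  ack = _pdf_ack_number(pkts)
  if ack is None:
    # Nothing in the capture announced a PDF; the original went on to call
    # int('') here and raised ValueError. There is no file to rebuild.
    return response

  data = _collect_stream(pkts, ack)

  # Trim in memory. The old round trip through a fixed /tmp/tmp.pdf path was
  # a predictable, world-shared temp file and only served to re-split the
  # bytes into lines. Binary mode keeps the payload byte-for-byte.
  with open(pdffile, 'wb') as outfile:
    outfile.writelines(_trim_to_pdf(data))

  e = RebuiltFile(pdffile)
  e.linklabel = 'PDF File'
  e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
  e += Field('sniffMyPackets.outputfld', tmpfolder, displayname='Folder Location')
  e.linkcolor = 0xFF9900
  response += e
  return response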