def read_pcap_raw(my_pcap_file: str = '../test.pcap') -> [FireData]:
"""
reads the pcap file and get raw content from it
:param my_pcap_file:
:return:
"""
testcap = open(my_pcap_file, 'rb')
capfile = savefile.load_savefile(testcap, verbose=False)
testcap.close()
fire_data_collection = []
for cap in capfile.packets:
try:
packet, header = next_bytes(cap.raw(), 42)
packet, payload = next_bytes(packet, 1206)
packet, block_fire_data = next_bytes(payload, 1200)
# fire_data = []
for i in range(12):
block_fire_data, data = next_bytes(block_fire_data, 100)
fire_data_collection.append(FireData.FireData.create_with_date(data))
# fire_data_collection.append(fire_data)
except ValueError:
# TODO this value error is caused because of packets being not containing
# exactly what the documentation claims
# FIX later
pass
return fire_data_collection
def extract_credentials_from_pcap(pcap_file):
from pcapfile import savefile
print("Loading and parsing pcap file:")
testcap = open(pcap_file, 'rb')
capfile = savefile.load_savefile(testcap, layers=1, verbose=True)
print("\n")
for packet in capfile.packets:
packet = bytearray(binascii.unhexlify(packet.packet.payload))
if (len(packet) <= 40): # tcp header
continue
packet = packet[40:] # tcp header
command = get_command_from_header(packet)
if command != 513:
if g_debug:
print("Not control command, continuing to next packet, command: %d" % command)
continue
device_id = binascii.hexlify(packet[40:43]).decode("utf-8")
phone_id = binascii.hexlify(packet[44:46]).decode("utf-8")
device_pass = binascii.hexlify(packet[48:52]).decode("utf-8")
return device_id, phone_id, device_pass
print("ERROR: Didn't find ids in pcap file")
exit(-1)
def main():
if(len(sys.argv) != 2):
print("Usage: python parsePcap.py <pcap.file>")
return
fileIn = open(sys.argv[1])
capFile = savefile.load_savefile(fileIn, verbose=True)
previousMouseState = 0
for packet in capFile.packets:
if(len(hexlify(packet.raw())) == 70):
leftoverPacketData = hexlify(packet.raw())[54:]
if(hexlify(packet.raw())[43] == '1'):
keyPressed = int(leftoverPacketData[4:6], 16);
if keyPressed in hidMap:
if(keyPressed == 0):
print(leftoverPacketData)
else:
print(hidMap[keyPressed])
else:
clicked = int(leftoverPacketData[0:2], 16)
if(clicked == 1):
print("Mouse clicked!"+str(packet.timestamp))
else:
print("Mouse unclicked!")
def output_packets(fname, num_packets):
print("PCAP file is ", fname)
fp = open(fname, 'rb')
pcap = savefile.load_savefile(fp, layers=3, verbose=True)
print(pcap)
if len(pcap.packets) < num_packets:
max_packet = len(pcap.packets)
else:
max_packet = num_packets
for i in range(0, max_packet):
eth_frame = pcap.packets[i]
print(eth_frame)
type = eth_frame.packet.type
if type == 0x0800: # IP
ip_packet = eth_frame.packet.payload
print(ip_packet)
layer3_packet = ip_packet.payload
print(layer3_packet)
elif type == 0x8100: # VLAN
vlan_packet = eth_frame.packet.payload
print(vlan_packet)
ip_packet = vlan_packet.payload
print(ip_packet)
layer3_packet = ip_packet.payload
print(layer3_packet)
print()
def pcapinfo():
import sys
from pcapfile import savefile
testcap = open('E:/Cyber/test.pcap', 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
sys.stdout = open('E:/Cyber/pcapinfo.txt', 'w')
print capfile
def test_lazy_import(self):
"""
Test the lazy packet parsing against the regular implementation.
"""
# Load the savefile again, but create an iterator for the
# packets instead of reading them all into memory at once.
tfile = create_pcap()
capfile_gen = savefile.load_savefile(tfile, lazy=True)
# Create a list of packets using the iterator. This way the
# length can be checked before comparing any content.
packets = list(capfile_gen.packets)
tfile.close()
if os.path.exists(tfile.name):
os.unlink(tfile.name)
self.assertEqual(len(packets), len(self.capfile.packets),
'lazy parsing gives different number of packets!')
# Compare the relevant parts of the packets.
fields = ['timestamp', 'timestamp_us', 'capture_len',
'packet_len', 'packet']
for act, ref in zip(packets, capfile_gen.packets):
for field in fields:
self.assertEqual(getattr(act, field), getattr(ref, field),
'lazy parsing gives different data!')
def main():
s=""
lastt=0
if(len(sys.argv) != 2):
print("Usage: python parsePcap.py <pcap.file>")
return
fileIn = open(sys.argv[1])
capFile = savefile.load_savefile(fileIn, verbose=True)
for packet in capFile.packets:
if(len(hexlify(packet.raw())) == 0x41*2):
leftoverPacketData = hexlify(packet.raw())[-2:]
t=packet.timestamp*1000+packet.timestamp_ms
diff=t-lastt
lastt=t
if diff>100000:
continue
if leftoverPacketData!="03":
if diff>300:
s+="_"
else:
s+="."
else:
if diff<300:
s+=""
else:
s+=" "
print s
def parsepcapfilejoin(s, filename):
global basetimestamp
global lastfiletimestamp
global lastcount
testcap = open(filename, 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
count = 1
prevtimestamp = capfile.packets[0].timestamp
if (basetimestamp == 0):
basetimestamp = prevtimestamp
else:
if (lastfiletimestamp == prevtimestamp):
count = lastcount
print "process:", filename, "len(capfile.packets):", len(capfile.packets)
print basetimestamp
ts = np.array([])
for pkt in capfile.packets[1:]:
timestamp = pkt.timestamp
d = timestamp - prevtimestamp
if (d == 0):
count += 1
else:
#print prevtimestamp, "count:", count
if (count > THRESH_PKT):
s = np.append(s, prevtimestamp - basetimestamp)
prevtimestamp = timestamp
count = 1
#print prevtimestamp, "count:", count
if (count > THRESH_PKT):
s = np.append(s, prevtimestamp - basetimestamp)
lastfiletimestamp = timestamp
lastcount = count
s = np.unique(s)
return s
def init_capfile(self, layers=0):
"""Initialise the capture file."""
tfile = create_pcap()
self.capfile = savefile.load_savefile(tfile, layers=layers)
tfile.close()
if os.path.exists(tfile.name):
os.unlink(tfile.name)
def test_lazy_import(self):
"""
Test the lazy packet parsing against the regular implementation.
"""
# Load the savefile again, but create an iterator for the
# packets instead of reading them all into memory at once.
tfile = create_pcap()
capfile_gen = savefile.load_savefile(tfile, lazy=True)
# Create a list of packets using the iterator. This way the
# length can be checked before comparing any content.
packets = list(capfile_gen.packets)
tfile.close()
if os.path.exists(tfile.name):
os.unlink(tfile.name)
self.assertEqual(len(packets), len(self.capfile.packets),
'lazy parsing gives different number of packets!')
# Compare the relevant parts of the packets.
fields = [
'timestamp', 'timestamp_us', 'capture_len', 'packet_len', 'packet'
]
for act, ref in zip(packets, capfile_gen.packets):
for field in fields:
self.assertEqual(getattr(act, field), getattr(ref, field),
'lazy parsing gives different data!')
def init_capfile(self, layers=0):
"""Initialise the capture file."""
tfile = create_pcap()
self.capfile = savefile.load_savefile(tfile, layers=layers)
tfile.close()
if os.path.exists(tfile.name):
os.unlink(tfile.name)
def parsepcapfilesingle(s, cs, filename):
testcap = open(filename, 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
count = 1
prevtimestamp = getTimeStamp(capfile.packets[0])
basetimestamp = prevtimestamp
print "filename:", filename, "len(capfile.packets):", len(capfile.packets)
print basetimestamp
ts = np.array([])
for pkt in capfile.packets[1:]:
timestamp = getTimeStamp(pkt)
d = timestamp - prevtimestamp
if (d == 0):
count += 1
else:
#print "count:", count
if (count > THRESH_PKT):
#print prevtimestamp-basetimestamp, "count:", count
s = np.append(s, prevtimestamp - basetimestamp)
cs = np.append(cs, count)
prevtimestamp = timestamp
count = 1
#print prevtimestamp, "count:", count
if (count > THRESH_PKT):
s = np.append(s, prevtimestamp - basetimestamp)
lastfiletimestamp = timestamp
lastcount = count
s = np.unique(s)
return s, cs
def read_file():
testcap = open('cia.pcap', 'rb')
capfile = savefile.load_savefile(testcap, layers=2, verbose=True)
# print the packets
#print ('timestamp\teth src\t\t\teth dst\t\t\tIP src\t\tIP dst')
pkt_list = []
for pkt in capfile.packets:
timestamp = pkt.timestamp
# all data is ASCII encoded (byte arrays). If we want to compare with strings
# we need to decode the byte arrays into UTF8 coded strings
eth_src = pkt.packet.src.decode('UTF8')
eth_dst = pkt.packet.dst.decode('UTF8')
ip_src = pkt.packet.payload.src.decode('UTF8')
ip_dst = pkt.packet.payload.dst.decode('UTF8')
#print ('{}\t\t{}\t{}\t{}\t{}'.format(timestamp, eth_src, eth_dst, ip_src, ip_dst))
a = {
"eth_src": eth_src,
"eth_dst": eth_dst,
"ip_src": ip_src,
"ip_dst": ip_dst
}
pkt_list.append(a)
#print(pkt_list)
return (pkt_list)
def convertmf_image(arguments):
'''
Read PCAP frame by frame. The packet contains 4 bytes of timestamp, 2 bytes of fragment index
'''
while True:
filename_in = arguments["--filein"]
filename_out = arguments["--fileout"]
offset_str = arguments["--offset"]
(result, filecap) = open_file(filename_in, 'rb')
if not result:
logger.error("Failed to open file '{0}' for reading".format(filename_in))
break
(result, width, height) = parse_arguments_resolution(arguments["--resolution"])
if not result:
break
(result, ffmpeg_path) = parse_arguments_ffmpeg(arguments)
if not result:
logger.error("This mode requires correct ffmpeg path. Exiting.")
break
packets = savefile.load_savefile(filecap, verbose=True).packets
logger.info("Processing '{0}' packets, resolution {1}x{2}".format(
len(packets), width, height))
files = convertmf_dump_pcap(packets, filename_out)
frame_index = 0
for filename_out in files:
convertmf_rgb565_png(filename_out, frame_index, width, height, ffmpeg_path)
frame_index = frame_index + 1
break
def read_packet_dump():
print('[DEBUG] Starting read_packet() method')
testcap = open('example.pcap', 'rb')
packet_dump = savefile.load_savefile(testcap, verbose=True)
print('[INFO] Packet quantity: ' + str(len(packet_dump.packets)))
print('[DEBUG] Returning packet dump')
return packet_dump
def start_pcap_parser(r, w, interface):
""" Start parsing incoming packets """
from pcapfile import savefile
from os import write, close, fdopen
try:
cap = savefile.load_savefile(fdopen(r, 'rb'), verbose=False, lazy=True, layers=3)
# packets are loaded lazily via a generator, so we just iterate over them
for p in cap.packets:
payload = p.packet.payload
# discard L1/L2 packets
if isinstance(payload, bytes):
continue
src_port, dst_port = payload.payload.src_port, payload.payload.dst_port
src, dst = payload.src.decode('utf-8'), payload.dst.decode('utf-8')
# {src}:{src_port} {dst}:{dst_port} {interface} {payload}
data_string = '{}:{} {}:{} {} {}\n'.format(src, src_port, dst, dst_port, interface,
payload.payload.payload.decode('utf-8'))
# convert to byte buffer and write to the output pipe
buf = bytes(data_string, 'utf-8')
write(w, buf)
except KeyboardInterrupt:
pass
close(w)
def sanitize(filepath_in,
filepath_out=None,
sequential=True,
ipv4_mask=0,
ipv6_mask=0,
mac_mask=0,
start_ipv4='10.0.0.1',
start_ipv6='2001:aa::1',
start_mac='00:aa:00:00:00:00'):
if not filepath_out:
timestamp = datetime.datetime.now().strftime('%y%m%d-%H%m%S')
filepath_out = os.path.splitext(filepath_in)[
0] + '_sanitized_' + timestamp + os.path.splitext(filepath_in)[1]
mac_gen = MACGenerator(sequential=sequential,
mask=mac_mask,
start_mac=start_mac)
ip4_gen = IPv4Generator(sequential=sequential,
mask=ipv4_mask,
start_ip=start_ipv4)
ip6_gen = IPv6Generator(sequential=sequential,
mask=ipv6_mask,
start_ip=start_ipv6)
with open(filepath_in) as capfile:
#open cap file with pcapfile
cap = savefile.load_savefile(capfile, verbose=False)
#use scapy's pcapwriter
pktwriter = PcapWriter(filepath_out, append=True)
try:
for pkt in cap.packets:
#create scapy packet from pcapfile packet raw output
pkt = Ether(pkt.raw())
#MAC addresses
pkt.src = mac_gen.get_mac(pkt.src)
pkt.dst = mac_gen.get_mac(pkt.dst)
#IP Address
try:
pkt['IP'].src = ip4_gen.get_ip(pkt['IP'].src)
pkt['IP'].dst = ip4_gen.get_ip(pkt['IP'].dst)
except IndexError:
pkt['IPv6'].src = ip6_gen.get_ip(pkt['IPv6'].src)
pkt['IPv6'].dst = ip6_gen.get_ip(pkt['IPv6'].dst)
pktwriter.write(pkt)
finally:
pktwriter.close()
return filepath_out.split('/')[-1]
def getFile(filePath):
try:
testcap = open(filePath, "rb")
capfile = savefile.load_savefile(testcap, layers=2, verbose=True)
testcap.close()
return capfile
except:
print("Invalid file path")
exit()
def main():
testcap = open('./sample_pcap.pcap', 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
sender_src = re.compile(f"192.168.2..")
sender_dst = re.compile(f"192.168.1..")
goodput_per_packet(capfile.packets, sender_src, sender_dst)
def learning_phase(target_ip:str, mix_ip:str, m:int, filename:str) -> list:
cap = savefile.load_savefile(open(filename, 'rb'), layers=2, verbose=True)
send_indices = [
i
for i, p in enumerate(cap.packets)
if p.packet.payload.src.decode('UTF8') == target_ip
]
batches = [next_batch(i, mix_ip, list(cap.packets)) for i in send_indices]
return [ set(map(lambda x: x.packet.payload.dst.decode('UTF8'), batch)) for batch in batches ]
def parsepcap(filename):
testcap = open(filename, 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
print "filename:", filename, "len(capfile.packets):", len(capfile.packets)
ts = np.array([])
for pkt in capfile.packets[1:]:
timestamp = pkt.timestamp * 1000 + pkt.timestamp_ms
#print timestamp
ts = np.append(ts, timestamp)
return ts
def __init__(self, path, transform, layers=0, verbose=False, lazy=False):
from pcapfile.savefile import load_savefile
self.file_raw = open(path, 'rb')
self.file_parsed = load_savefile(self.file_raw,
layers=layers,
verbose=verbose,
lazy=lazy)
super().__init__(self.file_parsed.packets, transform)
def read(filename, verbose=False):
"""
Read metadata from a *.pcap file and return a pandas dataframe
"""
metadata = []
num_tcp, num_udp, num_other = 0, 0, 0
with open(filename, 'rb') as handle:
cap = savefile.load_savefile(handle, layers=3, verbose=verbose)
for frame in cap.packets:
# link layer (ethernet)
timestamp = frame.timestamp
# network layer (ip)
packet = frame.packet.payload
src_team = ip2team(packet.src)
dst_team = ip2team(packet.dst)
protocol = packet.p
# transport layer (udp, tcp)
if isinstance(packet.payload, UDP):
num_udp += 1
segment = packet.payload
len_payload = len(segment.payload)
src_port = segment.src_port
dst_port = segment.dst_port
elif isinstance(packet.payload, TCP):
num_tcp += 1
datagram = packet.payload
len_payload = len(datagram.payload)
src_port = datagram.src_port
dst_port = datagram.dst_port
else:
num_other += 1
# use complete ip packet payload for other protocols
len_payload = len(packet.payload)
src_port, dst_port = None, None
metadata.append((timestamp, protocol,
src_team, src_port, dst_team, dst_port, len_payload))
# convert to pandas data frame
metadata = pd.DataFrame(metadata, columns=COLUMNS).set_index(INDEX)
print("Read metadata of {:,} packets ({:,} TCP, {:,} UDP, {:,} Other)"
.format(metadata.shape[0], num_tcp, num_udp, num_other))
return metadata
def zipped_read_pcap():
testcap = gzip.open(
r'cia.log.5.pcap.gz', 'rb')
capfile = savefile.load_savefile(testcap, layers=2, verbose=True)
# print the packets
print('timestamp\teth src\t\t\teth dst\t\t\tIP src\t\tIP dst')
packet_list = []
for pkt in capfile.packets:
packet_list.append({'ip_src': pkt.packet.payload.src.decode('UTF8'),
'ip_dst': pkt.packet.payload.dst.decode('UTF8')})
return(packet_list)
def sanitize(
filepath_in,
filepath_out=None,
sequential=True,
ipv4_mask=0,
ipv6_mask=0,
mac_mask=0,
start_ipv4="10.0.0.1",
start_ipv6="2001:aa::1",
start_mac="00:aa:00:00:00:00",
):
if not filepath_out:
timestamp = datetime.datetime.now().strftime("%y%m%d-%H%m%S")
filepath_out = os.path.splitext(filepath_in)[0] + "_sanitized_" + timestamp + os.path.splitext(filepath_in)[1]
mac_gen = MACGenerator(sequential=sequential, mask=mac_mask, start_mac=start_mac)
ip4_gen = IPv4Generator(sequential=sequential, mask=ipv4_mask, start_ip=start_ipv4)
ip6_gen = IPv6Generator(sequential=sequential, mask=ipv6_mask, start_ip=start_ipv6)
with open(filepath_in) as capfile:
# open cap file with pcapfile
cap = savefile.load_savefile(capfile, verbose=False)
# use scapy's pcapwriter
pktwriter = PcapWriter(filepath_out, append=True)
try:
for pkt in cap.packets:
# create scapy packet from pcapfile packet raw output
pkt = Ether(pkt.raw())
# MAC addresses
pkt.src = mac_gen.get_mac(pkt.src)
pkt.dst = mac_gen.get_mac(pkt.dst)
# IP Address
try:
pkt["IP"].src = ip4_gen.get_ip(pkt["IP"].src)
pkt["IP"].dst = ip4_gen.get_ip(pkt["IP"].dst)
except IndexError:
pkt["IPv6"].src = ip6_gen.get_ip(pkt["IPv6"].src)
pkt["IPv6"].dst = ip6_gen.get_ip(pkt["IPv6"].dst)
pktwriter.write(pkt)
finally:
pktwriter.close()
return filepath_out.split("/")[-1]
def parsePcapFile(pcapFileName, pcapIndex): # open the pcap file for reading pcap_file_f = open(path + "/" + pcapFileName) capfile = savefile.load_savefile(pcap_file_f, verbose=True) for pkt in capfile.packets: eth_frame = ethernet.Ethernet(pkt.raw()) eth_type = eth_frame.type if(eth_type == 2048): ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload)) # foundIPs[pcapFileName][ip_packet.dst] = ip_packet.dst # push ip into table foundIPs[pcapIndex][ip_packet.dst] = 1 # push ip into table pcap_file_f.close() # close file descriptor
def parsePcapFile(pcapFileName, pcapIndex):
# open the pcap file for reading
pcap_file_f = open(path + "/" + pcapFileName)
capfile = savefile.load_savefile(pcap_file_f, verbose=True)
for pkt in capfile.packets:
eth_frame = ethernet.Ethernet(pkt.raw())
eth_type = eth_frame.type
if (eth_type == 2048):
ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
# foundIPs[pcapFileName][ip_packet.dst] = ip_packet.dst # push ip into table
foundIPs[pcapIndex][ip_packet.dst] = 1 # push ip into table
pcap_file_f.close() # close file descriptor
def main(argv):
if len(argv) < 1:
print "Error: please pass in pcap file."
sys.exit(1)
testcap = open(argv[0], 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
print capfile
#cap = pyshark.FileCapture(argv[0])
#print cap
a=scapy.rdpcap(argv[0])
scapy.sniff(offline=argv[0], prn=history_check)
print packets[0][1].summary()
print packets[0].show()
print packets[0]["TCP"].seq
def main(nazir_ip, mix_ip, nbr_partners, data):
testcap = open(data, 'rb')
capfile = savefile.load_savefile(testcap, layers=2, verbose=True)
all_sets, distinct_sets = learn(nazir_ip, mix_ip, capfile, nbr_partners)
ips = exclude(distinct_sets, all_sets)
print("Found the following partners of Nazir:")
sum = 0
for ip_set in ips:
ip = ip_set.pop()
print("IP: {}".format(ip))
sum += fc.hex_to_int(fc.ip_to_hex(ip))
print("Sum of IPs: {}".format(sum))
def __init__(self,
path: str,
transform: _T.Callable,
layers: int = 0,
verbose: bool = False,
lazy: bool = False):
from pcapfile.savefile import load_savefile
self.file_raw = open(path, 'rb')
self.file_parsed = load_savefile(self.file_raw,
layers=layers,
verbose=verbose,
lazy=lazy)
super().__init__(self.file_parsed.packets, transform)
def extract_pcap(pcapfile):
try:
open_pcap = open(pcapfile, 'rb')
except IOError:
print("Le fichier n'existe pas !")
pcap_file = savefile.load_savefile(open_pcap, layers=2, verbose=True)
packets_ip = pcap_file.packets
compteur = 0
pair_matches = []
matches = []
clean_matches = []
clean_pairs = re.compile('ipv4 packet from ([^<]* to [^<]*) carrying')
for i in range(len(packets_ip)):
pair_matches.append(str(pcap_file.packets[i].packet.payload))
for i in pair_matches:
clean_pair = re.findall(clean_pairs, i)
if len(clean_pair) > 0:
matches.append(clean_pair[0].replace('b', '').replace("'", ""))
tmp = clean_pair[0].replace('to', '').replace('b',
'').replace("'", "")
clean_matches.append(tmp)
results = [[x, matches.count(x)] for x in set(matches)]
clean_results = [[x, clean_matches.count(x)] for x in set(clean_matches)]
for i in results:
print(str(i[0]) + ' -> ' + str(i[1]) + ' fois')
toGraphics = str(input("Voulez-vous générer des graphiques ? (o/N) "))
if toGraphics.lower() == 'o':
generate_graph(clean_results)
toExport = str(input("Voulez-vous exporter en CSV ? (o/N) "))
if toExport.lower() == 'o':
export_as_csv(clean_results)
else:
print("Merci d'avoir utilisé notre PcapParser !")
sys.exit(0)
else:
toExport = str(input("Voulez-vous exporter en CSV ? (o/N) "))
if toExport.lower() == 'o':
export_as_csv(clean_results)
else:
print("Merci d'avoir utilisé notre PcapParser !")
sys.exit(0)
def test_pcap(pcap_filename, bpf_filename): with open(pcap_filename, 'r') as testcap: capfile = savefile.load_savefile(testcap, layers=0, verbose=False) raw_packets = [pkt.raw() for pkt in capfile.packets] r = Context(bpf_filename) i = 1 for rp in raw_packets: res = emulate_packet( r, binascii.hexlify(rp) ) if res == Context.Accepted: print "packet %d : accepted" % i elif res == Context.Rejected: print "packet %d : rejected" % i i+=1
def openPcapFile(fname):
global sizePcap
print("PCAP file is ", fname)
fp = open(fname, 'rb')
# The following call to the pycapfile library parses packets in the given PCAP
# file down to the third layer in the TCP/IP model: layer1 = data link (ethernet),
# layer2 = network (IP), layer3 = transport(TCP, UDP). It saves the parsed packets
# in the list pcap.packets.
pcap = savefile.load_savefile(fp, layers=3)
sizePcap = len(pcap.packets)
print(pcap)
return pcap
def my_pcap_reader(filename):
testcap = open('../Samples/' + filename + ".pcap", 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
f = open('Results/Traces/' + filename + ".txt", 'w')
# eth_frame = ethernet.Ethernet(capfile.packets[0].raw())
# print eth_frame
# ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
# print ip_packet
for i in range(len(capfile.packets)):
eth_frame = ethernet.Ethernet(capfile.packets[i].raw())
try:
ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
except Exception as e:
print e.message
continue
packet = capfile.packets[i]
packet_type = ""
if ip_packet.p == 6:
packet_type = "TCP"
elif ip_packet.p == 17:
packet_type = "UDP"
else:
packet_type = "Unknown_type"
milisecond = str(packet.timestamp_ms)
while len(milisecond) < 6:
milisecond = "0" + milisecond
t1 = float(str(packet.timestamp % 100000) + "." + milisecond)
t2 = float(
str(capfile.packets[0].timestamp % 100000) + "." +
str(capfile.packets[0].timestamp_ms))
t3 = t1 - t2
t3 = "{0:.6f}".format(t3)
row = str(i + 1) + " " + str(
t3
) + " " + ip_packet.src + " " + ip_packet.dst + " " + packet_type + " " + str(
packet.packet_len)
print(row)
f.write(row + "\n")
print("------------------------------------------------")
f.close()
def generate_graph(self, filename):
# Open the .pcap file
capture = open(filename, "rb")
self.packets = savefile.load_savefile(capture, verbose=True).packets
# Process the packets and generate the adjacency list based on the graph
for p in self.packets:
try:
eth_frame = ethernet.Ethernet(p.raw())
ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
source = ip_packet.src
destination = ip_packet.dst
packet_length = ip_packet.len
protocol = constants.PROTOCOLS[ip_packet.p]
#if source not in _infected_ips and source not in _normal_ips:
# u = ("WAN", protocol)
#else:
infected = True if source in _infected_ips else False
u = (source, protocol, infected)
#if destination not in _infected_ips and destination not in _normal_ips:
# v = ("WAN", protocol)
#else:
infected = True if destination in _infected_ips else False
v = (destination, protocol, infected)
if self.graph.has_edge(u, v):
self.graph[u][v]['weight'] += packet_length
else:
self.graph.add_edge(u, v, weight=packet_length)
self.statistics["total_packets"] += 1
self.statistics["largest_packet"] = max(
packet_length, self.statistics["largest_packet"])
if settings.VERBOSE:
if self.statistics["total_packets"] % 50000 == 0:
print("Processed " +
str(self.statistics["total_packets"]) +
" packets")
except Exception, e:
self.statistics["non_ip_packets"] += 1
def test_pcap(pcap_filename, bpf_filename):
with open(pcap_filename, 'r') as testcap:
capfile = savefile.load_savefile(testcap, layers=0, verbose=False)
raw_packets = [pkt.raw() for pkt in capfile.packets]
r = Context(bpf_filename)
i = 1
for rp in raw_packets:
res = emulate_packet(r, binascii.hexlify(rp))
if res[1] == Context.Accepted:
print "packet %d : accepted" % i
elif res[1] == Context.Rejected:
print "packet %d : rejected" % i
else:
print "packet %d : unknown" % i
i += 1
def get_all_flows_2(cap, attackers, write_to_file):
#input file object and a file to write the flows in formation
flow_file = open(write_to_file, 'a')
flows = []
timestamps = []
for pkt in savefile.load_savefile(cap, lazy=True).packets:
eth_frame = ethernet.Ethernet(pkt.raw())
try:
ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
tcp_packet = tcp.TCP(binascii.unhexlify(eth_frame.payload))
except:
continue
if ip_packet.src.decode("utf-8") in attackers:
flow_file.write('{},{},{},{},{},{}\n'.format(
ip_packet.src.decode("utf-8"), ip_packet.dst.decode("utf-8"),
str(tcp_packet.src_port), str(tcp_packet.dst_port),
str(ip_packet.p), normalized_timestamp(pkt.timestamp)))
else:
continue
flow_file.close()
def run(self, primary_function):
"""
Go through each file in the given directory
that starts with pcap and for each packet
pass it to the function primary function.
"""
try:
from pcapfile import savefile
except ImportError:
print "[-] Error: Make sure you have pcapfile installed!"
print "[-] pip install pypcapfile"
exit(0)
for filename in self.files:
print "Opening with", filename
capfile = open(filename, 'rb')
cap = savefile.load_savefile(capfile, verbose=True)
for packet in cap.packets:
primary_function(Packet(packet))
capfile.close()
def init_capfile(self, layers=0):
"""
Initialise capture file.
"""
self.capfile = savefile.load_savefile(open('test_data/test.pcap', 'r'),
layers=layers)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from twisted.web import server, resource
from twisted.internet import reactor, protocol
from twisted.protocols import sip
import json
import time
from datetime import datetime
from pcapfile import savefile
IP = '127.0.0.1'
audio_testcap = open('audio_in.pcap', "rb")
audio_capfile = savefile.load_savefile(audio_testcap, verbose=True)
video_testcap = open('video_in.pcap', "rb")
video_capfile = savefile.load_savefile(video_testcap, verbose=True)
class Simple(resource.Resource):
isLeaf = True
def render_GET(self, request):
print str(datetime.now()), request
if request.uri.startswith("/doorbots/history"):
request.responseHeaders.addRawHeader(b"content-type", b"application/json")
return json.dumps([])
elif request.uri.startswith("/ring_devices"):
request.responseHeaders.addRawHeader(b"content-type", b"application/json")
return json.dumps({"doorbots":[],"authorized_doorbots":[],"stickup_cams":[],"chimes":[]})
def convert_image(arguments):
while True:
filename_in = arguments["--filein"]
filename_out = arguments["--fileout"]
offset_str = arguments["--offset"]
(result, filecap) = open_file(filename_in, 'rb')
if not result:
logger.error("Failed to open file '{0}' for reading".format(filename_in))
break
(result, fileout) = open_file(filename_out, 'wb')
if not result:
logger.error("Failed to open file '{0}' for writing".format(filename_out))
break
(result, width, height) = parse_arguments_resolution(arguments["--resolution"])
if not result:
break
filename_image = filename_out+".png"
# Read the PCAP file , save the payload (RGB565) in a separate file
offset = int(offset_str, 16)
packets = savefile.load_savefile(filecap, verbose=True).packets
logger.info("Processing '{0}' packets, data offset {1}, resolution {2}x{3}".format(
len(packets), hex(offset), width, height))
for packet in packets:
packet_raw = packet.raw()
#frame_index = struct.unpack('<I', data[FRAME_INDEX_OFFSET:FRAME_INDEX_OFFSET+FRAME_INDEX_SIZE])
#fragment_index = struct.unpack('<I', data[FRAGMENT_INDEX_OFFSET:FRAGMENT_INDEX_OFFSET+FRAGMENT_INDEX_SIZE])
fileout.write(packet_raw[offset:])
fileout.close()
logger.info("Generated file {0}".format(filename_out))
# Generate am image file
img = Image.new('RGB', (width, height), "black")
data = open(filename_out, 'rb').read() # read the RGB565 data from the filename_out
pixels = []
count = len(data)
expected_count = width * height
index = 0
# I assume R5 G6 B5
while index <= (count-2):
pixel = get_pixel_rgb565_1(data, index)
pixels.append(pixel)
index = index + 2
if len(pixels) >= expected_count:
if index < (count-2):
logger.warning("Too much data for the image {0}x{1}. Expected {2} pixels, got {3} pixels".format(
width, height, expected_count, count/2))
break
if len(pixels) < expected_count:
logger.warning("Not enough data for the image {0}x{1}. Expected {2} pixels, got {3} pixels".format(
width, height, expected_count, len(pixels)))
img.putdata(pixels)
img.save(filename_image)
logger.info("Generated file {0}".format(filename_image))
break
from pcapfile import savefile
f=open('/Users/nickgregory/Downloads/shattered.pcap','rb')
cap=savefile.load_savefile(f)
match = "\xff\xd8\xff\xe0\x00\x10JFIF"
assembled = match
best = None
used = []
while True:
for i, pkt in enumerate(cap.packets):
data = pkt.raw()[54:]
if match in data:
offset = data.index(match)
if len(data) - offset > best and i not in used:
best = i
if best is None:
break
data = cap.packets[best].raw()[54:]
offset = data.index(match)
print "Best match of ", match.encode('hex'), "is at pkt idx", best, "offset", offset
assembled += data[offset+len(match):]
match = data[-10:]
used.append(best)
best = None
f = open('out.jpg', 'wb')
f.write(assembled)
f.close()
def setUp(self):
with open('pcapfile/test/test_data/http_conversation.pcap', 'rb') as f:
self.packets = savefile.load_savefile(f, layers=3).packets
__email__ = "*****@*****.**"
parser = argparse.ArgumentParser(description='Multicast Pcap Parser')
#parser.add_argument('-f', '--file', help='Pcap file to open', required=True)
parser.add_argument('-f', '--file', help='Pcap file to open')
args = parser.parse_args()
sequence_dict = {} # format = key = seq, value = timestamp
if not args.file:
testcap = open('/Users/shea/Desktop/CMT/Project2-XPM3/pcaps/mux/20161130.153835.001665773.pcap', 'rb')
else:
testcap = open(args.file, 'rb')
capfile = savefile.load_savefile(testcap)
file_length = capfile.__length__()
for packet in range(0, file_length):
pkt = capfile.packets[packet]
data = binascii.b2a_qp(pkt.raw())
strings = data.split()
sequence = strings[-2].decode()
if sequence not in sequence_dict:
sequence_dict[sequence] = [pkt.timestamp, pkt.timestamp_us]
else:
# The sequence already exists, so it can just be subtracted. In 2016/11, datetime does not support nanoseconds.
if pkt.timestamp_us > sequence_dict[sequence][1]:
# the nano of T1 is greater than T0, simply subtract
print('{0}, {1}'.format(pkt.timestamp_us - sequence_dict[sequence][1], sequence))
else: # the significant portions don't match, clock rolled over 1 sec or > 1 sec diff!
print('WARN: T0:', sequence_dict[sequence][0], sequence_dict[sequence][1], 'T1', pkt.timestamp,
# we only capture 1000 bytes per packet --
# header is 42+88 bytes => 870 bytes data
# => 108 complex values
# => 27 dual-pol baselines (+ some leftover)
n_bls = 27
#n_bls = 16*17/2 * 4
n_windows = 100
packet_cnts = np.zeros(n_windows)
time_slots = np.ones(n_windows) * -1
spectra = np.ones([n_windows, 4096, n_bls*4], dtype=complex)*2**31
for fn in args:
with open(fn, 'r') as fh:
print 'loading %s'%fn
capfile = savefile.load_savefile(fh)
for pn, p in enumerate(capfile.packets[::1]):
if pn % 10000 == 0:
print 'Read %d packets'%pn
# check this is an X packet
if p.packet_len == 4482:
mcnt, chan, xeng, acc_num = decode_x_header(p.raw()[42:])
t = mcnt >> 12 #the lower bits of mcnt are a channel ID (and should be fixed per roach)
t = acc_num
window = t%n_windows
data = struct.unpack('>%dl'%(n_bls*2*4), p.raw()[hdr_len:hdr_len + (4*n_bls*8)])
data_c = np.array(data[::2]) + 1j*np.array(data[1::2])
data_c /= 1792.
#print pn, acc_num, mcnt, xeng, mcnt>>12, '%4d'%(mcnt&(2**12-1)), 'chan: %4d'%chan, data_c[0]
time_slots[window] = t
packet_cnts[window] += 1
parser = OptionParser()
parser.add_option("-f", "--file", dest="filename",
help="pcap file to parse", metavar="FILE")
parser.add_option("-p", "--protocol", dest="protocol",
help="protocol to add", metavar="PROTOCOL", default="INSERT_PROTOCOL")
(options, args) = parser.parse_args()
if options.filename is None or options.filename == "":
print "ERROR: Filename cannot be empty\n\n"
parser.print_help();
sys.exit(1)
testcap = open(options.filename)
capfile = savefile.load_savefile(testcap, layers=2)
flows = {}
flowsList = []
for packet in capfile.packets :
ip_packet = packet.packet.payload
# UDP or TCP
if ip_packet.p != 17 and ip_packet.p != 6:
print "Not TCP or UDP"
continue
ip_tuple = IPv4Tuple(ip_packet.src, ip_packet.dst, ip_packet.p, ip_packet.payload, options.protocol)
if ip_tuple.dict_repr() in flows:
#!/usr/bin/env python
import sys
import zlib
import lz4
import brotli
from pcapfile import savefile
for arg in sys.argv[1:]:
pcap = savefile.load_savefile(open(arg, 'r'))
for i in range(0, len(pcap.packets)):
# strip IP/UDP
pkt = pcap.packets[i].raw()[42:]
# do not compress header
zlib_len = len(zlib.compress(pkt[12:])) + 12
lz4_len = len(lz4.compress(pkt[12:])) + 12
bro_len = len(brotli.compress(pkt[12:])) + 12
print('[%d] base: %4dB, zlib: %4dB, lz4: %4dB, brotli: %4dB' % \
(i, len(pkt), zlib_len, lz4_len, bro_len))
def main(workspace='', args=None, parser=None):
parser.add_argument('-s', '--source', nargs='*', help='Filter packets by source'),
parser.add_argument('-d', '--dest', nargs='*', help='Filter packets by destination'),
parser.add_argument('--dry-run', action='store_true', help='Do not touch the database. Only print the object ID')
parser.add_argument('-v', '--verbose', action='store_true', help='Verbose output from the pcapfile library.')
parser.add_argument('pcap', help='Path to the PCAP file'),
parsed_args = parser.parse_args(args)
try:
from pcapfile import savefile
import pcapfile
except ImportError:
print 'capfile not found, please install it to use this plugin.' \
' You can do it executing pip2 install pcapfile in a shell.'
return 1, None
if not os.path.isfile(parsed_args.pcap):
print "pcap file not found: " % parsed_args.pcap
return 2, None
testcap = open(parsed_args.pcap, 'rb')
try:
capfile = savefile.load_savefile(testcap, layers=2, verbose=parsed_args.verbose)
except pcapfile.Error:
print "Invalid pcap file"
return 3, None
print 'pcap file loaded. Parsing packets...'
# Set() to store already added hosts. This will save an enormous amount of time by not querying the database
# for hosts we already know are in Faraday
added = set()
for packet in capfile.packets:
if packet.packet.type != 2048:
continue
src = packet.packet.payload.src
dst = packet.packet.payload.dst
if parsed_args.source and not src in parsed_args.source:
continue
if parsed_args.dest and not dst in parsed_args.dest:
continue
if src not in added:
# Lets save additional queries for this IP, it will already be on the database anyway!
added.add(packet.packet.payload.src)
# Parsing of source field
obj = factory.createModelObject(models.Host.class_signature, src,
workspace, os=None, parent_id=None)
old = models.get_host(workspace, obj.getID())
if old is None:
if not parsed_args.dry_run:
models.create_host(workspace, obj)
print '%s\t%s' % (src, obj.getID())
if dst not in added:
# Lets save additional queries for this IP, it will already be on the database anyway!
added.add(packet.packet.payload.dst)
# Parsing of destination field
obj = factory.createModelObject(models.Host.class_signature, dst,
workspace, os=None, parent_id=None)
old = models.get_host(workspace, obj.getID())
if old is None:
if not parsed_args.dry_run:
models.create_host(workspace, obj)
print '%s\t%s' % (dst, obj.getID())
return 0, None
from pcapfile import savefile
from pcapfile.protocols.linklayer import ethernet
from pcapfile.protocols.network import ip
from pcapfile.protocols.transport import udp
import binascii
import rtp
import sys
# Tested with Python 2.7 and pypcapfile 0.11.1
if len(sys.argv) < 2:
print "Usage: python rtp_gap.py <pcap>\n"
capfile = savefile.load_savefile(open(sys.argv[1], 'rb'), verbose=False)
last_seq = 0
in_gap = False
for packet in capfile.packets:
eth_frame = ethernet.Ethernet(packet.raw())
# Is it IP?
if eth_frame.type == 0x0800:
ip_packet = ip.IP(binascii.unhexlify(eth_frame.payload))
# Is it UDP?
if ip_packet.p == 17:
udp_packet = udp.UDP(binascii.unhexlify(ip_packet.payload))
# Simple RTP identification heuristic
def main(inputs):
for input_file in inputs:
with open(input_file) as f:
pcap = savefile.load_savefile(f, verbose=True)
print(pcap)
from pcapfile import savefile
testcap = open('my_file.pcap', 'rb')
capfile = savefile.load_savefile(testcap, verbose=True)
data=[];
temp=[];
row = 0;
column = 0;
for count, elem in enumerate(capfile.packets):
#print "Packet number "+ str(count)+" capture_len is "+str(elem.capture_len)+"\r\n";
temp_str = bytearray.fromhex(elem.packet)
temp_str = temp_str[64:];
for elem1 in temp_str:
temp.append(elem1);
temp_str = ":".join(map(str, temp_str));
#temp_str= temp_str[:-1];
data.append(temp_str);
temp_length = elem.capture_len;
#print "Data is " + temp_str[64:]
target = open('/home/itsy/Downloads/packet_data.txt', 'w');
target.truncate();
for packet in data:
#dat=packet.split(':');
#print [map(hex, l) for l in a]
#dat = [int(x, 10) for x in dat];
#print [map(hex, dat)]
target.write(packet);
target.write("\r\n");
target.close();
def read_file(filename):
capfile = savefile.load_savefile(open(filename, 'r'))
return capfile
