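def map_packet_to_event(self, packet):
    """Translate one sniffed scapy packet into a PacketEvent.

    Returns None when the packet is not interesting: pings when
    ``self.ignore_pings`` is set, and TCP control segments / anything
    zktraffic cannot parse. Four-letter-word admin traffic (ruok, stat, ...)
    is recognised from zktraffic's BadPacket message and surfaced as its own
    ``FourLetter`` event class instead of being dropped.

    Raises the parse error again when ``self.dump_bad_packet`` is set so
    the caller can print it.

    NOTE(review): the payload is untrusted network data. Only ``BadPacket``
    and ``struct.error`` are treated as "not a ZooKeeper message"; any other
    exception raised while dissecting (for example from the zktraffic
    decoders on a malformed frame) propagates out of this method, which is
    worth keeping in mind for a sniffer that should survive garbage input.
    """
    try:
        # NOTE: zktraffic expects this raw_packet rather than packet
        raw_packet = scapy.all.Raw(str(packet))
        zt_msg = self.sniffer.message_from_packet(raw_packet)
        zt_msg.src = '%s:%d' % (packet[scapy.all.IP].src, packet[scapy.all.TCP].sport)
        zt_msg.dst = '%s:%d' % (packet[scapy.all.IP].dst, packet[scapy.all.TCP].dport)
        if self.ignore_pings:
            is_zab_ping = isinstance(zt_msg, ZAB.Ping)
            is_client_ping = isinstance(zt_msg, ClientMessage) and zt_msg.is_ping
            is_server_ping = isinstance(zt_msg, ServerMessage) and zt_msg.is_ping
            if is_zab_ping or is_client_ping or is_server_ping:
                return None
        return self.map_zktraffic_message_to_event(zt_msg)
    except (BadPacket, struct.error) as ex:
        # NOTE: ex happens on TCP SYN, RST and so on
        if ex.args:
            # Detection relies on zktraffic's exception text; brittle, but it
            # is the only signal zktraffic gives for four-letter commands.
            reason = ex.args[0]
            fourletter_class = None
            if 'Four letter request' in reason:
                fourletter_class = 'FourLetterRequest'
            elif 'Four letter response' in reason:
                fourletter_class = 'FourLetterResponse'
            if fourletter_class is not None:
                # presumably a Raw layer is present whenever zktraffic saw a
                # four-letter word; packet.load raises AttributeError otherwise
                return PacketEvent.from_message('_unknown', '_unknown', {'class_group': 'FourLetter', 'class': fourletter_class, 'data': packet.load})
        if self.dump_bad_packet:
            # Bare ``raise`` keeps the original traceback (``raise ex`` drops
            # it on Python 2); the upper caller is expected to print it.
            raise
        return None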
def post_dissect(self, s):
    """Attach a placeholder server->client PacketEvent to ``self.event``.

    The dissected bytes ``s`` are ignored; the message body is a fixed dummy
    dict. Any failure is logged (with traceback) and swallowed so that
    dissection of the remaining packets continues.
    """
    placeholder = {'asdf': 'hjkl'}
    try:
        self.event = PacketEvent.from_message('server', 'client', placeholder)
    except Exception as err:
        LOG.exception(err)
def map_zktraffic_message_to_event(self, zt_msg):
    """Build a PacketEvent from a parsed zktraffic message and log it.

    Entity ids come from ``map_zktraffic_message_to_entity_ids`` and the
    event payload from ``map_zktraffic_message_to_dict``. One colour-coded
    debug line is emitted per message family (FLE, ZAB, client, server);
    anything else is logged as an unknown event. Returns the event.
    """
    src_entity, dst_entity = self.map_zktraffic_message_to_entity_ids(zt_msg)
    payload = self.map_zktraffic_message_to_dict(zt_msg)
    event = PacketEvent.from_message(src_entity, dst_entity, payload)
    # Checked in this order; the first matching family wins.
    families = (
        (FLE.Message, colorama.Back.CYAN + colorama.Fore.BLACK, 'FLE: %s'),
        (ZAB.QuorumPacket, colorama.Back.WHITE + colorama.Fore.BLACK, 'ZAB: %s'),
        (ClientMessage, colorama.Back.BLUE + colorama.Fore.WHITE, 'CM: %s'),
        (ServerMessage, colorama.Back.RED + colorama.Fore.WHITE, 'SM: %s'),
    )
    for msg_type, colour, fmt in families:
        if isinstance(zt_msg, msg_type):
            LOG.debug(colour + fmt + colorama.Style.RESET_ALL, event)
            break
    else:
        LOG.debug('Unknown event %s', event)
    return event
def map_packet_to_event(self, packet):
    """Defer FLE-looking packets as hexdumped PacketEvents; drop the rest.

    Heuristic: a TCP segment whose source or destination port is one of the
    FLE ports handed out by PortAssignment.java, and which carries a
    non-empty payload, is treated as FLE traffic. The payload is not parsed
    (see TODO below); it is hexdumped verbatim into the event. Returns None
    for every other packet.
    """
    ## heuristic: FLE ports tend to be these ones. (PortAssignment.java)
    fle_ports = (11223, 11226, 11229, 11232)
    ip_layer, tcp_layer = packet['IP'], packet['TCP']
    payload = tcp_layer.payload
    touches_fle_port = tcp_layer.sport in fle_ports or tcp_layer.dport in fle_ports
    if not (touches_fle_port and payload):
        return None
    src_entity = 'entity-%s:%d' % (ip_layer.src, tcp_layer.sport)
    dst_entity = 'entity-%s:%d' % (ip_layer.dst, tcp_layer.dport)
    ## TODO: use zktraffic to parse the payload
    ## Currently zktraffic does not work well, because some packets get corked when the delay is injected.
    message = {'payload': hexdump(str(payload), result='return')}
    deferred_event = PacketEvent.from_message(src_entity, dst_entity, message)
    LOG.info('defer FLE packet: %s', deferred_event)
    return deferred_event
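def map_packet_to_event(self, pkt):
    """Wrap the whole raw packet, base64-encoded, in a placeholder PacketEvent.

    Both entity ids are the fixed string "dummy". ``bytes(pkt)`` serialises
    the scapy packet on both Python 2 (where ``bytes`` is ``str``) and
    Python 3; the previous ``str(pkt)`` yields text on Python 3, which
    ``base64.b64encode`` rejects.

    NOTE(review): the event carries the complete packet, headers and payload
    included; check that whatever consumes these events is allowed to see
    raw wire data before using this mapper outside of debugging.
    """
    encoded = base64.b64encode(bytes(pkt))
    return PacketEvent.from_message(src_entity="dummy", dst_entity="dummy", message=encoded)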