def isIP(p):
ether_packet = ImpactDecoder.EthDecoder().decode(p)
eth_type = hex(ether_packet.get_ether_type())
if getNameProtocolEthernet(eth_type) == "IPv4":
return True
else:
return False
def decodeLayer2(self, header, payload):
def formatMacAddress(arrayMac):
return ":".join("{0:0>2}".format(hex(b)[2:])
for b in arrayMac.tolist())
if self.datalink == pcapy.DLT_EN10MB:
l2Decoder = Decoders.EthDecoder()
l2Proto = "Ethernet"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = formatMacAddress(layer2.get_ether_shost())
l2DstAddr = formatMacAddress(layer2.get_ether_dhost())
l2Payload = payload[layer2.get_header_size():]
etherType = layer2.get_ether_type()
elif self.datalink == pcapy.DLT_LINUX_SLL:
l2Decoder = Decoders.LinuxSLLDecoder()
l2Proto = "Linux SLL"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = layer2.get_addr()
l2DstAddr = None
l2Payload = payload[layer2.get_header_size():]
etherType = layer2.get_ether_type()
elif self.datalink == PCAPImporter.PROTOCOL201:
l2Proto = "Protocol 201"
hdr = payload.encode('hex')[0:8]
if hdr[6:] == "01":
l2SrcAddr = "Received"
else:
l2SrcAddr = "Sent"
l2DstAddr = None
l2Payload = payload[8:]
etherType = payload[4:6]
return (l2Proto, l2SrcAddr, l2DstAddr, l2Payload, etherType)
def collector(self, buffer):
""" The collector method for OFTGPacket plugin is responsible for analyzing collected packet data for OFTG-Ninja
payloads. The collector method MUST use the decoder() method to analyze extracted data.
:return: Dict, as returned by decoder()
"""
try:
decoder = ImpactDecoder.EthDecoder()
packet = decoder.decode(buffer)
if packet.get_ether_type() == ImpactPacket.IP.ethertype:
ip = packet.child()
if ip and ip.get_ip_p() == ImpactPacket.ICMP.protocol:
icmppacket = ip.child()
data = icmppacket.get_data_as_string()
result = self.decoder(data)
if result:
# self.logger.debug('%s got a payload from %s' % (self.__class__.__name__, ip.get_ip_src()))
result['Source Host'] = ip.get_ip_src()
result['Protocol Subtype'] = 'ICMP Type'
result['Subtype'] = str(icmppacket.get_icmp_type())
return result
else:
return
else:
return
except Exception as e:
raise
return
def parse_packet(self, header, frame):
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(frame)
ready_indices = []
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
self.lock.acquire()
for i in range(0, len(self.connection_list)):
buffered_packets = self.connection_list[i]
if buffered_packets.add_frame(
ether): #if there's an existing flow
self.lock.release()
if len(ready_indices) > 0:
self.move_ready_packets(ready_indices)
return
if buffered_packets.ready:
ready_indices.append(i)
buffered_packets = BufferedPackets(header, ether)
self.connection_list.append(buffered_packets)
self.lock.release()
if len(ready_indices) > 0:
self.move_ready_packets(ready_indices)
def parse(models, header, packet):
length_groups = [500, 1500]
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(packet)
#print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
if transporthdr.get_data_as_string() != '' and isinstance(transporthdr, ImpactPacket.TCP):
s_addr = iphdr.get_ip_src()
d_addr = iphdr.get_ip_dst()
s_port = transporthdr.get_th_sport()
d_port = transporthdr.get_th_dport()
d_length = transporthdr.get_size()
payload = transporthdr.get_data_as_string()
grams = get_byte_freq(payload, d_length)
group_length = length_groups[len(length_groups)-1]
for i in range(0, len(length_groups) - 1):
if d_length <= length_groups[i]:
group_length = length_groups[i]
group = str(d_port) + "-" + str(group_length)
if group in models:
models[group].add_grams(grams)
else:
models[group] = PaylModel(d_port, group_length)
models[group].add_grams(grams)
def pcap_to_object(pcap_file, obj_file):
"""Create a Python serialized graph object.
Read the pcap file given in parameter, extracts source and destination IP
and write a serialized graph object.
"""
reader = pcapy.open_offline(pcap_file)
print reader.datalink()
print pcapy.DLT_LINUX_SLL
eth_decoder = Decoders.EthDecoder()
sll_decoder = Decoders.LinuxSLLDecoder()
ip_decoder = Decoders.IPDecoder()
dic_ip = ip_dict()
tts_min = 1000
tts_max = 2000
if options.verbose:
print "Reading pcap file..."
while True:
try:
(header, payload) = reader.next()
if True: #tts_min <= header.getts()[0] <= tts_max:
#ethernet = eth_decoder.decode(payload)
sll = sll_decoder.decode(payload)
if sll.get_ether_type() == Packets.IP.ethertype:
#ip = ip_decoder.decode(payload[ethernet.get_header_size():])
ip_src = sll.child().get_ip_src()
ip_dst = sll.child().get_ip_dst()
dic_ip[ip_src][ip_dst] += 1
except Packets.ImpactPacketException, e:
print e
except:
def collector(self, buffer):
try:
decoder = ImpactDecoder.EthDecoder()
packet = decoder.decode(buffer)
if packet.get_ether_type() == ImpactPacket.IP.ethertype:
ip = packet.child()
if ip and ip.get_ip_p() == ImpactPacket.UDP.protocol:
udppacket = ip.child()
data = udppacket.get_data_as_string()
payload = self.decoder(data)
if payload:
self.logger.debug(
'%s got a payload from %s' %
(self.__class__.__name__, ip.get_ip_src()))
# print '%s got a payload from %s' % (self.__class__.__name__, ip.get_ip_src())
result = payload
result['Source Host'] = ip.get_ip_src()
result['Protocol Subtype'] = 'Port'
result['Subtype'] = str(udppacket.get_uh_dport())
return result
else:
return
except Exception as e:
# If the decoding fails, it just wasn't meant to be.
pass
return
def create_test_sock(pcap_filename):
rospy.sleep(0.1)
import pcapy
from StringIO import StringIO
from impacket import ImpactDecoder
body_list = []
cap = pcapy.open_offline(pcap_filename)
decoder = ImpactDecoder.EthDecoder()
while True:
header, payload = cap.next()
if not header: break
udp = decoder.decode(payload).child().child()
body_list.append(udp.child().get_packet())
data_io = StringIO(''.join(body_list))
class MockSocket(object):
def recv(self, byte_count):
rospy.sleep(0.0001)
data = data_io.read(byte_count)
if data == "":
rospy.signal_shutdown("Test completed.")
return data
def settimeout(self, timeout):
pass
return MockSocket()
def getMessageDetails(self, messageID):
if not messageID in self._payloadDict:
errorMessage = "Message ID: {0} not found in importer message list".format(messageID)
logging.error(errorMessage)
raise NetzobImportException("PCAP", errorMessage, ERROR)
decoder = Decoders.EthDecoder()
payload = self._payloadDict[messageID]
return decoder.decode(payload)
def parse_packet(flabels, labels, header, packet):
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(packet)
#print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
s_addr = iphdr.get_ip_src()
d_addr = iphdr.get_ip_dst()
if isinstance(transporthdr, ImpactPacket.TCP):
s_port = transporthdr.get_th_sport()
d_port = transporthdr.get_th_dport()
seq_num = transporthdr.get_th_seq()
d_length = len(transporthdr.get_data_as_string())
protocol = "tcp_ip"
elif isinstance(transporthdr, ImpactPacket.UDP):
s_port = transporthdr.get_uh_sport()
d_port = transporthdr.get_uh_dport()
seq_num = 0
d_length = transporthdr.get_uh_ulen()
protocol = "udp_ip"
elif isinstance(transporthdr, ImpactPacket.ICMP):
s_port = 0
d_port = 0
seq_num = 0
d_length = 0
protocol = "icmp"
elif isinstance(transporthdr, ImpactPacket.IGMP):
s_port = 0
d_port = 0
seq_num = 0
d_length = 0
protocol = "igmp"
else:
s_port = 0
d_port = 0
seq_num = 0
d_length = -1
protocol = transporthdr.__class__
if d_length == 0 and (protocol == "tcp_ip" or protocol == "udp_ip"):
return
id = "{}-{}-{}-{}-{}".format(s_addr, s_port, d_addr, d_port, protocol)
if labels.has_key(id):
flabels.write("{},{},{},{},{},{},{},{}\n".format(
s_addr, s_port, d_addr, d_port, protocol, seq_num, d_length,
labels[id]))
else:
flabels.write("{},{},{},{},{},{},{},{}\n".format(
s_addr, s_port, d_addr, d_port, protocol, seq_num, d_length,
"Normal-0"))
def parse(fdataset, header, packet):
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(packet)
#print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
if transporthdr.get_data_as_string() != '' and isinstance(
transporthdr, ImpactPacket.TCP):
s_addr = iphdr.get_ip_src()
d_addr = iphdr.get_ip_dst()
if isinstance(transporthdr, ImpactPacket.TCP):
s_port = transporthdr.get_th_sport()
d_port = transporthdr.get_th_dport()
seq_num = transporthdr.get_th_seq()
d_length = len(transporthdr.get_data_as_string())
protocol = "tcp_ip"
elif isinstance(transporthdr, ImpactPacket.UDP):
s_port = transporthdr.get_uh_sport()
d_port = transporthdr.get_uh_dport()
seq_num = 0
d_length = transporthdr.get_uh_ulen()
protocol = "udp_ip"
elif isinstance(transporthdr, ImpactPacket.ICMP):
s_port = 0
d_port = 0
seq_num = 0
d_length = 0
protocol = "icmp"
elif isinstance(transporthdr, ImpactPacket.IGMP):
s_port = 0
d_port = 0
seq_num = 0
d_length = 0
protocol = "igmp"
else:
s_port = 0
d_port = 0
seq_num = 0
d_length = -1
protocol = transporthdr.__class__
payload = transporthdr.get_data_as_string()
grams = payl.get_byte_freq(payload, d_length)
line = "{},{},{},{},{},{},{}".format(s_addr, s_port, d_addr,
d_port, protocol, seq_num,
d_length)
for value in grams.itervalues():
line += ",{}".format(round(value, 3))
fdataset.write(line + "\n")
def callback(header, data):
src_ip = None
dst_ip = None
src_port = None
dst_port = None
layer4Type = ""
output = ""
payloadSize = 0
extract = ExtractData()
#Parse packet
decoder = ImpactDecoder.EthDecoder()
packet = decoder.decode(data)
#Parse IP packet inside ethernet one
iphdr = packet.child()
if isinstance(iphdr, IP):
#Parse TCP packet inside IP one
hdr = iphdr.child()
if isinstance(hdr, TCP) or isinstance(hdr, UDP):
if isinstance(hdr, TCP):
layer4Type = "TCP"
#Only look at SYN packets, not ACK ones
if hdr.get_SYN() and not hdr.get_ACK():
#Get src and dest IPs
src_ip = iphdr.get_ip_src()
dst_ip = iphdr.get_ip_dst()
src_port = hdr.get_th_dport()
dst_port = hdr.get_th_sport()
payloadSize = hdr.get_size() - hdr.get_header_size()
elif isinstance(hdr, UDP):
layer4Type = "UDP"
#Get src and dest IPs
src_ip = iphdr.get_ip_src()
dst_ip = iphdr.get_ip_dst()
src_port = hdr.get_th_dport()
dst_port = hdr.get_th_sport()
payloadSize = hdr.get_size() - hdr.get_header_size()
#Results are printed
output = "(%s) Connection attempted from: %s:%s to: %s:%s\n" % (
layer4Type, src_ip, src_port, dst_ip, dst_port)
if (payloadSize != 0):
output += "\nPayload size: %d\n----%s----\n----\n" % (
payloadSize, hdr.get_data_as_string())
print output
if (src_ip and dst_ip):
extract.writeToFile("packetOutput.txt", output, "a")
else:
print "\nIP header doesn't exist.\n"
iphdr = None
def tcpipfilter_in(packet):
"""Function filtering incoming traffic (FD: 3 -> 1) with immidiate IP-src
manipulation."""
# Store the original packet, for the case where no match occurs
orgpacket = packet
# Cut the VDE internal length information
packet = packet[2:]
# Decode the packet for easy header inspection.
decpacket = ImpactDecoder.EthDecoder().decode(packet)
content = decpacket.child()
# Identify IP packets:
if content.ethertype == ImpactPacket.IP.ethertype:
child = content.child()
dstip = content.get_ip_dst()
# Test for IP-dest hits.
if not content.get_ip_src() == s.newTargetIp:
return orgpacket, 1
else:
if isinstance(child, ImpactPacket.TCP):
content.set_ip_src(s.l34srcdstmap[child.get_th_dport()])
child.set_th_sport(int(s.portfilter[s.ipfilter[0]][0]))
child.set_th_sum(0)
child.auto_checksum = 1
elif isinstance(child, ImpactPacket.UDP):
content.set_ip_src(s.l34srcdstmap[child.get_uh_dport()])
child.set_uh_sport(int(s.portfilter[s.ipfilter[0]][0]))
child.set_uh_sum(0)
child.auto_checksum = 1
content.auto_checksum = 1
packet = decpacket.get_packet()
packet = vdepad(packet)
return packet, 1
# Identify ARP packets:
elif content.ethertype == ImpactPacket.ARP.ethertype:
sourceip = str(content.as_pro(content.get_ar_spa()))
# Test for IP-dest hits.
if not sourceip == s.newTargetIp or content.get_ar_op() != 2:
return orgpacket, 1
else:
if s.verbosity:
s.logfile.write("ARP packet from targetip fetched." +
" ARP poisoning..\n")
for filterip in s.ipfilter:
content.set_ar_spa(map(int, filterip.split(".")))
packet = decpacket.get_packet()
packet = vdepad(packet)
TCPConnection.stdout.write(packet)
TCPConnection.stdout.flush()
return orgpacket, 1
# This case should not happen to often, there are not many packets
# which are neither ARP nor IP.
else:
return orgpacket, 1
def create_test_sock(pcap_filename):
rospy.sleep(0.1)
try:
import pcapy
except ImportError:
import pure_pcapy as pcapy
from StringIO import StringIO
from impacket import ImpactDecoder
body_list = []
if pcap_filename.endswith("gz"):
# From: http://projects.honeynet.org/honeysnap/changeset/35/trunk/honeysnap/__init__.py
import tempfile
import gzip
tmph, tmpf = tempfile.mkstemp()
tmph = open(tmpf, 'wb')
gfile = gzip.open(pcap_filename)
tmph.write(gfile.read())
gfile.close()
tmph.close()
pcap_filename = tmpf
cap = pcapy.open_offline(pcap_filename)
decoder = ImpactDecoder.EthDecoder()
while True:
header, payload = cap.next()
if not header:
break
try:
tcp = decoder.decode(payload).child().child()
body_list.append(tcp.child().get_packet())
except AttributeError:
print(decoder.decode(payload))
raise
data_io = StringIO(''.join(body_list))
class MockSocket(object):
def recv(self, byte_count):
# rospy.sleep(0.002)
data = data_io.read(byte_count)
if data == "":
rospy.signal_shutdown("Test completed.")
exit(0)
return data
def settimeout(self, timeout):
pass
return MockSocket()
def __init__(self, emmulating, interface, ipAddress, macAddress, openTCPPorts = [], openUDPPorts = [], nmapOSDB = 'nmap-os-db'):
self.interface = interface
self.ipAddress = ipAddress
self.macAddress = macAddress
self.responders = []
self.decoder = ImpactDecoder.EthDecoder()
self.initPcap()
self.initFingerprint(emmulating, nmapOSDB)
self.initSequenceGenerators()
self.openTCPPorts = openTCPPorts
self.openUDPPorts = openUDPPorts
print(self)
def main():
import sys
f_in = pcapy.open_offline(sys.argv[1])
try:
f_out = f_in.dump_open(sys.argv[2])
f_out.write(str(PCapFileHeader()))
except:
f_out = None
hdr = PCapFileHeader()
hdr.fromString(f_in.read(len(hdr)))
hdr.dump()
decoder = ImpactDecoder.EthDecoder()
while 1:
pkt = PCapFilePacket()
try:
pkt.fromString(f_in.read(len(pkt)))
except:
break
pkt['data'] = f_in.read(pkt['savedLength'])
hdr['packets'].append(pkt)
p = self.pcap.next()
try:
in_onion = [self.decoder.decode(p[1])]
except:
in_onion = [self.decoder.decode(p[0])]
try:
while 1:
in_onion.append(in_onion[-1].child())
except:
pass
process(in_onion)
#pkt.dump()
#print "%r" % str(pkt)
if f_out:
#print eth
pkt_out = PCapFilePacket()
pkt_out['data'] = str(eth.get_packet())
#pkt_out.dump()
f_out.write(str(pkt_out))
def parse_packet(self, header, frame): # pcap语法分析
datalink = self.pcap.datalink()
if datalink == pcapy.DLT_EN10MB:
decoder = ImpactDecoder.EthDecoder()
elif datalink == pcapy.DLT_LINUX_SLL:
decoder = ImpactDecoder.LinuxSLLDecoder()
else:
raise Exception("Datalink not supported")
ether = decoder.decode(frame) # 每个数据包的数据
ts = float(str(header.getts()[0]) + "." +
str(header.getts()[1])) # packet的时间戳
self.last_timestamp = ts
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
(id, tcp_tuple) = generate_id(ether)
if id == False:
return
(rev_id, tcp_tuple) = generate_reverse_id(ether)
# print("Buffer", self.tcp_buffer)
# print(threading.current_thread().name + "in",)
self.acquire_lock("parse")
# print(threading.current_thread().name + "out")
if id in self.tcp_buffer:
tcp_stream = self.tcp_buffer[id]
to_server = True
# print("[fwd] ID: " + id + ";" + str(ts))
elif rev_id in self.tcp_buffer:
tcp_stream = self.tcp_buffer[rev_id]
to_server = False
# print("[rev] ID: " + id + ";" + str(ts))
else: # 读到的数据包属于新的一个流
# a new stream has appeared
tcp_stream = TcpStream(id, ts, self)
self.tcp_buffer[id] = tcp_stream
to_server = True
packet = ether.child()
segment = packet.child()
tcp_stream.start()
# print("[new] ID: " + id + ";" + str(ts))
tcp_stream.add_packet(ts, to_server, ether) # 数据包加到tcp流中
# if tcp_stream.state in end_states:
# tcp_stream.finish()
# self.move_stream(tcp_stream.id)
self.packet_counter += 1
self.release_lock("parse")
def getMessageDetails(message):
"""Decode a raw network message and print the content of each
encapsulated layer.
:param filePathList: the messages to cluster.
:type filePathList: a list of :class:`str`
:param bpfFilter: a string representing a BPF filter.
:type bpfFilter: :class:`str`
:param importLayer: an integer representing the protocol layer to start importing.
:type importLayer: :class:`int`
"""
decoder = Decoders.EthDecoder()
return decoder.decode(
TypeConverter.convert(message.data, HexaString, Raw))
def __init__(self, interface, network, default, elements, loggers,
tunnels):
"""Function initialized the dipatcher
Args:
interface : name of the network interface to listen
network : networkx graph representation of the network
default : default template
elements : elements of the network
loggers : instances of the logger modules
tunnels : tunnel configuration
"""
self.interface = interface
self.mac = netifaces.ifaddresses(
self.interface)[netifaces.AF_LINK][0]['addr']
self.network = network
try:
post('http://localhost:8080/network',
json=dumps(json_graph.node_link_data(self.network)))
except:
logger.exception('Exception: Cannot connect to local server.')
self.default = default
self.devices, self.routes, self.externals = elements
self.hpfeeds, self.dblogger = loggers
self.tunnels = tunnels
self.packet_queue = dict()
self.entry_points = list()
self.unreach_list = list()
self.pcapy_object = pcapy.open_live(self.interface, 65535, 1, 10)
self.decoder = ImpactDecoder.EthDecoder()
self.ip_decoder = ImpactDecoder.IPDecoder()
self.ip_icmp_decoder = ImpactDecoder.IPDecoderForICMP()
self.mac_set = set([self.mac])
for d in self.devices:
if len(d.mac):
self.mac_set.add(d.mac)
for r in self.routes:
if r.entry:
self.entry_points.append(r)
self.unreach_list.extend(r.unreach_list)
logger.info('Started dispatcher listening on interface %s',
self.interface)
while True:
try:
(hdr, pkt) = self.pcapy_object.next()
self.callback(hdr, pkt)
except KeyboardInterrupt:
return
def decodePayload(self, payload):
"""Decode a payload from the parser and returns an array of lines
"""
decoder = Decoders.EthDecoder()
eth = decoder.decode(payload)
ip = eth.child()
tcp = ip.child()
try:
if tcp.get_RST()!=1:
data = tcp.get_data_as_string() # raw data
data = data.replace('\r\n', '\r\n###~~~###')
arrline = data.split('\r\n')
return arrline
else:
return None
except:
return None
def callback(header, data):
global current
decoder = ImpactDecoder.EthDecoder()
ethernet_pck = decoder.decode(data)
ip_hdr = ethernet_pck.child()
tcp_hdr = ip_hdr.child()
source_ip = ip_hdr.get_ip_src()
dest_ip = ip_hdr.get_ip_dst()
if tcp_hdr.get_RST():
print "TCP Reset Received: Around IP: [ttl: %s] (Scanning: %s)" % (
source_ip, ip_hdr.get_ip_ttl(), current.address)
print tcp_hdr
return
'''
def __init__(self, packet, use_datalink_layer=None):
# If arp packet arrives, and we are using ARPDecoder, there is a bug in impacket and the packet won't be parsed
# well, so we'll always parse the packet's child. This solution works for this project beause we always need
# just the layer above the ethernet layer. If you want to use Ethernet properties, please
# use_datalink_layer=True
# TODO: Get parameter that mention the wanted layer number instead of this patch or push bugfix to impacket.
ethernet_decoder = ImpactDecoder.EthDecoder()
decoded_packet = ethernet_decoder.decode(packet)
if not use_datalink_layer:
self.packet = decoded_packet.child()
else:
self.packet = decoded_packet
if type(self.packet) not in self.packet_type_to_handler_class:
# TODO: Write to log file.
pass
else:
self.packet_type_handler = self.packet_type_to_handler_class[type(self.packet)](self.packet)
assert (isinstance(self.packet_type_handler, ImpactPacketRepresentation))
def detect(models, header, packet, fresult):
global anomalies
global packet_counter
length_groups = [500, 1500]
threshold = 256
decoder = ImpactDecoder.EthDecoder()
try:
ether = decoder.decode(packet)
except ImpactPacket.ImpactPacketException as e:
print "truncated packet"
return
# print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
if transporthdr.get_data_as_string() != '' and isinstance(transporthdr, ImpactPacket.TCP):
s_addr = iphdr.get_ip_src()
d_addr = iphdr.get_ip_dst()
s_port = transporthdr.get_th_sport()
d_port = transporthdr.get_th_dport()
d_length = transporthdr.get_size()
seq_num = transporthdr.get_th_seq()
payload = transporthdr.get_data_as_string()
grams = get_byte_freq(payload, d_length)
group_length = length_groups[len(length_groups)-1]
for i in range(0, len(length_groups) - 1):
if d_length <= length_groups[i]:
group_length = length_groups[i]
group = str(d_port) + "-" + str(group_length)
packet_counter += 1
if group in models:
dist = models[group].distance(grams)
fresult.write("{},{},{},{},{},{},{}\n".format(s_addr, s_port, d_addr, d_port, seq_num, d_length, dist))
if dist > threshold:
anomalies += 1
else:
fresult.write("{},{},{},{},{},{},{}\n".format(s_addr, s_port, d_addr, d_port, seq_num, d_length, 1000))
print "No matching model : port {}, length {}".format(d_port, d_length)
def Process(header, data):
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(data)
ipHeader = ether.child()
packetType = ipHeader.child().protocol
tcpHeader = ''
if packetType == 6:
tcpHeader = ipHeader.child()
print "{:15}[{:5}] ----> {:15}[{:5}] [-{}-{}-{}-{}-{}-]".format(
ipHeader.get_ip_src(), tcpHeader.get_th_sport(), ipHeader.get_ip_dst(),
tcpHeader.get_th_dport(), ("S" if tcpHeader.get_SYN() else " "),
("A" if tcpHeader.get_ACK() else " "),
("U" if tcpHeader.get_URG() else " "),
("P" if tcpHeader.get_PSH() else " "),
("R" if tcpHeader.get_RST() else " "))
payload = getPayload(tcpHeader)
return
def parse_packet(header, packet, port, fresult):
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(packet)
#print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
s_addr = iphdr.get_ip_src()
d_addr = iphdr.get_ip_dst()
if isinstance(transporthdr, ImpactPacket.TCP):
s_port = transporthdr.get_th_sport()
d_port = transporthdr.get_th_dport()
seq_num = transporthdr.get_th_seq()
d_length = len(transporthdr.get_data_as_string())
protocol = "tcp_ip"
v_protocol = "1,0"
elif isinstance(transporthdr, ImpactPacket.UDP):
s_port = transporthdr.get_uh_sport()
d_port = transporthdr.get_uh_dport()
seq_num = 0
d_length = transporthdr.get_uh_ulen()
protocol = "udp_ip"
v_protocol = "0,1"
else:
return None
if d_length <= seq_length:
return None
if (d_port != port) and (s_port != port):
return None
fresult.write("{}, {}, {}, {}, {}, {}, {},".format(
s_addr, s_port, d_addr, d_port, protocol, seq_num, d_length))
payload = str(transporthdr.get_data_as_string()).lower()
ascii_payload = [ord(c) for c in payload]
return ascii_payload
def decodeLayer2(self, header, payload):
def formatMacAddress(arrayMac):
return ":".join("{0:0>2}".format(
hex(b)[2:]) for b in arrayMac.tolist())
if self.datalink == pcapy.DLT_EN10MB:
l2Decoder = Decoders.EthDecoder()
l2Proto = "Ethernet"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = formatMacAddress(layer2.get_ether_shost())
l2DstAddr = formatMacAddress(layer2.get_ether_dhost())
elif self.datalink == pcapy.DLT_LINUX_SLL:
l2Decoder = Decoders.LinuxSLLDecoder()
l2Proto = "Linux SLL"
layer2 = l2Decoder.decode(payload)
l2SrcAddr = layer2.get_addr()
l2DstAddr = None
l2Payload = payload[layer2.get_header_size():]
etherType = layer2.get_ether_type()
return (l2Proto, l2SrcAddr, l2DstAddr, l2Payload, etherType)
def parse_packet(flabels, att_id, header, packet):
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(packet)
#print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
if transporthdr.get_data_as_string() != '' and isinstance(
transporthdr, ImpactPacket.TCP):
s_addr = iphdr.get_ip_src()
d_addr = iphdr.get_ip_dst()
s_port = transporthdr.get_th_sport()
d_port = transporthdr.get_th_dport()
d_length = transporthdr.get_size()
seq_num = transporthdr.get_th_seq()
flabels.write("{},{},{},{},{},{},{}\n".format(
s_addr, s_port, d_addr, d_port, seq_num, d_length, att_id))
def callback(hdr, data):
# Parse the Ethernet packet
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(data)
# Parse the IP packet inside the Ethernet packet
iphdr = ether.child()
# Parse the TCP packet inside the IP packet
tcphdr = iphdr.child()
# Only process SYN packets
if tcphdr.get_SYN() and not tcphdr.get_ACK():
# Get the source and destination IP addresses
src_ip = iphdr.get_ip_src()
dst_ip = iphdr.get_ip_dst()
# Print the results
print "Connection attempt %s -> %s" % (src_ip, dst_ip)
def parse_packet(dumper, ports, header, packet):
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(packet)
#print str(ether.get_ether_type()) + " " + str(ImpactPacket.IP.ethertype)
if ether.get_ether_type() == ImpactPacket.IP.ethertype:
iphdr = ether.child()
transporthdr = iphdr.child()
if isinstance(transporthdr, ImpactPacket.TCP):
d_port = transporthdr.get_th_dport()
elif isinstance(transporthdr, ImpactPacket.UDP):
d_port = transporthdr.get_uh_dport()
else:
return
if d_port not in ports:
return
dumper[d_port].dump(header, packet)
def __init__(self, interface):
self._cap = pcapy.open_live(interface, 0xFFFF, 0, 0)
os.setgid(1000)
os.setuid(1000)
self._cap.setfilter('ip proto \\tcp')
self._decoder = ImpactDecoder.EthDecoder()
self._jobs = []
self._next = False
self._sorter = Sorter()
self._sorter.start()
print "Listening."
try:
self._cap.loop(-1, self._got_packet)
except KeyboardInterrupt:
while len(self._sorter._files) > 0:
time.sleep(1)
print "Exit!"
self._sorter._exit = True
self._sorter.join()
sys.exit()
