def decodeLayer4(self, ipProtocolNum, l3Payload):
    """Decode the transport (layer-4) header carried in *l3Payload*.

    Args:
        ipProtocolNum: IP protocol number read from the layer-3 header.
        l3Payload: the bytes that follow the IP header.

    Returns:
        ``(protoName, srcPort, dstPort, payload)`` where ``protoName`` is
        ``"UDP"`` or ``"TCP"`` and ``payload`` is the decoder's
        ``get_data_as_string()`` result.

    Raises:
        NetzobImportException: for any protocol other than UDP or TCP, after
            the same message has been logged through ``self.log.warn``.
    """
    if ipProtocolNum == Packets.UDP.protocol:
        protoName = "UDP"
        header = Decoders.UDPDecoder().decode(l3Payload)
        ports = (header.get_uh_sport(), header.get_uh_dport())
    elif ipProtocolNum == Packets.TCP.protocol:
        protoName = "TCP"
        header = Decoders.TCPDecoder().decode(l3Payload)
        ports = (header.get_th_sport(), header.get_th_dport())
    else:
        # Same message text as before; the literals are joined by the parser.
        warnMessage = _(
            "Cannot import one of the provided packets since "
            "its layer 4 is unsupported (Only UDP and TCP "
            "are currently supported, packet IP protocol "
            "number = {0})").format(ipProtocolNum)
        self.log.warn(warnMessage)
        raise NetzobImportException("PCAP", warnMessage, WARNING, self.INVALID_LAYER4)
    srcPort, dstPort = ports
    return (protoName, srcPort, dstPort, header.get_data_as_string())
def __decodeLayer4(self, ipProtocolNum, l3Payload):
    """Parse the layer-4 header in *l3Payload* and return its properties.

    Only UDP and TCP are understood. The result is the tuple
    ``(protoName, srcPort, dstPort, payload)``; ``payload`` comes from the
    decoder's ``get_data_as_string()``.

    Raises:
        NetzobImportException: (reason ``self.INVALID_LAYER4``) for any other
            IP protocol number, after logging the message via
            ``self._logger.warn``.
    """
    if ipProtocolNum == Packets.UDP.protocol:
        decoded = Decoders.UDPDecoder().decode(l3Payload)
        sport = decoded.get_uh_sport()
        dport = decoded.get_uh_dport()
        return ("UDP", sport, dport, decoded.get_data_as_string())

    if ipProtocolNum == Packets.TCP.protocol:
        decoded = Decoders.TCPDecoder().decode(l3Payload)
        sport = decoded.get_th_sport()
        dport = decoded.get_th_dport()
        return ("TCP", sport, dport, decoded.get_data_as_string())

    # Unsupported transport: log and refuse the packet.
    warnMessage = _(
        "Cannot import one of the provided packets since "
        "its layer 4 is unsupported (Only UDP and TCP "
        "are currently supported, packet IP protocol "
        "number = {0})").format(ipProtocolNum)
    self._logger.warn(warnMessage)
    raise NetzobImportException("PCAP", warnMessage, self.INVALID_LAYER4)
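def decodeLayer4(self, ipProtocolNum, l3Payload):
    """Decode the transport (layer-4) header found in *l3Payload*.

    Args:
        ipProtocolNum: IP protocol number taken from the layer-3 header.
        l3Payload: bytes following the IP header (layer-4 header + data).

    Returns:
        ``(protoName, srcPort, dstPort, payload)`` for UDP and TCP, where
        ``payload`` is the decoder's ``get_data_as_string()`` result.
        ``None`` for any other protocol, after a warning has been logged;
        callers that unpack the result must handle that case.
    """
    if ipProtocolNum == Packets.UDP.protocol:
        layer4 = Decoders.UDPDecoder().decode(l3Payload)
        return ("UDP", layer4.get_uh_sport(), layer4.get_uh_dport(),
                layer4.get_data_as_string())

    if ipProtocolNum == Packets.TCP.protocol:
        layer4 = Decoders.TCPDecoder().decode(l3Payload)
        return ("TCP", layer4.get_th_sport(), layer4.get_th_dport(),
                layer4.get_data_as_string())

    # logging.warn is a deprecated alias of logging.warning (removed in 3.13);
    # the message text is unchanged.
    logging.warning(
        "Cannot import one of the provided packets since its layer 4 is "
        "unsupported (Only UDP and TCP are currently supported, packet IP "
        "protocol number = {0})".format(ipProtocolNum))
    return None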
def createFlows(self):
    """Walk the pcap file and write an HTML report plus attachment files.

    Reads ``self.pcapfile`` with pcapy, decodes Ethernet/IP/TCP with the
    impacket decoders and, for every packet ``self.decodePayload`` returns
    lines for:

    * lines that ``chardet`` reports as ASCII go into ``report.html`` as
      ``<div>`` entries; ``GET `` / ``HTTP/`` lines open a new table row and
      ``Content-Type`` lines set the extension used for attachments;
    * any other line is treated as file content and written to
      ``session-<src>.<sport>-<dst>.<dport>-<packetnum><ext>``.

    NOTE(review): the nesting below was reconstructed from a collapsed
    source line; where it was ambiguous the most plausible reading was
    chosen and marked inline.

    NOTE(review): packet-derived text (``line``, ``flow``, ``ext``) is
    written into ``report.html`` without HTML escaping, and ``ext`` (taken
    from a Content-Type header inside the capture) is spliced into the
    attachment file name unchecked. Escaping the text before it is written
    and validating ``ext`` against a known list of extensions would stop a
    crafted capture from shaping the report markup or the file names.
    """
    print "running..."
    # Report header: one row per request/response with an optional attachment cell.
    self.writeFile("report.html", '<html>' + '<head><style>td { font-size:8pt; }</style></head>' + '<body><table border="1" style="width:1000px"><tr>' + '<th style="width:100px">Num.</th>' + '<th style="width:200px">Flow</th>' + '<th style="width:600px;word-wrap:true">Request/Response</th>' + '<th style="width:100px">Attachment</th>' + '</tr>')
    reader = pcapy.open_offline(self.pcapfile)
    eth_decoder = Decoders.EthDecoder()
    ip_decoder = Decoders.IPDecoder()
    tcp_decoder = Decoders.TCPDecoder()
    countPacket = 0
    lastAttach = ''  # name of the attachment file currently being written
    ext = ''  # attachment extension, updated by Content-Type lines
    (header, payload) = reader.next()
    while payload!='': # no other way to stop pcapy loop?
        countPacket+=1
        try:
            if countPacket%100==0:
                print "(%d packets already processed)" % countPacket
            arrline = self.decodePayload(payload) # If TCP flag RST, we skip the packet
            if arrline:
                ethernet = eth_decoder.decode(payload)
                smac = self.decodeMac(ethernet.get_ether_shost())
                dmac = self.decodeMac(ethernet.get_ether_dhost())
                if ethernet.get_ether_type() == Packets.IP.ethertype: # if IP packet
                    ip = ip_decoder.decode(payload[ethernet.get_header_size():])
                    if ip.get_ip_p() == Packets.TCP.protocol: # if TCP packet
                        tcp = tcp_decoder.decode( payload[ethernet.get_header_size()+ip.get_header_size():])
                        ipsrc = ip.get_ip_src()
                        ipdst = ip.get_ip_dst()
                        sport = tcp.get_th_sport()
                        dport = tcp.get_th_dport()
                        # Base name for attachment files of this 4-tuple.
                        sessionFile = "session-"+ipsrc+"."+str(sport)+"-"+ipdst+"."+str(dport)
                        # Flow cell of the report; addresses/MACs are embedded as raw HTML.
                        flow = ipsrc + ':' + str(sport) + '<br />(' + smac + ')' + '<br />-><br />' + ipdst + ':' + str(dport) + '<br />(' + dmac + ')'
                        for line in arrline:
                            if line.strip() != "":
                                if chardet.detect(line)['encoding'] == 'ascii':
                                    line = line.replace('###~~~###', '')
                                    if line.startswith("GET ") or line.startswith("HTTP/"):
                                        if line.startswith("HTTP/"): # new file
                                            # packetnum is only ever set here; raw data seen
                                            # before any HTTP/ line raises NameError below,
                                            # which the bare except turns into a loop exit.
                                            packetnum = countPacket
                                            self.writeFile("report.html", '<td> </td>')
                                        # Reconstructed as running for both GET and HTTP/ lines
                                        # (new row per request/response) — confirm against
                                        # the original file.
                                        self.writeFile("report.html", '<tr><td>'+str(countPacket)+'</td>')
                                        self.writeFile("report.html", '<td>'+flow+'</td><td>')
                                    if line.startswith("Content-Type"):
                                        style = ' style="background:#ffff00"'
                                        # Extension comes straight from the capture; a header
                                        # without "/" raises IndexError here (loop exits).
                                        ext = '.'+line.split("/")[1].split(";")[0]
                                        if ext == '.gzip':
                                            ext = '.gz'
                                    else:
                                        style = ''
                                    # Header/request text written unescaped into the report.
                                    self.writeFile("report.html", '<div'+style+'>'+line+'</div>')
                                else: # raw data
                                    if sessionFile + "-" + str(packetnum) + ext != lastAttach: # New file
                                        line = line.replace('###~~~###', '')
                                        lastAttach = sessionFile + "-" + str(packetnum) + ext
                                        # Attachment cell: link (and thumbnail for jpeg/gif).
                                        self.writeFile("report.html",'</td><td align="center"><a href="' + sessionFile + "-" + str(packetnum) + ext + '">')
                                        if ext==".jpeg" or ext==".gif":
                                            self.writeFile("report.html",'<img src="' + sessionFile + "-" + str(packetnum) + ext + '" border="2" style="width:100px;" />')
                                        else:
                                            self.writeFile("report.html",'<div style="background:#ff0000;color:#fff;font-weight:bold;width:50px;text-align:center">' + ext[1:] + '</div>')
                                        self.writeFile("report.html", '</a></td></tr>')
                                    else:
                                        line = line.replace('###~~~###', '\r\n')
                                    # Content of the file
                                    self.writeFile(sessionFile + "-" + str(packetnum) + ext, line) # raw data
            (header, payload) = reader.next()
        except:
            # Any exception in the body — decoder failure, IndexError from the
            # Content-Type split, NameError on packetnum, and presumably
            # reader.next() at end of capture (confirm pcapy behaviour) —
            # silently ends processing; packets after it are never reported.
            break
    print "\n%d have been detected in this pcap file" % countPacket
    self.writeFile("report.html", "</table>\n%d have been detected in this pcap file</body></html>" % countPacket)