def decodeipv4(ip):
pktinfos = dict()
pktinfos['src_addr'] = pcap.ntoa(struct.unpack('i',ip.src)[0])
pktinfos['dst_addr'] = pcap.ntoa(struct.unpack('i',ip.dst)[0])
pktinfos['proto'] = ip.p
if dpkt.ip.IP_PROTO_TCP == ip.p: #Check for TCP packets
tcp = ip.data
pktinfos['proto_name'] = 'TCP'
pktinfos['src_port'] = tcp.sport
pktinfos['dst_port'] = tcp.dport
payload = tcp.data
elif dpkt.ip.IP_PROTO_UDP == ip.p: #Check for UDP packets
udp = ip.data
pktinfos['proto_name'] = 'UDP'
pktinfos['src_port'] = udp.sport
pktinfos['dst_port'] = udp.dport
payload = udp.data
elif dpkt.ip.IP_PROTO_ICMP == ip.p: #Check for ICMP packets
icmp = ip.data
pktinfos['proto_name'] = 'ICMP'
pktinfos['src_port'] = 0
pktinfos['dst_port'] = 0
payload = str(icmp.data)
else:
return None, None
return pktinfos, payload
def analyse_mac(self, pkt):
macs = pkt.Ether.src
addrs = pkt.Ether.payload.src
macd = pkt.Ether.dst
addrd = pkt.Ether.payload.dst
bsrc = netutils.ip_is_reserved(addrs)
bdst = netutils.ip_is_reserved(addrd)
# if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff:
# return
# if (addrs >> 24) == 255 or (addrd >> 24) == 255:
# return
if (not bsrc and not bdst) or addrs == addrd:
self.alert.add("outside %s [%s] to %s [%s]" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(macd)))
else:
adds = self.add_mac(macs, addrs)
addd = self.add_mac(macd, addrd)
if not (adds and addd):
if not adds:
self.alert.add("on source %s [%s] (to %s [%s])" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(self.lmac[addrd])))
else:
self.alert.add("on dest %s [%s] (from %s [%s])" % (pcap.ntoa(addrd), netutils.mac_to_string(macd), pcap.ntoa(addrs), netutils.mac_to_string(self.lmac[addrs])))
def decode_ip_packet(s):
d = {}
d['version']=(ord(s[0]) & 0xf0) >> 4
d['header_len']=ord(s[0]) & 0x0f
d['tos']=ord(s[1])
d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
d['flags']=(ord(s[6]) & 0xe0) >> 5
d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['ttl']=ord(s[8])
d['protocol']=ord(s[9])
d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
if d['header_len']>5:
d['options']=s[20:4*(d['header_len']-5)]
else:
d['options']=None
d['data']=s[4*d['header_len']:]
if d['protocol'] in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
d['src_port'] = socket.ntohs(struct.unpack('H',d['data'][:2])[0])
d['dst_port'] = socket.ntohs(struct.unpack('H',d['data'][2:4])[0])
if d['protocol'] == socket.IPPROTO_TCP:
d['seq'] = pcap.ntoa(struct.unpack('i',d['data'][4:8])[0])
d['ack'] = pcap.ntoa(struct.unpack('i',d['data'][8:12])[0])
d['data_offset'] = (ord(d['data'][12]) & 0xf0) >> 4
if len(d['data']) > d['data_offset'] * 4:
d['payload'] = d['data'][d['data_offset']*4:]
return d
def pkt_handler(self, pkt):
res = pkt.get_protocol("Ethernet", "IPv4", "TCP", "HTTP")
if res is not None and res.type != "":
if res.type == "POST":
header_end = res.data.find("\n\r")
if len(res.data) > header_end + 2:
info = res.data[header_end + 2:]
find = False
infoSearch = info.lower()
lres = list()
for word in l_wd:
pos = infoSearch.find(word)
if pos != -1:
find = True
lres.append(pos)
if find:
val = dict()
val["src"] = pcap.ntoa(pkt.Ether.payload.src)
val["dst"] = pcap.ntoa(pkt.Ether.payload.dst)
val["res"] = list()
for pos in lres:
val["res"].append(info[pos:pos + 50])
self.last.append(val)
if len(self.last) > 1000:
self.last.pop(0)
def decode_ip_packet(s):
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
d['source_port'] = socket.ntohs(struct.unpack('H', d['data'][0:2])[0])
d['destination_port'] = socket.ntohs(struct.unpack('H', d['data'][2:4])[0])
d['seq'] = socket.ntohl(struct.unpack('I', d['data'][4:8])[0])
d['ack'] = socket.ntohl(struct.unpack('I', d['data'][8:12])[0])
d['tcp_header_len'] = (ord(d['data'][12]) & 0xf0) >> 4
d['tcp_bit'] = (ord(d['data'][13]) & 0x3f)
d['tcp_data'] = d['data'][4 * d['tcp_header_len']:]
return d
def decode_ip_packet(s):
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H',s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H',s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i',s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4*(d['header_len']-5)]
else:
d['options'] = None
d['data'] = s[4*d['header_len']:]
d['source_port'] = socket.ntohs(struct.unpack('H',d['data'][0:2])[0])
d['destination_port'] = socket.ntohs(struct.unpack('H',d['data'][2:4])[0])
d['seq'] = socket.ntohl(struct.unpack('I',d['data'][4:8])[0])
d['ack'] = socket.ntohl(struct.unpack('I',d['data'][8:12])[0])
d['tcp_header_len'] = (ord(d['data'][12]) & 0xf0) >> 4
d['tcp_bit'] = (ord(d['data'][13]) & 0x3f)
d['tcp_data'] = d['data'][4*d['tcp_header_len']:]
return d
def __decode_ip(s):
d={}
d['order'] = ['version','header_len','dsfield','total_len','id','flags','fragment_offset','time_to_live','protocol','checksum','src_address','dst_address','options','data']
d['version'] = ((ord(s[0]) & 0xf0) >> 4)
d['header_len'] = (ord(s[0]) & 0x0f) * 4;
d['dsfield']= ord(s[1])
d['total_len']= socket.ntohs(struct.unpack('H',s[2:4])[0])
d['id']= '0x%.4X' % socket.ntohs(struct.unpack('H',s[4:6])[0])
d['flags']= '0x%.2X' % ((ord(s[6]) & 0xe0) >> 5)
d['fragment_offset']= '%d' % socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['time_to_live']= '%d' % ord(s[8])
try:
d['protocol']= ip_protocols[ord(s[9])]
except:
d['protocol']= 'Unknown'
d['checksum']= '0x%.4X' % socket.ntohs(struct.unpack('H',s[10:12])[0])
d['src_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['dst_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
if d['header_len']>20:
d['options']=s[20:d['header_len']]
else:
d['options']=None
d['data']=('%d bytes %s' % (len(s[d['header_len']:]),PROMPT),s[d['header_len']:])
return d
def decodeipv4(ip):
pktinfos = dict()
pktinfos['src_addr'] = pcap.ntoa(struct.unpack('i',ip.src)[0])
pktinfos['dst_addr'] = pcap.ntoa(struct.unpack('i',ip.dst)[0])
pktinfos['proto'] = ip.p
if dpkt.ip.IP_PROTO_TCP == ip.p: #Check for TCP packets
tcp = ip.data
pktinfos['proto_name'] = 'TCP'
pktinfos['src_port'] = tcp.sport
pktinfos['dst_port'] = tcp.dport
payload = tcp.data
elif dpkt.ip.IP_PROTO_UDP == ip.p: #Check for UDP packets
udp = ip.data
pktinfos['proto_name'] = 'UDP'
pktinfos['src_port'] = udp.sport
pktinfos['dst_port'] = udp.dport
payload = udp.data
elif dpkt.ip.IP_PROTO_ICMP == ip.p: #Check for ICMP packets
icmp = ip.data
pktinfos['proto_name'] = 'ICMP'
pktinfos['src_port'] = 0
pktinfos['dst_port'] = 0
payload = str(icmp.data)
else:
return None, None
return pktinfos, payload
def decode_ip_packet(s):
'''
Decoding ip packets. Accroding to the IP frame format,
we can decode every field of the packet.
NOTE: We also decode the source port and destination port
here for convenience, since they are layer 4 elements
'''
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0)>>5
d['fragment_offset'] = socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('L', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('L', s[16:20])[0])
if d['header_len'] > 5: # headr length
d['options'] = s[20:4*(d['header_len'] - 5)]
else:
d['options']=None
d['data'] = s[4*d['header_len']:]
d['source_port'] = socket.ntohs(struct.unpack('H', d['data'][0:2])[0])
d['destination_port'] = socket.ntohs(struct.unpack('H', d['data'][2:4])[0])
return d
def decode_ip_packet(s):
d={}
#---IP Header---
#d['version']=(ord(s[0]) & 0xf0) >> 4
#d['header_len']=ord(s[0]) & 0x0f
#d['tos']=ord(s[1])
#d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
#d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
#d['flags']=(ord(s[6]) & 0xe0) >> 5
#d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
#d['ttl']=ord(s[8])
d['protocol']=ord(s[9])
#d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
#if d['header_len']>5:
# d['options']=s[20:4*(d['header_len']-5)]
#else:
# d['options']=None
#d['data']=s[4*d['header_len']:]
#---TCP Header---
#The difference between ntohs and ntohl is the difference between 16bit and 32bit integers.
#d['source_port'] = socket.ntohs(struct.unpack('H',s[20:22])[0])
#d['destination_port'] = socket.ntohs(struct.unpack('H',s[22:24])[0])
d['sequence_number'] = socket.ntohl(struct.unpack('I',s[24:28])[0])
d['ack_number'] = socket.ntohl(struct.unpack('I',s[28:32])[0])
return d
def pkt_handler(self, pkt):
res = pkt.get_protocol("Ethernet", "IPv4", "TCP", "HTTP")
if res is not None and res.type != "":
if res.type == "POST":
header_end = res.data.find("\n\r")
if len(res.data) > header_end + 2:
info = res.data[header_end + 2:]
find = False
infoSearch = info.lower()
lres = list()
for word in l_wd:
pos = infoSearch.find(word)
if pos != -1:
find = True
lres.append(pos)
if find:
val = dict()
val["src"] = pcap.ntoa(pkt.Ether.payload.src)
val["dst"] = pcap.ntoa(pkt.Ether.payload.dst)
val["res"] = list()
for pos in lres:
val["res"].append(info[pos:pos+50])
self.last.append(val)
if len(self.last) > 1000:
self.last.pop(0)
def decode_ip_packet(s):
'''
Decoding ip packets. Accroding to the IP frame format,
we can decode every field of the packet.
NOTE: We also decode the source port and destination port
here for convenience, since they are layer 4 elements
'''
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('L', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('L', s[16:20])[0])
if d['header_len'] > 5: # headr length
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
d['source_port'] = socket.ntohs(struct.unpack('H', d['data'][0:2])[0])
d['destination_port'] = socket.ntohs(struct.unpack('H', d['data'][2:4])[0])
return d
def decode_ip_packet(s):
d = {}
#---IP Header---
#d['version']=(ord(s[0]) & 0xf0) >> 4
#d['header_len']=ord(s[0]) & 0x0f
#d['tos']=ord(s[1])
#d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
#d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
#d['flags']=(ord(s[6]) & 0xe0) >> 5
#d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
#d['ttl']=ord(s[8])
d['protocol'] = ord(s[9])
#d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
#if d['header_len']>5:
# d['options']=s[20:4*(d['header_len']-5)]
#else:
# d['options']=None
#d['data']=s[4*d['header_len']:]
#---TCP Header---
#The difference between ntohs and ntohl is the difference between 16bit and 32bit integers.
#d['source_port'] = socket.ntohs(struct.unpack('H',s[20:22])[0])
#d['destination_port'] = socket.ntohs(struct.unpack('H',s[22:24])[0])
d['sequence_number'] = socket.ntohl(struct.unpack('I', s[24:28])[0])
d['ack_number'] = socket.ntohl(struct.unpack('I', s[28:32])[0])
return d
def _ipv4_decode(self, packet_in):
"""Extract the IP header and populate a dictionary of values, returning
a the dictionary and the remaining data to extract.
:param str packet_in: The IP packet data
:returns: tuple
"""
out = {'version': struct.unpack('b', packet_in[0])[0] >> 4,
'ihl': (struct.unpack('b', packet_in[0])[0] & 0x0F) * 4,
'total_length': ntohs(struct.unpack('H', packet_in[2:4])[0]),
'identification': ntohs(struct.unpack('H', packet_in[4:6])[0]),
'flags': (ord(packet_in[6]) & 0xe0) >> 5,
'fragment_offset': (ntohs(struct.unpack('H',
packet_in[6:8])[0]) &
0x1f),
'ttl': ord(packet_in[8]),
'protocol': ord(packet_in[9]),
'checksum': ntohs(struct.unpack('H', packet_in[10:12])[0]),
'source': pcap.ntoa(struct.unpack('i', packet_in[12:16])[0]),
'destination': pcap.ntoa(struct.unpack('i',
packet_in[16:20])[0])}
# If our header size is more than 5 bytes, we have options
if out['ihl'] > _IPV4_BASE_HEADER_SIZE:
out['options'] = packet_in[_IPV4_BASE_HEADER_SIZE:out['ihl']]
else:
out['options'] = None
# Return the decoded packet
return out, packet_in[out['ihl']:]
def print_packet(pktlen, data, timestamp):
if not data:
return
if data[12:14]=='\x08\x00':
src_port, dest_port, payload = get_tcp_info(data[14:])
else :
return
prefix = payload[:4]
# print prefix
if (mode & CAP_YMSG) and (prefix == 'YMSG') and (len(payload)>11) and (ord(payload[10]) == 0) and (ord(payload[11]) == 6) :
print 'YMSG :: %s - %s' % (pcap.ntoa(struct.unpack('i',data[26:30])[0]) , parse_ymsg(payload))
elif mode & CAP_POST:
content = None
if prefix == 'POST' :
content = parse_http_post(src_port, payload)
elif http_requests.has_key(src_port):
content = parse_partial_http_post(src_port, payload)
if (content != None) :
print 'POST :: %s - %s : %s \n' % (pcap.ntoa(struct.unpack('i',data[26:30])[0]),pcap.ntoa(struct.unpack('i',data[30:34])[0]), content)
elif (mode & CAP_FTP) and (prefix == 'USER') :
print 'FTP :: %s - %s : %s' % (pcap.ntoa(struct.unpack('i',data[26:30])[0]),pcap.ntoa(struct.unpack('i',data[30:34])[0]), payload)
elif (mode & CAP_FTP) and (prefix == 'PASS') :
print 'FTP :: %s - %s : %s' % (pcap.ntoa(struct.unpack('i',data[26:30])[0]),pcap.ntoa(struct.unpack('i',data[30:34])[0]), payload)
def tcp_session_tuple_to_str(tup):
"""
:param tup: a tuple as a result of PcapUtils.get_live_sessions
:return: A string
"""
return pcap.ntoa(tup[0]) + ":" + str(tup[2]) + " --> " + \
pcap.ntoa(tup[1]) + ":" + str(tup[3])
def verify (self, f):
#struct.unpack('!L',socket.inet_aton(ip))[0]
sip = struct.unpack('!L',f.sip)[0]
dip = struct.unpack('!L',f.dip)[0]
if sip < dip:
s = "%d%d%d%d%d" % (sip,f.sport,dip,f.dport,f.protocol)
else:
s = "%d%d%d%d%d" % (dip,f.dport,sip,f.sport,f.protocol)
fid = hash(int(s))
nflows = 1
nbytes = f.nbytes
npackets = f.npackets
l = None
try:
entry = self[fid]
ftype = entry.picdfi_type
if ftype == TYPE['UNIDENTIFIED']:
# unable to verify
if f.ftype == TYPE['P2P']:
l = self.dsum['up']
#print >> sys.stderr, "Unverified P2P: %s" % entry
elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE['POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
l = self.dsum['un']
#print >> sys.stderr, "Unverified NONP2P: %s" % entry
elif ftype == TYPE['P2P']:
if f.ftype == TYPE['P2P']:
l = self.dsum['tp']
#print >> sys.stderr, "True Positive: %s" % entry
elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE['POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
l = self.dsum['fn']
#print >> sys.stderr, "False Negative: %s" % entry
elif ftype == TYPE['NONP2P']:
if f.ftype == TYPE['P2P']:
l = self.dsum['fp']
#print >> sys.stderr, "False Positive: %s" % entry
elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE['POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
l = self.dsum['tn']
#print >> sys.stderr, "True Negative: %s" % entry
else:
print >> sys.stderr, "Unknown type: %s, %s, %s" % (entry, ftype, TYPE[ftype])
except KeyError as ke:
print ke, s
print "%s %d %s %d %d" % (pcap.ntoa(sip),f.sport,pcap.ntoa(dip),f.dport,f.protocol)
l = self.dsum['no']
# here update verification results
try:
l[0] += 1
l[1] += nbytes
l[2] += npackets
except TypeError as e:
print >> sys.stderr, "%s" % e
print >> sys.stderr, s, entry
print >> sys.stderr, ftype, TYPE[ftype], f.ftype, TYPE[f.ftype]
exit(1)
s = self.dsum['sum']
s[0] += 1
s[1] += nbytes
s[2] += npackets
def decode_IP_layer(self, data, pkt):
pkt["version"] = (ord(data[0]) & 0xF0) >> 4
pkt["iphlen"] = (ord(data[0]) & 0x0F) * 4
pkt["dscp"] = ord(data[1]) >> 2
pkt["len"] = socket.ntohs(struct.unpack("H", data[2:4])[0])
pkt["proto"] = ord(data[9])
pkt["srcip"] = pcap.ntoa(struct.unpack("i", data[12:16])[0])
pkt["dstip"] = pcap.ntoa(struct.unpack("i", data[16:20])[0])
pkt["data"] = data[pkt["iphlen"] :]
def decode_IP_layer(self, data, pkt):
pkt['version'] = (ord(data[0]) & 0xf0) >> 4
pkt['iphlen'] = (ord(data[0]) & 0x0f) * 4
pkt['dscp'] = ord(data[1]) >> 2
pkt['len'] = socket.ntohs(struct.unpack('H', data[2:4])[0])
pkt['proto'] = ord(data[9])
pkt['srcip'] = pcap.ntoa(struct.unpack('i', data[12:16])[0])
pkt['dstip'] = pcap.ntoa(struct.unpack('i', data[16:20])[0])
pkt['data'] = data[pkt['iphlen']:]
def parsePacket(raw):
pkt = {}
# http://www.tcpdump.org/linktypes.html
llHeaders = {
0: 4,
1: 14,
108: 4,
228: 0
}
if pcapObj.datalink() in llHeaders:
raw = raw[llHeaders[pcapObj.datalink()]:]
else:
stats['unknown L2 protocol'] += 1
pkt['version'] = (ord(raw[0]) & 0xf0) >> 4
pkt['header_len'] = ord(raw[0]) & 0x0f
pkt['tos'] = ord(raw[1])
pkt['total_len'] = socket.ntohs(
struct.unpack('H', raw[2:4])[0])
pkt['id'] = socket.ntohs(
struct.unpack('H', raw[4:6])[0])
pkt['flags'] = (ord(raw[6]) & 0xe0) >> 5
pkt['fragment_offset'] = socket.ntohs(
struct.unpack('H', raw[6:8])[0] & 0x1f)
pkt['ttl'] = ord(raw[8])
pkt['protocol'] = ord(raw[9])
pkt['checksum'] = socket.ntohs(
struct.unpack('H', raw[10:12])[0])
pkt['source_address'] = pcap.ntoa(
struct.unpack('i', raw[12:16])[0])
pkt['destination_address'] = pcap.ntoa(
struct.unpack('i', raw[16:20])[0])
if pkt['header_len'] > 5:
pkt['options'] = raw[20:4 * (pkt['header_len'] - 5)]
else:
pkt['options'] = None
raw = raw[4 * pkt['header_len']:]
if pkt['protocol'] == 17:
pkt['source_port'] = socket.ntohs(
struct.unpack('H', raw[0:2])[0])
pkt['destination_port'] = socket.ntohs(
struct.unpack('H', raw[2:4])[0])
raw = raw[8:]
stats['UDP packets'] += 1
pkt['data'] = raw
stats['IP packets'] += 1
return pkt
def __decode_arp(s):
d = {}
d['order'] = ['hardware type','protocol','hardware_size','protocol_size','opcode','src_mac','src_address','dst_mac','dst_address']
d['hardware type'] = '0x%.4X' % socket.ntohs(struct.unpack('H',s[0:2])[0])
d['protocol'] = protocols[s[2:4]]
d['hardware_size'] = ord(s[4])
d['protocol_size'] = ord(s[5])
d['opcode'] = '0x%.4X' % socket.ntohs(struct.unpack('H',s[6:8])[0])
d['src_mac'] = __strfmac(s[8:])
d['src_address'] = pcap.ntoa(struct.unpack('i',s[14:18])[0])
d['dst_mac'] = __strfmac(s[18:])
d['dst_address'] = pcap.ntoa(struct.unpack('i',s[24:28])[0])
d['info'] = 'Who has %s ? Tell %s' % (d['dst_address'],d['src_address'])
return d
def decode_ip_packet(data):
decoded_data = {}
decoded_data['dst_mac'] = ':'.join(x.encode('hex') for x in data[0:6])
decoded_data['src_mac'] = ':'.join(x.encode('hex') for x in data[6:12])
decoded_data['ethettype'] = data[12:14]
decoded_data['version'] = (ord(data[14]) & 0xf0) >> 4
decoded_data['header_len'] = ord(data[14]) & 0x0f
decoded_data['tos'] = ord(data[15])
decoded_data['id'] = socket.ntohs(struct.unpack('H', data[18:20])[0])
decoded_data['protocol'] = ord(data[23])
decoded_data['source_address'] = pcap.ntoa(struct.unpack('i', data[26:30])[0])
decoded_data['destination_address'] = pcap.ntoa(struct.unpack('i', data[30:34])[0])
return decoded_data
def decode_ip_packet(self,s):
d={}
d['version']=(ord(s[0]) & 0xf0) >> 4 #s[0],s[1] is an ascii character
d['header_len']=ord(s[0]) & 0x0f
d['tos']=ord(s[1]) #type of service
d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0]) #ntohs()--"Network to Host Short"
d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0]) #fragment-reconstruction
d['flags']=(ord(s[6]) & 0xe0) >> 5
d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['ttl']=ord(s[8])
d['protocol']=ord(s[9])
d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
if protocols[d['protocol']]=='tcp':
d['source_port']=socket.ntohs(struct.unpack('H',s[20:22])[0])
d['destination_port']=socket.ntohs(struct.unpack('H',s[22:24])[0])
d['send_order']=str(struct.unpack('I',s[24:28])[0])
d['def_order']=str(struct.unpack('I',s[28:32])[0])
d['data_offset']=(ord(s[32]) & 0xf0) >> 4
#s[33]:|_____|_____|_____|_____|_____|_____|_____|_____|
#
# |_____|_____|_urg_|_ack_|_psh_|_rst_|_syn_|_fin_|
d['urg']=(ord(s[33]) & 0x20) >> 5
d['ack']=(ord(s[33]) & 0x10) >> 4
d['psh']=(ord(s[33]) & 0x08) >> 3
d['rst']=(ord(s[33]) & 0x04) >> 2
d['syn']=(ord(s[33]) & 0x02) >> 1
d['fin']=(ord(s[33]) & 0x01)
d['window_size']=socket.ntohs(struct.unpack('H',s[34:36])[0])
d['tcp_chksm']=socket.ntohs(struct.unpack('H',s[36:38])[0])
d['urg_ptr']=socket.ntohs(struct.unpack('H',s[38:40])[0])
elif protocols[d['protocol']]=='udp':
d['source_port']=socket.ntohs(struct.unpack('H',s[20:22])[0])
d['destination_port']=socket.ntohs(struct.unpack('H',s[22:24])[0])
d['udp_length']=socket.ntohs(struct.unpack('H',s[24:26])[0])
d['udp_chksm']=socket.ntohs(struct.unpack('H',s[26:28])[0])
elif protocols[d['protocol']]=='icmp':
d['type']=ord(s[20])
d['code']=ord(s[21])
d['icmp_chksm']=socket.ntohs(struct.unpack('H',s[22:24])[0])
if d['header_len']>5:
d['options']=s[20:4*(d['header_len']-5)]
else:
d['options']=None
d['data']=s[4*d['header_len']:]
return d
def handle(self, plen, buff, ts):
"""
Handles packets and whenever an igmp packet is found,
parses it and calls on_pk( (ts, (ipSrc, ipDst), (macSrc, macDst), (igmpType, igmpGroup, igmpVer) ) ) .
Use IgmpHandler.set_on_packet to add a handler.
:param plen:
:param buff:
:param ts:
:return:
"""
# self.print_packet(len(buff), buff, ts)
eth = dpkt.ethernet.Ethernet(buff)
ip = eth.data
if type(ip.data) == dpkt.igmp.IGMP:
pk_igmp = ip.data
if pk_igmp.type == 17:
return
ipSrc = self.inetAddrStr(ip.src)
if self.source_filter is not None:
# If we could not find the filter we're looking for, in the source ip
if self.source_filter not in ipSrc:
return
str_igmp = str(pk_igmp)
# igbytes = (bytes(igmpPack)[0])
# igmp_type = self.igmpPacketTypes[pk_igmp.type]
igmp_gr = pcap.ntoa(struct.unpack('i', str_igmp[4:8])[0])
ver = ip.p
addrs_mac = (self.mac_addr(eth.src), self.mac_addr(eth.dst))
addrs_ip = (ipSrc, self.inetAddrStr(ip.dst))
self.on_pk(ts, addrs_ip, addrs_mac, (pk_igmp.type, igmp_gr, ver))
def decode_ip_packet(data):
decoded_data = {}
decoded_data['dst_mac'] = ':'.join(x.encode('hex') for x in data[0:6])
decoded_data['src_mac'] = ':'.join(x.encode('hex') for x in data[6:12])
decoded_data['ethettype'] = data[12:14]
decoded_data['version'] = (ord(data[14]) & 0xf0) >> 4
decoded_data['header_len'] = ord(data[14]) & 0x0f
decoded_data['tos'] = ord(data[15])
decoded_data['id'] = socket.ntohs(struct.unpack('H', data[18:20])[0])
decoded_data['protocol'] = ord(data[23])
decoded_data['source_address'] = pcap.ntoa(
struct.unpack('i', data[26:30])[0])
decoded_data['destination_address'] = pcap.ntoa(
struct.unpack('i', data[30:34])[0])
return decoded_data
def ptos(buf, ts):
"""ptos (buf,ts) -> str
convert a packet to a nice string.
inspired by print_packet of pcap sniff.py example
"""
s = "%14s" % tstolocaltime(ts)
if buf.type == dpkt.ethernet.ETH_TYPE_IP:
s += ", %15s >> %15s, len: %4d, protocol: %3d" % (
pcap.ntoa(struct.unpack("i", buf.ip.src)[0]),
pcap.ntoa(struct.unpack("i", buf.ip.dst)[0]),
buf.ip.len,
buf.ip.p,
)
# check if udp or tcp
if buf.ip.p == 17 or buf.ip.p == 6:
s += ", sport: %6d, dport: %6d" % (buf.ip.data.sport, buf.ip.data.dport)
return s
def parsePacket(raw):
pkt = {}
# http://www.tcpdump.org/linktypes.html
llHeaders = {0: 4, 1: 14, 108: 4, 228: 0}
if pcapObj.datalink() in llHeaders:
raw = raw[llHeaders[pcapObj.datalink()]:]
else:
stats['unknown L2 protocol'] += 1
pkt['version'] = (ord(raw[0]) & 0xf0) >> 4
pkt['header_len'] = ord(raw[0]) & 0x0f
pkt['tos'] = ord(raw[1])
pkt['total_len'] = socket.ntohs(struct.unpack('H', raw[2:4])[0])
pkt['id'] = socket.ntohs(struct.unpack('H', raw[4:6])[0])
pkt['flags'] = (ord(raw[6]) & 0xe0) >> 5
pkt['fragment_offset'] = socket.ntohs(
struct.unpack('H', raw[6:8])[0] & 0x1f)
pkt['ttl'] = ord(raw[8])
pkt['protocol'] = ord(raw[9])
pkt['checksum'] = socket.ntohs(struct.unpack('H', raw[10:12])[0])
pkt['source_address'] = pcap.ntoa(struct.unpack('i', raw[12:16])[0])
pkt['destination_address'] = pcap.ntoa(struct.unpack('i', raw[16:20])[0])
if pkt['header_len'] > 5:
pkt['options'] = raw[20:4 * (pkt['header_len'] - 5)]
else:
pkt['options'] = None
raw = raw[4 * pkt['header_len']:]
if pkt['protocol'] == 17:
pkt['source_port'] = socket.ntohs(struct.unpack('H', raw[0:2])[0])
pkt['destination_port'] = socket.ntohs(struct.unpack('H', raw[2:4])[0])
raw = raw[8:]
stats['UDP packets'] += 1
pkt['data'] = raw
stats['IP packets'] += 1
return pkt
def decode_ip_packet(s):
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['ToS'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.htons(struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.htons(struct.unpack('H', s[10:12])[0])
d['src_addr'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['dst_addr'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20: 4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
return d
def parsePacket(self, data):
host = re.search('host\:\s(.*?)\r?\n', data, re.IGNORECASE)
if host: host = host.group(1)
path = re.search('GET\s(.*?)\s', data, re.IGNORECASE)
if path: path = path.group(1)
ip = pcap.ntoa(struct.unpack('i',data[14:][12:16])[0])
if host and path and ip: return (host, path, ip)
else: return None
def decode_ip_packet(s):
d={}
# d['version']=(ord(s[0]) & 0xf0) >> 4
# d['header_len']=ord(s[0]) & 0x0f
# d['tos']=ord(s[1])
d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
# d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
# d['flags']=(ord(s[6]) & 0xe0) >> 5
# d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
# d['ttl']=ord(s[8])
# d['protocol']=ord(s[9])
# d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
# if d['header_len']>5:
# d['options']=s[20:4*(d['header_len']-5)]
# else:
# d['options']=None
# d['data']=s[4*d['header_len']:]
return d
def decode_ip_packet(s):
d = {}
d["version"] = (ord(s[0]) & 0xF0) >> 4
d["header_len"] = ord(s[0]) & 0x0F
d["tos"] = ord(s[1])
d["total_len"] = socket.ntohs(struct.unpack("H", s[2:4])[0])
d["id"] = socket.ntohs(struct.unpack("H", s[4:6])[0])
d["flags"] = (ord(s[6]) & 0xE0) >> 5
d["fragment_offset"] = socket.ntohs(struct.unpack("H", s[6:8])[0] & 0x1F)
d["ttl"] = ord(s[8])
d["protocol"] = ord(s[9])
d["checksum"] = socket.ntohs(struct.unpack("H", s[10:12])[0])
d["source_address"] = pcap.ntoa(struct.unpack("i", s[12:16])[0])
d["destination_address"] = pcap.ntoa(struct.unpack("i", s[16:20])[0])
if d["header_len"] > 5:
d["options"] = s[20 : 4 * (d["header_len"] - 5)]
else:
d["options"] = None
d["data"] = s[4 * d["header_len"] :]
return d
def decode_ip_packet(s):
d={}
# d['version']=(ord(s[0]) & 0xf0) >> 4
# d['header_len']=ord(s[0]) & 0x0f
# d['tos']=ord(s[1])
d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
# d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
# d['flags']=(ord(s[6]) & 0xe0) >> 5
# d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
# d['ttl']=ord(s[8])
# d['protocol']=ord(s[9])
# d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
# if d['header_len']>5:
# d['options']=s[20:4*(d['header_len']-5)]
# else:
# d['options']=None
# d['data']=s[4*d['header_len']:]
return d
def parsePacket(s):
d={}
# http://www.tcpdump.org/linktypes.html
llHeaders = {
0: 4,
1: 14,
108: 4,
228: 0
}
if pcapObj.datalink() in llHeaders:
s = s[llHeaders[pcapObj.datalink()]:]
else:
stats['unknown L2 protocol'] += 1
d['version']=(ord(s[0]) & 0xf0) >> 4
d['header_len']=ord(s[0]) & 0x0f
d['tos']=ord(s[1])
d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
d['flags']=(ord(s[6]) & 0xe0) >> 5
d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['ttl']=ord(s[8])
d['protocol']=ord(s[9])
d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
if d['header_len']>5:
d['options']=s[20:4*(d['header_len']-5)]
else:
d['options']=None
s = s[4*d['header_len']:]
if d['protocol'] == 17:
d['source_port'] = socket.ntohs(struct.unpack('H',s[0:2])[0])
d['destination_port'] = socket.ntohs(struct.unpack('H',s[2:4])[0])
s = s[8:]
stats['UDP packets'] +=1
d['data'] = s
stats['IP packets'] +=1
return d
def DecodeIPPacket(s):
if len(s) < 20:
return None
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
return d
def DecodeIPPacket(s):
if len(s) < 20:
return None
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
return d
def decode_ip_packet(s):
'''decode_ip_packet was taken from the example implementations that
came along with python-libpcap.'''
d={}
d['version']=(ord(s[0]) & 0xf0) >> 4
d['header_len']=ord(s[0]) & 0x0f
d['tos']=ord(s[1])
d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
d['flags']=(ord(s[6]) & 0xe0) >> 5
d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['ttl']=ord(s[8])
d['protocol']=ord(s[9])
d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
if d['header_len']>5:
d['options']=s[20:4*(d['header_len']-5)]
else:
d['options']=None
d['data']=s[4*d['header_len']:]
return d
def _ipv4_decode(self, packet_in):
"""Extract the IP header and populate a dictionary of values, returning
a the dictionary and the remaining data to extract.
:param str packet_in: The IP packet data
:returns: tuple
"""
out = {
'version':
struct.unpack('b', packet_in[0])[0] >> 4,
'ihl': (struct.unpack('b', packet_in[0])[0] & 0x0F) * 4,
'total_length':
ntohs(struct.unpack('H', packet_in[2:4])[0]),
'identification':
ntohs(struct.unpack('H', packet_in[4:6])[0]),
'flags': (ord(packet_in[6]) & 0xe0) >> 5,
'fragment_offset':
(ntohs(struct.unpack('H', packet_in[6:8])[0]) & 0x1f),
'ttl':
ord(packet_in[8]),
'protocol':
ord(packet_in[9]),
'checksum':
ntohs(struct.unpack('H', packet_in[10:12])[0]),
'source':
pcap.ntoa(struct.unpack('i', packet_in[12:16])[0]),
'destination':
pcap.ntoa(struct.unpack('i', packet_in[16:20])[0])
}
# If our header size is more than 5 bytes, we have options
if out['ihl'] > _IPV4_BASE_HEADER_SIZE:
out['options'] = packet_in[_IPV4_BASE_HEADER_SIZE:out['ihl']]
else:
out['options'] = None
# Return the decoded packet
return out, packet_in[out['ihl']:]
def decode_ip_packet(self, s):
#decode ip packet
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(
struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
#parse packetid and rule id
d['ruleid'] = 0
if d['total_len'] - d['header_len'] < 6:
d['usertype'] = 0
d['packetid'] = 0
return d
ed = d['total_len']
#ed = len(s) + 1
st = ed - 2
#print d['total_len'],d['header_len'],ed
d['packetid'] = socket.ntohs(struct.unpack('H', s[st:ed])[0])
ed = st
st = ed - 4
d['usertype'] = socket.ntohl(struct.unpack('I', s[st:ed])[0])
return d
def decode_ip_packet(s):
'''decode_ip_packet was taken from the example implementations that
came along with python-libpcap.'''
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
return d
def decode_arp_packet(self,s):
d={}
d['hardware_type']=socket.ntohs(struct.unpack('H',s[0:2])[0])
d['protocol_type']='IPv4'
d['MAC_length']=ord(s[4])
d['ip_length']=ord(s[5])
d['op_code']=socket.ntohs(struct.unpack('H',s[6:8])[0])
d['source_hardware_address1']=ord(s[8])
d['source_hardware_address2']=ord(s[9])
d['source_hardware_address3']=ord(s[10])
d['source_hardware_address4']=ord(s[11])
d['source_hardware_address5']=ord(s[12])
d['source_hardware_address6']=ord(s[13])
d['source_ip_address']=pcap.ntoa(struct.unpack('i',s[14:18])[0])
d['destination_hardware_address1']=ord(s[18])
d['destination_hardware_address2']=ord(s[19])
d['destination_hardware_address3']=ord(s[20])
d['destination_hardware_address4']=ord(s[21])
d['destination_hardware_address5']=ord(s[22])
d['destination_hardware_address6']=ord(s[23])
d['destination_ip_address']=pcap.ntoa(struct.unpack('i',s[24: 28])[0])
return d
def __init__(self, s):
#Decoding the IP packet
self.version=(ord(s[0]) & 0xf0) >> 4
self.ihdl=ord(s[0]) & 0x0f
self.tos=ord(s[1])
self.total_len=socket.ntohs(struct.unpack('H',s[2:4])[0])
self.ident=socket.ntohs(struct.unpack('H',s[4:6])[0])
self.flags=(ord(s[6]) & 0xe0) >> 5
self.frag_offset=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
self.ttl=ord(s[8])
self.proto=ord(s[9])
self.csum=socket.ntohs(struct.unpack('H',s[10:12])[0])
self.src_ip=pcap.ntoa(struct.unpack('i',s[12:16])[0])
self.dest_ip=pcap.ntoa(struct.unpack('i',s[16:20])[0])
if self.ihdl > 5:
self.options=s[20:4*(self.ihdl-5)]
else:
self.options=None
self.l4_payload=s[4*self.ihdl:]
#Create an object based on the payload.
if (self.proto == 6):
self.l4_packet = TCP_packet(self.l4_payload)
if (self.proto == 17):
self.l4_packet = UDP_packet(self.l4_payload)
def parse_packet(packet):
data = ['src_ip', 'syn-flag', 'ack-flag', 'port']
header_length = ord(packet[0]) & 0x0f
# src ip
data[0] = pcap.ntoa(unpack('i', packet[12:16])[0])
# syn-flag
data[1] = ord(packet[4 * header_length + 13]) >> 1 & 0x1
# ack-flag
data[2] = ord(packet[4 * header_length + 13]) >> 4 & 0x1
# port number
data[3] = (ord(packet[4 * header_length]) << 8) + ord(packet[4 * header_length + 1])
return data
def parsePacket(s):
d = {}
# http://www.tcpdump.org/linktypes.html
llHeaders = {0: 4, 1: 14, 108: 4, 228: 0}
if pcapObj.datalink() in llHeaders:
s = s[llHeaders[pcapObj.datalink()]:]
else:
stats['unknown L2 protocol'] += 1
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
s = s[4 * d['header_len']:]
if d['protocol'] == 17:
d['source_port'] = socket.ntohs(struct.unpack('H', s[0:2])[0])
d['destination_port'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
s = s[8:]
stats['UDP packets'] += 1
d['data'] = s
stats['IP packets'] += 1
return d
def parse_packet(packet):
data = ['src_ip', 'syn-flag', 'ack-flag', 'port']
header_length = ord(packet[0]) & 0x0f
# src ip
data[0] = pcap.ntoa(unpack('i', packet[12:16])[0])
# syn-flag
data[1] = ord(packet[4 * header_length + 13]) >> 1 & 0x1
# ack-flag
data[2] = ord(packet[4 * header_length + 13]) >> 4 & 0x1
# port number
data[3] = (ord(packet[4 * header_length]) << 8) + ord(
packet[4 * header_length + 1])
return data
def decode_arp_packet(s):
d={}
d['linktype']=socket.ntohs(struct.unpack('H',s[0:2])[0])
d['mac']=s[8:14]#struct.unpack("HHH",s[8:14]))
d['srcip']=pcap.ntoa(struct.unpack("i",s[14:18])[0])
#print '%x %x %x %x %x %x\n' %(d['mac'][0],d['mac'][1],d['mac'][2],d['mac'][3],d['mac'][4],d['mac'][5])
if d['srcip'] in ip_mac_dic.keys():
if ip_mac_dic[d['srcip']]!=d['mac']:
print 'new mac\n'
ip_mac_dic[d['srcip']]=d['mac']
print '%s\n' %(d['srcip'])
print '%02x:%02x:%02x:%02x:%02x:%02x\n' %(ord(d['mac'][0]),ord(d['mac'][1]),ord(d['mac'][2]),ord(d['mac'][3]),ord(d['mac'][4]),ord(d['mac'][5]))
else:
ip_mac_dic[d['srcip']]=d['mac']
print 'new srcip and mac'
print '%s\n' %(d['srcip'])
print '%02x:%02x:%02x:%02x:%02x:%02x\n' %(ord(d['mac'][0]),ord(d['mac'][1]),ord(d['mac'][2]),ord(d['mac'][3]),ord(d['mac'][4]),ord(d['mac'][5]))
def handle_query(query, ip_dict, port_dict, ip_to_ip_dict, ip_port_dict):
arr = query.split()
if arr[0] == "list":
list_all(ip_dict)
print
return
# IP-specific queries
try:
ip = pcap.aton(arr[1])
except:
print("Couldn't parse IP address " + arr[1])
return
# Display all IPs that this IP has communicated with
if arr[0] == "friends":
for other in ip_dict[ip]:
print(pcap.ntoa(other))
print
# List all live TCP sessions for IP
if arr[0] == "live":
list_live(ip, ip_dict, ip_to_ip_dict, ip_port_dict)
def handle_query(query, ip_dict, port_dict, ip_to_ip_dict, ip_port_dict):
arr = query.split()
if arr[0] == "list":
list_all(ip_dict)
print
return
# IP-specific queries
try:
ip = pcap.aton(arr[1])
except:
print("Couldn't parse IP address " + arr[1])
return
# Display all IPs that this IP has communicated with
if arr[0] == "friends":
for other in ip_dict[ip]:
print(pcap.ntoa(other))
print
# List all live TCP sessions for IP
if arr[0] == "live":
list_live(ip, ip_dict, ip_to_ip_dict, ip_port_dict)
def analyse_mac(self, pkt):
macs = pkt.Ether.src
addrs = pkt.Ether.payload.src
macd = pkt.Ether.dst
addrd = pkt.Ether.payload.dst
bsrc = netutils.ip_is_reserved(addrs)
bdst = netutils.ip_is_reserved(addrd)
# if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff:
# return
# if (addrs >> 24) == 255 or (addrd >> 24) == 255:
# return
if (not bsrc and not bdst) or addrs == addrd:
self.alert.add("outside %s [%s] to %s [%s]" %
(pcap.ntoa(addrs), netutils.mac_to_string(macs),
pcap.ntoa(addrd), netutils.mac_to_string(macd)))
else:
adds = self.add_mac(macs, addrs)
addd = self.add_mac(macd, addrd)
if not (adds and addd):
if not adds:
self.alert.add(
"on source %s [%s] (to %s [%s])" %
(pcap.ntoa(addrs), netutils.mac_to_string(macs),
pcap.ntoa(addrd),
netutils.mac_to_string(self.lmac[addrd])))
else:
self.alert.add(
"on dest %s [%s] (from %s [%s])" %
(pcap.ntoa(addrd), netutils.mac_to_string(macd),
pcap.ntoa(addrs),
netutils.mac_to_string(self.lmac[addrs])))
def ip_bytes_to_str(ip):
"""
Converts a bytes representation of an ip to a string
"""
return pcap.ntoa(struct.unpack('I', ip)[0])
def decode_ip_packet(self, s):
d = {}
d['version'] = (ord(s[0]) & 0xf0) >> 4
d['header_len'] = ord(s[0]) & 0x0f #This is ip header length. 32bit
d['tos'] = ord(s[1])
d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
d['flags'] = (ord(s[6]) & 0xe0) >> 5
d['fragment_offset'] = socket.ntohs(
struct.unpack('H', s[6:8])[0] & 0x1f)
d['ttl'] = ord(s[8])
d['protocol'] = ord(s[9])
d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
if d['header_len'] > 5:
d['options'] = s[20:4 * (d['header_len'] - 5)]
else:
d['options'] = None
d['data'] = s[4 * d['header_len']:]
# UDP parser:
if d['protocol'] == socket.IPPROTO_UDP:
udp_data = d['data']
d['udp'] = {}
d['udp']['source_port'] = socket.ntohs(
struct.unpack('H', udp_data[0:2])[0])
d['udp']['dest_port'] = socket.ntohs(
struct.unpack('H', udp_data[2:4])[0])
d['udp']['length'] = socket.ntohs(
struct.unpack('H',
udp_data[4:6])[0]) #including header and data
d['udp']['headerlen'] = 2 # UDP header length. 32bit
d['udp']['checksum'] = socket.ntohs(
struct.unpack('H', udp_data[6:8])[0])
udp_payload = udp_data[8:] # UDP header contains 8 bytes header.
if d['udp']['source_port'] == 53 or d['udp']['dest_port'] == 53:
d['udp']['type'] = 'dns'
elif d['udp']['source_port'] == 137 or d['udp']['dest_port'] == 137:
d['udp']['type'] = 'nbns'
elif d['udp']['source_port'] == 123 or d['udp']['dest_port'] == 123:
d['udp']['type'] = 'ntp'
elif d['destination_address'] == '224.0.0.251':
d['udp']['type'] = 'mdns'
elif d['destination_address'] == '239.255.255.250':
d['udp']['type'] = 'ssdp'
else:
maybe_rtp = {}
maybertp_flag_0 = (((ord(udp_payload[0]) & 0xC0) >> 6) == 2)
# 32 is a normal rtp header length.
maybertp_flag_1 = (len(udp_payload) > 12)
maybertp_flag_2 = 0
maybertp_flag_3 = 0
if maybertp_flag_0 and maybertp_flag_1:
maybe_rtp['total_len'] = d['udp'][
'length'] - d['udp']['headerlen'] * 4
maybe_rtp['headerlen'] = 3
maybe_rtp['V'] = maybertp_flag_0
maybe_rtp['P'] = (ord(udp_payload[0]) & 0x20) >> 5
maybe_rtp['X'] = (ord(udp_payload[0]) & 0x10) >> 4
maybe_rtp['CC'] = (ord(udp_payload[0]) & 0xF)
maybe_rtp['PT'] = (ord(udp_payload[1]) & 0x7F)
maybe_rtp['SequenceNumber'] = socket.ntohs(
struct.unpack('H', udp_payload[2:4])[0])
maybe_rtp['TimeStamp'] = socket.ntohl(
struct.unpack('I', udp_payload[4:8])[0])
maybe_rtp['SSRC'] = socket.ntohl(
struct.unpack('I', udp_payload[8:12])[0])
maybe_rtp['CSRC'] = []
maybertp_flag_2 = (maybe_rtp['PT'] >=
97) and (maybe_rtp['PT'] <= 200)
#maybertp_flag_2 = True
if maybertp_flag_2:
for idx in range(maybe_rtp['CC']):
maybe_rtp['CSRC'].append(
socket.ntohl(
struct.unpack(
'I', udp_payload[12 + idx * 4:16 +
idx * 4])[0]))
maybe_rtp['headerlen'] += 1
start_pos = 12 + maybe_rtp['CC'] * 4
payload_start_pos = start_pos
if maybe_rtp['X'] == 1:
maybe_rtp['headerlen'] += 1
maybe_rtp['X_LEN'] = socket.ntohs(
struct.unpack(
'H',
udp_payload[start_pos + 2:start_pos + 4])[0])
maybe_rtp['headerlen'] += maybe_rtp['X_LEN']
maybe_rtp['EX'] = udp_payload[start_pos + 4:start_pos +
4 +
maybe_rtp['X_LEN'] * 4]
payload_start_pos += (maybe_rtp['X_LEN'] + 1) * 4
else:
maybe_rtp['X_LEN'] = 0
maybe_rtp['EX'] = []
if maybe_rtp['P'] == 1:
maybe_rtp['P_len'] = ord(s[d['total_len'] - 1])
else:
maybe_rtp['P_len'] = 0
# d['rtp']['payload_len'] = d['rtp']['total_len'] - d['udp']['headerlen'] * 4 - d['rtp']['P_len']
maybe_rtp['payload_len'] = maybe_rtp[
'total_len'] - maybe_rtp['headerlen'] * 4 - maybe_rtp[
'P_len']
maybe_rtp['payload'] = udp_payload[
payload_start_pos:payload_start_pos + 4 +
maybe_rtp['payload_len']]
if len(maybe_rtp['payload']) > 1:
h264_payloas_first_octet = ord(maybe_rtp['payload'][0])
# 0x67 SPS, 0x68 PPS 0x65 IDR, 0x61 non-IDR
maybertp_flag_3 = (
h264_payloas_first_octet
== 0x67) or (h264_payloas_first_octet == 0x68) or (
h264_payloas_first_octet
== 0x65) or (h264_payloas_first_octet == 0x61)
maybe_rtp['payload'] = 0
#print "flag_0 : ", maybertp_flag_0
#print "flag_1 : ", maybertp_flag_1
#print "flag_2 : ", maybertp_flag_2
#print "flag_3 : ", maybertp_flag_3
if maybertp_flag_0 and maybertp_flag_1 and maybertp_flag_2 and maybertp_flag_3:
d['udp']['type'] = 'rtp-h264'
d['udp']['rtp'] = maybe_rtp
pass
else:
d['udp']['type'] = 'other'
return d
def ipi_to_string(data):
return pcap.ntoa(data)
def verify(self, f):
#struct.unpack('!L',socket.inet_aton(ip))[0]
sip = struct.unpack('!L', f.sip)[0]
dip = struct.unpack('!L', f.dip)[0]
if sip < dip:
s = "%d%d%d%d%d" % (sip, f.sport, dip, f.dport, f.protocol)
else:
s = "%d%d%d%d%d" % (dip, f.dport, sip, f.sport, f.protocol)
fid = hash(int(s))
nflows = 1
nbytes = f.nbytes
npackets = f.npackets
l = None
try:
entry = self[fid]
ftype = entry.picdfi_type
if ftype == TYPE['UNIDENTIFIED']:
# unable to verify
if f.ftype == TYPE['P2P']:
l = self.dsum['up']
#print >> sys.stderr, "Unverified P2P: %s" % entry
elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE[
'POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
l = self.dsum['un']
#print >> sys.stderr, "Unverified NONP2P: %s" % entry
elif ftype == TYPE['P2P']:
if f.ftype == TYPE['P2P']:
l = self.dsum['tp']
#print >> sys.stderr, "True Positive: %s" % entry
elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE[
'POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
l = self.dsum['fn']
#print >> sys.stderr, "False Negative: %s" % entry
elif ftype == TYPE['NONP2P']:
if f.ftype == TYPE['P2P']:
l = self.dsum['fp']
#print >> sys.stderr, "False Positive: %s" % entry
elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE[
'POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
l = self.dsum['tn']
#print >> sys.stderr, "True Negative: %s" % entry
else:
print >> sys.stderr, "Unknown type: %s, %s, %s" % (
entry, ftype, TYPE[ftype])
except KeyError as ke:
print ke, s
print "%s %d %s %d %d" % (pcap.ntoa(sip), f.sport, pcap.ntoa(dip),
f.dport, f.protocol)
l = self.dsum['no']
# here update verification results
try:
l[0] += 1
l[1] += nbytes
l[2] += npackets
except TypeError as e:
print >> sys.stderr, "%s" % e
print >> sys.stderr, s, entry
print >> sys.stderr, ftype, TYPE[ftype], f.ftype, TYPE[f.ftype]
exit(1)
s = self.dsum['sum']
s[0] += 1
s[1] += nbytes
s[2] += npackets
def count(self, pktlen, data, timestamp):
if not data:
return
self.total_packets += 1
data = stripJuniperEthernet(data)
streams = self.streams
streams_next_counter = self.streams_next_counter
streams_missing_packets = self.streams_missing_packets
streams_out_of_order = self.streams_out_of_order
"""
if (self.c == 2147):
print "Frame: %s" % self.c
print "Length: %s" % pktlen
print16(data)
print "Counter = %s" % (ta(data[57]))
print "Type = %s" % (ta(data[58]))
"""
rtp_version = None
protocol = None
if (data and len(data) >= 43):
## RTP Version is the first 2 bits of the 55th octet
rtp_version = ord(data[42]) >> 6
## 33 Octed has the IP protocol ... 17 is UDP
protocol = ord(data[23])
if (protocol == 17 and rtp_version == 2):
self.total_rtp += 1
if (protocol == 17):
self.total_udp += 1
"""
if (self.total_packets == 2431):
print16(data)
print
print "RTP Version %s (%s)" % (rtp_version, ta_ord(ord(data[42])))
print "Protocol %s (%s)" % (protocol, ta_ord(ord(data[23])))
print "Packet # %s" % self.total_packets
"""
if (rtp_version == 2 and protocol == 17):
## Get the source and destination information
source_address = pcap.ntoa(struct.unpack('i', data[26:30])[0])
destination_address = pcap.ntoa(struct.unpack('i', data[30:34])[0])
source_port = (ord(data[34]) << 8) + ord(data[35])
dest_port = (ord(data[36]) << 8) + ord(data[37])
## Payload is the last 7 bits in the 56th octet
payload = ta_ord(ord(data[43]) & 0x7F)
int_payload = ord(data[43]) & 0x7F
## Counter is a 16 bit field in the 57th and 58th octets
counter = ta_ord4((ord(data[44]) << 8) + ord(data[45]))
int_counter = (ord(data[44]) << 8) + ord(data[45])
## The RFC defines 96 to 127 as the dynamic payload types
## and this seems to be where Polycom puts the audio and video
## streams. We are only interested in these two streams for
## this analyzer
if (int_payload <= 127 and int_payload >= 96):
stream_id = "%s-%s-%s" % (destination_address, dest_port,
payload)
"""
if (stream_id == "192.168.105.27-49366-0x76"):
print16(data)
print
print "RTP Version %s (%s)" % (rtp_version, ta_ord(ord(data[45])))
print "Protocol %s (%s)" % (protocol, ta_ord(ord(data[23])))
print "Counter: %s, Int Counter: %s" % (counter, int_counter)
print "Packet # %s" % self.total_packets
sys.exit()
"""
if streams.has_key(stream_id):
## Alright, we are already tracking this stream
streams[stream_id] += 1
if streams_next_counter[stream_id] != int_counter:
## Not what we were expecting, so we have a missing packet
## So, is it something we should have seen earlier
if streams_missing_packets[stream_id].has_key(
streams_next_counter[stream_id]):
## Yup, it just arrived late
streams_out_of_order[stream_id].append(int_counter)
else:
## add it and everything in between to the missing packets
for i in range(streams_next_counter[stream_id],
int_counter):
streams_missing_packets[stream_id][i] = 1
## Set the next expected sequence number
streams_next_counter[stream_id] = int_counter + 1
else:
## This is a new stream
streams[stream_id] = 1
## Set the next expected counter
streams_next_counter[stream_id] = int_counter + 1
## Initialize missing packet and out of order packet dictionaries
streams_missing_packets[stream_id] = {}
streams_out_of_order[stream_id] = []
def list_all(ip_dict):
for ip in ip_dict:
print(pcap.ntoa(ip))
def ip_to_s(self, ip):
if ip == -1:
return "internet"
else:
return pcap.ntoa(ip)