예제 #1
0
def decodeipv4(ip):
    pktinfos = dict()
    pktinfos['src_addr'] = pcap.ntoa(struct.unpack('i',ip.src)[0])
    pktinfos['dst_addr'] = pcap.ntoa(struct.unpack('i',ip.dst)[0])
    pktinfos['proto'] = ip.p
    
    if dpkt.ip.IP_PROTO_TCP == ip.p: #Check for TCP packets
        tcp = ip.data
        pktinfos['proto_name'] = 'TCP'
        pktinfos['src_port'] = tcp.sport
        pktinfos['dst_port'] = tcp.dport
        payload = tcp.data
    elif dpkt.ip.IP_PROTO_UDP == ip.p: #Check for UDP packets
        udp = ip.data
        pktinfos['proto_name'] = 'UDP'
        pktinfos['src_port'] = udp.sport
        pktinfos['dst_port'] = udp.dport
        payload = udp.data
    elif dpkt.ip.IP_PROTO_ICMP == ip.p: #Check for ICMP packets
        icmp = ip.data
        pktinfos['proto_name'] = 'ICMP'
        pktinfos['src_port'] = 0
        pktinfos['dst_port'] = 0
        payload = str(icmp.data)
    else:
        return None, None
           
    return pktinfos, payload
    def analyse_mac(self, pkt):
        macs = pkt.Ether.src
        addrs = pkt.Ether.payload.src

        macd = pkt.Ether.dst
        addrd = pkt.Ether.payload.dst

        bsrc = netutils.ip_is_reserved(addrs)
        bdst = netutils.ip_is_reserved(addrd)

        # if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff:
        #     return

        # if (addrs >> 24) == 255 or  (addrd >> 24) == 255:
        #     return

        if (not bsrc and not bdst) or addrs == addrd:
            self.alert.add("outside %s [%s] to %s [%s]" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(macd)))  
        else:
            adds = self.add_mac(macs, addrs)
            addd = self.add_mac(macd, addrd)
            if not (adds and addd):
                if not adds:
                    self.alert.add("on source %s [%s] (to %s [%s])" % (pcap.ntoa(addrs), netutils.mac_to_string(macs), pcap.ntoa(addrd), netutils.mac_to_string(self.lmac[addrd])))
                else:
                    self.alert.add("on dest %s [%s] (from %s [%s])" % (pcap.ntoa(addrd), netutils.mac_to_string(macd), pcap.ntoa(addrs), netutils.mac_to_string(self.lmac[addrs])))
예제 #3
0
파일: httpsniff.py 프로젝트: wil/httpsniff
def decode_ip_packet(s):
    d = {}
    d['version']=(ord(s[0]) & 0xf0) >> 4
    d['header_len']=ord(s[0]) & 0x0f
    d['tos']=ord(s[1])
    d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
    d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
    d['flags']=(ord(s[6]) & 0xe0) >> 5
    d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    d['ttl']=ord(s[8])
    d['protocol']=ord(s[9])
    d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
    d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
    d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
    if d['header_len']>5:
        d['options']=s[20:4*(d['header_len']-5)]
    else:
        d['options']=None
    d['data']=s[4*d['header_len']:]
    if d['protocol'] in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        d['src_port'] = socket.ntohs(struct.unpack('H',d['data'][:2])[0])
        d['dst_port'] = socket.ntohs(struct.unpack('H',d['data'][2:4])[0])

        if d['protocol'] == socket.IPPROTO_TCP:
            d['seq'] = pcap.ntoa(struct.unpack('i',d['data'][4:8])[0])
            d['ack'] = pcap.ntoa(struct.unpack('i',d['data'][8:12])[0])

            d['data_offset'] = (ord(d['data'][12]) & 0xf0) >> 4
            if len(d['data']) > d['data_offset'] * 4:
                d['payload'] = d['data'][d['data_offset']*4:]
    return d
예제 #4
0
    def pkt_handler(self, pkt):

        res = pkt.get_protocol("Ethernet", "IPv4", "TCP", "HTTP")
        if res is not None and res.type != "":

            if res.type == "POST":

                header_end = res.data.find("\n\r")
                if len(res.data) > header_end + 2:
                    info = res.data[header_end + 2:]
                    find = False
                    infoSearch = info.lower()
                    lres = list()
                    for word in l_wd:
                        pos = infoSearch.find(word)
                        if pos != -1:
                            find = True
                            lres.append(pos)

                    if find:
                        val = dict()
                        val["src"] = pcap.ntoa(pkt.Ether.payload.src)
                        val["dst"] = pcap.ntoa(pkt.Ether.payload.dst)
                        val["res"] = list()
                        for pos in lres:
                            val["res"].append(info[pos:pos + 50])

                        self.last.append(val)
                        if len(self.last) > 1000:
                            self.last.pop(0)
예제 #5
0
파일: tcpxm.py 프로젝트: zhangqin/tcpxm
def decode_ip_packet(s):
    d = {}
    d['version'] = (ord(s[0]) & 0xf0) >> 4
    d['header_len'] = ord(s[0]) & 0x0f
    d['tos'] = ord(s[1])
    d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
    d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
    d['flags'] = (ord(s[6]) & 0xe0) >> 5
    d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
    d['ttl'] = ord(s[8])
    d['protocol'] = ord(s[9])
    d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
    d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
    if d['header_len'] > 5:
        d['options'] = s[20:4 * (d['header_len'] - 5)]
    else:
        d['options'] = None
    d['data'] = s[4 * d['header_len']:]
    d['source_port'] = socket.ntohs(struct.unpack('H', d['data'][0:2])[0])
    d['destination_port'] = socket.ntohs(struct.unpack('H', d['data'][2:4])[0])
    d['seq'] = socket.ntohl(struct.unpack('I', d['data'][4:8])[0])
    d['ack'] = socket.ntohl(struct.unpack('I', d['data'][8:12])[0])
    d['tcp_header_len'] = (ord(d['data'][12]) & 0xf0) >> 4
    d['tcp_bit'] = (ord(d['data'][13]) & 0x3f)
    d['tcp_data'] = d['data'][4 * d['tcp_header_len']:]
    return d
예제 #6
0
파일: tcpxm.py 프로젝트: ElvisWang/tcpxm
def decode_ip_packet(s):
    d                        = {}
    d['version']             = (ord(s[0]) & 0xf0) >> 4
    d['header_len']          = ord(s[0]) & 0x0f
    d['tos']                 = ord(s[1])
    d['total_len']           = socket.ntohs(struct.unpack('H',s[2:4])[0])
    d['id']                  = socket.ntohs(struct.unpack('H',s[4:6])[0])
    d['flags']               = (ord(s[6]) & 0xe0) >> 5
    d['fragment_offset']     = socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    d['ttl']                 = ord(s[8])
    d['protocol']            = ord(s[9])
    d['checksum']            = socket.ntohs(struct.unpack('H',s[10:12])[0])
    d['source_address']      = pcap.ntoa(struct.unpack('i',s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('i',s[16:20])[0])
    if d['header_len'] > 5:
        d['options'] = s[20:4*(d['header_len']-5)]
    else:
        d['options'] = None
    d['data']             = s[4*d['header_len']:]
    d['source_port']      = socket.ntohs(struct.unpack('H',d['data'][0:2])[0])
    d['destination_port'] = socket.ntohs(struct.unpack('H',d['data'][2:4])[0])
    d['seq']              = socket.ntohl(struct.unpack('I',d['data'][4:8])[0])
    d['ack']              = socket.ntohl(struct.unpack('I',d['data'][8:12])[0])
    d['tcp_header_len']   = (ord(d['data'][12]) & 0xf0) >> 4
    d['tcp_bit']          = (ord(d['data'][13]) & 0x3f)
    d['tcp_data']         = d['data'][4*d['tcp_header_len']:]
    return d
예제 #7
0
파일: parse.py 프로젝트: sKabYY/WireDog
def __decode_ip(s):  
    d={}
    d['order'] = ['version','header_len','dsfield','total_len','id','flags','fragment_offset','time_to_live','protocol','checksum','src_address','dst_address','options','data']
    d['version'] = ((ord(s[0]) & 0xf0) >> 4)
    d['header_len'] = (ord(s[0]) & 0x0f) * 4;
    d['dsfield']= ord(s[1])
    d['total_len']= socket.ntohs(struct.unpack('H',s[2:4])[0])
    d['id']= '0x%.4X' % socket.ntohs(struct.unpack('H',s[4:6])[0])
    d['flags']= '0x%.2X' % ((ord(s[6]) & 0xe0) >> 5)
    d['fragment_offset']= '%d' % socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    d['time_to_live']= '%d' % ord(s[8])
    try:
        d['protocol']= ip_protocols[ord(s[9])]
    except:
        d['protocol']= 'Unknown'
        
    d['checksum']= '0x%.4X' % socket.ntohs(struct.unpack('H',s[10:12])[0])
    d['src_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
    d['dst_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
    if d['header_len']>20:
        d['options']=s[20:d['header_len']]
    else:
        d['options']=None
    d['data']=('%d bytes %s' % (len(s[d['header_len']:]),PROMPT),s[d['header_len']:])

    return d
예제 #8
0
def decodeipv4(ip):
    pktinfos = dict()
    pktinfos['src_addr'] = pcap.ntoa(struct.unpack('i',ip.src)[0])
    pktinfos['dst_addr'] = pcap.ntoa(struct.unpack('i',ip.dst)[0])
    pktinfos['proto'] = ip.p
    
    if dpkt.ip.IP_PROTO_TCP == ip.p: #Check for TCP packets
        tcp = ip.data
        pktinfos['proto_name'] = 'TCP'
        pktinfos['src_port'] = tcp.sport
        pktinfos['dst_port'] = tcp.dport
        payload = tcp.data
    elif dpkt.ip.IP_PROTO_UDP == ip.p: #Check for UDP packets
        udp = ip.data
        pktinfos['proto_name'] = 'UDP'
        pktinfos['src_port'] = udp.sport
        pktinfos['dst_port'] = udp.dport
        payload = udp.data
    elif dpkt.ip.IP_PROTO_ICMP == ip.p: #Check for ICMP packets
        icmp = ip.data
        pktinfos['proto_name'] = 'ICMP'
        pktinfos['src_port'] = 0
        pktinfos['dst_port'] = 0
        payload = str(icmp.data)
    else:
        return None, None
           
    return pktinfos, payload
예제 #9
0
def decode_ip_packet(s):
    '''
    Decoding ip packets. Accroding to the IP frame format,
    we can decode every field of the packet. 
    NOTE: We also decode the source port and destination port 
    here for convenience, since they are layer 4 elements
    '''
    d = {}
    d['version'] = (ord(s[0]) & 0xf0) >> 4
    d['header_len'] = ord(s[0]) & 0x0f
    d['tos'] = ord(s[1])
    d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
    d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
    d['flags'] = (ord(s[6]) & 0xe0)>>5
    d['fragment_offset'] = socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    d['ttl'] = ord(s[8])
    d['protocol'] = ord(s[9])
    d['checksum'] = socket.ntohs(struct.unpack('H',s[10:12])[0])
    d['source_address'] = pcap.ntoa(struct.unpack('L', s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('L', s[16:20])[0])

    if d['header_len'] > 5:   # headr length
        d['options'] = s[20:4*(d['header_len'] - 5)]
    else:
        d['options']=None
    d['data'] = s[4*d['header_len']:]
    d['source_port'] = socket.ntohs(struct.unpack('H', d['data'][0:2])[0])
    d['destination_port'] = socket.ntohs(struct.unpack('H', d['data'][2:4])[0])
    return d
예제 #10
0
def decode_ip_packet(s):
  d={}
  #---IP Header---
  #d['version']=(ord(s[0]) & 0xf0) >> 4
  #d['header_len']=ord(s[0]) & 0x0f
  #d['tos']=ord(s[1])
  #d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
  #d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
  #d['flags']=(ord(s[6]) & 0xe0) >> 5
  #d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
  #d['ttl']=ord(s[8])
  d['protocol']=ord(s[9])
  #d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
  d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
  d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
  #if d['header_len']>5:
  #  d['options']=s[20:4*(d['header_len']-5)]
  #else:
  #  d['options']=None
  #d['data']=s[4*d['header_len']:]

  #---TCP Header---
  #The difference between ntohs and ntohl is the difference between 16bit and 32bit integers.
  #d['source_port'] = socket.ntohs(struct.unpack('H',s[20:22])[0])
  #d['destination_port'] = socket.ntohs(struct.unpack('H',s[22:24])[0])
  d['sequence_number'] = socket.ntohl(struct.unpack('I',s[24:28])[0])
  d['ack_number'] = socket.ntohl(struct.unpack('I',s[28:32])[0])

  return d
예제 #11
0
    def pkt_handler(self, pkt):

        res = pkt.get_protocol("Ethernet", "IPv4", "TCP", "HTTP")
        if res is not None and res.type != "":

            if res.type == "POST":

                header_end = res.data.find("\n\r")
                if len(res.data) > header_end + 2:
                    info = res.data[header_end + 2:]
                    find = False
                    infoSearch = info.lower()
                    lres = list()
                    for word in l_wd:
                        pos = infoSearch.find(word)
                        if pos != -1:
                            find = True
                            lres.append(pos)

                    if find:
                        val = dict()
                        val["src"] = pcap.ntoa(pkt.Ether.payload.src)
                        val["dst"] = pcap.ntoa(pkt.Ether.payload.dst)
                        val["res"] = list()
                        for pos in lres:
                            val["res"].append(info[pos:pos+50])


                        self.last.append(val)
                        if len(self.last) > 1000:
                            self.last.pop(0)
예제 #12
0
def decode_ip_packet(s):
    '''
    Decoding ip packets. Accroding to the IP frame format,
    we can decode every field of the packet. 
    NOTE: We also decode the source port and destination port 
    here for convenience, since they are layer 4 elements
    '''
    d = {}
    d['version'] = (ord(s[0]) & 0xf0) >> 4
    d['header_len'] = ord(s[0]) & 0x0f
    d['tos'] = ord(s[1])
    d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
    d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
    d['flags'] = (ord(s[6]) & 0xe0) >> 5
    d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
    d['ttl'] = ord(s[8])
    d['protocol'] = ord(s[9])
    d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
    d['source_address'] = pcap.ntoa(struct.unpack('L', s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('L', s[16:20])[0])

    if d['header_len'] > 5:  # headr length
        d['options'] = s[20:4 * (d['header_len'] - 5)]
    else:
        d['options'] = None
    d['data'] = s[4 * d['header_len']:]
    d['source_port'] = socket.ntohs(struct.unpack('H', d['data'][0:2])[0])
    d['destination_port'] = socket.ntohs(struct.unpack('H', d['data'][2:4])[0])
    return d
예제 #13
0
def decode_ip_packet(s):
    d = {}
    #---IP Header---
    #d['version']=(ord(s[0]) & 0xf0) >> 4
    #d['header_len']=ord(s[0]) & 0x0f
    #d['tos']=ord(s[1])
    #d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
    #d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
    #d['flags']=(ord(s[6]) & 0xe0) >> 5
    #d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    #d['ttl']=ord(s[8])
    d['protocol'] = ord(s[9])
    #d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
    d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
    #if d['header_len']>5:
    #  d['options']=s[20:4*(d['header_len']-5)]
    #else:
    #  d['options']=None
    #d['data']=s[4*d['header_len']:]

    #---TCP Header---
    #The difference between ntohs and ntohl is the difference between 16bit and 32bit integers.
    #d['source_port'] = socket.ntohs(struct.unpack('H',s[20:22])[0])
    #d['destination_port'] = socket.ntohs(struct.unpack('H',s[22:24])[0])
    d['sequence_number'] = socket.ntohl(struct.unpack('I', s[24:28])[0])
    d['ack_number'] = socket.ntohl(struct.unpack('I', s[28:32])[0])

    return d
예제 #14
0
파일: network.py 프로젝트: gmr/menwith
    def _ipv4_decode(self, packet_in):
        """Extract the IP header and populate a dictionary of values, returning
        a the dictionary and the remaining data to extract.

        :param str packet_in: The IP packet data
        :returns: tuple

        """
        out = {'version': struct.unpack('b', packet_in[0])[0] >> 4,
               'ihl': (struct.unpack('b', packet_in[0])[0] & 0x0F) * 4,
               'total_length': ntohs(struct.unpack('H', packet_in[2:4])[0]),
               'identification': ntohs(struct.unpack('H', packet_in[4:6])[0]),
               'flags': (ord(packet_in[6]) & 0xe0) >> 5,
               'fragment_offset': (ntohs(struct.unpack('H',
                                                       packet_in[6:8])[0]) &
                                   0x1f),
               'ttl': ord(packet_in[8]),
               'protocol': ord(packet_in[9]),
               'checksum': ntohs(struct.unpack('H', packet_in[10:12])[0]),
               'source': pcap.ntoa(struct.unpack('i', packet_in[12:16])[0]),
               'destination': pcap.ntoa(struct.unpack('i',
                                                      packet_in[16:20])[0])}

        # If our header size is more than 5 bytes, we have options
        if out['ihl'] > _IPV4_BASE_HEADER_SIZE:
            out['options'] = packet_in[_IPV4_BASE_HEADER_SIZE:out['ihl']]
        else:
            out['options'] = None

        # Return the decoded packet
        return out, packet_in[out['ihl']:]
예제 #15
0
def print_packet(pktlen, data, timestamp):

    if not data:
        return
    
    if data[12:14]=='\x08\x00':
        src_port, dest_port, payload = get_tcp_info(data[14:])
    else :
        return

    prefix = payload[:4]
    
#    print prefix

    if (mode & CAP_YMSG) and (prefix == 'YMSG') and (len(payload)>11) and (ord(payload[10]) == 0) and (ord(payload[11]) == 6) :
        print 'YMSG :: %s - %s' % (pcap.ntoa(struct.unpack('i',data[26:30])[0]) , parse_ymsg(payload))

    elif mode & CAP_POST: 
        content = None
        if prefix == 'POST' :
            content = parse_http_post(src_port, payload)
        elif http_requests.has_key(src_port):
            content = parse_partial_http_post(src_port, payload)
        if (content != None) :
                print 'POST :: %s - %s : %s \n'  % (pcap.ntoa(struct.unpack('i',data[26:30])[0]),pcap.ntoa(struct.unpack('i',data[30:34])[0]), content)
                
    elif (mode & CAP_FTP) and (prefix == 'USER') :
            print 'FTP :: %s - %s : %s'  % (pcap.ntoa(struct.unpack('i',data[26:30])[0]),pcap.ntoa(struct.unpack('i',data[30:34])[0]), payload)
            
    elif (mode & CAP_FTP) and (prefix == 'PASS') :
            print 'FTP :: %s - %s : %s'  % (pcap.ntoa(struct.unpack('i',data[26:30])[0]),pcap.ntoa(struct.unpack('i',data[30:34])[0]), payload)
예제 #16
0
def tcp_session_tuple_to_str(tup):
    """

    :param tup: a tuple as a result of PcapUtils.get_live_sessions
    :return: A string
    """
    return pcap.ntoa(tup[0]) + ":" + str(tup[2]) + " --> " + \
           pcap.ntoa(tup[1]) + ":" + str(tup[3])
예제 #17
0
파일: verification.py 프로젝트: 72Zn/picdfi
 def verify (self, f):
     #struct.unpack('!L',socket.inet_aton(ip))[0]
     sip = struct.unpack('!L',f.sip)[0]
     dip = struct.unpack('!L',f.dip)[0]
     if sip < dip:
             s = "%d%d%d%d%d" % (sip,f.sport,dip,f.dport,f.protocol)
     else:
             s = "%d%d%d%d%d" % (dip,f.dport,sip,f.sport,f.protocol)
     fid = hash(int(s))
     nflows = 1
     nbytes = f.nbytes
     npackets = f.npackets
     l = None
     try:
         entry = self[fid]
         ftype = entry.picdfi_type
         if ftype == TYPE['UNIDENTIFIED']:
             # unable to verify
             if f.ftype == TYPE['P2P']:
                 l = self.dsum['up']
                 #print >> sys.stderr, "Unverified P2P: %s" % entry
             elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE['POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
                 l = self.dsum['un']
                 #print >> sys.stderr, "Unverified NONP2P: %s" % entry
         elif ftype == TYPE['P2P']:
             if f.ftype == TYPE['P2P']:
                 l = self.dsum['tp']
                 #print >> sys.stderr, "True Positive: %s" % entry
             elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE['POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
                 l = self.dsum['fn']
                 #print >> sys.stderr, "False Negative: %s" % entry
         elif ftype == TYPE['NONP2P']:
             if f.ftype == TYPE['P2P']:
                 l = self.dsum['fp']
                 #print >> sys.stderr, "False Positive: %s" % entry
             elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE['POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
                 l = self.dsum['tn']
                 #print >> sys.stderr, "True Negative: %s" % entry
         else:
             print >> sys.stderr, "Unknown type: %s, %s, %s" % (entry, ftype, TYPE[ftype])
     except KeyError as ke:
         print ke, s
         print "%s %d %s %d %d" % (pcap.ntoa(sip),f.sport,pcap.ntoa(dip),f.dport,f.protocol)
         l = self.dsum['no']
     # here update verification results
     try:
         l[0] += 1
         l[1] += nbytes
         l[2] += npackets
     except TypeError as e:
         print >> sys.stderr, "%s" % e
         print >> sys.stderr, s, entry
         print >> sys.stderr, ftype, TYPE[ftype], f.ftype, TYPE[f.ftype]
         exit(1)
     s = self.dsum['sum']
     s[0] += 1
     s[1] += nbytes
     s[2] += npackets
예제 #18
0
 def decode_IP_layer(self, data, pkt):
     pkt["version"] = (ord(data[0]) & 0xF0) >> 4
     pkt["iphlen"] = (ord(data[0]) & 0x0F) * 4
     pkt["dscp"] = ord(data[1]) >> 2
     pkt["len"] = socket.ntohs(struct.unpack("H", data[2:4])[0])
     pkt["proto"] = ord(data[9])
     pkt["srcip"] = pcap.ntoa(struct.unpack("i", data[12:16])[0])
     pkt["dstip"] = pcap.ntoa(struct.unpack("i", data[16:20])[0])
     pkt["data"] = data[pkt["iphlen"] :]
예제 #19
0
 def decode_IP_layer(self, data, pkt):
     pkt['version'] = (ord(data[0]) & 0xf0) >> 4
     pkt['iphlen'] = (ord(data[0]) & 0x0f) * 4
     pkt['dscp'] = ord(data[1]) >> 2
     pkt['len'] = socket.ntohs(struct.unpack('H', data[2:4])[0])
     pkt['proto'] = ord(data[9])
     pkt['srcip'] = pcap.ntoa(struct.unpack('i', data[12:16])[0])
     pkt['dstip'] = pcap.ntoa(struct.unpack('i', data[16:20])[0])
     pkt['data'] = data[pkt['iphlen']:]
예제 #20
0
파일: pcap2dev.py 프로젝트: etingof/snmpsim
def parsePacket(raw):
    pkt = {}

    # http://www.tcpdump.org/linktypes.html
    llHeaders = {
        0: 4,
        1: 14,
        108: 4,
        228: 0
    }

    if pcapObj.datalink() in llHeaders:
        raw = raw[llHeaders[pcapObj.datalink()]:]

    else:
        stats['unknown L2 protocol'] += 1

    pkt['version'] = (ord(raw[0]) & 0xf0) >> 4
    pkt['header_len'] = ord(raw[0]) & 0x0f
    pkt['tos'] = ord(raw[1])
    pkt['total_len'] = socket.ntohs(
        struct.unpack('H', raw[2:4])[0])
    pkt['id'] = socket.ntohs(
        struct.unpack('H', raw[4:6])[0])
    pkt['flags'] = (ord(raw[6]) & 0xe0) >> 5
    pkt['fragment_offset'] = socket.ntohs(
        struct.unpack('H', raw[6:8])[0] & 0x1f)
    pkt['ttl'] = ord(raw[8])
    pkt['protocol'] = ord(raw[9])
    pkt['checksum'] = socket.ntohs(
        struct.unpack('H', raw[10:12])[0])
    pkt['source_address'] = pcap.ntoa(
        struct.unpack('i', raw[12:16])[0])
    pkt['destination_address'] = pcap.ntoa(
        struct.unpack('i', raw[16:20])[0])

    if pkt['header_len'] > 5:
        pkt['options'] = raw[20:4 * (pkt['header_len'] - 5)]

    else:
        pkt['options'] = None

    raw = raw[4 * pkt['header_len']:]

    if pkt['protocol'] == 17:
        pkt['source_port'] = socket.ntohs(
            struct.unpack('H', raw[0:2])[0])
        pkt['destination_port'] = socket.ntohs(
            struct.unpack('H', raw[2:4])[0])
        raw = raw[8:]
        stats['UDP packets'] += 1

    pkt['data'] = raw
    stats['IP packets'] += 1

    return pkt
예제 #21
0
파일: parse.py 프로젝트: sKabYY/WireDog
def __decode_arp(s):  
    d = {}
    d['order'] = ['hardware type','protocol','hardware_size','protocol_size','opcode','src_mac','src_address','dst_mac','dst_address']
    d['hardware type'] = '0x%.4X' % socket.ntohs(struct.unpack('H',s[0:2])[0])
    d['protocol'] = protocols[s[2:4]]
    d['hardware_size'] = ord(s[4])
    d['protocol_size'] = ord(s[5])
    d['opcode'] = '0x%.4X' % socket.ntohs(struct.unpack('H',s[6:8])[0])
    d['src_mac'] =  __strfmac(s[8:])
    d['src_address'] = pcap.ntoa(struct.unpack('i',s[14:18])[0])
    d['dst_mac'] = __strfmac(s[18:])
    d['dst_address'] = pcap.ntoa(struct.unpack('i',s[24:28])[0])
    d['info'] = 'Who has %s ? Tell %s' % (d['dst_address'],d['src_address'])
    return d
예제 #22
0
    def decode_ip_packet(data):
        decoded_data = {}
        decoded_data['dst_mac'] = ':'.join(x.encode('hex') for x in data[0:6])
        decoded_data['src_mac'] = ':'.join(x.encode('hex') for x in data[6:12])
        decoded_data['ethettype'] = data[12:14]
        decoded_data['version'] = (ord(data[14]) & 0xf0) >> 4
        decoded_data['header_len'] = ord(data[14]) & 0x0f
        decoded_data['tos'] = ord(data[15])
        decoded_data['id'] = socket.ntohs(struct.unpack('H', data[18:20])[0])
        decoded_data['protocol'] = ord(data[23])
        decoded_data['source_address'] = pcap.ntoa(struct.unpack('i', data[26:30])[0])
        decoded_data['destination_address'] = pcap.ntoa(struct.unpack('i', data[30:34])[0])

        return decoded_data
예제 #23
0
	def decode_ip_packet(self,s):
    		d={}
    		d['version']=(ord(s[0]) & 0xf0) >> 4 #s[0],s[1] is an ascii character
    		d['header_len']=ord(s[0]) & 0x0f   
    		d['tos']=ord(s[1])    #type of service
    		d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])  #ntohs()--"Network to Host Short"
    		d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0]) #fragment-reconstruction
    		d['flags']=(ord(s[6]) & 0xe0) >> 5    
    		d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    		d['ttl']=ord(s[8])
    		d['protocol']=ord(s[9])
    		d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
    		d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
    		d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
		if protocols[d['protocol']]=='tcp':
			d['source_port']=socket.ntohs(struct.unpack('H',s[20:22])[0]) 
			d['destination_port']=socket.ntohs(struct.unpack('H',s[22:24])[0]) 
			d['send_order']=str(struct.unpack('I',s[24:28])[0])
			d['def_order']=str(struct.unpack('I',s[28:32])[0])
			d['data_offset']=(ord(s[32]) & 0xf0) >> 4
			#s[33]:|_____|_____|_____|_____|_____|_____|_____|_____|
			#
			#      |_____|_____|_urg_|_ack_|_psh_|_rst_|_syn_|_fin_|    
 			d['urg']=(ord(s[33]) & 0x20) >> 5
			d['ack']=(ord(s[33]) & 0x10) >> 4
			d['psh']=(ord(s[33]) & 0x08) >> 3
			d['rst']=(ord(s[33]) & 0x04) >> 2
			d['syn']=(ord(s[33]) & 0x02) >> 1
			d['fin']=(ord(s[33]) & 0x01) 
			d['window_size']=socket.ntohs(struct.unpack('H',s[34:36])[0])
			d['tcp_chksm']=socket.ntohs(struct.unpack('H',s[36:38])[0])
			d['urg_ptr']=socket.ntohs(struct.unpack('H',s[38:40])[0])
		elif protocols[d['protocol']]=='udp':
			d['source_port']=socket.ntohs(struct.unpack('H',s[20:22])[0]) 
			d['destination_port']=socket.ntohs(struct.unpack('H',s[22:24])[0])
			d['udp_length']=socket.ntohs(struct.unpack('H',s[24:26])[0])
			d['udp_chksm']=socket.ntohs(struct.unpack('H',s[26:28])[0])
		elif protocols[d['protocol']]=='icmp':
			d['type']=ord(s[20])
			d['code']=ord(s[21])
			d['icmp_chksm']=socket.ntohs(struct.unpack('H',s[22:24])[0])
		
    		if d['header_len']>5:
    		    d['options']=s[20:4*(d['header_len']-5)]
    		else:
    		    d['options']=None
    		    d['data']=s[4*d['header_len']:]
    		return d
예제 #24
0
    def handle(self, plen, buff, ts):
        """
        Handles packets and whenever an igmp packet is found,
         parses it and calls on_pk( (ts, (ipSrc, ipDst), (macSrc, macDst), (igmpType, igmpGroup, igmpVer) ) ) .
        Use IgmpHandler.set_on_packet to add a handler.
        :param plen:
        :param buff:
        :param ts:
        :return:
        """
        # self.print_packet(len(buff), buff, ts)
        eth = dpkt.ethernet.Ethernet(buff)
        ip = eth.data
        if type(ip.data) == dpkt.igmp.IGMP:
            pk_igmp = ip.data
            if pk_igmp.type == 17:
                return
            ipSrc = self.inetAddrStr(ip.src)
            if self.source_filter is not None:
                # If we could not find the filter we're looking for, in the source ip
                if self.source_filter not in ipSrc:
                    return

            str_igmp = str(pk_igmp)
            # igbytes = (bytes(igmpPack)[0])
            # igmp_type = self.igmpPacketTypes[pk_igmp.type]
            igmp_gr = pcap.ntoa(struct.unpack('i', str_igmp[4:8])[0])
            ver = ip.p
            addrs_mac = (self.mac_addr(eth.src), self.mac_addr(eth.dst))
            addrs_ip = (ipSrc, self.inetAddrStr(ip.dst))
            self.on_pk(ts, addrs_ip, addrs_mac, (pk_igmp.type, igmp_gr, ver))
예제 #25
0
    def decode_ip_packet(data):
        decoded_data = {}
        decoded_data['dst_mac'] = ':'.join(x.encode('hex') for x in data[0:6])
        decoded_data['src_mac'] = ':'.join(x.encode('hex') for x in data[6:12])
        decoded_data['ethettype'] = data[12:14]
        decoded_data['version'] = (ord(data[14]) & 0xf0) >> 4
        decoded_data['header_len'] = ord(data[14]) & 0x0f
        decoded_data['tos'] = ord(data[15])
        decoded_data['id'] = socket.ntohs(struct.unpack('H', data[18:20])[0])
        decoded_data['protocol'] = ord(data[23])
        decoded_data['source_address'] = pcap.ntoa(
            struct.unpack('i', data[26:30])[0])
        decoded_data['destination_address'] = pcap.ntoa(
            struct.unpack('i', data[30:34])[0])

        return decoded_data
예제 #26
0
파일: utility.py 프로젝트: 72Zn/picdfi
def ptos(buf, ts):
    """ptos (buf,ts) -> str
    
    convert a packet to a nice string.
    inspired by print_packet of pcap sniff.py example
    """
    s = "%14s" % tstolocaltime(ts)
    if buf.type == dpkt.ethernet.ETH_TYPE_IP:
        s += ", %15s >> %15s, len: %4d, protocol: %3d" % (
            pcap.ntoa(struct.unpack("i", buf.ip.src)[0]),
            pcap.ntoa(struct.unpack("i", buf.ip.dst)[0]),
            buf.ip.len,
            buf.ip.p,
        )
        # check if udp or tcp
        if buf.ip.p == 17 or buf.ip.p == 6:
            s += ", sport: %6d, dport: %6d" % (buf.ip.data.sport, buf.ip.data.dport)
    return s
예제 #27
0
파일: pcap2dev.py 프로젝트: qnox81/snmpsim
def parsePacket(raw):
    pkt = {}

    # http://www.tcpdump.org/linktypes.html
    llHeaders = {0: 4, 1: 14, 108: 4, 228: 0}

    if pcapObj.datalink() in llHeaders:
        raw = raw[llHeaders[pcapObj.datalink()]:]

    else:
        stats['unknown L2 protocol'] += 1

    pkt['version'] = (ord(raw[0]) & 0xf0) >> 4
    pkt['header_len'] = ord(raw[0]) & 0x0f
    pkt['tos'] = ord(raw[1])
    pkt['total_len'] = socket.ntohs(struct.unpack('H', raw[2:4])[0])
    pkt['id'] = socket.ntohs(struct.unpack('H', raw[4:6])[0])
    pkt['flags'] = (ord(raw[6]) & 0xe0) >> 5
    pkt['fragment_offset'] = socket.ntohs(
        struct.unpack('H', raw[6:8])[0] & 0x1f)
    pkt['ttl'] = ord(raw[8])
    pkt['protocol'] = ord(raw[9])
    pkt['checksum'] = socket.ntohs(struct.unpack('H', raw[10:12])[0])
    pkt['source_address'] = pcap.ntoa(struct.unpack('i', raw[12:16])[0])
    pkt['destination_address'] = pcap.ntoa(struct.unpack('i', raw[16:20])[0])

    if pkt['header_len'] > 5:
        pkt['options'] = raw[20:4 * (pkt['header_len'] - 5)]

    else:
        pkt['options'] = None

    raw = raw[4 * pkt['header_len']:]

    if pkt['protocol'] == 17:
        pkt['source_port'] = socket.ntohs(struct.unpack('H', raw[0:2])[0])
        pkt['destination_port'] = socket.ntohs(struct.unpack('H', raw[2:4])[0])
        raw = raw[8:]
        stats['UDP packets'] += 1

    pkt['data'] = raw
    stats['IP packets'] += 1

    return pkt
예제 #28
0
파일: capture.py 프로젝트: xixuebin/pypcap
def decode_ip_packet(s):
    d = {}
    d['version'] = (ord(s[0]) & 0xf0) >> 4
    d['header_len'] = ord(s[0]) & 0x0f
    d['ToS'] = ord(s[1])
    d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
    d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
    d['flags'] = (ord(s[6]) & 0xe0) >> 5
    d['fragment_offset'] = socket.htons(struct.unpack('H', s[6:8])[0] & 0x1f)
    d['ttl'] = ord(s[8])
    d['protocol'] = ord(s[9])
    d['checksum'] = socket.htons(struct.unpack('H', s[10:12])[0])
    d['src_addr'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
    d['dst_addr'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
    if d['header_len'] > 5:
        d['options'] = s[20: 4 * (d['header_len'] - 5)]
    else:
        d['options'] = None
    d['data'] = s[4 * d['header_len']:]
    return d
예제 #29
0
 def parsePacket(self, data):
     host = re.search('host\:\s(.*?)\r?\n', data, re.IGNORECASE)
     if host: host = host.group(1)
     
     path = re.search('GET\s(.*?)\s', data, re.IGNORECASE)
     if path: path = path.group(1)
     
     ip = pcap.ntoa(struct.unpack('i',data[14:][12:16])[0])
     
     if host and path and ip: return (host, path, ip)
     else: return None
예제 #30
0
def decode_ip_packet(s):
  d={}
#  d['version']=(ord(s[0]) & 0xf0) >> 4
#  d['header_len']=ord(s[0]) & 0x0f
#  d['tos']=ord(s[1])
  d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
#  d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
#  d['flags']=(ord(s[6]) & 0xe0) >> 5
#  d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
#  d['ttl']=ord(s[8])
#  d['protocol']=ord(s[9])
#  d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
  d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
  d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
#  if d['header_len']>5:
#    d['options']=s[20:4*(d['header_len']-5)]
#  else:
#    d['options']=None
#  d['data']=s[4*d['header_len']:]
  return d
예제 #31
0
def decode_ip_packet(s):
    d = {}
    d["version"] = (ord(s[0]) & 0xF0) >> 4
    d["header_len"] = ord(s[0]) & 0x0F
    d["tos"] = ord(s[1])
    d["total_len"] = socket.ntohs(struct.unpack("H", s[2:4])[0])
    d["id"] = socket.ntohs(struct.unpack("H", s[4:6])[0])
    d["flags"] = (ord(s[6]) & 0xE0) >> 5
    d["fragment_offset"] = socket.ntohs(struct.unpack("H", s[6:8])[0] & 0x1F)
    d["ttl"] = ord(s[8])
    d["protocol"] = ord(s[9])
    d["checksum"] = socket.ntohs(struct.unpack("H", s[10:12])[0])
    d["source_address"] = pcap.ntoa(struct.unpack("i", s[12:16])[0])
    d["destination_address"] = pcap.ntoa(struct.unpack("i", s[16:20])[0])
    if d["header_len"] > 5:
        d["options"] = s[20 : 4 * (d["header_len"] - 5)]
    else:
        d["options"] = None
    d["data"] = s[4 * d["header_len"] :]
    return d
예제 #32
0
def decode_ip_packet(s):
  d={}
#  d['version']=(ord(s[0]) & 0xf0) >> 4
#  d['header_len']=ord(s[0]) & 0x0f
#  d['tos']=ord(s[1])
  d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
#  d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
#  d['flags']=(ord(s[6]) & 0xe0) >> 5
#  d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
#  d['ttl']=ord(s[8])
#  d['protocol']=ord(s[9])
#  d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
  d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
  d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
#  if d['header_len']>5:
#    d['options']=s[20:4*(d['header_len']-5)]
#  else:
#    d['options']=None
#  d['data']=s[4*d['header_len']:]
  return d
예제 #33
0
파일: pcap2dev.py 프로젝트: woodyle/snmpsim
def parsePacket(s):
    d={}

    # http://www.tcpdump.org/linktypes.html
    llHeaders = {
        0: 4,
        1: 14,
        108: 4,
        228: 0
    }

    if pcapObj.datalink() in llHeaders:
        s = s[llHeaders[pcapObj.datalink()]:]
    else:
        stats['unknown L2 protocol'] += 1
 
    d['version']=(ord(s[0]) & 0xf0) >> 4
    d['header_len']=ord(s[0]) & 0x0f
    d['tos']=ord(s[1])
    d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
    d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
    d['flags']=(ord(s[6]) & 0xe0) >> 5
    d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    d['ttl']=ord(s[8])
    d['protocol']=ord(s[9])
    d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
    d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
    d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
    if d['header_len']>5:
        d['options']=s[20:4*(d['header_len']-5)]
    else:
        d['options']=None
    s = s[4*d['header_len']:]
    if d['protocol'] == 17:
        d['source_port'] = socket.ntohs(struct.unpack('H',s[0:2])[0])
        d['destination_port'] = socket.ntohs(struct.unpack('H',s[2:4])[0])
        s = s[8:]
        stats['UDP packets'] +=1
    d['data'] = s
    stats['IP packets'] +=1
    return d
예제 #34
0
 def DecodeIPPacket(s):
     if len(s) < 20:
         return None
     d = {}
     d['version'] = (ord(s[0]) & 0xf0) >> 4
     d['header_len'] = ord(s[0]) & 0x0f
     d['tos'] = ord(s[1])
     d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
     d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
     d['flags'] = (ord(s[6]) & 0xe0) >> 5
     d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
     d['ttl'] = ord(s[8])
     d['protocol'] = ord(s[9])
     d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
     d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
     d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
     if d['header_len'] > 5:
         d['options'] = s[20:4 * (d['header_len'] - 5)]
     else:
         d['options'] = None
     d['data'] = s[4 * d['header_len']:]
     return d
예제 #35
0
 def DecodeIPPacket(s):
     if len(s) < 20:
         return None
     d = {}
     d['version'] = (ord(s[0]) & 0xf0) >> 4
     d['header_len'] = ord(s[0]) & 0x0f
     d['tos'] = ord(s[1])
     d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
     d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
     d['flags'] = (ord(s[6]) & 0xe0) >> 5
     d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
     d['ttl'] = ord(s[8])
     d['protocol'] = ord(s[9])
     d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
     d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
     d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
     if d['header_len'] > 5:
         d['options'] = s[20:4 * (d['header_len'] - 5)]
     else:
         d['options'] = None
     d['data'] = s[4 * d['header_len']:]
     return d
예제 #36
0
def decode_ip_packet(s):
    '''decode_ip_packet was taken from the example implementations that
       came along with python-libpcap.'''
    d={}
    d['version']=(ord(s[0]) & 0xf0) >> 4
    d['header_len']=ord(s[0]) & 0x0f
    d['tos']=ord(s[1])
    d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
    d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
    d['flags']=(ord(s[6]) & 0xe0) >> 5
    d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
    d['ttl']=ord(s[8])
    d['protocol']=ord(s[9])
    d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
    d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
    d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
    if d['header_len']>5:
        d['options']=s[20:4*(d['header_len']-5)]
    else:
        d['options']=None
    d['data']=s[4*d['header_len']:]
    return d
예제 #37
0
    def _ipv4_decode(self, packet_in):
        """Extract the IP header and populate a dictionary of values, returning
        a the dictionary and the remaining data to extract.

        :param str packet_in: The IP packet data
        :returns: tuple

        """
        out = {
            'version':
            struct.unpack('b', packet_in[0])[0] >> 4,
            'ihl': (struct.unpack('b', packet_in[0])[0] & 0x0F) * 4,
            'total_length':
            ntohs(struct.unpack('H', packet_in[2:4])[0]),
            'identification':
            ntohs(struct.unpack('H', packet_in[4:6])[0]),
            'flags': (ord(packet_in[6]) & 0xe0) >> 5,
            'fragment_offset':
            (ntohs(struct.unpack('H', packet_in[6:8])[0]) & 0x1f),
            'ttl':
            ord(packet_in[8]),
            'protocol':
            ord(packet_in[9]),
            'checksum':
            ntohs(struct.unpack('H', packet_in[10:12])[0]),
            'source':
            pcap.ntoa(struct.unpack('i', packet_in[12:16])[0]),
            'destination':
            pcap.ntoa(struct.unpack('i', packet_in[16:20])[0])
        }

        # If our header size is more than 5 bytes, we have options
        if out['ihl'] > _IPV4_BASE_HEADER_SIZE:
            out['options'] = packet_in[_IPV4_BASE_HEADER_SIZE:out['ihl']]
        else:
            out['options'] = None

        # Return the decoded packet
        return out, packet_in[out['ihl']:]
예제 #38
0
    def decode_ip_packet(self, s):
        #decode ip packet
        d = {}
        d['version'] = (ord(s[0]) & 0xf0) >> 4
        d['header_len'] = ord(s[0]) & 0x0f
        d['tos'] = ord(s[1])
        d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
        d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
        d['flags'] = (ord(s[6]) & 0xe0) >> 5
        d['fragment_offset'] = socket.ntohs(
            struct.unpack('H', s[6:8])[0] & 0x1f)
        d['ttl'] = ord(s[8])
        d['protocol'] = ord(s[9])
        d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
        d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
        d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
        if d['header_len'] > 5:
            d['options'] = s[20:4 * (d['header_len'] - 5)]
        else:
            d['options'] = None
        d['data'] = s[4 * d['header_len']:]

        #parse packetid and rule id
        d['ruleid'] = 0

        if d['total_len'] - d['header_len'] < 6:
            d['usertype'] = 0
            d['packetid'] = 0
            return d
        ed = d['total_len']
        #ed = len(s) + 1
        st = ed - 2
        #print d['total_len'],d['header_len'],ed
        d['packetid'] = socket.ntohs(struct.unpack('H', s[st:ed])[0])

        ed = st
        st = ed - 4
        d['usertype'] = socket.ntohl(struct.unpack('I', s[st:ed])[0])
        return d
예제 #39
0
def decode_ip_packet(s):
    '''decode_ip_packet was taken from the example implementations that
       came along with python-libpcap.'''
    d = {}
    d['version'] = (ord(s[0]) & 0xf0) >> 4
    d['header_len'] = ord(s[0]) & 0x0f
    d['tos'] = ord(s[1])
    d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
    d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
    d['flags'] = (ord(s[6]) & 0xe0) >> 5
    d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
    d['ttl'] = ord(s[8])
    d['protocol'] = ord(s[9])
    d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
    d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
    if d['header_len'] > 5:
        d['options'] = s[20:4 * (d['header_len'] - 5)]
    else:
        d['options'] = None
    d['data'] = s[4 * d['header_len']:]
    return d
예제 #40
0
	def decode_arp_packet(self,s):
    		d={}
    		d['hardware_type']=socket.ntohs(struct.unpack('H',s[0:2])[0])
    		d['protocol_type']='IPv4'
    		d['MAC_length']=ord(s[4])
    		d['ip_length']=ord(s[5])
    		d['op_code']=socket.ntohs(struct.unpack('H',s[6:8])[0])
    		d['source_hardware_address1']=ord(s[8])
    		d['source_hardware_address2']=ord(s[9])
    		d['source_hardware_address3']=ord(s[10])
    		d['source_hardware_address4']=ord(s[11]) 
    		d['source_hardware_address5']=ord(s[12])
    		d['source_hardware_address6']=ord(s[13]) 
    		d['source_ip_address']=pcap.ntoa(struct.unpack('i',s[14:18])[0])
    		d['destination_hardware_address1']=ord(s[18])
    		d['destination_hardware_address2']=ord(s[19])
    		d['destination_hardware_address3']=ord(s[20])
    		d['destination_hardware_address4']=ord(s[21])
    		d['destination_hardware_address5']=ord(s[22])
   		d['destination_hardware_address6']=ord(s[23])
   
   		d['destination_ip_address']=pcap.ntoa(struct.unpack('i',s[24: 28])[0])
    		return d
	def __init__(self, s):
	#Decoding the IP packet
		self.version=(ord(s[0]) & 0xf0) >> 4
		self.ihdl=ord(s[0]) & 0x0f
		self.tos=ord(s[1])
		self.total_len=socket.ntohs(struct.unpack('H',s[2:4])[0])
		self.ident=socket.ntohs(struct.unpack('H',s[4:6])[0])
		self.flags=(ord(s[6]) & 0xe0) >> 5
		self.frag_offset=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
		self.ttl=ord(s[8])
		self.proto=ord(s[9])
		self.csum=socket.ntohs(struct.unpack('H',s[10:12])[0])
		self.src_ip=pcap.ntoa(struct.unpack('i',s[12:16])[0])
		self.dest_ip=pcap.ntoa(struct.unpack('i',s[16:20])[0])
		if self.ihdl > 5:
			self.options=s[20:4*(self.ihdl-5)]
		else:
			self.options=None
		self.l4_payload=s[4*self.ihdl:]
		#Create an object based on the payload.
		if (self.proto == 6): 
			self.l4_packet = TCP_packet(self.l4_payload)
		if (self.proto == 17): 
			self.l4_packet = UDP_packet(self.l4_payload)
예제 #42
0
def parse_packet(packet):
    data = ['src_ip', 'syn-flag', 'ack-flag', 'port']

    header_length = ord(packet[0]) & 0x0f

    # src ip
    data[0] = pcap.ntoa(unpack('i', packet[12:16])[0])
    # syn-flag
    data[1] = ord(packet[4 * header_length + 13]) >> 1 & 0x1
    # ack-flag
    data[2] = ord(packet[4 * header_length + 13]) >> 4 & 0x1
    # port number
    data[3] = (ord(packet[4 * header_length]) << 8) + ord(packet[4 * header_length + 1])

    return data
예제 #43
0
def parsePacket(s):
    d = {}

    # http://www.tcpdump.org/linktypes.html
    llHeaders = {0: 4, 1: 14, 108: 4, 228: 0}

    if pcapObj.datalink() in llHeaders:
        s = s[llHeaders[pcapObj.datalink()]:]
    else:
        stats['unknown L2 protocol'] += 1

    d['version'] = (ord(s[0]) & 0xf0) >> 4
    d['header_len'] = ord(s[0]) & 0x0f
    d['tos'] = ord(s[1])
    d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
    d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
    d['flags'] = (ord(s[6]) & 0xe0) >> 5
    d['fragment_offset'] = socket.ntohs(struct.unpack('H', s[6:8])[0] & 0x1f)
    d['ttl'] = ord(s[8])
    d['protocol'] = ord(s[9])
    d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
    d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
    if d['header_len'] > 5:
        d['options'] = s[20:4 * (d['header_len'] - 5)]
    else:
        d['options'] = None
    s = s[4 * d['header_len']:]
    if d['protocol'] == 17:
        d['source_port'] = socket.ntohs(struct.unpack('H', s[0:2])[0])
        d['destination_port'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
        s = s[8:]
        stats['UDP packets'] += 1
    d['data'] = s
    stats['IP packets'] += 1
    return d
예제 #44
0
def parse_packet(packet):
    data = ['src_ip', 'syn-flag', 'ack-flag', 'port']

    header_length = ord(packet[0]) & 0x0f

    # src ip
    data[0] = pcap.ntoa(unpack('i', packet[12:16])[0])
    # syn-flag
    data[1] = ord(packet[4 * header_length + 13]) >> 1 & 0x1
    # ack-flag
    data[2] = ord(packet[4 * header_length + 13]) >> 4 & 0x1
    # port number
    data[3] = (ord(packet[4 * header_length]) << 8) + ord(
        packet[4 * header_length + 1])

    return data
예제 #45
0
def decode_arp_packet(s):
    d={}
    d['linktype']=socket.ntohs(struct.unpack('H',s[0:2])[0])
    d['mac']=s[8:14]#struct.unpack("HHH",s[8:14]))
    d['srcip']=pcap.ntoa(struct.unpack("i",s[14:18])[0])
    #print '%x %x %x %x %x %x\n' %(d['mac'][0],d['mac'][1],d['mac'][2],d['mac'][3],d['mac'][4],d['mac'][5])

    if d['srcip'] in ip_mac_dic.keys():
        if ip_mac_dic[d['srcip']]!=d['mac']:
            print 'new mac\n'
            ip_mac_dic[d['srcip']]=d['mac']
            print '%s\n' %(d['srcip'])
            print '%02x:%02x:%02x:%02x:%02x:%02x\n' %(ord(d['mac'][0]),ord(d['mac'][1]),ord(d['mac'][2]),ord(d['mac'][3]),ord(d['mac'][4]),ord(d['mac'][5]))
    else:
        ip_mac_dic[d['srcip']]=d['mac']
        print 'new srcip and mac'
        print '%s\n' %(d['srcip'])
        print '%02x:%02x:%02x:%02x:%02x:%02x\n' %(ord(d['mac'][0]),ord(d['mac'][1]),ord(d['mac'][2]),ord(d['mac'][3]),ord(d['mac'][4]),ord(d['mac'][5]))
예제 #46
0
def handle_query(query, ip_dict, port_dict, ip_to_ip_dict, ip_port_dict):
    arr = query.split()
    if arr[0] == "list":
        list_all(ip_dict)
        print
        return

    # IP-specific queries
    try:
        ip = pcap.aton(arr[1])
    except:
        print("Couldn't parse IP address " + arr[1])
        return

    # Display all IPs that this IP has communicated with
    if arr[0] == "friends":
        for other in ip_dict[ip]:
            print(pcap.ntoa(other))
        print

    # List all live TCP sessions for IP
    if arr[0] == "live":
        list_live(ip, ip_dict, ip_to_ip_dict, ip_port_dict)
예제 #47
0
def handle_query(query, ip_dict, port_dict, ip_to_ip_dict, ip_port_dict):
    arr = query.split()
    if arr[0] == "list":
        list_all(ip_dict)
        print
        return

    # IP-specific queries
    try:
        ip = pcap.aton(arr[1])
    except:
        print("Couldn't parse IP address " + arr[1])
        return

    # Display all IPs that this IP has communicated with
    if arr[0] == "friends":
        for other in ip_dict[ip]:
            print(pcap.ntoa(other))
        print

    # List all live TCP sessions for IP
    if arr[0] == "live":
        list_live(ip, ip_dict, ip_to_ip_dict, ip_port_dict)
    def analyse_mac(self, pkt):
        macs = pkt.Ether.src
        addrs = pkt.Ether.payload.src

        macd = pkt.Ether.dst
        addrd = pkt.Ether.payload.dst

        bsrc = netutils.ip_is_reserved(addrs)
        bdst = netutils.ip_is_reserved(addrd)

        # if macs == 0 or macd == 0 or macs == 0xffffffffffff or macd == 0xffffffffffff:
        #     return

        # if (addrs >> 24) == 255 or  (addrd >> 24) == 255:
        #     return

        if (not bsrc and not bdst) or addrs == addrd:
            self.alert.add("outside %s [%s] to %s [%s]" %
                           (pcap.ntoa(addrs), netutils.mac_to_string(macs),
                            pcap.ntoa(addrd), netutils.mac_to_string(macd)))
        else:
            adds = self.add_mac(macs, addrs)
            addd = self.add_mac(macd, addrd)
            if not (adds and addd):
                if not adds:
                    self.alert.add(
                        "on source %s [%s] (to %s [%s])" %
                        (pcap.ntoa(addrs), netutils.mac_to_string(macs),
                         pcap.ntoa(addrd),
                         netutils.mac_to_string(self.lmac[addrd])))
                else:
                    self.alert.add(
                        "on dest %s [%s] (from %s [%s])" %
                        (pcap.ntoa(addrd), netutils.mac_to_string(macd),
                         pcap.ntoa(addrs),
                         netutils.mac_to_string(self.lmac[addrs])))
예제 #49
0
def ip_bytes_to_str(ip):
    """
    Converts a bytes representation of an ip to a string
    """
    return pcap.ntoa(struct.unpack('I', ip)[0])
예제 #50
0
    def decode_ip_packet(self, s):
        d = {}
        d['version'] = (ord(s[0]) & 0xf0) >> 4
        d['header_len'] = ord(s[0]) & 0x0f  #This is ip header length. 32bit
        d['tos'] = ord(s[1])
        d['total_len'] = socket.ntohs(struct.unpack('H', s[2:4])[0])
        d['id'] = socket.ntohs(struct.unpack('H', s[4:6])[0])
        d['flags'] = (ord(s[6]) & 0xe0) >> 5
        d['fragment_offset'] = socket.ntohs(
            struct.unpack('H', s[6:8])[0] & 0x1f)
        d['ttl'] = ord(s[8])
        d['protocol'] = ord(s[9])
        d['checksum'] = socket.ntohs(struct.unpack('H', s[10:12])[0])
        d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
        d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
        if d['header_len'] > 5:
            d['options'] = s[20:4 * (d['header_len'] - 5)]
        else:
            d['options'] = None

        d['data'] = s[4 * d['header_len']:]

        # UDP parser:
        if d['protocol'] == socket.IPPROTO_UDP:
            udp_data = d['data']
            d['udp'] = {}
            d['udp']['source_port'] = socket.ntohs(
                struct.unpack('H', udp_data[0:2])[0])
            d['udp']['dest_port'] = socket.ntohs(
                struct.unpack('H', udp_data[2:4])[0])
            d['udp']['length'] = socket.ntohs(
                struct.unpack('H',
                              udp_data[4:6])[0])  #including header and data
            d['udp']['headerlen'] = 2  # UDP header length. 32bit
            d['udp']['checksum'] = socket.ntohs(
                struct.unpack('H', udp_data[6:8])[0])
            udp_payload = udp_data[8:]  # UDP header contains 8 bytes header.

            if d['udp']['source_port'] == 53 or d['udp']['dest_port'] == 53:
                d['udp']['type'] = 'dns'
            elif d['udp']['source_port'] == 137 or d['udp']['dest_port'] == 137:
                d['udp']['type'] = 'nbns'
            elif d['udp']['source_port'] == 123 or d['udp']['dest_port'] == 123:
                d['udp']['type'] = 'ntp'
            elif d['destination_address'] == '224.0.0.251':
                d['udp']['type'] = 'mdns'
            elif d['destination_address'] == '239.255.255.250':
                d['udp']['type'] = 'ssdp'
            else:
                maybe_rtp = {}
                maybertp_flag_0 = (((ord(udp_payload[0]) & 0xC0) >> 6) == 2)
                # 32 is a normal rtp header length.
                maybertp_flag_1 = (len(udp_payload) > 12)
                maybertp_flag_2 = 0
                maybertp_flag_3 = 0
                if maybertp_flag_0 and maybertp_flag_1:
                    maybe_rtp['total_len'] = d['udp'][
                        'length'] - d['udp']['headerlen'] * 4
                    maybe_rtp['headerlen'] = 3

                    maybe_rtp['V'] = maybertp_flag_0
                    maybe_rtp['P'] = (ord(udp_payload[0]) & 0x20) >> 5
                    maybe_rtp['X'] = (ord(udp_payload[0]) & 0x10) >> 4
                    maybe_rtp['CC'] = (ord(udp_payload[0]) & 0xF)
                    maybe_rtp['PT'] = (ord(udp_payload[1]) & 0x7F)
                    maybe_rtp['SequenceNumber'] = socket.ntohs(
                        struct.unpack('H', udp_payload[2:4])[0])
                    maybe_rtp['TimeStamp'] = socket.ntohl(
                        struct.unpack('I', udp_payload[4:8])[0])

                    maybe_rtp['SSRC'] = socket.ntohl(
                        struct.unpack('I', udp_payload[8:12])[0])
                    maybe_rtp['CSRC'] = []

                    maybertp_flag_2 = (maybe_rtp['PT'] >=
                                       97) and (maybe_rtp['PT'] <= 200)
                    #maybertp_flag_2 = True
                if maybertp_flag_2:
                    for idx in range(maybe_rtp['CC']):
                        maybe_rtp['CSRC'].append(
                            socket.ntohl(
                                struct.unpack(
                                    'I', udp_payload[12 + idx * 4:16 +
                                                     idx * 4])[0]))
                        maybe_rtp['headerlen'] += 1
                    start_pos = 12 + maybe_rtp['CC'] * 4
                    payload_start_pos = start_pos
                    if maybe_rtp['X'] == 1:
                        maybe_rtp['headerlen'] += 1
                        maybe_rtp['X_LEN'] = socket.ntohs(
                            struct.unpack(
                                'H',
                                udp_payload[start_pos + 2:start_pos + 4])[0])
                        maybe_rtp['headerlen'] += maybe_rtp['X_LEN']
                        maybe_rtp['EX'] = udp_payload[start_pos + 4:start_pos +
                                                      4 +
                                                      maybe_rtp['X_LEN'] * 4]
                        payload_start_pos += (maybe_rtp['X_LEN'] + 1) * 4
                    else:
                        maybe_rtp['X_LEN'] = 0
                        maybe_rtp['EX'] = []

                    if maybe_rtp['P'] == 1:
                        maybe_rtp['P_len'] = ord(s[d['total_len'] - 1])
                    else:
                        maybe_rtp['P_len'] = 0

                    # d['rtp']['payload_len'] = d['rtp']['total_len'] - d['udp']['headerlen'] * 4 - d['rtp']['P_len']
                    maybe_rtp['payload_len'] = maybe_rtp[
                        'total_len'] - maybe_rtp['headerlen'] * 4 - maybe_rtp[
                            'P_len']
                    maybe_rtp['payload'] = udp_payload[
                        payload_start_pos:payload_start_pos + 4 +
                        maybe_rtp['payload_len']]

                    if len(maybe_rtp['payload']) > 1:
                        h264_payloas_first_octet = ord(maybe_rtp['payload'][0])
                        # 0x67 SPS, 0x68 PPS 0x65 IDR, 0x61 non-IDR
                        maybertp_flag_3 = (
                            h264_payloas_first_octet
                            == 0x67) or (h264_payloas_first_octet == 0x68) or (
                                h264_payloas_first_octet
                                == 0x65) or (h264_payloas_first_octet == 0x61)
                        maybe_rtp['payload'] = 0

                #print "flag_0 : ", maybertp_flag_0
                #print "flag_1 : ", maybertp_flag_1
                #print "flag_2 : ", maybertp_flag_2
                #print "flag_3 : ", maybertp_flag_3

                if maybertp_flag_0 and maybertp_flag_1 and maybertp_flag_2 and maybertp_flag_3:
                    d['udp']['type'] = 'rtp-h264'
                    d['udp']['rtp'] = maybe_rtp
                    pass
                else:
                    d['udp']['type'] = 'other'

        return d
예제 #51
0
def ipi_to_string(data):
    return pcap.ntoa(data)
예제 #52
0
 def verify(self, f):
     #struct.unpack('!L',socket.inet_aton(ip))[0]
     sip = struct.unpack('!L', f.sip)[0]
     dip = struct.unpack('!L', f.dip)[0]
     if sip < dip:
         s = "%d%d%d%d%d" % (sip, f.sport, dip, f.dport, f.protocol)
     else:
         s = "%d%d%d%d%d" % (dip, f.dport, sip, f.sport, f.protocol)
     fid = hash(int(s))
     nflows = 1
     nbytes = f.nbytes
     npackets = f.npackets
     l = None
     try:
         entry = self[fid]
         ftype = entry.picdfi_type
         if ftype == TYPE['UNIDENTIFIED']:
             # unable to verify
             if f.ftype == TYPE['P2P']:
                 l = self.dsum['up']
                 #print >> sys.stderr, "Unverified P2P: %s" % entry
             elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE[
                     'POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
                 l = self.dsum['un']
                 #print >> sys.stderr, "Unverified NONP2P: %s" % entry
         elif ftype == TYPE['P2P']:
             if f.ftype == TYPE['P2P']:
                 l = self.dsum['tp']
                 #print >> sys.stderr, "True Positive: %s" % entry
             elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE[
                     'POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
                 l = self.dsum['fn']
                 #print >> sys.stderr, "False Negative: %s" % entry
         elif ftype == TYPE['NONP2P']:
             if f.ftype == TYPE['P2P']:
                 l = self.dsum['fp']
                 #print >> sys.stderr, "False Positive: %s" % entry
             elif f.ftype == TYPE['NONP2P'] or f.ftype == TYPE[
                     'POSSIBLE'] or f.ftype == TYPE['UNIDENTIFIED']:
                 l = self.dsum['tn']
                 #print >> sys.stderr, "True Negative: %s" % entry
         else:
             print >> sys.stderr, "Unknown type: %s, %s, %s" % (
                 entry, ftype, TYPE[ftype])
     except KeyError as ke:
         print ke, s
         print "%s %d %s %d %d" % (pcap.ntoa(sip), f.sport, pcap.ntoa(dip),
                                   f.dport, f.protocol)
         l = self.dsum['no']
     # here update verification results
     try:
         l[0] += 1
         l[1] += nbytes
         l[2] += npackets
     except TypeError as e:
         print >> sys.stderr, "%s" % e
         print >> sys.stderr, s, entry
         print >> sys.stderr, ftype, TYPE[ftype], f.ftype, TYPE[f.ftype]
         exit(1)
     s = self.dsum['sum']
     s[0] += 1
     s[1] += nbytes
     s[2] += npackets
예제 #53
0
    def count(self, pktlen, data, timestamp):
        if not data:
            return

        self.total_packets += 1
        data = stripJuniperEthernet(data)
        streams = self.streams
        streams_next_counter = self.streams_next_counter
        streams_missing_packets = self.streams_missing_packets
        streams_out_of_order = self.streams_out_of_order
        """
        if (self.c == 2147):
            print "Frame: %s" % self.c
            print "Length: %s" % pktlen
            print16(data)
            print "Counter = %s" % (ta(data[57]))
            print "Type = %s" % (ta(data[58]))
        """
        rtp_version = None
        protocol = None
        if (data and len(data) >= 43):
            ## RTP Version is the first 2 bits of the 55th octet
            rtp_version = ord(data[42]) >> 6
            ## 33 Octed has the IP protocol ... 17 is UDP
            protocol = ord(data[23])

            if (protocol == 17 and rtp_version == 2):
                self.total_rtp += 1
            if (protocol == 17):
                self.total_udp += 1
        """
        if (self.total_packets == 2431):
           print16(data)
           print
           print "RTP Version %s (%s)" % (rtp_version, ta_ord(ord(data[42])))
           print "Protocol %s (%s)" % (protocol, ta_ord(ord(data[23])))
           print "Packet # %s" % self.total_packets
        """

        if (rtp_version == 2 and protocol == 17):

            ## Get the source and destination information
            source_address = pcap.ntoa(struct.unpack('i', data[26:30])[0])
            destination_address = pcap.ntoa(struct.unpack('i', data[30:34])[0])
            source_port = (ord(data[34]) << 8) + ord(data[35])
            dest_port = (ord(data[36]) << 8) + ord(data[37])

            ## Payload is the last 7 bits in the 56th octet
            payload = ta_ord(ord(data[43]) & 0x7F)
            int_payload = ord(data[43]) & 0x7F

            ## Counter is a 16 bit field in the 57th and 58th octets
            counter = ta_ord4((ord(data[44]) << 8) + ord(data[45]))
            int_counter = (ord(data[44]) << 8) + ord(data[45])

            ## The RFC defines 96 to 127 as the dynamic payload types
            ## and this seems to be where Polycom puts the audio and video
            ## streams. We are only interested in these two streams for
            ## this analyzer
            if (int_payload <= 127 and int_payload >= 96):

                stream_id = "%s-%s-%s" % (destination_address, dest_port,
                                          payload)
                """
                if (stream_id == "192.168.105.27-49366-0x76"):
                    print16(data)
                    print 
                    print "RTP Version %s (%s)" % (rtp_version, ta_ord(ord(data[45])))
                    print "Protocol %s (%s)" % (protocol, ta_ord(ord(data[23])))
                    print "Counter: %s, Int Counter: %s" % (counter, int_counter)
                    print "Packet # %s" % self.total_packets
                    sys.exit()
                """

                if streams.has_key(stream_id):
                    ## Alright, we are already tracking this stream
                    streams[stream_id] += 1

                    if streams_next_counter[stream_id] != int_counter:
                        ## Not what we were expecting, so we have a missing packet

                        ## So, is it something we should have seen earlier
                        if streams_missing_packets[stream_id].has_key(
                                streams_next_counter[stream_id]):
                            ## Yup, it just arrived late
                            streams_out_of_order[stream_id].append(int_counter)
                        else:
                            ## add it and everything in between to the missing packets
                            for i in range(streams_next_counter[stream_id],
                                           int_counter):
                                streams_missing_packets[stream_id][i] = 1

                    ## Set the next expected sequence number
                    streams_next_counter[stream_id] = int_counter + 1

                else:
                    ## This is a new stream
                    streams[stream_id] = 1
                    ## Set the next expected counter
                    streams_next_counter[stream_id] = int_counter + 1
                    ## Initialize missing packet and out of order packet dictionaries
                    streams_missing_packets[stream_id] = {}
                    streams_out_of_order[stream_id] = []
예제 #54
0
def list_all(ip_dict):
    for ip in ip_dict:
        print(pcap.ntoa(ip))
 def ip_to_s(self, ip):
     if ip == -1:
         return "internet"
     else:
         return pcap.ntoa(ip)