def _pcap_process(pkt_queue):
"""
Continuously adds captured packet tuples (time, src_port, dst_port) into the
queue.
"""
# Captures the first 64 bytes of all Redis SYN-SYNACK traffic. This is
# sufficient for us to decipher the TCP src and dst ports.
client_po = pcap.pcapObject()
client_po.open_live(async_redis.CLIENT_INTERFACE, 64, 0, 100)
client_po.setfilter("(tcp[13] & 2 == 2) and (dst port %d)" % REDIS_PORT, 0, 0)
server_po = pcap.pcapObject()
server_po.open_live(async_redis.SERVER_INTERFACE, 64, 0, 100)
server_po.setfilter("(tcp[13] & 2 == 2) and (src port %d)" % REDIS_PORT, 0, 0)
# Keep reading from pcap
while True:
for po in (client_po, server_po):
pkt = po.next()
if pkt:
(_, data, timestamp) = pkt
(src_port, dst_port) = _get_tcp_src_dst_ports(data)
pkt_queue.put((timestamp, src_port, dst_port))
def decode_file(fname,res):
if interface != None:
try:
p = pcap.pcapObject()
net, mask = pcap.lookupnet(interface)
p.open_live(interface, 1600, 0, 100)
Message = " live capture started, using:%s\nStarting timestamp (%s) corresponds to %s"%(interface, time.time(), time.strftime('%x %X'))
print Message
#l.warning(Message)
while 1:
p.dispatch(1, Print_Packet_Tcpdump)
except (KeyboardInterrupt, SystemExit):
print '\n\nCRTL-C hit...\nCleaning up...'
sys.exit()
else:
try:
p = pcap.pcapObject()
p.open_offline(fname)
#l.warning('\n\n started, using:%s file'%(fname))
Version = IsCookedPcap(res)
if Version == 1:
thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked))
thread.daemon=True
thread.start()
try:
while thread.is_alive():
thread.join(timeout=1)
except (KeyboardInterrupt, SystemExit):
print '\n\nCRTL-C hit..Cleaning up...'
threading.Event().set()
if Version == 2:
thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked))
thread.daemon=True
thread.start()
try:
while thread.is_alive():
thread.join(timeout=1)
except (KeyboardInterrupt, SystemExit):
print '\n\nCRTL-C hit..Cleaning up...'
threading.Event().set()
if Version == 3:
thread = Thread(target = p.dispatch, args = (0, Print_Packet_Tcpdump))
thread.daemon=True
thread.start()
try:
while thread.is_alive():
thread.join(timeout=1)
except (KeyboardInterrupt, SystemExit):
print '\n\nCRTL-C hit..Cleaning up...'
threading.Event().set()
except Exception:
print 'Can\'t parse %s'%(fname)
def openLiveSniff(self, dev, filter=None):
"""
open up a libpcap object
def = mon mode interface as string aka wlan0
return object and radio tap boolen
"""
packet = None
try:
self.lp = pcap.pcapObject()
except AttributeError:
print "You have the wrong pypcap installed"
print "Use https://github.com/signed0/pylibpcap.git"
# check what these numbers mean
self.lp.open_live(dev, 1600, 0 ,100)
if filter is not None:
self.lp.setfilter(filter, 0, 0)
if self.lp.datalink() == 127:
rth = True
# snag a packet to look at header, this should always be a
# packet that wasnt injected so should have a rt header
while packet is None:
frame = self.lp.next()
if frame is not None:
packet = frame[1]
# set known header size
headsize = struct.unpack('h', packet[2:4])[0]
else:
rth = False
return (rth, headsize)
def openTun(self):
"""
open up a tuntap interface
path is /dev/net/tun in TAP (ether) mode
returns false if failed
"""
path = "/dev/net/tun"
if self.checkTun(path) is not False:
self.tun = os.open(path, os.O_RDWR)
# ifr = struct.pack("16sH", "tun%d", self.IFF_TAP | self.IFF_NO_PI)
ifr = struct.pack("16sH", "tun%d", self.IFF_TAP)
ifs = fcntl.ioctl(self.tun, self.TUNSETIFF, ifr)
#fcntl.ioctl(self.tun, self.TUNSETOWNER, 1000)
# return interface name
ifname = ifs[:16].strip("\x00")
# commented out... for now!
print "Interface %s created. Configure it and use it" % ifname
# put interface up
os.system("ifconfig %s up" %(ifname))
# return interface name
try:
self.lp = pcap.pcapObject()
self.lp.open_live(ifname, 1526, 0 ,100)
except AttributeError:
print "You have the wrong pypcap installed"
print "Use https://github.com/signed0/pylibpcap.git"
return ifname
else:
return False
def main() :
global mode
if len(sys.argv) < 2:
print 'usage: %s <interface> ' % sys.argv[0]
sys.exit(0)
# MAIN PROGRAM
if (len(sys.argv) >= 3) :
if sys.argv[2] == 'ymsg' :
mode = CAP_YMSG
elif sys.argv[2] == 'post' :
mode = CAP_POST
elif sys.argv[2] == 'ftp' :
mode = CAP_FTP
p = pcap.pcapObject()
dev = sys.argv[1]
net, mask = pcap.lookupnet(sys.argv[1])
p.open_live(dev, 1600, 1, 100)
p.setfilter('tcp', 0, 0)
p.setnonblock(1)
p.loop(0, print_packet)
def load_pcap(self, filename, layer=TRANSPORT_LAYER, strict=False):
"""Loads a pcap file and returns a list of Message objects
containing the reassembled messages for the specified OSI
layer.
Usage:
>>> import pcap_reassembler
>>> reassembler = pcap_reassembler.PcapReassembler()
>>> msgs = reassembler.load_pcap('http.cap')
>>> msgs[0].payload
'GET /download.html ...'
"""
if not DATA_LINK_LAYER <= layer <= TRANSPORT_LAYER:
raise ValueError("Specified OSI layer is not supported.")
self._tcp_stream = {}
self._msgs = []
self._count = 1
self._layer = layer
self._strict_policy = strict
p = pcap.pcapObject()
p.open_offline(filename)
# process all packets
try:
p.dispatch(-1, self._process_eth)
except Exception as e:
print e
# flush all TCP connections for remaining messages
for socks in self._tcp_stream:
self._tcp_flush(socks)
self._msgs.sort(key=lambda x: x.number)
return self._msgs
def sniff(recent, interface):
def save_packet(pktlen, data, timestamp):
# from http://pylibpcap.sourceforge.net/
if not data:
return
if data[12:14]=='\x08\x00':
decoded=decode_ip_packet(data[14:])
decoded['original_length'] = pktlen
recent.add(timestamp, decoded)
p = pcap.pcapObject()
try:
p.open_live(interface, 1600, 0, 100)
except Exception:
import traceback
traceback.print_exc()
os.abort()
p.setnonblock(True)
try:
while 1:
numRead = p.dispatch(1, save_packet)
if numRead == 0:
time.sleep(.01)
except:
os.abort()
def __init__(self):
'''
device: interface to do the scan
host_list: host_list to build the filter to scan
net_list: net_list to build the filter to scan
timeout: timeout to read (s)
capture_file: capture filename
promisc_mode: set the interface in promiscuous mode
'''
threading.Thread.__init__(self)
self.__device = ''
self.__host_list = []
self.__net_list = []
self.__status = SnifferStatus.STOPPED_OK
self.__last_error = ''
self.__pcapobj = pcap.pcapObject()
self.__timeout = 0
self.__setpromisc_mode = False
self.__capture_file = ''
self.__convertToPDML = False
self.__data = ''
self.__keep_working = True
self.__capture_size = 0
#For current status:
self.__elapsedTime = 0
self.__currentPackets = 0;
self.__mustStop = False
'''
def decode_file(fname):
"""Given the name of a pcap file, open it, decode the contents and yield each packet."""
if _debug: decode_file._debug("decode_file %r", fname)
if not pcap:
raise RuntimeError, "failed to import pcap"
# create a pcap object
p = pcap.pcapObject()
p.open_offline(fname)
i = 0
while 1:
# the object acts like an iterator
pkt = p.next()
if not pkt:
break
# returns a tuple
pktlen, data, timestamp = pkt
pkt = decode_packet(data)
if not pkt:
continue
# save the index and timestamp in the packet
pkt._index = i
pkt._timestamp = timestamp
yield pkt
i += 1
def issueRequest(serverip, serverport, timeout, req):
global break_wait
global res
# Reset the global vars we will use here
break_wait = 0
res = None
client = DhcpClient(client_listen_port=67, server_listen_port=serverport)
client.dhcp_socket.settimeout(timeout)
if serverip == '0.0.0.0':
req.SetOption('flags',[128, 0])
req_type = req.GetOption('dhcp_message_type')[0]
pcap_obj = pcap.pcapObject()
dev = pcap.lookupdev()
pcap_obj.open_live(dev, 1600, 0, 100)
pcap_obj.setfilter("udp port 67", 0, 0)
sent = 0
while break_wait < 1:
if(sent < 1):
sent = 1
client.SendDhcpPacketTo(req,serverip,serverport)
if req_type == 3 or req_type == 7:
return
pcap_obj.dispatch(1, get_packet)
return res
def run(self):
p = pcap.pcapObject()
#dev = pcap.lookupdev()
#dev = sys.argv[1]
while 1:
for i in dev
p.open_live(i, 1600, 0, 100)
try:
while 1:
p.dispatch(1, print_arp_packet)
sleep(10)
# specify 'None' to dump to dumpfile, assuming you have called
# the dump_open method
# p.dispatch(0, None)
# the loop method is another way of doing things
# p.loop(1, print_packet)
# as is the next() method
# p.next() returns a (pktlen, data, timestamp) tuple
# apply(print_packet,p.next())
except KeyboardInterrupt:
print '%s' % sys.exc_type
print 'shutting down'
print '%d packets received, %d packets dropped, %d packets dropped by interface' % p.stats()
def __init__(self, interface, filters=None):
pcap.lookupnet(interface)
self.pc = pcap.pcapObject()
self.pc.open_live(interface, 3200, False, 0)
BasePcapWrapper.__init__(self, filters)
def _open_next_file(self):
# In the past, python-libpcap did not clean up its fds. In
# 0.6.4-1 it does though and the following is a no-op.
self.pcap = None
# Are we done?
if not self.filenames:
raise StopIteration()
# Next file!
self.filename = self.filenames.pop(0)
# There is no pcap_fopen_offline(3pcap) call, so we'll
# have to use a temp-file if the file was zipped.
filename, is_tempfile = extract_to_tempfile(self.filename)
try:
self.pcap = pcap.pcapObject
except AttributeError:
# pcapy
self.pcap = pcap.open_offline(filename)
else:
# pylibpcap
self.pcap = pcap.pcapObject()
self.pcap.open_offline(filename)
if is_tempfile:
os.unlink(filename)
if self.pcap_filter:
self.pcap.setfilter(self.pcap_filter, 0, 0)
# Set link type, needed below
self.link_type = self.pcap.datalink()
def pcap_to_sqlite(pcap_file, sqlite_file):
"""Generate the SQLite base.
Read the pcap file given in parameter, extracts source and destination IP
and create the SQLite base.
"""
reader = pcap.pcapObject()
reader.open_offline(pcap_file)
conn = sqlite3.connect(sqlite_file)
c = conn.cursor()
if options.verbose:
print("Creating table.")
c.execute('''create table ip_link
(tts real, ip_src text, ip_dst text)''')
if options.verbose:
print("Reading pcap and inserting values in the table...")
while True:
try:
(_, payload, tts) = next(reader)
except:
break
if payload[12:14] == '\x08\x00':
decoded_ip_packet = decode_ip_packet(payload[14:])
c.execute('insert into ip_link values (?,?,?)', \
(str(tts), \
decoded_ip_packet['source_address'], \
decoded_ip_packet['destination_address']))
conn.commit()
c.close()
def capture():
p = pcap.pcapObject()
if len(sys.argv) == 2:
if sys.argv[1] == '-d' or sys.argv[1] == '--dev':
finddev.print_all_devs()
elif sys.argv[1] == '-h' or sys.argv[1] == '--help':
finddev.print_help()
else:
print '[-] Wrong order " %s' % sys.argv[1:], '"'
print_help()
elif len(sys.argv) == 4:
if sys.argv[1] == '-c':
dev = sys.argv[2]
net, mask = pcap.lookupnet(dev)
p.open_live(dev, 1600, 0, 100)
p.setfilter(string.join(sys.argv[3:], ' '), 0, 0)
try:
while True:
p.dispatch(1, show_packet)
except KeyboardInterrupt:
print '[-] %s' % sys.exc_type
print '[-] shutting down'
print '[+] %d packets received, %d packets dropped, %d packets dropped by interface' % p.stats()
else:
print '[-] Wrong order " %s' % sys.argv[1:], '"'
print_help()
def _setup_libpcap(self, device, port):
"""Setup the pcap object and return the handle for it.
:returns: pcap.pcapObject
"""
# Validate the device
if not self._validate_device(device):
raise ValueError('Can not validate the device: %s' % device)
# Create the pcap object
pcap_object = pcap.pcapObject()
# Open the device in promiscuous mode
try:
pcap_object.open_live(device, _SNAPSHOT_LENGTH, True, _TIMEOUT)
self._logger.info('Opened %s', device)
except Exception as error:
raise OSError('Permission error opening device %s' % error)
# Set our filter up
filter = 'dst port %i' % port
# Create our pcap filter looking for ip packets for the memcached server
pcap_object.setfilter(filter, 1, 0)
self._logger.info('Filter set to: %s', filter)
# Set our operation to non-blocking
pcap_object.setnonblock(1)
# Return the handle to the pcap object
return pcap_object
def main():
sc = sniff()
sc.toggleconnect()
if len(sys.argv) < 3:
print ('usage: sniff.py <interface> <expr>')
sys.exit(0)
p = pcap.pcapObject()
dev = sys.argv[1]
net, mask = pcap.lookupnet(dev)
# note: to_ms does nothing on linux
p.open_live(dev, 1600, 0, 100)
#p.dump_open('dumpfile')
p.setfilter(string.join(sys.argv[2:],' '), 0, 0)
# try-except block to catch keyboard interrupt. Failure to shut
# down cleanly can result in the interface not being taken out of promisc.
# mode
#p.setnonblock(1)
try:
while 1:
p.dispatch(1, sc.print_packet)
except KeyboardInterrupt:
sc.toggleconnect()
print ('%s' % sys.exc_type)
print ('shutting down')
print ('%d packets received, %d packets dropped, %d packets dropped by interface' % p.stats())
'''#open session
def load_pcap(filename, layer=TRANSPORT_LAYER, strict=False):
"""Loads a pcap file and returns a list of Message objects
containing the reassembled messages for the specified OSI
layer.
Usage:
>>> import pcap_reassembler
>>> msgs = pcap_reassembler.load_pcap('http.cap')
>>> msgs[0].payload
'GET /download.html ...'
"""
global _tcp_stream, _msgs, _count, _layer, _strict_policy
if not DATA_LINK_LAYER <= layer <= TRANSPORT_LAYER:
raise ValueError("Specified OSI layer is not supported.")
_tcp_stream = {}
_msgs = []
_count = 1
_layer = layer
_strict_policy = strict
p = pcap.pcapObject()
p.open_offline(filename)
# process all packets
p.dispatch(-1, _process_eth)
# flush all TCP connections for remaining messages
for socks in _tcp_stream:
_tcp_flush(socks)
_msgs.sort(key=lambda x: x.number)
return _msgs
def __init__(self, parent, iface = 'any', filter = None, snaplen = 65535, promisc = False, timeout = 10):
self.parent = parent
self.pcap = pcap.pcapObject()
self.pcap.open_live(iface, snaplen, promisc, 0)
if filter is not None:
self.pcap.setfilter(filter, 1, 0)
self.pcap.setnonblock(True)
reactor.addReader(self)
def prepare(self, interface):
sniffer = pcap.pcapObject()
net, mask = pcap.lookupnet(interface)
sniffer.open_live(interface, 1600, 0, 100)
sniffer.setfilter('tcp port 80', 0, 0)
self.sniffer = sniffer
def setupPort(port):
p = pcap.pcapObject()
dev = "eth0"
net, mask = pcap.lookupnet(dev)
p.open_live(dev, 1600, 0, 100)
filterString = "port " + str(port)
p.setfilter(filterString, 0, 0)
return p
def open_eths(eths):
devs = []
for (id, eth) in enumerate(eths):
dev = pcap.pcapObject()
dev.open_live(eth, 1500, 1, 0)
devs.append({"dev": dev, "eth": eth})
eventlet.spawn(handle_eth, id)
return devs
def start(self, iface):
self.stop() # stop previous sniffing session
self._pcap = pcap.pcapObject()
self._pcap.open_live(iface, 1600, 0, 100)
# pcap.setfilter
self.l2_prefix = 14 if self._pcap.datalink() else 4 # BSD DLT_NULL !!!
self.thread = Thread(target=self.sniff)
self.thread.daemon = True
self.thread.start()
def run(self):
p = pcap.pcapObject()
dev = "eth0"
net, mask = pcap.lookupnet(dev)
p.open_live(dev, 1600, 0, 100)
p.setfilter("tcp port 8000", 0, 0)
while not self.thread_stop:
p.dispatch(1, self.print_packet)
def __init__(self, analyser, filename):
""" constructor
:param analyser: the uninstantiated analyser class
:param filename: filename of the capture file
"""
packet_source.__init__(self,analyser)
self.p = pcap.pcapObject()
self.p.open_offline(filename)
def startListener(self):
p = pcap.pcapObject()
p.open_live(self.getInterfaceName(), 1600, 0, 100)
out.verbose("legitHost listener started")
try:
while True:
p.dispatch(1, self.handlePackets)
except KeyboardInterrupt:
out.error("Got keyboard interrupt.")
self.stop()
def pcapopen(fn = None):
from pcap import pcapObject
p = pcapObject()
try:
if fn: p.open_offline(fn)
else: p.open_live('any' , 200, False, 100)
p.dispatch(-1,cb)
except Exception as e:
print bold(red('error:')),red(str(e))
pass
def rdpcapng(filename):
tempf=TEMP_DIR+"/"+str(hash(filename))+".cap"
pc = pcap.pcapObject()
pc.open_offline(filename)
pc.dump_open(tempf)
pc.loop(0,None)
sniffed = rdpcap(tempf)
os.remove(tempf)
sniffed.listname=filename
return sniffed
def __init__(self, callback, interface='en0'):
super(Scrobbify, self).__init__()
self._stop = threading.Event()
self.callback = callback
self.p = pcap.pcapObject()
net, mask = pcap.lookupnet(interface)
self.p.open_live(interface, 1600, 0, 100)
self.p.setfilter(self.expr, 0, 0)
def __init__(self, *args, **kargs):
self.pcap = pcap.pcapObject()
if sys.platform == 'darwin' and 'pcap_set_rfmon' not in dir(self.pcap):
warning("Mac OS WiFI monitor mode not supported unless python-libpcap patched for OS X is used.")
if sys.platform == 'darwin':
self.pcap.pcap_set_rfmon(args[0], 1)
self.pcap.pcap_activate()
else:
self.pcap.open_live(*args, **kargs)
def consolemain(opts, args):
"""consolemain(opts,args)
depending on command line arguments and options creates the packet handler
and flowtable/identification objects and runs the simulations in an interactive
console.
"""
flist = []
# check args
if opts.vfile != '' or opts.nfile != '':
verify = picverification(vfile=opts.vfile, nfile=opts.nfile)
flowhandler = flowverifier(verify)
else:
verify = None
flowhandler = flowdestroyer()
if opts.dumpfile != '':
flowhandler = flowserializer(fname=opts.dumpfile)
# check if we got a single file to process
if opts.ifile != '':
flist += [opts.ifile]
# check if we got a path to process
if opts.ipath != '':
if not opts.ipath.endswith(os.sep):
opts.ipath += os.sep
flist += [add(opts.ipath, x) for x in os.listdir(opts.ipath)]
# check if we got a file list to process
if opts.ilist != '':
ilist = open(opts.ilist, 'r')
flist += ilist.read().split('\n')
ilist.close()
# create flowtable, identifier
ftab = picflowtable(A=opts.A, handler=flowhandler)
ident = picidentifier(dshort=opts.short,
dlong=opts.long,
P=opts.P,
B=opts.B)
# changed to support flist processing
start = time.time()
if len(flist) > 0:
for f in flist:
print "Process file: %s" % (f)
pcapo = pcap.pcapObject()
pcapo.open_offline(f)
pcapo.setfilter(' '.join(args), 0, 0)
pcaphandler = packethandler(opts=opts,
DLT=pcapo.datalink(),
ftab=ftab,
ident=ident)
# do it until EOF or SIGINT
try:
pcapo.loop(0, pcaphandler)
except KeyboardInterrupt:
break
else:
pcapo = pcap.pcapObject()
pcapo.open_live(opts.dev, opts.snaplen, opts.promisc, opts.to_ms)
pcapo.setfilter(' '.join(args), 0, 0)
pcaphandler = packethandler(opts=opts,
DLT=pcapo.datalink(),
ftab=ftab,
ident=ident)
try:
pcapo.loop(0, pcaphandler)
except KeyboardInterrupt:
pass
# shut down
print 'shutting down'
print '%d packets received, %d packets dropped, %d packets dropped by interface' % pcapo.stats(
)
print 'processed in %s' % (time.time() - start)
if opts.ofile != '':
handler.writer.close()
if verify and opts.dumpfile != '':
verify.verifyfile(opts.dumpfile)
return ftab, ident, pcapo, verify
self, oid, value, nohex=True)
if plainTag != textTag:
context['hextag'], context['hexvalue'] = textTag, textValue
else:
textTag, textValue = plainTag, plainValue
textOid, textTag, textValue = context['variationModule']['record'](
textOid, textTag, textValue, **context)
elif 'stopFlag' in context and context['stopFlag']:
raise error.NoDataNotification()
return textOid, textTag, textValue
pcapObj = pcap.pcapObject()
if listenInterface:
if verboseFlag:
log.msg('Listening on interface %s in %spromiscuous mode' %
(listenInterface, promiscuousMode is False and 'non-' or ''))
try:
pcapObj.open_live(listenInterface, 65536, promiscuousMode, 1000)
except Exception:
log.msg('Error opening interface %s for snooping: %s' %
(listenInterface, sys.exc_info()[1]))
sys.exit(-1)
elif captureFile:
if verboseFlag:
log.msg('Opening capture file %s' % captureFile)
try:
def __init__(self, *args, **kargs):
self.pcap = pcap.pcapObject()
self.pcap.open_live(*args, **kargs)
def __init__(self, iface, pktlen):
self.pc = pcap.pcapObject()
self.pc.open_live(iface, pktlen, 1, 0)
self.packet_count = 0
self.output = {}
def pcapReader(q, exitSignal, infile=None, interface=None, thrsh=0):
if not infile and not interface:
# FIXME: write warning here
return
if infile:
pc = pcap.pcapObject()
try:
pc.open_offline(infile)
except IOError:
#log("could not open pcap interface "+str(input_interface)+"\n")
pass
if interface:
pc = pcap.pcapObject()
try:
#pc.open_live(interface, snaplen, promisc, read_timeout)
pc.open_live(interface, 1600, 0, 100)
except IOError:
#log("could not open pcap interface "+str(input_interface)+"\n")
pass
except Exception:
# most likely we got no permission to open the interface
sys.stderr.write('could not open interface. insufficient '
'permissions?\n')
q.put(None)
return
pc.setfilter('udp', 0, 0)
basets = 0
newMappings = dict()
while True:
if exitSignal.is_set():
break
try:
packet = pc.next()
if not packet:
if infile:
# end of file
break
elif interface:
# read timeout
continue
payload = packet[1]
timestamp = int(packet[2])
# make sure we are dealing with IP traffic
# ref: http://www.iana.org/assignments/ethernet-numbers
try:
eth = dpkt.ethernet.Ethernet(payload)
except:
continue
if eth.type != 2048: continue
# make sure we are dealing with UDP
# ref: http://www.iana.org/assignments/protocol-numbers/
try:
ip = eth.data
except:
continue
if ip.p != 17: continue
# filter on UDP assigned ports for DNS
# ref: http://www.iana.org/assignments/port-numbers
try:
udp = ip.data
except:
continue
if udp.sport != 53 and udp.dport != 53: continue
# make the dns object out of the udp data and check for it being a RR (answer)
# and for opcode QUERY (I know, counter-intuitive)
try:
dns = dpkt.dns.DNS(udp.data)
except:
continue
if dns.qr != dpkt.dns.DNS_R: continue
if dns.opcode != dpkt.dns.DNS_QUERY: continue
if dns.rcode != dpkt.dns.DNS_RCODE_NOERR: continue
if len(dns.an) < 1: continue
if len(dns.qd) == 0: continue
aRecords = set()
queriedName = dns.qd[0].name
if not '.' in queriedName:
continue
#lastCname=queriedName
for answer in dns.an:
"""
FIXME: this doesn't work for multiple queries in one DNS packet
"""
#if answer.type == dpkt.dns.DNS_CNAME:
# lastCname=answer.cname
if answer.type == dpkt.dns.DNS_A:
ip = socket.inet_ntoa(answer.rdata)
try:
addr = IPAddress(ip)
except netaddr.AddrFormatError:
continue
else:
if (addr.is_unicast() and not addr.is_private()
and not addr.is_reserved()
and not addr.is_loopback()):
aRecords.add(addr)
if thrsh:
if (timestamp - basets) > thrsh:
basets = timestamp
newMappings.clear()
newIps = checkMapping(newMappings, queriedName, aRecords)
aRecords = newIps
if not aRecords:
continue
data = ((queriedName, ip.dst, aRecords), timestamp)
queued = False
while not queued:
try:
q.put_nowait(data)
except Queue.Full:
# we saturated the queue, let's give the reading
# process some time to empty it again, where we don't
# try to put something in the queue and thereby lock it
# continuously
time.sleep(sleeptime)
if q.empty():
sleeptime *= 0.5
elif q.qsize() >= q._maxsize:
sleeptime *= 2
if sleeptime > maxSleeptime:
sleeptime = maxSleeptime
else:
queued = True
except KeyboardInterrupt:
break
"""
send shutdown signal
"""
q.put(None)
def main():
p = pcap.pcapObject()
filename = sys.argv[1]
p.open_offline(filename)
p.dispatch(-1, packet_handler)
def run(self):
"""Sniffer main function"""
# Get logger
logger = logging.getLogger()
logger.info("Sniffer %i : Capture started on %s" % (self.id, self.dev))
# Init
last_update_t = time()
last_save_t = time()
capture = False
# Optimizations
db_on = self.database["on"]
lmod = self.lmod
term = self.terminated
pipe_send_fnt = self.pipe_sender.send
lfnt_pkthandle = list()
lfnt_trigger_update = list()
lfnt_trigger_save = list()
for mod in lmod:
lfnt_pkthandle.append(mod.pkt_handler)
lfnt_trigger_update.append(mod.trigger_data_update)
lfnt_trigger_save.append(mod.trigger_db_save)
# List loaded module
for mod in self.lmod:
logger.info(
"Sniffer %i : Load network module - websocket subprotocol " %
(self.id) + mod.__str__())
# Mysql database
mydb = self.database["class"](
host=self.database["conf"]["host"],
user=self.database["conf"]["user"],
passwd=self.database["conf"]["passwd"],
database=self.database["conf"]["database"],
port=self.database["conf"]["port"])
if db_on:
# connection to database
mydb.connection()
if mydb.is_connect():
for mod in lmod:
mod.database_init(mydb)
mydb.commit()
# Get device informations if possible (IP address assigned)
try:
net, mask = pcap.lookupnet(self.dev)
except:
net, mask = "192.168.1.0", "255.255.255.0"
# Create new pcap capture object
p = pcap.pcapObject()
try:
# (Dev, buffer, promiscuous mode, timeout)
p.open_live(self.dev, PCAP_PACKET_MAX_LEN, PCAP_PROMISCUOUS_MODE,
PCAP_SNIFFER_TIMEOUT)
# keep it in an available object
GetSniffer().set_sniffer(p)
capture = True
# Handler loop
# tt = (0, 0)
while not term.value:
pkt = p.next()
if pkt is not None:
# Decode packet
pktdec = Packet(pkt[0], pkt[1], pkt[2])
# a = time()
# send pkt to modules
map(lambda x: x(pktdec), lfnt_pkthandle)
# res = time() - a
# a, b = tt
# tt = (a+res, b+1)
# if tt[1] > 100:
# print "Time sniff :", tt[0]/tt[1], "Time Tot :", tt[0]
# tt = (0,0)
# Modules update call
if time() - last_update_t > MIN_TIME_MOD_UPDATE:
last_update_t = time()
l_res = list()
for mod in lmod:
data = mod.trigger_data_update()
if data is not None:
l_res.append((mod.protocol, data))
# Data to send with websocket
if len(l_res) > 0:
pipe_send_fnt(l_res)
# Modules save call
if db_on and mydb.connect is not None:
if time() - last_save_t > MIN_TIME_DB_UPDATE:
last_save_t = time()
map(lambda x: x(mydb), lfnt_trigger_save)
mydb.commit()
except KeyboardInterrupt:
logger.info("Sniffer %i : Interruption signal" % self.id)
except Exception as e:
logger.debug("Sniffer %i :" % self.id, exc_info=True)
# logger.error("Sniffer %i : %s" % (self.id, e.strerror))
print e
finally:
if capture:
if db_on:
mydb.close()
logger.info("Sniffer %i : Capture stopped..." % self.id)
pkt_recv, pkt_drop, pkt_devdrop = p.stats()
if pkt_recv > 0:
lost = pkt_drop / (pkt_recv * 1.0) * 100
else:
lost = 0.0
logger.info(
'Sniffer %i : %i packets received, %i packets dropped, %i packets dropped by interface - %d%%'
% (self.id, pkt_recv, pkt_drop, pkt_devdrop, lost))
def main(args):
global __dbconnection
global __dbconnect
if '-h' in args or '--help' in args:
print('Usage: {}'.format(args[0]))
script_path = os.path.dirname(args[0])
config = ConfigParser.RawConfigParser()
try:
config.read(os.path.join(script_path, 'config'))
except:
logging.error("Couldn't read configuration file")
return
if not check_config(config):
logging.error("Configuration files is missing one or more values")
return
def create_dbconnect():
dsn = config.get('dnsstatd', 'db_dsn')
def dbc():
global __dbconnection
__dbconnection = psycopg2.connect(dsn)
logging.info("Database connection established")
return dbc
__dbconnect = create_dbconnect()
try:
__dbconnect()
except psycopg2.DatabaseError as dbe:
logging.error("Error connecting to database: %s", dbe.message)
return
addrs = []
cap_dev = 'any'
ifaces = config.get('dnsstatd', 'dev').split(',')
if len(ifaces) == 1:
cap_dev = ifaces[0]
if ifaces[0] == 'any':
ifaces = netifaces.interfaces()
for iface in ifaces:
for addr in netifaces.ifaddresses(iface).get(netifaces.AF_INET, []):
addrs.append(addr['addr'])
for addr in netifaces.ifaddresses(iface).get(netifaces.AF_INET6, []):
if not '%' in addr['addr']:
addrs.append(addr['addr'])
pcap_filter = 'src port 53 and ({})'.format(' or '.join(
['src ' + x for x in addrs]))
p = pcap.pcapObject()
p.open_live(cap_dev, 8192, 0, 100)
p.setfilter(pcap_filter, 0, 0)
p.setnonblock(0)
logging.info("Listening on {} using filter \"{}\"".format(
cap_dev, pcap_filter))
logging.warning(
"python-libpcap will not release after SIGTERM until receieving one more packet"
)
try:
p.loop(0, handle_packet)
except KeyboardInterrupt:
logging.info('Caught signal, shutting down')
logging.info('{} packets, {} dropped, {} dropped by interface'.format(
*p.stats()))
def prepare(self):
'''
'''
self.p = pcap.pcapObject()
self.p.open_live(self.dev, 1500, 0, 100)
self.p.setfilter("port %d" % self.port, 0, 0)
def fpcap():
p = pcap.pcapObject()
p.open_live("eth1", 1600, 1, 750)
return p
plaintext = rc4.decrypt(frag.data, ip.src, ip.dst,
header.objectid, frag.iv,
frag.crc) # decrypt
if plaintext != None:
h = ObjectHeader(plaintext)
h.parse()
# print '\tobject content:\n\t\t'+str2hex(h.data)
if not (header.objectid in myObjects.keys()):
myObjects[header.objectid] = ''
myObjects[header.objectid] += h.data
if last:
print '\treassembled content:\n\t\t' + str2hex(
myObjects[header.objectid])
else:
print 'UNKNOWN (' + hex(t) + '), ' + str(len(
header.data)) + ' bytes follow'
print
counter += 1
try:
fname = sys.argv[1]
except:
fname = 'SkypeIRC.cap'
p = pcapObject()
p.open_offline(fname)
p.loop(0, iterate)
