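def extract(folder, filename):
    """Extract JPEG images carried over HTTP (port 80) from a pcap file.

    Concatenates the transport-layer payload of every packet whose source
    or destination port is 80, splits the resulting stream into HTTP
    messages, and writes each ``image/jpeg`` body found into ``folder`` as
    ``<pcap basename>-pycket_<n>.<type>``.

    Args:
        folder: directory that receives the extracted image files.
        filename: path of the pcap file to read.

    Returns:
        The running counter after the last write, i.e. the number of images
        written plus one (the counter starts at 1, matching the file names).
    """
    import os

    http_payload = ''
    extracted_images = 1
    pcap = PcapReader(filename)
    pcap.parse()
    for packet in pcap.get_packets():
        # layers[2] is the transport layer; packets without one are skipped.
        transport = packet.layers[2]
        if not transport:
            continue
        # Only traffic on the default HTTP port is collected.
        if transport['Source port'] == 80 or transport['Destination port'] == 80:
            http_payload += str(transport['Data'])

    boundaries = get_payload_boundaries(http_payload)
    headers = get_http_headers_and_content(http_payload, boundaries)

    # The pcap's basename is the prefix of every output file name.
    clean_name = os.path.basename(filename)

    for h in headers or ():
        if 'image/jpeg' not in h['Content-Type']:
            continue
        image, image_type = extract_images(h, http_payload, boundaries)
        if image is None or image_type is None:
            continue
        out_name = '%s-pycket_%s.%s' % (clean_name, extracted_images, image_type)
        # image_type is derived from the capture contents, so refuse any
        # value that would turn the name into a path leaving ``folder``.
        if os.path.basename(out_name) != out_name:
            continue
        # ``with`` closes the file even if write() raises.
        with open(os.path.join(folder, out_name), 'wb') as fd:
            fd.write(image)
        extracted_images += 1
    return extracted_images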
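def extract(folder, filename):
    """Write every JPEG found in the HTTP traffic of a pcap file to ``folder``.

    The payload of all packets with source or destination port 80 is joined
    into one stream, split into HTTP messages, and each ``image/jpeg`` body
    is saved as ``<pcap basename>-pycket_<n>.<type>``.

    Args:
        folder: output directory for the image files.
        filename: path of the pcap file to parse.

    Returns:
        The counter after the last write: number of images written plus one,
        because numbering starts at 1 as in the generated file names.
    """
    import os

    http_payload = ''
    extracted_images = 1
    pcap = PcapReader(filename)
    pcap.parse()
    for packet in pcap.get_packets():
        # Transport layer lives in layers[2]; skip packets that lack one.
        transport = packet.layers[2]
        if not transport:
            continue
        # Only the default HTTP port is considered.
        if transport['Source port'] == 80 or transport['Destination port'] == 80:
            http_payload += str(transport['Data'])

    boundaries = get_payload_boundaries(http_payload)
    headers = get_http_headers_and_content(http_payload, boundaries)

    # Output files are prefixed with the pcap's basename.
    clean_name = os.path.basename(filename)

    for h in headers or ():
        if 'image/jpeg' not in h['Content-Type']:
            continue
        image, image_type = extract_images(h, http_payload, boundaries)
        if image is None or image_type is None:
            continue
        out_name = '%s-pycket_%s.%s' % (
            clean_name, extracted_images, image_type)
        # image_type comes out of the capture data; never let it introduce
        # a path separator that would escape ``folder``.
        if os.path.basename(out_name) != out_name:
            continue
        # The context manager closes the file even when write() fails.
        with open(os.path.join(folder, out_name), 'wb') as fd:
            fd.write(image)
        extracted_images += 1
    return extracted_images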
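 def open_pcap(self):
     """Prompt for a .pcap file and add each packet it contains to the view.

     A ``ValueError`` raised by the reader is shown to the user as
     "not a pcap file"; any other error is printed with its type and
     message rather than silently swallowed. Cancelling the dialog
     (empty file name) leaves the view untouched.
     """
     fileName = QtGui.QFileDialog.getOpenFileName(self, "Open File", "/home", "Pcap files (*.pcap)")
     if not fileName:
         return
     try:
         pcap_reader = PcapReader(fileName)
         pcap_reader.parse()
         for packet in pcap_reader.get_packets():
             self.add_packet(packet)
     except ValueError:
         QtGui.QMessageBox.information(self, "Error", "'" + fileName + "' is not a pcap file.")
     except Exception as e:
         # Narrowed from a bare ``except`` so SystemExit and
         # KeyboardInterrupt still propagate; report type and message.
         print "Unexpected error:", type(e), str(e)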
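def main(argv):
    """Run the UI main loop.

    Args:
        argv: command-line arguments without the program name; ``argv[0]``
            is the pcap file to open.

    Shows the main menu and dispatches the selection until an exception
    is raised by the reader or a handler, which is printed and ends the
    loop. A missing file argument produces a usage line instead.
    """
    import sys

    if not argv:
        # Without this guard the broad handler below would just print
        # the IndexError text, which tells the user nothing.
        sys.stderr.write("Usage: %s pcap-file\n" % sys.argv[0])
        return
    try:
        reader = PcapReader(argv[0])
        while True:
            selection = show_main_menu()
            handle_user_selection(selection, reader)
    except Exception as e:
        # Top-level boundary: report and leave the loop instead of crashing.
        print(e)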
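def filter(pcap_file_name, hosts, ports):
    """Given the file name pcap_file_name, scans the named packet dump for
packets matching the given transport layer ports and/or hosts, and yields a
PacketSynopsis. hosts and ports are sequences. To match any port, provide an
empty sequence; similarly for hosts.

    Any frame whose layers lack the attributes read below (no IP layer, no
    ports on the transport layer, ...) raises inside the ``try``; the error
    is written to stderr and the frame is skipped, so the generator keeps
    going. Note that this function shadows the builtin ``filter``.
    """

    for p, m in PcapReader(pcap_file_name):
        try:
            e = dpkt.ethernet.Ethernet(p)
            i = e.data
            t = i.data
            src = ip_address(i.src)
            dstntn = ip_address(i.dst)

            # An empty sequence matches everything; otherwise either end of
            # the packet has to match.
            if ports and (t.dport not in ports) and (t.sport not in ports):
                continue
            if hosts and (src not in hosts) and (dstntn not in hosts):
                continue

            # This bit of cheese with Decimal is an attempt to avoid
            # floating-point rounding errors, to maintain the same
            # timestamps as found when you look at the pcap in
            # Wireshark. It appears to work so far.
            yield PacketSynopsis(timestamp=Decimal("%d.%06d" % m[:2]),
                                 source_host=src,
                                 source_port=t.sport,
                                 destination_host=dstntn,
                                 destination_port=t.dport,
                                 frame_bytes=len(p),
                                 ip_bytes=len(e.data),
                                 transport_bytes=len(i.data),
                                 application_bytes=len(t.data),
                                 application_payload=t.data)

        except Exception as err:
            # Best effort: report and move on. str(err) replaces the
            # deprecated BaseException.message, which is empty for
            # exceptions constructed with more than one argument.
            sys.stderr.write(str(type(err)) + ": " + str(err) + "\n")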
# Load network/logging/testing settings from CONFIG_FILE.
# NOTE: ConfigParser.read() silently ignores a file it cannot open; a
# missing file therefore surfaces later as NoSectionError on the first get().
Config = ConfigParser()
Config.read(CONFIG_FILE)
HOST = Config.get('network', 'host')
PORT = Config.getint('network', 'port')
MAX_BYTES = Config.getint('logging', 'maxBytes')
BACKUP_COUNT = Config.getint('logging', 'backupCount')
BUFFER_OUTPUT = Config.getboolean('logging', 'useFileForOutput')

# Two rotating loggers under LOG_PATH, both sized by the logging section.
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES,
                            BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES,
                           BACKUP_COUNT)

# ProcessPcap is about testing, we're reading a previously captured .pcap file
captureFile = Config.get('testing', 'file')
pkts = PcapReader(captureFile)

# For each packet in the pcap file, extract, decode and print AppFlow IPFIX records.

# NOTE: for testing, we want high log output (unless we care about speed)
# NOTE(review): WARNING suppresses the debugLogger.info() calls made while
# iterating the packets below; lower to INFO/DEBUG if that output is wanted.
debugLogger.setLevel(logging.WARNING)
# Start of the timing window for the packet loop.
f1 = time()
for p in pkts:
    # assume layer 2 is Ethernet
    l3type = unpack(">H", p[12:14])[0]
    if l3type != 0x800:  # not IP
        debugLogger.info("DISCARD: Non-IP Packet")
        continue

    pos = 14  # Ethernet length
    bdy = stream[dlmtr + 4:end]
    if "gzip" in hdrs.get("content-encoding", "").lower():
        return GzipFile(fileobj=StringIO(bdy)).read()
    return bdy


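if __name__ == "__main__":

    import sys
    from PcapReader import PcapReader

    if 2 != len(sys.argv):
        print "Usage: summarize_http pcap-file"
        sys.exit(1)

    # Frames -> IP datagrams -> TCP streams, then summarise only the streams
    # whose key contains port 80, 443 or 53.
    frms = ethernet_frames([p for p, m in PcapReader(sys.argv[1])])
    dt_grms = ip_datagrams(frms)
    strms = tcp_streams(dt_grms)
    # Iterate over a snapshot of the keys so the loop is unaffected should
    # strms be modified while a stream is summarised.
    for s in list(strms):
        if (80 not in s) and (443 not in s) and (53 not in s):
            continue
        print [m.group() for m in summarize_http_connection(strms[s])]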
                  cnctns[c].sort(compare_by_sequence)
                  d = []
                  for p in cnctns[c]:
                        try:
                              d.append(p.data)
                        except AttributeError, e:
                              pass
                  cnctns[c] = "".join(d)
            except TypeError, e:
                  print "Packet:", type(e), str(e)

      return cnctns


if __name__ == "__main__":

      import sys
      from PcapReader import PcapReader

      # Exactly one argument is accepted: the capture to reassemble.
      if len(sys.argv) != 2:
            print "Usage: reassemble.py pcap-file"
            sys.exit(1)

      reassembled = streams(PcapReader(sys.argv[1]))
      # Every stream is printed between "(begin <key> )" and "(end <key> )"
      # lines, followed by one blank separator line.
      for key in reassembled:
            print "(begin %s )" % (key,)
            print reassembled[key]
            print "(end %s )" % (key,)
            print