def callback(self, packet, namespace): res = {} res['ip'] = packet[IPv6].src channel = False # icmp node if ICMPv6EchoReply in packet: channel = 'icmp_echo_result' res['mac'] = getMacFromPacket(packet) # icmp node name elif ICMPv6NIReplyName in packet: channel = 'icmp_name_result' res['device_name'] = packet[ICMPv6NIReplyName].fields["data"][1][ 1].strip() res['mac'] = getMacFromPacket(packet) # multicast report elif Raw in packet and binascii.hexlify(str(packet[Raw]))[0:2] == "8f": channel = 'multicast_result' handler = icmpv6.ICMPv6() reports = handler.parseMulticastReport(packet[Raw]) res['multicast_report'] = reports res['mac'] = getMacFromPacket(packet) # llmnr elif UDP in packet and packet[ UDP].dport == 5355 and LLMNRQuery in packet: channel = 'llmnr_result' try: handler = dns.DNS() dns_data = handler.parseLLMNRPacket(packet[LLMNRQuery]) if dns_data: res['dns_data'] = dns_data res['mac'] = getMacFromPacket(packet) else: res = None except Exception: pass # dns data elif UDP in packet and packet[UDP].dport == 5353 and Raw in packet: channel = 'mdns_result' try: handler = dns.DNS() dns_data = handler.parsemDNS(packet[Raw]) if dns_data: res['dns_data'] = dns_data res['mac'] = getMacFromPacket(packet) else: res = None except Exception: pass if channel and res: self.socketio.emit(channel, res, namespace=namespace)
def __init__(self, pcap_reader, options): ''' scans the pcap_reader for TCP packets, and adds them to the tcp.Flow they belong to, based on their socket Args: pcap_reader = pcaputil.ModifiedReader ''' self.flowdict = {} self.options = options self.options.dns = dns.DNS() debug_pkt_count = 0 # Determine the packet type. if (pcap_reader.datalink() == dpkt.pcap.DLT_EN10MB): PacketClass = dpkt.ethernet.Ethernet elif (pcap_reader.datalink() == dpkt.pcap.DLT_LINUX_SLL): PacketClass = dpkt.sll.SLL elif pcap_reader.datalink() == 0: # Loopback packet PacketClass = dpkt.loopback.Loopback elif pcap_reader.datalink() == 101: # RAW packet PacketClass = None else: raise Exception("Unkown packet type: %d" % reader.datalink()) try: for pkt in pcap_reader: debug_pkt_count += 1 # logging.debug("Processing packet %d", debug_pkt_count) # discard incomplete packets header = pkt[2] if header.caplen != header.len: # packet is too short logging.warning('discarding incomplete packet') # parse packet if PacketClass: packet = PacketClass(pkt[1]) ip_packet = packet.data else: packet = dpkt.ip.IP(pkt[1]) ip_packet = packet try: if isinstance(ip_packet, dpkt.ip.IP): if self.options.dns.check_dns(pkt[0], ip_packet): continue if isinstance(ip_packet.data, dpkt.tcp.TCP): # then it's a TCP packet process it tcppkt = tcp.Packet(pkt[0], ip_packet, ip_packet.data) self.process_packet(tcppkt) # organize by socket except dpkt.Error, error: logging.warning(error) except dpkt.dpkt.NeedData, error: logging.warning(error) logging.warning( 'A packet in the pcap file was too short, ' 'debug_pkt_count=%d', debug_pkt_count)
def testDnsckFile(self): open(self.dnsck_fname, 'w').write('dnsck') d = dns.DNS() self.assertEqual(d.Diagnostics.X_CATAWAMPUS_ORG_ExtraCheckServers, 'dnsck') d.Diagnostics.X_CATAWAMPUS_ORG_ExtraCheckServers = 'dnsck2' self.loop.RunOnce() self.assertEqual(open(self.dnsck_fname).read(), 'dnsck2\n')
def __init__(self, pcap_reader, options): ''' scans the pcap_reader for TCP packets, and adds them to the tcp.Flow they belong to, based on their socket Args: pcap_reader = pcaputil.ModifiedReader ''' self.flowdict = {} self.options = options self.options.dns = dns.DNS() debug_pkt_count = 0 try: for pkt in pcap_reader: debug_pkt_count += 1 log.debug("Processing packet %d", debug_pkt_count) # discard incomplete packets header = pkt[2] if header.caplen != header.len: # packet is too short log.warning('discarding incomplete packet') # parse packet try: dltoff = dpkt.pcap.dltoff if pcap_reader.dloff == dltoff[dpkt.pcap.DLT_LINUX_SLL]: eth = dpkt.sll.SLL(pkt[1]) else: # TODO(lsong): Check other packet type. Default is ethernet. eth = dpkt.ethernet.Ethernet(pkt[1]) if isinstance(eth.data, dpkt.ip.IP): ip = eth.data if self.options.dns.check_dns(pkt[0], ip): continue if isinstance(ip.data, dpkt.tcp.TCP): # then it's a TCP packet process it tcppkt = tcp.Packet(pkt[0], pkt[1], eth, ip, ip.data) self.process_packet(tcppkt) # organize by socket except dpkt.Error, error: log.warning(error) except dpkt.dpkt.NeedData, error: log.warning(error) log.warning( 'A packet in the pcap file was too short, ' 'debug_pkt_count=%d', debug_pkt_count)
def testValidateExports(self): d = dns.DNS() tr.handle.ValidateExports(d)
def udp_handler(self, addrs, payload, pkt): try: (src, sport), (dst, dport) = addrs if sport == 53 or dport == 53: d = dns.DNS(payload) id = d.get_transaction_id() flags = d.get_flags() if flags & dns.DNSFlags.QR_RESPONSE: mode = 'response' else: mode = 'query' res = { 'ts': nids.get_pkt_ts(), 'mode': mode, 'id': id, 'questions': [], 'answers': [], 'authoritatives': [], 'additionals': [] } def add_values(key, keys, values): info = {} values = list(values) values.reverse() values = tuple(values) for value in values: info[keys.pop()] = value res[key].append(info) qdcount = d.get_qdcount() if qdcount > 0: questions = d.get_questions() questions.reverse() while questions: add_values('questions', ['qname', 'qtype', 'qclass'], questions.pop()) ancount = d.get_ancount() if ancount > 0: answers = d.get_answers() answers.reverse() while answers: add_values('answers', ['qname', 'qtype', 'qclass', 'qttl', 'qrdata'], answers.pop()) nscount = d.get_nscount() if nscount > 0: authoritatives = d.get_authoritatives() authoritatives.reverse() while authoritatives: add_values('authoritatives', ['qname', 'qtype', 'qclass', 'qttl', 'qrdata'], authoritatives.pop()) arcount = d.get_arcount() if arcount > 0: additionals = d.get_additionals() additionals.reverse() while additionals: add_values('additionals', ['qname', 'qtype', 'qclass', 'qttl', 'qrdata'], additionals.pop()) print >> self.output, json.dumps(res) except Exception, e: print >> sys.stderr, 'Exception', e traceback.print_exc(file=sys.stderr)