def callback(self, packet, namespace):
res = {}
res['ip'] = packet[IPv6].src
channel = False
# icmp node
if ICMPv6EchoReply in packet:
channel = 'icmp_echo_result'
res['mac'] = getMacFromPacket(packet)
# icmp node name
elif ICMPv6NIReplyName in packet:
channel = 'icmp_name_result'
res['device_name'] = packet[ICMPv6NIReplyName].fields["data"][1][
1].strip()
res['mac'] = getMacFromPacket(packet)
# multicast report
elif Raw in packet and binascii.hexlify(str(packet[Raw]))[0:2] == "8f":
channel = 'multicast_result'
handler = icmpv6.ICMPv6()
reports = handler.parseMulticastReport(packet[Raw])
res['multicast_report'] = reports
res['mac'] = getMacFromPacket(packet)
# llmnr
elif UDP in packet and packet[
UDP].dport == 5355 and LLMNRQuery in packet:
channel = 'llmnr_result'
try:
handler = dns.DNS()
dns_data = handler.parseLLMNRPacket(packet[LLMNRQuery])
if dns_data:
res['dns_data'] = dns_data
res['mac'] = getMacFromPacket(packet)
else:
res = None
except Exception:
pass
# dns data
elif UDP in packet and packet[UDP].dport == 5353 and Raw in packet:
channel = 'mdns_result'
try:
handler = dns.DNS()
dns_data = handler.parsemDNS(packet[Raw])
if dns_data:
res['dns_data'] = dns_data
res['mac'] = getMacFromPacket(packet)
else:
res = None
except Exception:
pass
if channel and res:
self.socketio.emit(channel, res, namespace=namespace)
def __init__(self, pcap_reader, options):
'''
scans the pcap_reader for TCP packets, and adds them to the tcp.Flow
they belong to, based on their socket
Args:
pcap_reader = pcaputil.ModifiedReader
'''
self.flowdict = {}
self.options = options
self.options.dns = dns.DNS()
debug_pkt_count = 0
# Determine the packet type.
if (pcap_reader.datalink() == dpkt.pcap.DLT_EN10MB):
PacketClass = dpkt.ethernet.Ethernet
elif (pcap_reader.datalink() == dpkt.pcap.DLT_LINUX_SLL):
PacketClass = dpkt.sll.SLL
elif pcap_reader.datalink() == 0:
# Loopback packet
PacketClass = dpkt.loopback.Loopback
elif pcap_reader.datalink() == 101:
# RAW packet
PacketClass = None
else:
raise Exception("Unkown packet type: %d" % reader.datalink())
try:
for pkt in pcap_reader:
debug_pkt_count += 1
# logging.debug("Processing packet %d", debug_pkt_count)
# discard incomplete packets
header = pkt[2]
if header.caplen != header.len:
# packet is too short
logging.warning('discarding incomplete packet')
# parse packet
if PacketClass:
packet = PacketClass(pkt[1])
ip_packet = packet.data
else:
packet = dpkt.ip.IP(pkt[1])
ip_packet = packet
try:
if isinstance(ip_packet, dpkt.ip.IP):
if self.options.dns.check_dns(pkt[0], ip_packet):
continue
if isinstance(ip_packet.data, dpkt.tcp.TCP):
# then it's a TCP packet process it
tcppkt = tcp.Packet(pkt[0], ip_packet,
ip_packet.data)
self.process_packet(tcppkt) # organize by socket
except dpkt.Error, error:
logging.warning(error)
except dpkt.dpkt.NeedData, error:
logging.warning(error)
logging.warning(
'A packet in the pcap file was too short, '
'debug_pkt_count=%d', debug_pkt_count)
def testDnsckFile(self):
open(self.dnsck_fname, 'w').write('dnsck')
d = dns.DNS()
self.assertEqual(d.Diagnostics.X_CATAWAMPUS_ORG_ExtraCheckServers,
'dnsck')
d.Diagnostics.X_CATAWAMPUS_ORG_ExtraCheckServers = 'dnsck2'
self.loop.RunOnce()
self.assertEqual(open(self.dnsck_fname).read(), 'dnsck2\n')
def __init__(self, pcap_reader, options):
'''
scans the pcap_reader for TCP packets, and adds them to the tcp.Flow
they belong to, based on their socket
Args:
pcap_reader = pcaputil.ModifiedReader
'''
self.flowdict = {}
self.options = options
self.options.dns = dns.DNS()
debug_pkt_count = 0
try:
for pkt in pcap_reader:
debug_pkt_count += 1
log.debug("Processing packet %d", debug_pkt_count)
# discard incomplete packets
header = pkt[2]
if header.caplen != header.len:
# packet is too short
log.warning('discarding incomplete packet')
# parse packet
try:
dltoff = dpkt.pcap.dltoff
if pcap_reader.dloff == dltoff[dpkt.pcap.DLT_LINUX_SLL]:
eth = dpkt.sll.SLL(pkt[1])
else:
# TODO(lsong): Check other packet type. Default is ethernet.
eth = dpkt.ethernet.Ethernet(pkt[1])
if isinstance(eth.data, dpkt.ip.IP):
ip = eth.data
if self.options.dns.check_dns(pkt[0], ip):
continue
if isinstance(ip.data, dpkt.tcp.TCP):
# then it's a TCP packet process it
tcppkt = tcp.Packet(pkt[0], pkt[1], eth, ip,
ip.data)
self.process_packet(tcppkt) # organize by socket
except dpkt.Error, error:
log.warning(error)
except dpkt.dpkt.NeedData, error:
log.warning(error)
log.warning(
'A packet in the pcap file was too short, '
'debug_pkt_count=%d', debug_pkt_count)
def testValidateExports(self):
d = dns.DNS()
tr.handle.ValidateExports(d)
def udp_handler(self, addrs, payload, pkt):
try:
(src, sport), (dst, dport) = addrs
if sport == 53 or dport == 53:
d = dns.DNS(payload)
id = d.get_transaction_id()
flags = d.get_flags()
if flags & dns.DNSFlags.QR_RESPONSE:
mode = 'response'
else:
mode = 'query'
res = {
'ts': nids.get_pkt_ts(),
'mode': mode,
'id': id,
'questions': [],
'answers': [],
'authoritatives': [],
'additionals': []
}
def add_values(key, keys, values):
info = {}
values = list(values)
values.reverse()
values = tuple(values)
for value in values:
info[keys.pop()] = value
res[key].append(info)
qdcount = d.get_qdcount()
if qdcount > 0:
questions = d.get_questions()
questions.reverse()
while questions:
add_values('questions', ['qname', 'qtype', 'qclass'], questions.pop())
ancount = d.get_ancount()
if ancount > 0:
answers = d.get_answers()
answers.reverse()
while answers:
add_values('answers', ['qname', 'qtype', 'qclass', 'qttl', 'qrdata'], answers.pop())
nscount = d.get_nscount()
if nscount > 0:
authoritatives = d.get_authoritatives()
authoritatives.reverse()
while authoritatives:
add_values('authoritatives', ['qname', 'qtype', 'qclass', 'qttl', 'qrdata'], authoritatives.pop())
arcount = d.get_arcount()
if arcount > 0:
additionals = d.get_additionals()
additionals.reverse()
while additionals:
add_values('additionals', ['qname', 'qtype', 'qclass', 'qttl', 'qrdata'], additionals.pop())
print >> self.output, json.dumps(res)
except Exception, e:
print >> sys.stderr, 'Exception', e
traceback.print_exc(file=sys.stderr)