def __init__(self, buf):
self.destMac = utils.mac_addr(buf[0:6])
self.sourceMac = utils.mac_addr(buf[6:12])
self.type = consts.eth_types[''.join('%02x' % compat_ord(b)
for b in buf[12:14]).upper()]
self.type_code = ''.join('%02x' % compat_ord(b)
for b in buf[12:14]).upper()
def mac_parser(eth):
"""
Parse and convert src & dst Mac address in hex to string
Args:
eth: dpkt.ethernet.Ethernet
Returns:
tuple: (src_mac, dst_mac)
"""
return (':'.join('%02x' % compat_ord(b) for b in eth.src),
':'.join('%02x' % compat_ord(b) for b in eth.dst))
def mac_addr(address):
"""Convert a MAC address to a readable/printable string
Args:
address (str): a MAC address in hex form (e.g. '\x01\x02\x03\x04\x05\x06')
Returns:
str: Printable/readable MAC address
"""
return ':'.join('%02x' % compat_ord(b) for b in address)
def mac_addr(address):
"""
Casts ip raw in string format
:param address:
:return:
"""
return ':'.join('%02x' % compat_ord(b) for b in address)
def main():
try:
pcap = dpkt.pcap.Reader(open(sys.argv[1], 'rb'))
except (IOError, IndexError, ValueError):
print("Error: A pcap file could not be read")
sys.exit()
DG = nx.DiGraph()
for ts, pkt in pcap:
eth = dpkt.ethernet.Ethernet(pkt)
srcMac = ':'.join('%02x' % compat_ord(b) for b in eth.src)
dstMac = ':'.join('%02x' % compat_ord(b) for b in eth.dst)
DG.add_edge(srcMac, dstMac)
nx.draw(DG, with_labels=True, node_color='skyblue')
plt.draw()
plt.show()
def unpack_mac_addr(hex_addr):
"""Unpack MAC address from bytes representation.
:param bytes hex_addr: MAC address bytes
:returns: MAC address with colon-delimited octets
:rtype: str
"""
return ':'.join('%02x' % compat_ord(b) for b in hex_addr)
def mac_addr(address):
""" Convert a MAC address to a readable/printable string
Taken from the dpkt website
:param address: a string MAC address in hex form (e.g. '\x01\x02\x03\x04\x05\x06')
:returns: readable string of MAC address
"""
return ":".join("%02x" % compat_ord(b) for b in address)
def mac_addr(address):
"""Convert a MAC address to a readable/printable string
Args:
address (str): a MAC address in hex form (e.g. '\x01\x02\x03\x04\x05\x06')
Returns:
str: Printable/readable MAC address
"""
return ':'.join('%02x' % compat_ord(b) for b in address)
def parse_data(udp_data):
"""Conver data in UDP to readable string
Args:
udp_data: hex form
Returns:
str:
"""
return ' '.join('%02x' % compat_ord(b) for b in udp_data)
def _sniff(e, iface, queue):
prctl.set_name('AI detector - sniff packet')
pc = pcap.pcap(iface, promisc=True, immediate=True)
pc.setfilter('ip')
for ptime, pdata in pc:
eth = dpkt.ethernet.Ethernet(pdata)
ip = eth.data
sip = socket.inet_ntoa(ip.src)
smac = ':'.join('%02x' % compat_ord(b) for b in eth.src)
queue.put((sip, smac, str(pdata), ptime))
if e.is_set():
break
def mac_addr(address):
"""Convert a MAC address to a readable/printable string
Args:
address (str): a MAC address in hex form (e.g. '\x01\x02\x03\x04\x05\x06')
Returns:
str: Printable/readable MAC address
"""
global _macnum, _macdic
mac = ':'.join('%02x' % compat_ord(b) for b in address)
if mac not in _macdic:
_macdic[mac] = chr(_macnum)
_macnum += 1
return mac
def mac_addr(address):#converts mac address from hex to a readable format
return ':'.join('%02x' % compat_ord(b) for b in address)
def mac_addr(address):
''' Borrowed. '''
return ':'.join('%02x' % compat_ord(b) for b in address)
def mac_addr(address):
return ':'.join('%02x' % compat_ord(b) for b in address)
def feature_extract(pkt_tuple):
global flow_statics, src_addr_list, info
raw_pkt = pkt_tuple[0]
pkt_time = pkt_tuple[1]
eth = dpkt.ethernet.Ethernet(raw_pkt)
ip = eth.data
sip = socket.inet_ntoa(ip.src)
dip = socket.inet_ntoa(ip.dst)
smac = ':'.join('%02x' % compat_ord(b) for b in eth.src)
dmac = ':'.join('%02x' % compat_ord(b) for b in eth.dst)
protocol = None
global miss_count
if ip.p == dpkt.ip.IP_PROTO_UDP:
protocol = 'UDP'
elif ip.p == dpkt.ip.IP_PROTO_TCP:
protocol = 'TCP'
elif ip.p == dpkt.ip.IP_PROTO_ICMP:
protocol = 'ICMP'
proto = ip.data
try:
sport = str(proto.sport)
except:
sport = None
try:
dport = str(proto.dport)
except:
dport = None
if (sip, smac) not in src_addr_list:
src_addr_list.append((sip, smac))
ip_key = None
mac_key = None
pid = str(ip.id)
if sport != None or protocol == 'ICMP':
ip_key = (sip, dip, sport, dport, protocol)
mac_key = (smac, dmac, sport, dport, protocol)
if ip.off & dpkt.ip.IP_MF:
if (sip, pid) not in info:
if sport == None:
ip_key = (sip, dip, sport, dport, protocol, pid)
info[(sip, pid)] = ip_key
else:
ip_key = info[(sip, pid)]
if (smac, pid) not in info:
if sport == None:
mac_key = (smac, dmac, sport, dport, protocol, pid)
info[(smac, pid)] = mac_key
else:
mac_key = info[(smac, pid)]
else:
pass
# fragment packet has no UDP/TCP layer
if ip.off & dpkt.ip.IP_MF and sport != None:
if (sip, pid) in info:
old_key = info[(sip, pid)]
if old_key in flow_statics:
flow_statics[ip_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
info[(sip, pid)] = ip_key
if (smac, pid) in info:
old_key = info[(smac, pid)]
if old_key in flow_statics:
flow_statics[mac_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
info[(smac, pid)] = mac_key
elif ip.off & dpkt.ip.IP_MF == 0:
if (sip, pid) in info:
if sport == None:
ip_key = info[(sip, pid)]
else:
if info.get((sip, pid), None):
old_key = info[(sip, pid)]
if old_key in flow_statics:
flow_statics[ip_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
info.pop((sip, pid), None)
if (smac, pid) in info:
if sport == None:
mac_key = info[(smac, pid)]
else:
if info.get((smac, pid), None):
old_key = info[(smac, pid)]
if old_key in flow_statics:
flow_statics[mac_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
info.pop((sip, pid), None)
if ip_key == None or mac_key == None:
miss_count += 1
return
update_data(ip_key, eth, protocol, pkt_time)
update_data(mac_key, eth, protocol, pkt_time)
def mac_addr(address): #转换mac地址为字符串
return ':'.join('%02x' % compat_ord(b) for b in address)
def feature_extract(pkt_tuple):
global flow_statics, src_addr_list, total_count, info
total_count += 1
#outputfile.write('new packet\n')
if total_count % 10000 == 0:
print total_count
tmp = time.time()
raw_pkt = pkt_tuple[0]
pkt_time = pkt_tuple[1]
eth = dpkt.ethernet.Ethernet(raw_pkt)
ip = eth.data
sip = socket.inet_ntoa(ip.src)
dip = socket.inet_ntoa(ip.dst)
smac = ':'.join('%02x' % compat_ord(b) for b in eth.src)
dmac = ':'.join('%02x' % compat_ord(b) for b in eth.dst)
protocol = None
global miss_count
if ip.p == dpkt.ip.IP_PROTO_UDP:
protocol = 'UDP'
elif ip.p == dpkt.ip.IP_PROTO_TCP:
protocol = 'TCP'
elif ip.p == dpkt.ip.IP_PROTO_ICMP:
protocol = 'ICMP'
proto = ip.data
try:
sport = str(proto.sport)
except:
sport = None
try:
dport = str(proto.dport)
except:
dport = None
if (sip, smac) not in src_addr_list:
src_addr_list.append((sip, smac))
ip_key = None
mac_key = None
pid = str(ip.id)
#outputfile.write('count ' + sip + ' ' + dip + ' ' + str(sport) + ' ' + pid + ' ' + str(ip.off) + '\n')
#outputfile.flush()
#if protocol == 'UDP' or protocol == 'TCP' or protocol == 'ICMP':
if sport != None or protocol == 'ICMP':
ip_key = (sip, dip, sport, dport, protocol)
mac_key = (smac, dmac, sport, dport, protocol)
if ip.off & dpkt.ip.IP_MF:
if (sip, pid) not in info:
#if protocol == None:
if sport == None:
ip_key = (sip, dip, sport, dport, protocol, pid)
#outputfile.write('Add ' + str((sip, pid)) + ' ' + str(ip_key) + '\n')
#outputfile.flush()
info[(sip, pid)] = ip_key
else:
ip_key = info[(sip, pid)]
if (smac, pid) not in info:
#if protocol == None:
if sport == None:
mac_key = (smac, dmac, sport, dport, protocol, pid)
info[(smac, pid)] = mac_key
else:
mac_key = info[(smac, pid)]
else:
pass
# fragment packet has no UDP/TCP layer
#if ip.off & dpkt.ip.IP_MF and protocol != None:
if ip.off & dpkt.ip.IP_MF and sport != None:
if (sip, pid) in info:
old_key = info[(sip, pid)]
if old_key in flow_statics:
flow_statics[ip_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
info[(sip, pid)] = ip_key
if (smac, pid) in info:
old_key = info[(smac, pid)]
if old_key in flow_statics:
flow_statics[mac_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
info[(smac, pid)] = mac_key
elif ip.off & dpkt.ip.IP_MF == 0:
if (sip, pid) in info:
#if protocol == None:
#outputfile.write('info\n')
#outputfile.write(str(info)+'\n')
#outputfile.flush()
if sport == None:
#outputfile.write('info: '+str(info[(sip, pid)]) + '\n')
ip_key = info[(sip, pid)]
else:
if info.get((sip, pid), None):
old_key = info[(sip, pid)]
if old_key in flow_statics:
flow_statics[ip_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
#del info[(sip, pid)]
info.pop((sip, pid), None)
#outputfile.write('Remove ' + str((sip, pid)) + '\n')
#outputfile.write('IP key: '+str(ip_key)+'\n')
#outputfile.flush()
if (smac, pid) in info:
#if protocol == None:
if sport == None:
#outputfile.write('info: '+str(info[(smac, pid)]) + '\n')
mac_key = info[(smac, pid)]
else:
if info.get((smac, pid), None):
old_key = info[(smac, pid)]
if old_key in flow_statics:
flow_statics[mac_key] = flow_statics[old_key].copy()
del flow_statics[old_key]
#del info[(smac, pid)]
info.pop((smac, pid), None)
#outputfile.write('Remove ' + str((smac, pid)) + '\n')
#outputfile.write('MAC key: '+str(mac_key)+'\n')
#outputfile.flush()
else:
pass
#outputfile.write(str(ip_key)+'\n')
#outputfile.write(str(mac_key)+'\n')
if ip_key == None or mac_key == None:
miss_count += 1
#print miss_count, pkt.time
outputfile.write('miss_count ' + str(miss_count)+' '+ str(pkt_time)+'\n')
#outputfile.write(str(ip_key)+'\n')
#outputfile.write(str(mac_key)+'\n')
#outputfile.write(str(sport)+' '+str(protocol)+' '+str(pid) + ' '+str(ip.off)+'\n')
#outputfile.write(str(info)+'\n')
outputfile.flush()
return
global attacker
if protocol == 'TCP' and proto.flags & dpkt.tcp.TH_SYN:
if (dip, dport) in ddos_target1:
if str(ip_key) not in attacker:
attacker.append(str(ip_key))
if str(mac_key) not in attacker:
attacker.append(str(mac_key))
if (sip, dip) in ddos_target2:
if str(ip_key) not in attacker:
attacker.append(str(ip_key))
if str(mac_key) not in attacker:
attacker.append(str(mac_key))
update_data(ip_key, eth, protocol, pkt_time)
update_data(mac_key, eth, protocol, pkt_time)
return
try:
# gets the packets from the pcap file that have the source address from the dot, and are tcp packets
#for packet in PcapReader('alexa10_B.pcap'): #('alexa_7_7_16.pcap'): # use PcapReader rather than rdpcap bc rdpcap creates a list in memory
#while rcapreader doesn't so it makes it possible to process huge pcap files
for filename in os.listdir("weather"):
if filename.endswith(".pcap"):
f = open("weather/" + filename, 'rb')
for packet in PcapReader("weather/" + filename):
#for packet in dpkt.pcap.Reader(f):
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
if (pcap is not None): #check for SSL here
eth = dpkt.ethernet.Ethernet(buf)
#print examples.print_packets.mac_addr(eth.src)
mac_source = ':'.join('%02x' % compat_ord(b) for b in eth.src) # MAC address!!!!
mac_dest = ':'.join('%02x' % compat_ord(b) for b in eth.dst)
if (mac_source == mac_address or mac_dest == mac_address):
if isinstance(eth.data, dpkt.ip.IP): #checks if the Ethernet data contains an IP packet
ip = eth.data
print ip.p
if isinstance(ip.data, dpkt.tcp.TCP): # check if there's a tcp layer
packets.append(buf)
#if (packet[Ether].src == mac_address or packet[Ether].dst == mac_address):
# if (IP in packet): # ath - if IP doesn't exist, could it then be a tcp layer or not?
# if (packet[IP].proto == 6): # 6 means it's the TCP layer
# packets.append(packet)
def mac_addr(addr):
from dpkt.compat import compat_ord
return ":".join("%02x"%compat_ord(b) for b in addr)
def mac_to_str(mac):
return ':'.join('%02x' % compat_ord(b) for b in mac)
def mac_addr(
address
): #Refer to Reference #Used to convert binary to mac addresses
return ":".join("%02x" % compat_ord(b) for b in address)
