Exemplo n.º 1
0
 def decodeLayer4(self, ipProtocolNum, l3Payload):
     if ipProtocolNum == Packets.UDP.protocol:
         l4Proto = "UDP"
         l4Decoder = Decoders.UDPDecoder()
         layer4 = l4Decoder.decode(l3Payload)
         l4SrcPort = layer4.get_uh_sport()
         l4DstPort = layer4.get_uh_dport()
         l4Payload = layer4.get_data_as_string()
         return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
     elif ipProtocolNum == Packets.TCP.protocol:
         l4Proto = "TCP"
         l4Decoder = Decoders.TCPDecoder()
         layer4 = l4Decoder.decode(l3Payload)
         l4SrcPort = layer4.get_th_sport()
         l4DstPort = layer4.get_th_dport()
         l4Payload = layer4.get_data_as_string()
         return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
     else:
         warnMessage = _(
             "Cannot import one of the provided packets since " +
             "its layer 4 is unsupported (Only UDP and TCP " +
             "are currently supported, packet IP protocol " +
             "number = {0})").format(ipProtocolNum)
         self.log.warn(warnMessage)
         raise NetzobImportException("PCAP", warnMessage, WARNING,
                                     self.INVALID_LAYER4)
Exemplo n.º 2
0
    def __decodeLayer4(self, ipProtocolNum, l3Payload):
        """Internal method that parses the specified header and extracts
        layer4 related proprieties."""

        if ipProtocolNum == Packets.UDP.protocol:
            l4Proto = "UDP"
            l4Decoder = Decoders.UDPDecoder()
            layer4 = l4Decoder.decode(l3Payload)
            l4SrcPort = layer4.get_uh_sport()
            l4DstPort = layer4.get_uh_dport()
            l4Payload = layer4.get_data_as_string()
            return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
        elif ipProtocolNum == Packets.TCP.protocol:
            l4Proto = "TCP"
            l4Decoder = Decoders.TCPDecoder()
            layer4 = l4Decoder.decode(l3Payload)
            l4SrcPort = layer4.get_th_sport()
            l4DstPort = layer4.get_th_dport()
            l4Payload = layer4.get_data_as_string()
            return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
        else:
            warnMessage = _(
                "Cannot import one of the provided packets since " +
                "its layer 4 is unsupported (Only UDP and TCP " +
                "are currently supported, packet IP protocol " +
                "number = {0})").format(ipProtocolNum)
            self._logger.warn(warnMessage)
            raise NetzobImportException("PCAP", warnMessage,
                                        self.INVALID_LAYER4)
Exemplo n.º 3
0
 def decodeLayer4(self, ipProtocolNum, l3Payload):
         if ipProtocolNum == Packets.UDP.protocol:
             l4Proto = "UDP"
             l4Decoder = Decoders.UDPDecoder()
             layer4 = l4Decoder.decode(l3Payload)
             l4SrcPort = layer4.get_uh_sport()
             l4DstPort = layer4.get_uh_dport()
             l4Payload = layer4.get_data_as_string()
             return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
         elif ipProtocolNum == Packets.TCP.protocol:
             l4Proto = "TCP"
             l4Decoder = Decoders.TCPDecoder()
             layer4 = l4Decoder.decode(l3Payload)
             l4SrcPort = layer4.get_th_sport()
             l4DstPort = layer4.get_th_dport()
             l4Payload = layer4.get_data_as_string()
             return (l4Proto, l4SrcPort, l4DstPort, l4Payload)
         else:
             warnMessage = "Cannot import one of the provided packets since its layer 4 is unsupported (Only UDP and TCP are currently supported, packet IP protocol number = {0})".format(ipProtocolNum)
             logging.warn(warnMessage)
Exemplo n.º 4
0
def get_linux_packets(pcap_file):
    '''
    This program pairs UDP probes and ICMP error packets.
    Furthermore it records all unique protocols seen.
    It also collects fragmets of ip datagrams, if there are any.

    '''
    print("get_linux_packets")
    cap = open_offline(pcap_file)
    header, payload = cap.next()
    udp = 17
    icmp = 1
    icmp_echo = 8
    icmp_error = 11
    dns = 53
    stp = 123
    icmp_pairs = {}
    packets = []
    protocls = []
    i = 0
    j = 0
    k = 0
    num_icmp = 0
    banana = 0
    icmp_keys = []
    udp_keys = []
    pairs = []
    original_src = 0
    original_dst = 0
    fragments = {}
    while header:
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(payload)

        if not is_ip(ether):
            header, payload = cap.next()
            continue

        iphdr = ether.child()
        proto = iphdr.get_ip_p()
        if proto not in protocls:
            protocls.append(proto)
        if proto != icmp and proto != udp:
            header, payload = cap.next()
            continue

        if proto == udp:
            udp_pkt = iphdr.child()
            src_p = udp_pkt.get_uh_sport()
            dst_p = udp_pkt.get_uh_dport()

            if (src_p == dns or dst_p == dns) or (src_p == stp
                                                  or dst_p == stp):
                header, payload = cap.next()
                continue

            if iphdr.get_ip_ttl() == 1:
                original_src = iphdr.get_ip_src()
                original_dst = iphdr.get_ip_dst()

            key = str(src_p) + str(dst_p)
            udp_keys.append(key)

            if key not in icmp_pairs:
                icmp_pairs[key] = u_pckt(header, udp_pkt, iphdr,
                                         header.getts())

            j += 1

        if proto == icmp:
            num_icmp += 1
            icmp_pckt = iphdr.child()
            if icmp_pckt.get_icmp_type(
            ) == icmp_error or 3:  # and banana == 0:
                banana += 1
                ether_off = ether.get_header_size()
                ip_off = iphdr.get_header_size()
                ic_off = icmp_pckt.get_header_size()
                total_off = ether_off + ip_off + ic_off

                uh_decoder = ImpactDecoder.UDPDecoder()
                original_udp = uh_decoder.decode(payload[total_off + 20:])
                key = str(original_udp.get_uh_sport()) + str(
                    original_udp.get_uh_dport())
                icmp_keys.append(key)

                if key in icmp_pairs:
                    pair1 = icmp_pairs.pop(key)
                    pairs.append((pair1,
                                  ic_pckt(header, icmp_pckt, iphdr,
                                          header.getts())))

        fragment_offset = iphdr.get_ip_off() << 3
        if iphdr.get_ip_src() == original_src and iphdr.get_ip_dst(
        ) == original_dst:
            if not iphdr.get_ip_df() and (iphdr.get_ip_mf() == 1
                                          or fragment_offset > 0):
                if iphdr.get_ip_id() not in fragments:
                    fragments[iphdr.get_ip_id()] = []  #1
                    fragments[iphdr.get_ip_id()].append(iphdr)
                else:
                    fragments[iphdr.get_ip_id()].append(iphdr)  #+= 1
            else:
                if iphdr.get_ip_id() in fragments:
                    fragments[iphdr.get_ip_id()].append(iphdr)  #+= 1

        header, payload = cap.next()

    probe_packets = []
    keys_in_pp = []

    for pair in pairs:
        if (pair[0].ip_header.get_ip_src() == original_src
                or pair[0].ip_header.get_ip_dst() == original_dst):
            probe_packets.append(pair[0])
            keys_in_pp.append(pair[0].ip_header.get_ip_id())

    for key in icmp_pairs:
        if (icmp_pairs[key].ip_header.get_ip_src() == original_src or icmp_pairs[key].ip_header.get_ip_dst()==original_dst) and \
            icmp_pairs[key].ip_header.get_ip_id() not in keys_in_pp:
            probe_packets.append(icmp_pairs[key])

    probe_packets.sort(key=lambda x: x.get_ts())
    pairs.sort(key=lambda x: x[0].ip_header.get_ip_ttl())

    return pairs, protocls, fragments, probe_packets