def parse(self, raw):
assert isinstance(raw, bytes)
self.next = None # In case of unfinished parsing
self.raw = raw
dlen = len(raw)
if dlen < ipv4.MIN_LEN:
self.msg('warning IP packet data too short to parse header: data len %u' % (dlen,))
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1fff
self.dstip = IPAddr(self.dstip)
self.srcip = IPAddr(self.srcip)
if self.v != ipv4.IPv4:
self.msg('(ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
length = self.iplen
if length > dlen:
length = dlen # Clamp to what we've got
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.IGMP_PROTOCOL:
self.next = igmp(raw=raw[self.hl*4:length], prev=self)
elif dlen < self.iplen:
self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen))
else:
self.next = raw[self.hl*4:length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[self.hl*4:length]
def parse(self, raw):
assert isinstance(raw, bytes)
self.raw = raw
dlen = len(raw)
if dlen < ipv4.MIN_LEN:
self.msg('warning IP packet data too short to parse header: data len %u' % (dlen,))
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1fff
if self.v != ipv4.IPv4:
self.msg('ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
self.dstip = IPAddr(self.dstip)
self.srcip = IPAddr(self.srcip)
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
length = self.iplen
if length > dlen:
length = dlen # Clamp to what we've got
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(raw=raw[self.hl*4:length], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(raw=raw[self.hl*4:length], prev=self)
elif dlen < self.iplen:
self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen))
else:
self.next = raw[self.hl*4:length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[self.hl*4:length]
def parse(self):
dlen = len(self.arr)
if dlen < ipv4.MIN_LEN:
self.msg(
'warning IP packet data too short to parse header: data len %u'
% dlen)
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', self.arr[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1f
if self.v != ipv4.IPv4:
self.msg('ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(arr=self.arr[self.hl * 4:], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(arr=self.arr[self.hl * 4:], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(arr=self.arr[self.hl * 4:], prev=self)
elif dlen < self.iplen:
self.msg(
'(ip parse) warning IP packet data shorter than IP len: %u < %u'
% (dlen, self.iplen))
else:
self.next = self.arr[self.hl * 4:].tostring()
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = self.arr[self.hl * 4:].tostring()
def parse(self):
dlen = len(self.arr)
if dlen < ipv4.MIN_LEN:
self.msg('warning IP packet data too short to parse header: data len %u' % dlen)
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', self.arr[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1f
if self.v != ipv4.IPv4:
self.msg('ip parse) warning IP version %u not IPv4' % self.v)
return
elif self.hl < 5:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
elif self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning invalid IP len %u' % self.iplen)
return
elif (self.hl * 4) >= self.iplen or (self.hl * 4) > dlen:
self.msg('(ip parse) warning IP header %u longer than len %u' \
% (self.hl, self.iplen))
return
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
if self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(arr=self.arr[self.hl*4:], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(arr=self.arr[self.hl*4:], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(arr=self.arr[self.hl*4:], prev=self)
elif dlen < self.iplen:
self.msg('(ip parse) warning IP packet data shorter than IP len: %u < %u' % (dlen, self.iplen))
else:
self.next = self.arr[self.hl*4:].tostring()
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = self.arr[self.hl*4:].tostring()
def tcp(self, packet, extractedAttIndex, printKey):
return tcp(self, packet, extractedAttIndex, printKey)
def parse(self, raw):
assert isinstance(raw, bytes)
self.next = None # In case of unfinished parsing
self.raw = raw
dlen = len(raw)
if dlen < ipv4.MIN_LEN:
self.msg(
'warning IP packet data too short to parse header: data len %u'
% (dlen, ))
return
(vhl, self.tos, self.iplen, self.id, self.frag, self.ttl,
self.protocol, self.csum, self.srcip, self.dstip) \
= struct.unpack('!BBHHHBBHII', raw[:ipv4.MIN_LEN])
self.v = vhl >> 4
self.hl = vhl & 0x0f
self.flags = self.frag >> 13
self.frag = self.frag & 0x1fff
self.dstip = IPAddr(self.dstip)
self.srcip = IPAddr(self.srcip)
if self.v != ipv4.IPv4:
self.msg('(ip parse) warning: IP version %u not IPv4' % self.v)
return
if self.hl < 5:
self.msg('(ip parse) warning: IP header length shorter than MIN_LEN (IHL=%u => header len=%u)' \
% (self.hl, 4 * self.hl))
return
if self.iplen < ipv4.MIN_LEN:
self.msg('(ip parse) warning: Invalid IP len %u' % self.iplen)
return
if (self.hl * 4) > self.iplen:
self.msg('(ip parse) warning: IP header longer than IP length including payload (%u vs %u)' \
% (self.hl, self.iplen))
return
if (self.hl * 4) > dlen:
self.msg('(ip parse) warning: IP header is truncated')
return
self.raw_options = raw[self.MIN_LEN:self.hl * 4]
# At this point, we are reasonably certain that we have an IP
# packet
self.parsed = True
length = self.iplen
if length > dlen:
length = dlen # Clamp to what we've got
if self.frag != 0:
# We can't parse payloads!
self.next = raw[self.hl * 4:length]
elif self.protocol == ipv4.UDP_PROTOCOL:
self.next = udp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.TCP_PROTOCOL:
self.next = tcp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.ICMP_PROTOCOL:
self.next = icmp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.IGMP_PROTOCOL:
self.next = igmp(raw=raw[self.hl * 4:length], prev=self)
elif self.protocol == ipv4.GRE_PROTOCOL:
self.next = gre(raw=raw[self.hl * 4:length], prev=self)
elif dlen < self.iplen:
self.msg(
'(ip parse) warning IP packet data shorter than IP len: %u < %u'
% (dlen, self.iplen))
else:
self.next = raw[self.hl * 4:length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[self.hl * 4:length]
def parse (self, raw, offset=0):
assert isinstance(raw, bytes)
self.next = None # In case of unfinished parsing
self.raw = raw
if len(raw) < self.MIN_LEN:
self.msg('warning IP packet data too short to parse header:'
' data len %u' % (len(raw),))
return
(vtcfl, self.payload_length, nht, self.hop_limit) \
= struct.unpack('!IHBB', raw[offset:offset+8])
self.srcip = IPAddr6(raw[offset+8:offset+24], raw=True)
self.dstip = IPAddr6(raw[offset+24:offset+40], raw=True)
self.next_header_type = nht
offset += 40
self.v = vtcfl >> 28
self.tc = (vtcfl >> 20) & 0xff
self.flow = vtcfl & 0xfffff
if self.v != 6:
self.msg('ip parse) warning IP version %u not IPv6' % self.v)
return
length = self.payload_length
if length > len(raw):
length = len(raw) # Clamp to what we've got
self.msg('(ipv6) warning IP packet data incomplete (%s of %s)'
% (len(raw), self.payload_length))
while nht != ipv6.NO_NEXT_HEADER:
c = _extension_headers.get(nht)
if c:
if length < 8:
self.msg('(ipv6) warning, packet data incomplete')
return
try:
offset,o = c.unpack_new(raw, offset, max_length = length)
length -= len(o)
except TruncatedException:
self.msg('(ipv6) warning, packet data truncated')
return
self.extension_headers.append(o)
nht = o.next_header_type
else:
break
self.parsed = True
#TODO: This should be done a better way (and shared with IPv4?).
if nht == self.UDP_PROTOCOL:
self.next = udp(raw=raw[offset:offset+length], prev=self)
elif nht == self.TCP_PROTOCOL:
self.next = tcp(raw=raw[offset:offset+length], prev=self)
elif nht == self.ICMP6_PROTOCOL:
self.next = icmpv6(raw=raw[offset:offset+length], prev=self)
# elif nht == self.IGMP_PROTOCOL:
# self.next = igmp(raw=raw[offset:offset+length], prev=self)
elif nht == self.NO_NEXT_HEADER:
self.next = None
else:
self.next = raw[offset:offset+length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[offset:offset+length]
def parse(self, raw, offset=0):
assert isinstance(raw, bytes)
self.next = None # In case of unfinished parsing
self.raw = raw
if len(raw) < self.MIN_LEN:
self.msg('warning IP packet data too short to parse header:'
' data len %u' % (len(raw), ))
return
(vtcfl, self.payload_length, nht, self.hop_limit) \
= struct.unpack('!IHBB', raw[offset:offset+8])
self.srcip = IPAddr6(raw[offset + 8:offset + 24], raw=True)
self.dstip = IPAddr6(raw[offset + 24:offset + 40], raw=True)
self.next_header_type = nht
offset += 40
self.v = vtcfl >> 28
self.tc = (vtcfl >> 20) & 0xff
self.flow = vtcfl & 0xfffff
if self.v != 6:
self.msg('ip parse) warning IP version %u not IPv6' % self.v)
return
length = self.payload_length
if length > len(raw):
length = len(raw) # Clamp to what we've got
self.msg('(ipv6) warning IP packet data incomplete (%s of %s)' %
(len(raw), self.payload_length))
while nht != ipv6.NO_NEXT_HEADER:
c = _extension_headers.get(nht)
if c:
if length < 8:
self.msg('(ipv6) warning, packet data incomplete')
return
try:
offset, o = c.unpack_new(raw, offset, max_length=length)
length -= len(o)
except TruncatedException:
self.msg('(ipv6) warning, packet data truncated')
return
self.extension_headers.append(o)
nht = o.next_header_type
else:
break
self.parsed = True
#TODO: This should be done a better way (and shared with IPv4?).
if nht == self.UDP_PROTOCOL:
self.next = udp(raw=raw[offset:offset + length], prev=self)
elif nht == self.TCP_PROTOCOL:
self.next = tcp(raw=raw[offset:offset + length], prev=self)
elif nht == self.ICMP6_PROTOCOL:
self.next = icmpv6(raw=raw[offset:offset + length], prev=self)
# elif nht == self.IGMP_PROTOCOL:
# self.next = igmp(raw=raw[offset:offset+length], prev=self)
elif nht == self.NO_NEXT_HEADER:
self.next = None
else:
self.next = raw[offset:offset + length]
if isinstance(self.next, packet_base) and not self.next.parsed:
self.next = raw[offset:offset + length]
s.bind((HOST, 0))
# Include IP headers
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
# receive all packages
s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
data = recieveData(s)
unpackedData = struct.unpack("!BBHHHBBH4s4s", data[:20])
protocol = unpackedData[6]
ipobj = ip()
udpobj = udp()
icmpobj = icmp()
tcpobj = tcp()
# part for tcp protocol
if (ipobj.getProtocol(protocol) == "Transmission Control Protocol"):
tcpobj.parseTCP(data)
payloadTCP = data[40:]
# check payload if there is malicious signature
appDetect.checkAppDetectTCP(str(payloadTCP))
#blackList.checkBlackListTCP(str(payloadTCP))
browserFirefox.checkbrowserFirefoxTCP(str(payloadTCP))
# part for udp protocol
if (ipobj.getProtocol(protocol) == "User Datagram Protocol"):
udpobj.parseUDP(data)
# part for ICMP protocol
