Пример #1
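def main():
    """Sniff UDP traffic and print a summary of every DNS query and response seen.

    Usage: ``-i INTERFACE`` captures live with pypcap, ``-f FILENAME`` replays
    a pcap file through dpkt.  Exits with status 2 on bad arguments.  The DNS
    payloads come straight off the wire, so a truncated or malformed packet is
    reported and skipped instead of being allowed to crash the monitor.
    """
    # This code allows this program to run equally well on my laptop and my desktop.  I did it this
    # way to demonstrate different interface names.  If I was really clever, I'd figure out how to do  this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface.
Use -f FILENAME to read a packet capture file"""
    if len(sys.argv) < 3:
        # Missing option or argument used to surface as an IndexError traceback.
        print usage
        sys.exit(2)
    if sys.argv[1] == "-i":
        pc = pcap.pcap(sys.argv[2])
    elif sys.argv[1] == "-f":
        # A pcap file is binary; text mode would corrupt it under MS-Windows.
        pc = dpkt.pcap.Reader(open(sys.argv[2], "rb"))
    else:
        print usage
        sys.exit(2)
    initialize_tables()

    def type_name(qtype):
        # Printable name for a query type, or a placeholder when
        # initialize_tables() has no entry for it (unknown types used to raise).
        try:
            return type_table[qtype]
        except (KeyError, IndexError):
            return "unknown type"

    for (src, sport, dst, dport, data) in udp_iterator(pc):
        # Uncomment if you want to see all UDP packets
        #        print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
        if dport != 53 and sport != 53:
            continue
        try:
            dns = dpkt.dns.DNS(data)
        except (dpkt.dpkt.UnpackError, IndexError) as err:
            # dpkt raises NeedData (an UnpackError) for a short packet and may
            # raise IndexError on a malformed name; neither should end the loop.
            print "Could not decode a DNS packet from port %d to port %d: %s" % (sport, dport, err)
            continue
        if dport == 53:
            # UDP/53 is a DNS query
            if dns.opcode != dpkt.dns.DNS_QUERY:
                print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode
            if dns.qr != dpkt.dns.DNS_Q:
                print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be.  It is %d" % dns.qr
            if dns.qd:
                question = dns.qd[0]
                print "query for ", question.name, "ID is ", dns.id, "dns.qr is ", dns.qr, "query type is ", question.type, type_name(question.type)
            else:
                # A query with an empty question section is malformed; dns.qd[0] would raise.
                print "query with no question section, ID is ", dns.id, "dns.qr is ", dns.qr
            print "dns.qd is ", dns.qd
        else:
            # sport == 53: UDP/53 is a DNS response
            print "responding to ", dns.id, "dns.qr is ", dns.qr
            if dns.qr != dpkt.dns.DNS_R:
                print "A DNS packet was received from a name server, but dns.qr is not 1 and should be.  It is %d" % dns.qr
            rcode = dns.get_rcode()
            if rcode == dpkt.dns.DNS_RCODE_NOERR:
                print "Response has no error"
            elif rcode == dpkt.dns.DNS_RCODE_NXDOMAIN:
                print "There is no name in this domain"
            else:
                print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % rcode
            print "The response packet has %d RRs" % len(dns.an)
            # Decode the RR records in the NS section
            for rr in dns.ns:
                decode_dns_response(rr, "NS")
            # Decode the answers in the DNS answer
            for rr in dns.an:
                decode_dns_response(rr, "AN")
            # Decode the additional responses
            for rr in dns.ar:
                decode_dns_response(rr, "AR")
            print "dns.qd is ", dns.qd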
Пример #2
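def main():
    """Sniff UDP traffic and print a summary of every DNS query and response seen.

    Usage: ``-i INTERFACE`` captures live with pypcap, ``-f FILENAME`` replays
    a pcap file through dpkt.  Exits with status 2 on bad arguments.  Packets
    are untrusted input: a truncated or malformed DNS payload is reported and
    skipped rather than allowed to take the monitor down with a traceback.
    """
    # This code allows this program to run equally well on my laptop and my desktop.  I did it this
    # way to demonstrate different interface names.  If I was really clever, I'd figure out how to do  this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface.
Use -f FILENAME to read a packet capture file"""
    if len(sys.argv) < 3:
        # Without this, a missing option or argument is an IndexError traceback.
        print usage
        sys.exit(2)
    if sys.argv[1] == "-i":
        pc = pcap.pcap(sys.argv[2])
    elif sys.argv[1] == "-f":
        # Open the capture in binary mode; text mode corrupts it under MS-Windows.
        pc = dpkt.pcap.Reader(open(sys.argv[2], "rb"))
    else:
        print usage
        sys.exit(2)
    initialize_tables()

    def type_name(qtype):
        # Name for a query type; unknown types no longer raise out of the loop.
        try:
            return type_table[qtype]
        except (KeyError, IndexError):
            return "unknown type"

    for (src, sport, dst, dport, data) in udp_iterator(pc):
        # Uncomment if you want to see all UDP packets
        #        print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
        if dport != 53 and sport != 53:
            continue
        try:
            dns = dpkt.dns.DNS(data)
        except (dpkt.dpkt.UnpackError, IndexError) as err:
            # NeedData (a subclass of UnpackError) means a short packet; a bad
            # name may raise IndexError.  Report and move on to the next packet.
            print "Could not decode a DNS packet from port %d to port %d: %s" % (sport, dport, err)
            continue
        if dport == 53:
            # UDP/53 is a DNS query
            if dns.opcode != dpkt.dns.DNS_QUERY:
                print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode
            if dns.qr != dpkt.dns.DNS_Q:
                print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be.  It is %d" % dns.qr
            if dns.qd:
                question = dns.qd[0]
                print "query for ", question.name, "ID is ", dns.id, "dns.qr is ", dns.qr, "query type is ", question.type, type_name(question.type)
            else:
                # Empty question section: dns.qd[0] would raise IndexError.
                print "query with no question section, ID is ", dns.id, "dns.qr is ", dns.qr
            print "dns.qd is ", dns.qd
        else:
            # sport == 53: UDP/53 is a DNS response
            print "responding to ", dns.id, "dns.qr is ", dns.qr
            if dns.qr != dpkt.dns.DNS_R:
                print "A DNS packet was received from a name server, but dns.qr is not 1 and should be.  It is %d" % dns.qr
            rcode = dns.get_rcode()
            if rcode == dpkt.dns.DNS_RCODE_NOERR:
                print "Response has no error"
            elif rcode == dpkt.dns.DNS_RCODE_NXDOMAIN:
                print "There is no name in this domain"
            else:
                print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % rcode
            print "The response packet has %d RRs" % len(dns.an)
            # Decode the RR records in the NS section
            for rr in dns.ns:
                decode_dns_response(rr, "NS")
            # Decode the answers in the DNS answer
            for rr in dns.an:
                decode_dns_response(rr, "AN")
            # Decode the additional responses
            for rr in dns.ar:
                decode_dns_response(rr, "AR")
            print "dns.qd is ", dns.qd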
Пример #3
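def main():
    """Sniff mDNS traffic (UDP/5353 or the 224.0.0.251 group) and print each packet.

    Usage: ``-i INTERFACE`` captures live with pypcap, ``-f FILENAME`` replays
    a pcap file through dpkt.  Exits with status 2 on bad arguments.  Every
    selected packet is decoded as DNS; queries list their question section and
    responses have their NS/AN/AR records decoded.  Malformed payloads are
    reported and skipped instead of crashing the capture loop.
    """
    # This code allows this program to run equally well on my laptop and my desktop.  I did it this
    # way to demonstrate different interface names.  If I was really clever, I'd figure out how to do  this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface.
Use -f FILENAME to read a packet capture file"""
    if len(sys.argv) < 3:
        # Missing option or argument used to surface as an IndexError traceback.
        print usage
        sys.exit(2)
    if sys.argv[1] == "-i":
        pc = pcap.pcap(sys.argv[2])
    elif sys.argv[1] == "-f":
        # A pcap file is binary; text mode would corrupt it under MS-Windows.
        pc = dpkt.pcap.Reader(open(sys.argv[2], "rb"))
    else:
        print usage
        sys.exit(2)
    initialize_tables()
    mdns_ip = socket.inet_aton('224.0.0.251')

    def type_name(qtype):
        # Name for a query type, or a placeholder when initialize_tables()
        # has no entry for it (an unknown type used to raise out of the loop).
        try:
            return type_table[qtype]
        except (KeyError, IndexError):
            return "unknown type"

    for (src, sport, dst, dport, data) in udp_iterator(pc):
        # Uncomment if you want to see all UDP packets
        #print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
        # Keep anything on the mDNS port or addressed to/from the mDNS group.
        # The former `assert dport == 5353 or sport == 5353` could fire for a
        # packet sent to 224.0.0.251 on another port (and asserts vanish under
        # -O); such a packet is now decoded like any other and rejected below
        # if its payload is not DNS.
        if not (dport == 5353 or sport == 5353 or src == mdns_ip or dst == mdns_ip):
            continue
        print '\n', datetime.datetime.now(), socket.inet_ntoa(src), ":", sport, " to ", socket.inet_ntoa(dst), ":", dport
        try:
            dns = dpkt.dns.DNS(data)
        except (dpkt.dpkt.UnpackError, IndexError) as err:
            # NeedData (a subclass of UnpackError) means a short packet; a bad
            # name may raise IndexError.  Report and continue with the next one.
            print "Could not decode this packet as DNS:", err
            continue
        print_hdr(dns)
        if dns.qr == 0:
            # UDP/53 is a DNS query
            if dns.opcode != dpkt.dns.DNS_QUERY:
                print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode, 'dns.id is', dns.id
            if dns.qr != dpkt.dns.DNS_Q:
                print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be.  It is %d" % dns.qr
            if dns.qd:
                for question in dns.qd:
                    print "query for ", question.name, "query type is ", question.type, type_name(question.type)
            else:
                print "query for ", '????'
        if dns.qr == 1 or dns.an:
            # UDP/53 is a DNS response
            if dns.qr != dpkt.dns.DNS_R:  # this is not an error, a query packet may contain answers
                print "A DNS packet was received from a name server, but dns.qr is not 1 and should be.  It is %d" % dns.qr
            if dns.rcode == dpkt.dns.DNS_RCODE_NOERR:
                pass  #print "no error",
            elif dns.rcode == dpkt.dns.DNS_RCODE_NXDOMAIN:
                print "There is no name in this domain"
            else:
                print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % dns.rcode
            # Decode the RR records in the NS section
            for rr in dns.ns:
                decode_dns_response(rr, "NS")
            # Decode the answers in the DNS answer
            for rr in dns.an:
                decode_dns_response(rr, "AN")
            # Decode the additional responses
            for rr in dns.ar:
                decode_dns_response(rr, "AR")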
Пример #4
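def main():
    """Sniff mDNS traffic (UDP/5353 or the 224.0.0.251 group) and print each packet.

    Usage: ``-i INTERFACE`` captures live with pypcap, ``-f FILENAME`` replays
    a pcap file through dpkt.  Exits with status 2 on bad arguments.  Queries
    list their question section; responses have their NS/AN/AR records
    decoded.  A malformed payload is reported and skipped, never allowed to
    end the capture with a traceback.
    """
    # This code allows this program to run equally well on my laptop and my desktop.  I did it this
    # way to demonstrate different interface names.  If I was really clever, I'd figure out how to do  this
    # under MS-Windows
    usage = """Use -i INTERFACE to [packet capture from an interface.
Use -f FILENAME to read a packet capture file"""
    if len(sys.argv) < 3:
        # Without this, a missing option or argument is an IndexError traceback.
        print usage
        sys.exit(2)
    if sys.argv[1] == "-i":
        pc = pcap.pcap(sys.argv[2])
    elif sys.argv[1] == "-f":
        # Open the capture in binary mode; text mode corrupts it under MS-Windows.
        pc = dpkt.pcap.Reader(open(sys.argv[2], "rb"))
    else:
        print usage
        sys.exit(2)
    initialize_tables()
    mdns_ip = socket.inet_aton('224.0.0.251')

    def type_name(qtype):
        # Name for a query type; a type missing from type_table no longer raises.
        try:
            return type_table[qtype]
        except (KeyError, IndexError):
            return "unknown type"

    for (src, sport, dst, dport, data) in udp_iterator(pc):
        # Uncomment if you want to see all UDP packets
        #print "from ", socket.inet_ntoa(src),":",sport, " to ", socket.inet_ntoa(dst),":",dport
        # Select packets on the mDNS port or to/from the mDNS group.  The old
        # `assert dport == 5353 or sport == 5353` was not implied by this filter
        # (a packet to 224.0.0.251 on another port passed it) and asserts are
        # stripped under -O, so the check is gone: a non-DNS payload is caught
        # by the decode guard below instead.
        is_mdns = dport == 5353 or sport == 5353 or src == mdns_ip or dst == mdns_ip
        if not is_mdns:
            continue
        print '\n', datetime.datetime.now(), socket.inet_ntoa(src), ":", sport, " to ", socket.inet_ntoa(dst), ":", dport
        try:
            dns = dpkt.dns.DNS(data)
        except (dpkt.dpkt.UnpackError, IndexError) as err:
            # NeedData (a subclass of UnpackError) means a short packet; a bad
            # name may raise IndexError.  Report and continue with the next one.
            print "Could not decode this packet as DNS:", err
            continue
        print_hdr(dns)
        if dns.qr == 0:
            # UDP/53 is a DNS query
            if dns.opcode != dpkt.dns.DNS_QUERY:
                print "A DNS packet was sent to the nameserver, but the opcode was %d instead of DNS_QUERY (this is a software error)" % dns.opcode, 'dns.id is', dns.id
            if dns.qr != dpkt.dns.DNS_Q:
                print "A DNS packet was sent to the name server, but dns.qr is not 0 and should be.  It is %d" % dns.qr
            if dns.qd:
                for question in dns.qd:
                    print "query for ", question.name, "query type is ", question.type, type_name(question.type)
            else:
                print "query for ", '????'
        if dns.qr == 1 or dns.an:
            # UDP/53 is a DNS response
            if dns.qr != dpkt.dns.DNS_R:  # this is not an error, a query packet may contain answers
                print "A DNS packet was received from a name server, but dns.qr is not 1 and should be.  It is %d" % dns.qr
            if dns.rcode == dpkt.dns.DNS_RCODE_NOERR:
                pass  #print "no error",
            elif dns.rcode == dpkt.dns.DNS_RCODE_NXDOMAIN:
                print "There is no name in this domain"
            else:
                print "Response is something other than NOERR or NXDOMAIN %d - this software is incomplete" % dns.rcode
            # Decode the RR records in the NS section
            for rr in dns.ns:
                decode_dns_response(rr, "NS")
            # Decode the answers in the DNS answer
            for rr in dns.an:
                decode_dns_response(rr, "AN")
            # Decode the additional responses
            for rr in dns.ar:
                decode_dns_response(rr, "AR")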
Пример #5
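def processa(src, dst, sport, dport, data, timestamp):
    """Classify one UDP/DNS packet and append it to the query/response/alarm logs.

    ``src``/``dst`` are packed IPv4 addresses (the same binary form held in
    ``dns_blacklist`` / ``dns_whitelist``), ``data`` the raw UDP payload and
    ``timestamp`` the capture time in seconds.  A query to a blacklisted
    resolver, or a NOERR answer from one, is written to ``output_ALARM``; for
    queries, ``crea_risposta`` 1 / 2 additionally sends a decoy / NXDOMAIN
    reply.  Other queries go to ``output_Q`` unless the resolver is
    whitelisted; NOERR / NXDOMAIN answers go to ``output_R_ok`` /
    ``output_R_no`` unless the name matches ``regexp``.  Malformed packets are
    printed and dropped; a NeedData raised while handling one bumps the global
    ``errati`` counter.
    """
    global errati

    try:
        sorgente = socket.inet_ntoa(src)
        destinazione = socket.inet_ntoa(dst)
        # Round to nanoseconds before converting so the logged time does not
        # depend on how the capture library formatted its float.
        timestamp = "{:.9f}".format(timestamp)
        timestamp = str(datetime.fromtimestamp(float(timestamp)))

        try:
            dns = dpkt.dns.DNS(data)
        except (IndexError, dpkt.dpkt.UnpackError) as x:
            # Truncated or malformed payload: report it and drop the packet.
            print x
            return

        if not dns.qd:
            # Every branch below reads dns.qd[0]; without this guard a packet
            # with no question section raises IndexError out of processa().
            print "DNS packet %d has no question section, skipped" % dns.id
            return
        sito = dns.qd[0].name

        if dns.qr == dpkt.dns.DNS_Q:  # dport == 53 :
            # UDP/53 is a DNS query (richiesta)
            if dst in dns_blacklist:
                # Alarm: a query to a resolver that is not allowed.  Addresses
                # are compared in packed binary form, which is very fast.
                if crea_risposta == 1:
                    manda_risposta_fantoccio(dns, sorgente, destinazione, sport, dport)
                if crea_risposta == 2:
                    manda_risposta_NXD(dns, sorgente, destinazione, sport, dport)
                # Remember that in the reply src becomes the recipient and dst the sender.
                line = timestamp + ", " + sorgente + ", " + destinazione + "," + sito + ", DomandaADnsNonLecito"
                scrivi(line, output_ALARM)

            if dst not in dns_whitelist:
                line = timestamp + ", " + sorgente + ", " + destinazione + ", " + sito
                scrivi(line, output_Q)

        if dns.qr == dpkt.dns.DNS_R:
            # UDP/53 is a DNS response
            rcode = dns.get_rcode()
            if rcode in (dpkt.dns.DNS_RCODE_NOERR, dpkt.dns.DNS_RCODE_NXDOMAIN):
                line = timestamp + ", " + destinazione + ", " + sorgente + ", " + str(sito)
                # NOTE(review): if regexp is a compiled pattern, the second
                # positional argument of .match() is `pos`, not a flag
                # (re.IGNORECASE == 2), so the match starts at the third character
                # of the name.  Compile with re.IGNORECASE and call
                # regexp.match(sito) instead -- confirm how regexp is built first.
                result = regexp.match(sito, re.IGNORECASE)
                if rcode == dpkt.dns.DNS_RCODE_NOERR:
                    if src in dns_blacklist:
                        # Alarm: an answer from a resolver that is not allowed.
                        allarme = timestamp + ", " + destinazione + ", " + sorgente + "," + sito + ", RispostaDaDnsNonLecito"
                        scrivi(allarme, output_ALARM)
                    if result is None:
                        # Log only the legitimate names that are NOT part of unimore.
                        scrivi(line, output_R_ok)
                elif result is None:
                    # NXDOMAIN: log only the failed lookups that are NOT university names.
                    scrivi(line, output_R_no)

    except dpkt.dpkt.NeedData:
        # The original `except NeedData, KeyboardInterrupt:` is Python 2 for
        # `except NeedData as KeyboardInterrupt`: Ctrl-C was never caught here,
        # only the builtin name was shadowed.  Catching NeedData alone keeps the
        # runtime behaviour and lets KeyboardInterrupt propagate as before.
        errati = errati + 1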