def __init__(self,
promisc=True,
buffer_size=None,
read_timeout=100,
show_packets=False):
self._pcap_t = None
self._packets = None
assert promisc in (True, False), "promisc must be either True or False"
self._promisc = promisc
self._buffer_size = buffer_size
self._read_timeout = read_timeout
assert show_packets in (
True, False), "show_packets must be either True or False"
self._show_packets = show_packets
self._pcap_lock = threading.Lock()
try:
from impacket.ImpactDecoder import LinuxSLLDecoder
self._decoder = LinuxSLLDecoder()
except ImportError:
self._decoder = None
def __init__(self, pcapObj):
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Tipo de datalink não suportado: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def __init__(self, cap_stream):
multiprocessing.Process.__init__(self)
self.cap_stream = cap_stream
self.datalink = cap_stream.datalink()
if pcapy.DLT_EN10MB == self.datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == self.datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % self.datalink)
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = {}
def __init__(self, pcapObj=None, Interface=None):
datalink = pcapObj.datalink()
self.Interface = Interface
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Unsupported datalink type: " % datalink)
self.pcap = pcapObj
self.buffer_traffic = []
Thread.__init__(self)
def __init__(self, pcapy_object): """ PacketLoop(Thread) Class Constructor """ datalink = pcapy_object.datalink() if pcapy.DLT_EN10MB == datalink: self.decoder = EthDecoder() elif pcapy.DLT_LINUX_SLL == datalink: self.decoder = LinuxSLLDecoder() else: print "Datalink type not supported: " % datalink exit() self.pcap = pcapy_object Thread.__init__(self) self.stop = False
def __init__(self, pcapReader, dstIp, dstPort):
self.socket_ = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.dest = (dstIp, dstPort)
# Query datalink type and instantiate the corresponding decoder
datalink = pcapReader.datalink()
if datalink == pcapy.DLT_EN10MB:
self.decoder = EthDecoder()
elif datalink == pcapy.DLT_LINUX_SLL:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported");
self.pcapReader = pcapReader
self.counter = 0
def __init__(self, pcapObj,subnet,arptable):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.subnet = subnet
self.arptable = arptable
Thread.__init__(self)
def __init__(self, pcapObj):
""" Query the type of the link and instantiate a decoder accordingly. """
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.buffer = [] # init internal buffer
self.quit = False # quit thread?
Thread.__init__(self)
def __init__(self, pcapObj, server_ports, ws_path, soap_request_handler,
server):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception('Datalink type not supported: %s' % (datalink, ))
self.pcap = pcapObj
self.server_ports = set(server_ports)
self.ws_path = ws_path
self.server = server
self.soap_request_handler = soap_request_handler
self.valid_http_methods = set(['GET', 'POST'])
self._shortest_method_name = min(
[len(x) for x in self.valid_http_methods])
self._longest_method_name = max(
[len(x) for x in self.valid_http_methods])
Thread.__init__(self)
self.packet_counter = 0
self.connections = ConnectionManager()
self.http_request_counter = Counter()
self.soap_call_counter = Counter()
self.server_conn = None
self._needs_server_update = False
self._last_server_update = 0
class OSCServer(Thread):
def __init__(self, callback, dev='any', port=3333, ignoreIp=None):
Thread.__init__(self)
DEV = dev # interface to listen on
MAX_LEN = 1514 # max size of packet to capture
PROMISCUOUS = 1 # promiscuous mode?
READ_TIMEOUT = 100 # in milliseconds
self.MAX_PKTS = -1 # number of packets to capture; -1 => no limit
self.p = open_live(DEV, MAX_LEN, PROMISCUOUS, READ_TIMEOUT)
myfilter = 'udp and port ' + str(port)
if ignoreIp:
myfilter += ' and not dst host ' + ignoreIp
self.p.setfilter(myfilter)
self.callback = callback
self.packets = 0
datalink = self.p.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
def ph(self, hdr, data):
p = self.decoder.decode(data)
ip = p.child()
udp = ip.child()
self.packets += 1
self.callback(udp.get_data_as_string())
def run(self):
self.p.loop(self.MAX_PKTS, self.ph)
class DecoderThread(Thread):
"""
Main decoder/network sniffer class (running in separate thread).
"""
def __init__(self, pcapObj):
""" Query the type of the link and instantiate a decoder accordingly. """
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
""" Sniff ad infinitum.
PacketHandler shall be invoked by pcap for every packet. """
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
""" Use the ImpactDecoder to turn the rawpacket into a hierarchy
of ImpactPacket instances.
Display the packet in human-readable form.
http://d.hatena.ne.jp/shoe16i/mobile?date=20090203§ion=p1 """
decoded_data = self.decoder.decode(data)
tcp = decoded_data.child().child()
data = tcp.get_packet()
decoded_data = data
for item in regex_links.finditer(str(decoded_data)):
if not item: continue
pos = item.start()
print item.groups()[0], "\n"
class OSCServer(Thread) :
def __init__(self, callback, dev='any', port = 3333, ignoreIp = None) :
Thread.__init__(self)
DEV = dev # interface to listen on
MAX_LEN = 1514 # max size of packet to capture
PROMISCUOUS = 1 # promiscuous mode?
READ_TIMEOUT = 100 # in milliseconds
self.MAX_PKTS = -1 # number of packets to capture; -1 => no limit
self.p = open_live(DEV, MAX_LEN, PROMISCUOUS, READ_TIMEOUT)
myfilter = 'udp and port '+str(port)
if ignoreIp:
myfilter+=' and not dst host '+ignoreIp
self.p.setfilter(myfilter)
self.callback = callback
self.packets = 0
datalink = self.p.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
def ph(self,hdr, data):
p = self.decoder.decode(data)
ip = p.child()
udp = ip.child()
self.packets+=1
self.callback( udp.get_data_as_string())
def run(self) :
self.p.loop(self.MAX_PKTS,self.ph)
class UdpSender:
def __init__(self, pcapReader, dstIp, dstPort):
self.socket_ = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.dest = (dstIp, dstPort)
# Query datalink type and instantiate the corresponding decoder
datalink = pcapReader.datalink()
if datalink == pcapy.DLT_EN10MB:
self.decoder = EthDecoder()
elif datalink == pcapy.DLT_LINUX_SLL:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported");
self.pcapReader = pcapReader
self.counter = 0
def run(self):
# Sniff ad infinitum
# Packet handler will be invoked by pcap for every packet
self.pcapReader.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the raw packet into a hierarchy of
# ImpactPacket instances
# Display the packet en human-readable form
dl_header = self.decoder.decode(data)
ip_header = dl_header.child()
self.counter += 1
data_to_send = ip_header.get_packet()
self.socket_.sendto(data_to_send, self.dest)
print "Transfered packet No. %d" % self.counter
class Decoder:
def __init__(self, pcapObj, folder):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = {}
folder = folder
def start(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
try:
p = self.decoder.decode(data)
ip = p.child()
protocol = ip.get_ip_p()
# Build a distinctive key for this pair of peers.
if protocol == 6:
tcp = ip.child()
proto = 'TCP'
src = (ip.get_ip_src(), tcp.get_th_sport())
dst = (ip.get_ip_dst(), tcp.get_th_dport())
con = Connection(proto, src, dst)
elif protocol == 17:
udp = ip.child()
proto = 'UDP'
src = (ip.get_ip_src(), udp.get_uh_sport())
dst = (ip.get_ip_dst(), udp.get_uh_dport())
con = Connection(proto, src, dst)
# If there isn't an entry associated yetwith this connection,
# open a new pcapdumper and create an association.
if not self.connections.has_key(con):
fn = con.getFilename()
fn = '%s/%s' % (folder, fn)
# print "Found a new connection, storing into:", fn
if fn not in files:
files.append(fn)
try:
dumper = self.pcap.dump_open(fn)
except pcapy.PcapError, e:
print "Can't write packet to:", fn
return
self.connections[con] = dumper
# Write the packet to the corresponding file.
self.connections[con].dump(hdr, data)
except Exception as e:
print str(e)
pass
class DecoderThread(Thread):
"""A thread to sniff packets on my machine,
read the SYN number and send it to the peer"""
def __init__(self, pcapObj, udp_obj):
self.udp_obj = udp_obj
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(1, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
# Display the packet in human-readable form.
try:
packet = self.decoder.decode(data)
#print 'Try to send SYN...'
syn = packet.child().child().get_th_seq()
self.udp_obj.send_SYN_to_ConnectionBroker(syn)
except:
print "Unexpected error:", sys.exc_info()[0], sys.exc_info()[1]
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
self.proto_id = None
self.src_ip = None
self.tgt_ip = None
self.src_port = None
self.tgt_port = None
self.msgs = [] # error msgs
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = []
class Decoder:
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = {}
def start(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
try:
p = self.decoder.decode(data)
ip = p.child()
protocol = ip.get_ip_p()
# Build a distinctive key for this pair of peers.
if protocol == 6:
tcp = ip.child()
proto = 'TCP'
src = (ip.get_ip_src(), tcp.get_th_sport())
dst = (ip.get_ip_dst(), tcp.get_th_dport())
con = Connection(proto, src, dst)
elif protocol == 17:
udp = ip.child()
proto = 'UDP'
src = (ip.get_ip_src(), udp.get_uh_sport())
dst = (ip.get_ip_dst(), udp.get_uh_dport())
con = Connection(proto, src, dst)
# If there isn't an entry associated yetwith this connection,
# open a new pcapdumper and create an association.
if not self.connections.has_key(con):
fn = con.getFilename()
print "Found a new connection, storing into:", fn
try:
dumper = self.pcap.dump_open(fn)
except pcapy.PcapError, e:
print "Can't write packet to:", fn
return
self.connections[con] = dumper
# Write the packet to the corresponding file.
self.connections[con].dump(hdr, data)
except Exception as e:
print str(e)
pass
def __init__(self, bridge, subnet, arptable):
# Open interface for capturing.
self.pcap = open_live(bridge.bridgename, 65536, 1, 100)
# Query the type of the link and instantiate a decoder accordingly.
datalink = self.pcap.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.bridge = bridge
self.subnet = subnet
self.arptable = arptable
self.protocols = args.discovery_protos or self.protocols
Thread.__init__(self)
def __init__(self, bridge, subnet, arptable):
# Open interface for capturing.
self.pcap = open_live(bridge.bridgename, 65536, 1, 100)
# Query the type of the link and instantiate a decoder accordingly.
datalink = self.pcap.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.bridge = bridge
self.subnet = subnet
self.arptable = arptable
self.protocols = args.discovery_protos or self.protocols
Thread.__init__(self)
def __init__(self, pcapObj):
self.searchTerm = 'commands'
self.hostDict = {}
self.flowDict = {}
self.arbitraryChunkedLength = 30000 # as length of chunked tranfers can not be measured, we will provide an artibrary length for now
# OSC functionality (multicasting for now)
sendAddress = '127.0.0.1', 57120
self.oscClient=OSCClient()
self.oscClient.connect(sendAddress)
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
class Decoder:
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = {}
def start(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
"""Handles an incoming pcap packet. This method only knows how
to recognize TCP/IP connections.
Be sure that only TCP packets are passed onto this handler (or
fix the code to ignore the others).
Setting r"ip proto \tcp" as part of the pcap filter expression
suffices, and there shouldn't be any problem combining that with
other expressions.
"""
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
p = self.decoder.decode(data)
ip = p.child()
tcp = ip.child()
# Build a distinctive key for this pair of peers.
src = (ip.get_ip_src(), tcp.get_th_sport() )
dst = (ip.get_ip_dst(), tcp.get_th_dport() )
con = Connection(src,dst)
# If there isn't an entry associated yetwith this connection,
# open a new pcapdumper and create an association.
if not self.connections.has_key(con):
fn = con.getFilename()
print "Found a new connection, storing into:", fn
try:
dumper = self.pcap.dump_open(fn)
except pcapy.PcapError, e:
print "Can't write packet to:", fn
return
self.connections[con] = dumper
# Write the packet to the corresponding file.
self.connections[con].dump(hdr, data)
class Decoder:
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = {}
def start(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
"""Handles an incoming pcap packet. This method only knows how
to recognize TCP/IP connections.
Be sure that only TCP packets are passed onto this handler (or
fix the code to ignore the others).
Setting r"ip proto \tcp" as part of the pcap filter expression
suffices, and there shouldn't be any problem combining that with
other expressions.
"""
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
p = self.decoder.decode(data)
ip = p.child()
tcp = ip.child()
# Build a distinctive key for this pair of peers.
src = (ip.get_ip_src(), tcp.get_th_sport())
dst = (ip.get_ip_dst(), tcp.get_th_dport())
con = Connection(src, dst)
# If there isn't an entry associated yetwith this connection,
# open a new pcapdumper and create an association.
if not self.connections.has_key(con):
fn = con.getFilename()
print "Found a new connection, storing into:", fn
try:
dumper = self.pcap.dump_open(fn)
except pcapy.PcapError, e:
print "Can't write packet to:", fn
return
self.connections[con] = dumper
# Write the packet to the corresponding file.
self.connections[con].dump(hdr, data)
def __init__(self, pcapObj, filename=None):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = {}
# added by yair
self.packet_count = 0
self.packet_list = []
self.filename = filename
self.dir = None
# a dictionary containing all TCP streams
self.streams = {}
class Decoder:
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
self.proto_id = None
self.src_ip = None
self.tgt_ip = None
self.src_port = None
self.tgt_port = None
self.msgs = [] # error msgs
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = []
def start(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
"""Handles an incoming pcap packet. This method only knows how
to recognize TCP/IP connections.
Be sure that only TCP packets are passed onto this handler (or
fix the code to ignore the others).
Setting r"ip proto \tcp" as part of the pcap filter expression
suffices, and there shouldn't be any problem combining that with
other expressions.
"""
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
try:
p = self.decoder.decode(data)
logging.debug("start decoding" )
except Exception, e:
logging.error("p = self.decoder.decode(data) failed for device" )
msgs.append(str(e))
# get the details from the decoded packet data
if p:
try:
self.src_ip = p.child().get_ip_src()
self.tgt_ip = p.child().get_ip_dst()
self.proto_id = p.child().child().protocol
except Exception, e:
logging.error("exception while parsing ip packet: %s" % str(e))
self.msgs.append(str(e))
class DecoderThread(Thread):
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
# Display the packet in human-readable form.
print self.decoder.decode(data)
class DecoderThread(Thread):
def __init__(self, pcapObj):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
# Display the packet in human-readable form.
print self.decoder.decode(data)
class DecoderThread(Thread):
def __init__(self, pcapObj,subnet,arptable):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.subnet = subnet
self.arptable = arptable
Thread.__init__(self)
#super(Thread, self).__init__()
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
e = self.decoder.decode(data)
if e.get_ether_type() == impacket.ImpactPacket.IP.ethertype:
#print e.child().get_ip_src()
ip = e.child()
ttl = ip.get_ip_ttl()
## Uneven but not 1 or 255 ttl means it's probably coming from a router ##
if (ttl % 2) > 0 and ttl > 1 and ttl != 255:
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.sourcemac = e.get_ether_dhost()
self.subnet.sourceaddress = ip.get_ip_dst()
if e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
self.subnet.registeraddress(arp.get_ar_tpa())
self.subnet.registeraddress(arp.get_ar_spa())
if arp.get_op_name(arp.get_ar_op()) == "REPLY":
print "got arp reply"
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
if arp.get_op_name(arp.get_ar_op()) == "REQUEST":
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
class ReaderAndDecoderThread(multiprocessing.Process):
def __init__(self, cap_stream):
multiprocessing.Process.__init__(self)
self.cap_stream = cap_stream
self.datalink = cap_stream.datalink()
if pcapy.DLT_EN10MB == self.datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == self.datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % self.datalink)
def run(self):
global read_count
while True:
success = False
try:
# Quit reader (Keyboardinterrupt)
if exit_reader_and_decoder_thread.is_set():
break
(header, packet) = self.cap_stream.next()
if header is not None:
success = True
sec, usec = header.getts()
packet_queue.put((sec, usec, self.decoder.decode(packet)))
with read_count.get_lock():
read_count.value += 1
elif config.pcap_file:
reader_end_of_file.set()
break
except (pcapy.PcapError, socket.timeout):
traceback.print_exc()
pass
except KeyboardInterrupt:
break
if not success:
time.sleep(REGULAR_SENSOR_SLEEP_TIME)
class DecoderThread(Thread):
def __init__(self, pcapObj,subnet,arptable):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.subnet = subnet
self.arptable = arptable
Thread.__init__(self)
#super(Thread, self).__init__()
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
e = self.decoder.decode(data)
if e.get_ether_type() == impacket.ImpactPacket.IP.ethertype:
#print e.child().get_ip_src()
ip = e.child()
ttl = ip.get_ip_ttl()
## Uneven but not 1 or 255 ttl means it's probably coming from a router ##
if (ttl % 2) > 0 and ttl > 1 and ttl != 255:
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.sourcemac = e.get_ether_dhost()
self.subnet.sourceaddress = ip.get_ip_dst()
if e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
self.subnet.registeraddress(arp.get_ar_tpa())
self.subnet.registeraddress(arp.get_ar_spa())
if arp.get_op_name(arp.get_ar_op()) == "REPLY":
print "got arp reply"
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
if arp.get_op_name(arp.get_ar_op()) == "REQUEST":
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
def start(self):
self.p = open_live(self.interface, 1600, 0, 100)
## self.p.setnonblock(1)
if self.filter:
self.p.setfilter(self.filter)
# Query the type of the link and instantiate a decoder accordingly.
datalink = self.p.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.tk.after(POLL_PERIOD, self.poll)
self.tk.after(REFRESH_PERIOD, self.timerDraw)
self.tk.bind('q', self.quit)
self.tk.mainloop()
class DecoderThread(Thread):
def __init__(self, pcapObj):
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Tipo de datalink não suportado: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
self.pcap.loop(0, self.packetHandler)
def display_hex(self, pkt):
return pkt.get_data_as_string()
def packetHandler(self, hdr, data):
p = self.decoder.decode(data)
ip = p.child()
tcp = ip.child()
src = (ip.get_ip_src(), tcp.get_th_sport())
dst = (ip.get_ip_dst(), tcp.get_th_dport())
seq = tcp.get_th_seq()
ack = tcp.get_th_ack()
flags = tcp.get_th_flags()
win = tcp.get_th_win()
sum = tcp.get_th_sum()
urp = tcp.get_th_urp()
payload = self.display_hex(p)
print('\n')
print(f'SRC -> {src[0]}:{src[1]} | DST -> {dst[0]}:{dst[1]} | [{flags}:{ack}] Seq={seq} Win={win} Size={len(payload)} Sum={sum} Urp={urp}')
if dst[0] == '172.17.7.232':
print(bcolors.OKGREEN + str(payload) + bcolors.ENDC)
else:
print(bcolors.WARNING + str(payload) + bcolors.ENDC)
print('\n')
def __init__(self, promisc=True, buffer_size=None, read_timeout=100, show_packets=False):
self._pcap_t = None
self._packets = None
assert promisc in (True, False), "promisc must be either True or False"
self._promisc = promisc
self._buffer_size = buffer_size
self._read_timeout = read_timeout
assert show_packets in (True, False), "show_packets must be either True or False"
self._show_packets = show_packets
self._pcap_lock = threading.Lock()
try:
from impacket.ImpactDecoder import LinuxSLLDecoder
self._decoder = LinuxSLLDecoder()
except ImportError:
self._decoder = None
class NetdudeDecoder(Decoder):
"""
"""
def __init__(self,pcapObj ):
"""
"""
self.proto_id = None
self.src_ip = None
self.tgt_ip = None
self.src_port = None
self.tgt_port = None
self.msgs = [] # error msgs
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = []
def packetHandler(self, hdr, data):
try:
p = self.decoder.decode(data)
logging.debug("start decoding" )
except Exception, e:
logging.error("p = self.decoder.decode(data) failed for device" )
msgs.append(str(e))
# get the details from the decoded packet data
if p:
try:
self.src_ip = p.child().get_ip_src()
self.tgt_ip = p.child().get_ip_dst()
self.proto_id = p.child().child().protocol
except Exception, e:
logging.error("exception while parsing ip packet: %s" % str(e))
self.msgs.append(str(e))
class DecoderThread(Thread):
def __init__(self, pcapObj, queue):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.queue = queue
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances, then send it to the Visualiser
# which drives the Holiday lights.
try:
p = self.decoder.decode(data)
except (Exception, KeyboardInterrupt) as e:
print e
return
try:
protocol = p.child().__class__.__name__
size = p.get_size()
src = False
if protocol == 'IP' or protocol == 'UDP':
src = p.child().get_ip_src()
dest = p.child().get_ip_dst()
elif protocol == 'IP6':
src = p.child().get_source_address()
dest = p.child().get_destination_address()
print "IP6", src, dest
src = False
if src:
l = size_to_length(size)
if src[0:2] == '10':
col = local_ip_to_rgb(src)
#col = ip_to_rgb(dest)
v = SPEED / l
i = 0
else:
if RETURN_SAME:
col = local_ip_to_rgb(src)
else:
col = ip_to_rgb(src)
v = -SPEED / l
i = -52
gradient = make_pulse(col, l)
#print gradient
self.queue.put(pulse.Pulse(i, v, gradient))
#print protocol, src, " -> ", dest, "Size ", size
except Exception as e:
print "Decoding failed"
print e
return
class DecoderThread(Thread):
def __init__(self, pcapObj=None, FilePath=None, Interface=None):
datalink = pcapObj.datalink()
self.FilePath = FilePath
self.Interface = Interface
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Unsupported datalink type: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
self.pcap.loop(0, self.packetHandler)
def display_hex(self, pkt):
return pkt.get_data_as_string()
def packetHandler(self, hdr, data):
p = self.decoder.decode(data)
ip = p.child()
tcp = ip.child()
payload = self.display_hex(p)
try:
srcPort = tcp.get_th_sport()
except AttributeError:
srcPort = 0
try:
dstPort = tcp.get_th_dport()
except AttributeError:
dstPort = 0
if dstPort > 0:
sumBytePayload = sum(payload) / dstPort
lenPayload = len(payload) / dstPort
else:
sumBytePayload = sum(payload)
lenPayload = len(payload)
try:
protocol = tcp.protocol
except AttributeError:
return
io = 1 #input
if protocol is None: #ARP
return
#protocol 17 = UDP
if protocol == 1: #ICMP
if tcp.get_icmp_num_addrs() > 0:
io = 0 #output
if protocol == 6: #TCP
myAddr = ni.ifaddresses(self.Interface)[ni.AF_INET][0]['addr']
if myAddr != ip.get_ip_dst():
io = 0 #output
#Protocol|I/O|SrcPort|DstPort|SumPayload|LenPayload
LOGS = str(protocol) + '|' + str(io) + '|' + str(srcPort) + '|' + str(dstPort) + '|' + str(sumBytePayload) + '|' +\
str(lenPayload) + '\n'
with open(self.FilePath, 'a') as wf:
wf.write(LOGS)
wf.close()
class DecoderThread(Thread):
def __init__(self, bridge, subnet, arptable):
# Open interface for capturing.
self.pcap = open_live(bridge.bridgename, 1500, 0, 100)
# Query the type of the link and instantiate a decoder accordingly.
datalink = self.pcap.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.bridge = bridge
self.subnet = subnet
self.arptable = arptable
self.running = True
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
while self.running:
self.pcap.dispatch(1, self.packetHandler)
def stop(self):
self.running = False
time.sleep(0.1)
def packetHandler(self, hdr, data):
e = self.decoder.decode(data)
if e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION:
eapol = e.child()
if eapol.get_packet_type() == eapol.EAP_PACKET:
eap = eapol.child()
eapr = eap.child()
# Only client sends responses with identity
if eap.get_code() == eap.RESPONSE and eapr.get_type() == eapr.IDENTITY:
self.subnet.clientmac = e.get_ether_shost()
elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype:
ip = e.child()
if isinstance(ip.child(), impacket.ImpactPacket.UDP):
udp = ip.child()
if isinstance(udp.child(), impacket.dhcp.BootpPacket):
bootp = udp.child()
if isinstance(bootp.child(), impacket.dhcp.DhcpPacket):
dhcp = bootp.child()
if dhcp.getOptionValue('message-type') == dhcp.DHCPDISCOVER:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue('message-type') == dhcp.DHCPREQUEST:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue('message-type') == dhcp.DHCPACK:
self.subnet.clientip = self.subnet.int2ip(bootp["yiaddr"])
self.subnet.clientmac = e.get_ether_dhost()
self.subnet.gatewayip = self.subnet.int2ip(dhcp.getOptionValue("router")[0])
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.subnetmask = self.subnet.ip2array(
self.subnet.int2ip(dhcp.getOptionValue("subnet-mask")))
self.subnet.subnet = self.subnet.ip2array(self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"]))
self.subnet.dhcp = True
elif dhcp.getOptionValue('message-type') == dhcp.DHCPOFFER:
self.subnet.clientip = self.subnet.int2ip(bootp["yiaddr"])
self.subnet.clientmac = e.get_ether_dhost()
self.subnet.gatewayip = self.subnet.int2ip(dhcp.getOptionValue("router")[0])
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.subnetmask = self.subnet.ip2array(
self.subnet.int2ip(dhcp.getOptionValue("subnet-mask")))
self.subnet.subnet = self.subnet.ip2array(self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"]))
self.subnet.dhcp = True
else:
if not self.subnet.dhcp:
ttl = ip.get_ip_ttl()
# Uneven but not 1 or 255 ttl means it's probably coming from a router
if (ttl % 2) > 0 and ttl > 1 and ttl != 255:
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.clientmac = e.get_ether_dhost()
self.subnet.clientip = ip.get_ip_dst()
elif e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
if not self.subnet.dhcp:
self.subnet.registeraddress(arp.get_ar_tpa())
self.subnet.registeraddress(arp.get_ar_spa())
if arp.get_op_name(arp.get_ar_op()) == "REPLY":
logging.debug("got arp reply")
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
if arp.get_op_name(arp.get_ar_op()) == "REQUEST":
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
class DecoderThread(Thread):
protocols = ['DHCP', 'HTTP', 'dot1x', 'ARP', 'TTL']
def __init__(self, bridge, subnet, arptable):
# Open interface for capturing.
self.pcap = open_live(bridge.bridgename, 65536, 1, 100)
# Query the type of the link and instantiate a decoder accordingly.
datalink = self.pcap.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.bridge = bridge
self.subnet = subnet
self.arptable = arptable
self.protocols = args.discovery_protos or self.protocols
Thread.__init__(self)
def run(self):
self.running = True
# Reset the link
try:
cmd("mii-tool -R %s 2>/dev/null" % ' '.join(self.bridge.interfaces))
except:
pass
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
while self.running:
self.pcap.dispatch(1, self.packetHandler)
def stop(self):
self.running = False
time.sleep(0.1)
def packetHandler(self, hdr, data):
try:
e = self.decoder.decode(data)
except:
return
if e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
if arp.get_op_name(arp.get_ar_op()) == "REPLY":
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
if arp.get_op_name(arp.get_ar_op()) == "REQUEST":
self.arptable.registeraddress(arp.get_ar_spa(), arp.as_hrd(arp.get_ar_sha()))
# Got both interface sides. No more discovery needed
if self.bridge.clientsiteint and self.bridge.switchsideint:
return
if 'dot1x' in self.protocols and not self.subnet.dhcp and \
e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION:
eapol = e.child()
if eapol.get_packet_type() == eapol.EAP_PACKET:
eap = eapol.child()
eapr = eap.child()
# Only client sends responses with identity
if eap.get_code() == eap.RESPONSE and eapr.get_type() == eapr.IDENTITY:
self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost()
self.subnet.clientip = self.subnet.clientip or \
self.arptable.mac2ip(self.subnet.get_clientmac)
elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype:
ip = e.child()
if isinstance(ip.child(), impacket.ImpactPacket.UDP):
udp = ip.child()
if 'DHCP' in self.protocols and \
isinstance(udp.child(), impacket.dhcp.BootpPacket):
bootp = udp.child()
if isinstance(bootp.child(), impacket.dhcp.DhcpPacket):
dhcp = bootp.child()
if dhcp.getOptionValue('message-type') == dhcp.DHCPDISCOVER:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue('message-type') == dhcp.DHCPREQUEST:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue('message-type') == dhcp.DHCPACK or \
dhcp.getOptionValue('message-type') == dhcp.DHCPOFFER:
if not self.subnet.clientip:
self.subnet.clientip = self.subnet.int2ip(bootp["yiaddr"])
self.subnet.gatewayip = self.subnet.int2ip(dhcp.getOptionValue("router")[0])
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.subnetmask = self.subnet.ip2array(
self.subnet.int2ip(dhcp.getOptionValue("subnet-mask")))
self.subnet.subnet = self.subnet.ip2array(self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask") & bootp["yiaddr"]))
self.subnet.dnsip = self.subnet.int2ip(dhcp.getOptionValue("domain-name-server")[0])
self.subnet.dhcp = True
elif isinstance(ip.child(), impacket.ImpactPacket.TCP):
tcp = ip.child()
if 'HTTP' in self.protocols and \
re.search(r'[A-Z]+ [^ ] HTTP/1\.', tcp.get_data_as_string()):
self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_dhost()
print(self.subnet.get_gatewaymac())
self.subnet.gatewayip = self.subnet.gatewayip or \
self.arptable.mac2ip(self.subnet.get_gatewaymac())
self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost()
self.subnet.clientip = self.subnet.clientip or ip.get_ip_src()
elif 'TTL' in self.protocols and not self.subnet.dhcp:
ttl = ip.get_ip_ttl()
# Uneven but not 1 or 255 ttl means it's probably coming from a router
if (ttl % 2) > 0 and ttl > 1 and ttl != 255:
self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_shost()
self.subnet.gatewayip = self.subnet.gatewayip or \
self.arptable.mac2ip(self.subnet.get_gatewaymac())
self.subnet.clientmac = self.subnet.clientmac or e.get_ether_dhost()
self.subnet.clientip = self.subnet.clientip or ip.get_ip_dst()
elif 'ARP' in self.protocols and not self.subnet.dhcp and \
e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
self.subnet.registeraddress(arp.get_ar_tpa())
self.subnet.registeraddress(arp.get_ar_spa())
def run(self):
global maxcount
global maxbytes
global history
global persistant
global running
global last_dump
flows = {}
count = 0
# Arguments here are:
# device
# snaplen (maximum number of bytes to capture _per_packet_)
# promiscious mode (1 for true)
# timeout (in milliseconds)
cap = pcapy.open_live(FLAGS.i, 1500, 1, 1000)
# We get layer 1 packets. Therefore we need to use the right decoder.
datalink = cap.datalink()
if pcapy.DLT_EN10MB == datalink:
decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
decoder = LinuxSLLDecoder()
else:
print '%s Datalink type not supported: ' %(datetime.datetime.now(),
datalink)
sys.exit(1)
# Read packets -- header contains information about the data from pcap,
# payload is the actual packet as a string
(header, payload) = cap.next()
while header:
count += 1
if FLAGS.verbose:
print ('%s captured %d bytes, truncated to %d bytes'
%(datetime.datetime.now(), header.getlen(), header.getcaplen()))
try:
# The link level packet contains a payload
l = decoder.decode(payload)
p = l.child()
key = None
if p.ethertype == 0x800:
# This is an IP packet
ip = p.child()
ips = [p.get_ip_src(), p.get_ip_dst()]
ips.sort()
if ip.protocol == 1:
# ICMP
if FLAGS.verbose:
print (' ICMP: %s -> %s type %s'
%(p.get_ip_src(), p.get_ip_dst(),
ip.get_type_name(ip.get_icmp_type())))
key = 'ICMP %s' % repr(ips)
elif ip.protocol == 6:
# TCP
if FLAGS.verbose:
print ' TCP: %s:%d -> %s:%d' %(p.get_ip_src(),
ip.get_th_sport(),
p.get_ip_dst(),
ip.get_th_dport())
ports = [ip.get_th_sport(), ip.get_th_dport()]
ports.sort()
key = 'TCP %s %s' %(repr(ips), repr(ports))
elif ip.protocol == 17:
# UDP
if FLAGS.verbose:
print ' UDP: %s:%d -> %s:%d' %(p.get_ip_src(),
ip.get_uh_sport(),
p.get_ip_dst(),
ip.get_uh_dport())
ports = [ip.get_uh_sport(), ip.get_uh_dport()]
ports.sort()
key = 'TCP %s %s' %(repr(ips), repr(ports))
elif ip.protocol:
print '%s Unknown IP protocol %s' %(datetime.datetime.now(),
ip.protocol)
if key:
flows.setdefault(key, (0, 0, 0, 0))
(a_count, a_bytes, b_count, b_bytes) = flows[key]
if ips == [p.get_ip_src(), p.get_ip_dst()]:
a_count += 1
a_bytes += header.getlen()
else:
b_count += 1
b_bytes += header.getlen()
flows[key] = (a_count, a_bytes, b_count, b_bytes)
else:
print '%s Unknown ethertype %x' %(datetime.datetime.now(),
p.ethertype)
except impacket.ImpactPacket.ImpactPacketException, e:
print '%s Sniffer skipped packet: %s' %(datetime.datetime.now(), e)
self.data_lock.acquire()
if time.time() - last_dump > 30:
# Recalibrate maximums
maxcount = 100
maxbytes = 100
for flow in flows:
(acount, abytes, bcount, bbytes) = flows[flow]
if acount > maxcount:
maxcount = acount
if bcount > maxcount:
maxcount = bcount
if abytes > maxbytes:
maxbytes = abytes
if bbytes > maxbytes:
maxbytes = bbytes
# Append to history
history.append(flows)
history = history[-30:]
# Write to persistant history as well
persistant.setdefault('history', {})
persistant['history'][time.time()] = flows
persistant.sync()
if len(persistant['history']) > 29:
print '%s Committing suicide' % datetime.datetime.now()
persistant.close()
running = False
raise SystemExit()
print ('%s Sniffer captured %d packets in the last 30 seconds'
%(datetime.datetime.now(), count))
count = 0
flows = {}
last_dump = time.time()
self.data_lock.release()
del header
del payload
(header, payload) = cap.next()
class Pcap(object):
def __init__(self,
promisc=True,
buffer_size=None,
read_timeout=100,
show_packets=False):
self._pcap_t = None
self._packets = None
assert promisc in (True, False), "promisc must be either True or False"
self._promisc = promisc
self._buffer_size = buffer_size
self._read_timeout = read_timeout
assert show_packets in (
True, False), "show_packets must be either True or False"
self._show_packets = show_packets
self._pcap_lock = threading.Lock()
try:
from impacket.ImpactDecoder import LinuxSLLDecoder
self._decoder = LinuxSLLDecoder()
except ImportError:
self._decoder = None
def _set_buffer(self, buffer_size):
w.pcap_set_buffer_size(self._pcap_t, buffer_size)
def _set_timeout(self, read_timeout):
w.pcap_set_timeout(self._pcap_t, read_timeout)
@property
def packets(self):
for p in iter(self._packets.get, None):
yield p
@property
def packet_count(self):
return self._packets.qsize()
@property
def activated(self):
return self._pcap_t is not None
@property
def snaplen(self):
if not self.activated:
raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED)
return w.pcap_snapshot(self._pcap_t)
@snaplen.setter
def snaplen(self, snaplen):
if not self.activated:
raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED)
return w.pcap_set_snaplen(self._pcap_t, snaplen) == 0
@property
def promisc(self):
return self._promisc
def _set_promisc(self, state):
w.pcap_set_promisc(self._pcap_t, state)
@property
def tstamp_types(self):
return [(val, w.pcap_tstamp_type_val_to_name(val),
w.pcap_tstamp_type_val_to_description(val))
for val in w.pcap_list_tstamp_types(self._pcap_t)]
@property
def datalink(self):
dl = w.pcap_datalink(self._pcap_t)
for dl_type, dl_name, dl_description in self.datalinks:
if dl == dl_type:
return dl_name
return None
def set_datalink(self, dlt):
return w.pcap_set_datalink(self._pcap_t, dlt) == 0
@property
def datalinks(self):
if not self.activated:
raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED)
return [(val, w.pcap_datalink_val_to_name(val),
w.pcap_datalink_val_to_description(val))
for val in w.pcap_list_datalinks(self._pcap_t)]
def set_tstamp_type(self, tstamp_type):
return w.pcap_set_tstamp_type(self._pcap_t, tstamp_type) == 0
def _activate(self):
self._packets = Queue()
w.pcap_activate(self._pcap_t)
def _start(self):
self._activate()
self._start_loop()
def _start_loop(self):
thread.start_new_thread(self._loop, tuple())
def _loop(self):
user = str(id(self))
_pcap_user_mapping[user] = self
while True:
with self._pcap_lock:
if self.activated:
ret = w.pcap_dispatch(self._pcap_t, -1, _packet_handler,
user)
if ret is None:
break
else:
break
del _pcap_user_mapping[user]
def close(self):
if self._pcap_t:
w.pcap_breakloop(self._pcap_t)
with self._pcap_lock:
if self._pcap_t:
w.pcap_close(self._pcap_t)
self._pcap_t = None
def _packet_handler(self, hdr, packet):
packet_dict = dict(tv_sec=hdr.ts.tv_sec,
tv_usec=hdr.ts.tv_usec,
len=hdr.len,
caplen=hdr.caplen,
data=packet,
decoded=None)
if self._decoder:
packet_dict['decoded'] = self._decoder.decode(packet)
if self._show_packets:
print packet_dict['decoded']
self._packets.put(packet_dict)
def open_dev(self, dev='any'):
"""Create and activate pcap on a device. If no `dev` is specified then
'any' i used.
"""
self._pcap_t = w.pcap_create(dev)
self._set_promisc(self._promisc)
if self._buffer_size:
self._set_buffer(self._buffer_size)
if self._read_timeout:
self._set_timeout(self._read_timeout)
self._start()
def open_file(self, filename):
"""Create and activate pcap with a file or filename."""
if isinstance(filename, basestring):
self._pcap_t = w.pcap_open_offline(filename)
else:
self._pcap_t = w.pcap_fopen_offline(filename)
self._start()
class DecoderThread(Thread):
def __init__(self, pcapObj=None, Interface=None):
datalink = pcapObj.datalink()
self.Interface = Interface
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Unsupported datalink type: " % datalink)
self.pcap = pcapObj
self.buffer_traffic = []
Thread.__init__(self)
def run(self):
self.pcap.loop(0, self.packetHandler)
def display_hex(self, pkt):
return pkt.get_data_as_string()
def encode_protocol(self, protocol):
# tcp=1;udp=2;others=3
if protocol == 6:
return 1
elif protocol == 17:
return 2
else:
return 3
def encode_port(self, port):
# ports longer than 3 digits are irrelevant
if len(str(port)) > 3:
return 0
else:
return int(port)
def packetHandler(self, hdr, data):
p = self.decoder.decode(data)
ip = p.child()
tcp = ip.child()
payload = self.display_hex(p)
myAddr = ni.ifaddresses(self.Interface)[ni.AF_INET][0]['addr']
try:
srcIP = ip.get_ip_src()
if myAddr == srcIP:
srcIP = 0
except AttributeError:
srcIP = 0
try:
dstIP = ip.get_ip_dst()
if myAddr == dstIP:
dstIP = 0
except AttributeError:
dstIP = 0
try:
srcPort = tcp.get_th_sport()
except AttributeError:
srcPort = 0
try:
dstPort = tcp.get_th_dport()
except AttributeError:
dstPort = 0
if dstPort > 0:
sumBytePayload = sum(payload) / dstPort
else:
sumBytePayload = sum(payload)
try:
protocol = tcp.protocol
except AttributeError:
return
io = 1 # input
if protocol is None: # ARP
return
# protocol 17 = UDP
if protocol == 1: # ICMP
if tcp.get_icmp_num_addrs() > 0:
io = 0 # output
if protocol == 6: # TCP
myAddr = ni.ifaddresses(self.Interface)[ni.AF_INET][0]['addr']
if myAddr != ip.get_ip_dst():
io = 0 # output
protocol = self.encode_protocol(protocol)
srcPort = self.encode_port(srcPort)
dstPort = self.encode_port(dstPort)
if len(self.buffer_traffic) > 10:
self.buffer_traffic = []
self.buffer_traffic.append(
[protocol, io, srcPort, dstPort, sumBytePayload])
self.model = Thread(target=ModelPredict,
args=(protocol, io, srcPort, dstPort,
sumBytePayload, srcIP, dstIP,
self.buffer_traffic))
self.model.start()
class DecoderThread(Thread):
def __init__(self, pcapObj):
self.searchTerm = 'commands'
self.hostDict = {}
self.flowDict = {}
self.arbitraryChunkedLength = 30000 # as length of chunked tranfers can not be measured, we will provide an artibrary length for now
# OSC functionality (multicasting for now)
sendAddress = '127.0.0.1', 57120
self.oscClient=OSCClient()
self.oscClient.connect(sendAddress)
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy of ImpactPacket instances.
eth = self.decoder.decode(data)
ip = eth.child()
tcp = ip.child()
src = (ip.get_ip_src(), tcp.get_th_sport() )
dst = (ip.get_ip_dst(), tcp.get_th_dport() )
self.detectHTTP(tcp, src, dst)
def detectHTTP(self, tcp, src, dst):
packetString = tcp.get_data_as_string()
srcIp = src[0]
dstIp = dst[0]
self.detectRequestOrNewResponseOrExistingResponse(packetString, src, dst, tcp)
def detectRequestOrNewResponseOrExistingResponse(self, packetString, src, dst, tcp):
request = HTTPRequest(packetString)
if request.error_code is None: # detect request
self.parseRequest(request, src, dst)
elif packetString[:8] == "HTTP/1.1": # detect response
# only pass if a request was sent
flowKey = (src, dst)
if flowKey in self.hostDict:
self.parseNewResponse(packetString, src, dst, tcp)
else:
flowKey = (src, dst)
if flowKey in self.flowDict: # continue if packet is a continuation of an existing response
body = packetString # with an existing response the body is the entire packetstring
self.parseExistingResponse(flowKey, body, src, dst, tcp)
def parseRequest(self, request, src, dst):
if request.command == 'GET' and request.request_version == 'HTTP/1.1':
# store the host and path related to this request by unique key for later lookup:
self.hostDict[(dst, src)] = {}
self.hostDict[(dst, src)]['host'] = request.headers['host']
self.hostDict[(dst, src)]['path'] = request.path
def parseNewResponse(self, packetString, src, dst, tcp):
responseCode = packetString[9:12]
if responseCode == '200': # just okay responses for now
if '\r\n\r\n' in packetString: # only proceed if the response has a body
bodyIndex = packetString.index('\r\n\r\n') + 4
body = packetString[bodyIndex:]
socket = FakeSocket(packetString)
response = HTTPResponse(socket)
response.begin()
headerArray = response.getheaders()
for item in headerArray:
flowKey = (src, dst)
if item[0] == 'content-type' and 'text/html' in item[1]: # accept any kind of text content
for item in headerArray:
if item[0] == 'content-length':
length = int(item[1])
self.parseFixedLengthResponse(flowKey, body, length, src, dst, tcp, responseCode)
elif item[0] == 'transfer-encoding' and item[1] == 'chunked':
print 'found chunked'
self.parseChunkedResponse(flowKey, body, src, dst, tcp, responseCode)
else:
print "body not found"
def parseFixedLengthResponse(self, flowKey, body, length, src, dst, tcp, responseCode):
self.flowDict[flowKey] = {'body': body, 'type': 'fixedLength', 'length': length}
self.doStart(flowKey, body, src, dst, tcp, responseCode, 'fixedLength')
contentLength = self.arbitraryChunkedLength
progress = float(len(body)) / float(contentLength)
packetContentLength = progress
searchResults = self.bodySearch(body, contentLength)
self.sendInfoAboutThisPacket(body, progress, packetContentLength, searchResults)
def parseChunkedResponse(self, flowKey, body, src, dst, tcp, responseCode):
self.flowDict[flowKey] = {'body': body, 'type': 'chunked'}
self.doStart(flowKey, body, src, dst, tcp, responseCode, 'chunked')
contentLength = self.flowDict[flowKey]['length']
progress = float(len(body)) / float(contentLength)
packetContentLength = progress
searchResults = self.bodySearch(body, contentLength)
self.sendInfoAboutThisPacket(body, progress, packetContentLength, searchResults)
def parseExistingResponse(self, flowKey, body, src, dst, tcp):
if self.flowDict[flowKey]['type'] == 'fixedLength':
contentLength = self.flowDict[flowKey]['length']
progress, packetContentLength = self.accumulateBodyAndReturnPacketPosition(flowKey, body, contentLength)
mappedSearchResults = self.bodySearch(body, contentLength)
self.sendInfoAboutThisPacket(body, progress, packetContentLength, mappedSearchResults)
self.detectFixedLengthEnd(flowKey, src, dst)
elif self.flowDict[flowKey]['type'] == 'chunked':
contentLength = self.arbitraryChunkedLength
progress, packetContentLength = self.accumulateBodyAndReturnPacketPosition(flowKey, body, contentLength)
searchResults = self.bodySearch(body, contentLength)
self.sendInfoAboutThisPacket(body, progress, packetContentLength, mappedSearchResults)
self.detectChunkedEnd(packetString, src, dst)
def accumulateBodyAndReturnPacketPosition(self, flowKey, body, contentLength):
existingBody = self.flowDict[flowKey]['body']
newBody = self.flowDict[flowKey]['body'] = existingBody + body
progress = float(len(newBody)) / float(contentLength)
packetContentLength = float(len(body)) / float(contentLength)
return progress, packetContentLength
def sendInfoAboutThisPacket(self, body, progress, packetContentLength, mappedSearchResults):
# call or response - relevant?
self.oscSender('/progress', [progress])
# if mappedSearchResults: # if list is not empty
# self.oscSender('/searchResults', mappedSearchResults)
# self.oscSender('/bodyLength', [packetContentLength])
# self.oscSender('/body', [body])
def detectFixedLengthEnd(self, flowKey, src, dst):
accumulatedBodyLength = len(self.flowDict[flowKey]['body'])
contentLength = self.flowDict[flowKey]['length']
if accumulatedBodyLength == contentLength:
self.doStop(src, dst)
def detectChunkedEnd(self, body, src, dst):
if '0\r\n\r\n' in body: # doesn't always work
self.doStop(src, dst)
def doStart(self, flowKey, body, src, dst, tcp, responseCode, encodingType):
host = self.hostDict[(src, dst)]['host']
path = self.hostDict[(src, dst)]['path']
destinationIP = dst[0]
sourceIP = src[0]
destinationPort = dst[1]
scaledDestinationPort = self.scale(destinationPort, 49152, 65535, 0, 1)
# no use to have the source Port as it will always be 80 (http)
self.oscSender('/start', [responseCode, host, path[0:20], destinationIP, sourceIP, destinationPort, encodingType])
def doStop(self, src, dst):
host = self.hostDict[(src, dst)]['host']
path = self.hostDict[(src, dst)]['path']
del self.hostDict[(src, dst)] # need to do this?
del self.flowDict[(src, dst)]
self.oscSender('/stop', [host, path])
def bodySearch(self, body, contentLength):
searchResults = [m.start() for m in re.finditer(self.searchTerm, body)]
mappedSearchResults = [float(item)/float(contentLength) for item in searchResults]
return mappedSearchResults
def oscSender(self, addr, params):
msg = OSCMessage()
msg.setAddress(addr)
if params is not None:
for param in params:
msg.append(param)
print "sending: " + str(msg) + " to: " + str(self.oscClient) # do not indent this line!
try:
self.oscClient.send(msg)
except OSCClientError:
# could explicitly try to detect errno 61 here
print "WARNING: cannot send to SuperCollider"
def scale(self, value, leftMin, leftMax, rightMin, rightMax):
leftSpan = leftMax - leftMin
rightSpan = rightMax - rightMin
valueScaled = float(value - leftMin) / float(leftSpan)
return rightMin + (valueScaled * rightSpan)
class DecoderThread(Thread):
def __init__(self, bridge, subnet, arptable):
# Open interface for capturing.
self.pcap = open_live(bridge.bridgename, 1500, 0, 100)
# Query the type of the link and instantiate a decoder accordingly.
datalink = self.pcap.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.bridge = bridge
self.subnet = subnet
self.arptable = arptable
self.running = True
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
while self.running:
self.pcap.dispatch(1, self.packetHandler)
def stop(self):
self.running = False
time.sleep(0.1)
def packetHandler(self, hdr, data):
e = self.decoder.decode(data)
if e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION:
eapol = e.child()
if eapol.get_packet_type() == eapol.EAP_PACKET:
eap = eapol.child()
eapr = eap.child()
# Only client sends responses with identity
if eap.get_code() == eap.RESPONSE and eapr.get_type(
) == eapr.IDENTITY:
self.subnet.clientmac = e.get_ether_shost()
elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype:
ip = e.child()
if isinstance(ip.child(), impacket.ImpactPacket.UDP):
udp = ip.child()
if isinstance(udp.child(), impacket.dhcp.BootpPacket):
bootp = udp.child()
if isinstance(bootp.child(), impacket.dhcp.DhcpPacket):
dhcp = bootp.child()
if dhcp.getOptionValue(
'message-type') == dhcp.DHCPDISCOVER:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue(
'message-type') == dhcp.DHCPREQUEST:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue(
'message-type') == dhcp.DHCPACK:
self.subnet.clientip = self.subnet.int2ip(
bootp["yiaddr"])
self.subnet.clientmac = e.get_ether_dhost()
self.subnet.gatewayip = self.subnet.int2ip(
dhcp.getOptionValue("router")[0])
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.subnetmask = self.subnet.ip2array(
self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask")))
self.subnet.subnet = self.subnet.ip2array(
self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask")
& bootp["yiaddr"]))
self.subnet.dhcp = True
elif dhcp.getOptionValue(
'message-type') == dhcp.DHCPOFFER:
self.subnet.clientip = self.subnet.int2ip(
bootp["yiaddr"])
self.subnet.clientmac = e.get_ether_dhost()
self.subnet.gatewayip = self.subnet.int2ip(
dhcp.getOptionValue("router")[0])
self.subnet.domain_name = dhcp.getOptionValue(
"domain name")[0]
self.subnet.dns_server = self.subnet.int2ip(
dhcp.getOptionValue("domain name server")[0])
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.subnetmask = self.subnet.ip2array(
self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask")))
self.subnet.subnet = self.subnet.ip2array(
self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask")
& bootp["yiaddr"]))
self.subnet.dhcp = True
else:
if not self.subnet.dhcp:
ttl = ip.get_ip_ttl()
# Uneven but not 1 or 255 ttl means it's probably coming from a router
if (ttl % 2) > 0 and ttl > 1 and ttl != 255:
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.clientmac = e.get_ether_dhost()
self.subnet.clientip = ip.get_ip_dst()
elif e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
if not self.subnet.dhcp:
self.subnet.registeraddress(arp.get_ar_tpa())
self.subnet.registeraddress(arp.get_ar_spa())
if arp.get_op_name(arp.get_ar_op()) == "REPLY":
logging.debug("got arp reply")
self.arptable.registeraddress(arp.get_ar_spa(),
arp.as_hrd(arp.get_ar_sha()))
if arp.get_op_name(arp.get_ar_op()) == "REQUEST":
self.arptable.registeraddress(arp.get_ar_spa(),
arp.as_hrd(arp.get_ar_sha()))
class Pcap(object):
def __init__(self, promisc=True, buffer_size=None, read_timeout=100, show_packets=False):
self._pcap_t = None
self._packets = None
assert promisc in (True, False), "promisc must be either True or False"
self._promisc = promisc
self._buffer_size = buffer_size
self._read_timeout = read_timeout
assert show_packets in (True, False), "show_packets must be either True or False"
self._show_packets = show_packets
self._pcap_lock = threading.Lock()
try:
from impacket.ImpactDecoder import LinuxSLLDecoder
self._decoder = LinuxSLLDecoder()
except ImportError:
self._decoder = None
def _set_buffer(self, buffer_size):
w.pcap_set_buffer_size(self._pcap_t, buffer_size)
def _set_timeout(self, read_timeout):
w.pcap_set_timeout(self._pcap_t, read_timeout)
@property
def packets(self):
for p in iter(self._packets.get, None):
yield p
@property
def packet_count(self):
return self._packets.qsize()
@property
def activated(self):
return self._pcap_t is not None
@property
def snaplen(self):
if not self.activated:
raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED)
return w.pcap_snapshot(self._pcap_t)
@snaplen.setter
def snaplen(self, snaplen):
if not self.activated:
raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED)
return w.pcap_set_snaplen(self._pcap_t, snaplen) == 0
@property
def promisc(self):
return self._promisc
def _set_promisc(self, state):
w.pcap_set_promisc(self._pcap_t, state)
@property
def tstamp_types(self):
return [(val, w.pcap_tstamp_type_val_to_name(val), w.pcap_tstamp_type_val_to_description(val)) for val in w.pcap_list_tstamp_types(self._pcap_t)]
@property
def datalink(self):
dl = w.pcap_datalink(self._pcap_t)
for dl_type, dl_name, dl_description in self.datalinks:
if dl == dl_type:
return dl_name
return None
def set_datalink(self, dlt):
return w.pcap_set_datalink(self._pcap_t, dlt) == 0
@property
def datalinks(self):
if not self.activated:
raise PcapError(w.PCAP_ERROR_NOT_ACTIVATED)
return [(val, w.pcap_datalink_val_to_name(val), w.pcap_datalink_val_to_description(val)) for val in w.pcap_list_datalinks(self._pcap_t)]
def set_tstamp_type(self, tstamp_type):
return w.pcap_set_tstamp_type(self._pcap_t, tstamp_type) == 0
def _activate(self):
self._packets = Queue()
w.pcap_activate(self._pcap_t)
def _start(self):
self._activate()
self._start_loop()
def _start_loop(self):
thread.start_new_thread(self._loop, tuple())
def _loop(self):
user = str(id(self))
_pcap_user_mapping[user] = self
while True:
with self._pcap_lock:
if self.activated:
ret = w.pcap_dispatch(self._pcap_t, -1, _packet_handler, user)
if ret is None:
break
else:
break
del _pcap_user_mapping[user]
def close(self):
if self._pcap_t:
w.pcap_breakloop(self._pcap_t)
with self._pcap_lock:
if self._pcap_t:
w.pcap_close(self._pcap_t)
self._pcap_t = None
def _packet_handler(self, hdr, packet):
packet_dict = dict(
tv_sec=hdr.ts.tv_sec,
tv_usec=hdr.ts.tv_usec,
len=hdr.len,
caplen=hdr.caplen,
data=packet,
decoded=None
)
if self._decoder:
packet_dict['decoded'] = self._decoder.decode(packet)
if self._show_packets:
print packet_dict['decoded']
self._packets.put(packet_dict)
def open_dev(self, dev='any'):
"""Create and activate pcap on a device. If no `dev` is specified then
'any' i used.
"""
self._pcap_t = w.pcap_create(dev)
self._set_promisc(self._promisc)
if self._buffer_size:
self._set_buffer(self._buffer_size)
if self._read_timeout:
self._set_timeout(self._read_timeout)
self._start()
def open_file(self, filename):
"""Create and activate pcap with a file or filename."""
if isinstance(filename, basestring):
self._pcap_t = w.pcap_open_offline(filename)
else:
self._pcap_t = w.pcap_fopen_offline(filename)
self._start()
class DecoderThread(Thread):
protocols = ['DHCP', 'HTTP', 'dot1x', 'ARP', 'TTL']
def __init__(self, bridge, subnet, arptable):
# Open interface for capturing.
self.pcap = open_live(bridge.bridgename, 65536, 1, 100)
# Query the type of the link and instantiate a decoder accordingly.
datalink = self.pcap.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.bridge = bridge
self.subnet = subnet
self.arptable = arptable
self.protocols = args.discovery_protos or self.protocols
Thread.__init__(self)
def run(self):
self.running = True
# Reset the link
try:
cmd("mii-tool -R %s 2>/dev/null" %
' '.join(self.bridge.interfaces))
except:
pass
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
while self.running:
self.pcap.dispatch(1, self.packetHandler)
def stop(self):
self.running = False
time.sleep(0.1)
def packetHandler(self, hdr, data):
try:
e = self.decoder.decode(data)
except:
return
if e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
if arp.get_op_name(arp.get_ar_op()) == "REPLY":
self.arptable.registeraddress(arp.get_ar_spa(),
arp.as_hrd(arp.get_ar_sha()))
if arp.get_op_name(arp.get_ar_op()) == "REQUEST":
self.arptable.registeraddress(arp.get_ar_spa(),
arp.as_hrd(arp.get_ar_sha()))
# Got both interface sides. No more discovery needed
if self.bridge.clientsiteint and self.bridge.switchsideint:
return
if 'dot1x' in self.protocols and not self.subnet.dhcp and \
e.get_ether_type() == impacket.eap.DOT1X_AUTHENTICATION:
eapol = e.child()
if eapol.get_packet_type() == eapol.EAP_PACKET:
eap = eapol.child()
eapr = eap.child()
# Only client sends responses with identity
if eap.get_code() == eap.RESPONSE and eapr.get_type(
) == eapr.IDENTITY:
self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost(
)
self.subnet.clientip = self.subnet.clientip or \
self.arptable.mac2ip(self.subnet.get_clientmac)
elif e.get_ether_type() == impacket.ImpactPacket.IP.ethertype:
ip = e.child()
if isinstance(ip.child(), impacket.ImpactPacket.UDP):
udp = ip.child()
if 'DHCP' in self.protocols:
if udp.get_uh_dport() in (
67, 68) and udp.get_uh_sport() in (67, 68):
bootp_decoder = BootpDecoder()
bootp = bootp_decoder.decode(udp.child().get_packet())
if isinstance(bootp.child(), impacket.dhcp.DhcpPacket):
dhcp = bootp.child()
if dhcp.getOptionValue(
'message-type') == dhcp.DHCPDISCOVER:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue(
'message-type') == dhcp.DHCPREQUEST:
self.subnet.clientmac = e.get_ether_shost()
elif dhcp.getOptionValue('message-type') == dhcp.DHCPACK or \
dhcp.getOptionValue('message-type') == dhcp.DHCPOFFER:
if not self.subnet.clientip:
self.subnet.clientip = self.subnet.int2ip(
bootp["yiaddr"])
self.subnet.gatewayip = self.subnet.int2ip(
dhcp.getOptionValue("router")[0])
self.subnet.gatewaymac = e.get_ether_shost()
self.subnet.subnetmask = self.subnet.ip2array(
self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask")))
self.subnet.subnet = self.subnet.ip2array(
self.subnet.int2ip(
dhcp.getOptionValue("subnet-mask")
& bootp["yiaddr"]))
self.subnet.dnsip = self.subnet.int2ip(
dhcp.getOptionValue("domain-name-server")
[0])
self.subnet.dhcp = True
elif isinstance(ip.child(), impacket.ImpactPacket.TCP):
tcp = ip.child()
if 'HTTP' in self.protocols and \
re.search(r'[A-Z]+ [^ ] HTTP/1\.', tcp.get_data_as_string()):
self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_dhost(
)
print(self.subnet.get_gatewaymac())
self.subnet.gatewayip = self.subnet.gatewayip or \
self.arptable.mac2ip(self.subnet.get_gatewaymac())
self.subnet.clientmac = self.subnet.clientmac or e.get_ether_shost(
)
self.subnet.clientip = self.subnet.clientip or ip.get_ip_src(
)
elif 'TTL' in self.protocols and not self.subnet.dhcp:
ttl = ip.get_ip_ttl()
# Uneven but not 1 or 255 ttl means it's probably coming from a router
if (ttl % 2) > 0 and ttl > 1 and ttl != 255:
self.subnet.gatewaymac = self.subnet.gatewaymac or e.get_ether_shost(
)
self.subnet.gatewayip = self.subnet.gatewayip or \
self.arptable.mac2ip(self.subnet.get_gatewaymac())
self.subnet.clientmac = self.subnet.clientmac or e.get_ether_dhost(
)
self.subnet.clientip = self.subnet.clientip or ip.get_ip_dst(
)
elif 'ARP' in self.protocols and not self.subnet.dhcp and \
e.get_ether_type() == impacket.ImpactPacket.ARP.ethertype:
arp = e.child()
self.subnet.registeraddress(arp.get_ar_tpa())
self.subnet.registeraddress(arp.get_ar_spa())
class Decoder(object):
def __init__(self, pcapObj, filename=None):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.connections = {}
# added by yair
self.packet_count = 0
self.packet_list = []
self.filename = filename
self.dir = None
# a dictionary containing all TCP streams
self.streams = {}
def start(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
"""Handles an incoming pcap packet. This method only knows how
to recognize TCP/IP connections.
Be sure that only TCP packets are passed onto this handler (or
fix the code to ignore the others).
Setting r"ip proto \tcp" as part of the pcap filter expression
suffices, and there shouldn't be any problem combining that with
other expressions.
"""
global flag_verbose
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances.
p = self.decoder.decode(data)
ip = p.child()
tcp = ip.child()
# Build a distinctive key for this pair of peers.
src = (ip.get_ip_src(), tcp.get_th_sport())
dst = (ip.get_ip_dst(), tcp.get_th_dport())
con = Connection(src, dst)
wtime = calc_wtime(wts=hdr.getts())
TCPts = None
for opt in tcp.get_options():
try:
TCPts = opt.get_ts()
break
except ImpactPacketException:
pass
self.packet_count += 1
packet = dPacket(wtime, ip.get_ip_dst(), tcp.get_th_sport(),
tcp.get_th_dport(), ip.get_ip_id(), TCPts,
self.packet_count)
self.packet_list.append(packet)
#add by yair - create dir for split files
if flag_csv:
split_dir_name = self.filename + '_TCPsessions'
newpath = os.path.join(os.getcwd(), split_dir_name)
self.dir = newpath
# If there isn't an entry associated yet with this connection,
# open a new pcapdumper and create an association.
self.connections.setdefault(con, [])
self.connections[con].append(packet)
print " bytes = the approximate maximum size of the little files"
print ""
if len(sys.argv) < 3:
showUsage()
sys.exit(1)
fileCount = 1
p = open_offline(sys.argv[1])
datalink = p.datalink()
if DLT_EN10MB == datalink:
decoder = EthDecoder()
elif DLT_LINUX_SLL == datalink:
decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
while 1:
try:
(hdr, data) = p.next()
filename = "%s_%d.cap" % (sys.argv[2], fileCount)
pktCount = 0
capSize = 0
d = p.dump_open(filename)
while capSize < int(sys.argv[3]):
pkt = decoder.decode(data)
try:
bytes = len(pkt.get_packet())
except:
class PacketLoop(Thread):
""" PacketLoop(Thread) Main Class """
def __init__(self, pcapy_object):
""" PacketLoop(Thread) Class Constructor """
datalink = pcapy_object.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
print "Datalink type not supported: " % datalink
exit()
self.pcap = pcapy_object
Thread.__init__(self)
self.stop = False
#----------------------------------------------------------------------
def run(self):
""" Thread Main Function """
while not self.stop:
self.pcap.dispatch(1, self.packet_handler)
#----------------------------------------------------------------------
def get_ips(self, decoded_data):
""" Returns src and dst ips in tuple format """
return (decoded_data.child().get_ip_src(), decoded_data.child().get_ip_dst())
#----------------------------------------------------------------------
def get_ports(self, decoded_data):
""" Returns src and dst ports in tuple format """
return (
decoded_data.child().child().get_th_sport(),
decoded_data.child().child().get_th_dport()
)
#----------------------------------------------------------------------
def get_raw_data(self, decoded_data):
""" Returns byte data """
#return decoded_data.child().child().child().get_buffer_as_string()
return decoded_data.child().child().child().get_packet()
#----------------------------------------------------------------------
def packet_handler(self, header, data):
print data
import sys
sys.exit(12)
"""
Packet Handler Function
Use the ImpactDecoder to turn the rawpacket into a human readable format
"""
decoded_data = self.decoder.decode(data)
src_ip, dst_ip = self.get_ips(decoded_data)
src_port, dst_port = self.get_ports(decoded_data)
raw_data = self.get_raw_data(decoded_data)
#print "[%s:%s] --> [%s:%s]" % (src_ip, src_port, dst_ip, dst_port)
print raw_data
if raw_data.startswith("HTTP"):
decode_raw = HttpResponseDecoder(raw_data)
decode_raw.parse()
print decode_raw
print decode_raw.body
self.stop = True
else:
decode_raw = HttpRequestDecoder(raw_data)
decode_raw.parse()
print decode_raw
class DecoderThread(Thread):
def __init__(self, pcapObj, queue):
# Query the type of the link and instantiate a decoder accordingly.
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.queue = queue
self.pcap = pcapObj
Thread.__init__(self)
def run(self):
# Sniff ad infinitum.
# PacketHandler shall be invoked by pcap for every packet.
self.pcap.loop(0, self.packetHandler)
def packetHandler(self, hdr, data):
# Use the ImpactDecoder to turn the rawpacket into a hierarchy
# of ImpactPacket instances, then send it to the Visualiser
# which drives the Holiday lights.
try:
p = self.decoder.decode(data)
except (Exception, KeyboardInterrupt) as e:
print e
return
try:
protocol = p.child().__class__.__name__
size = p.get_size()
src = False
if protocol == 'IP' or protocol == 'UDP':
src = p.child().get_ip_src()
dest = p.child().get_ip_dst()
elif protocol == 'IP6':
src = p.child().get_source_address()
dest = p.child().get_destination_address()
print "IP6", src, dest
src = False
if src:
l = size_to_length(size)
if src[0:2] == '10':
col = local_ip_to_rgb(src)
#col = ip_to_rgb(dest)
v = SPEED / l
i = 0
else:
if RETURN_SAME:
col = local_ip_to_rgb(src)
else:
col = ip_to_rgb(src)
v = -SPEED / l
i = -52
gradient = make_pulse(col, l)
#print gradient
self.queue.put(pulse.Pulse(i, v, gradient))
#print protocol, src, " -> ", dest, "Size ", size
except Exception as e:
print "Decoding failed"
print e
return
class SnifferThread(Thread):
"""
Main decoder/network sniffer class (running in separate thread).
"""
# initialization
#
def __init__(self, pcapObj):
""" Query the type of the link and instantiate a decoder accordingly. """
datalink = pcapObj.datalink()
if pcapy.DLT_EN10MB == datalink:
self.decoder = EthDecoder()
elif pcapy.DLT_LINUX_SLL == datalink:
self.decoder = LinuxSLLDecoder()
else:
raise Exception("Datalink type not supported: " % datalink)
self.pcap = pcapObj
self.buffer = [] # init internal buffer
self.quit = False # quit thread?
Thread.__init__(self)
def run(self):
""" Sniff ad infinitum.
PacketHandler shall be invoked by pcap for every packet.
When returning with error, decide """
while not self.quit:
try:
self.pcap.loop(0, self.__packetHandler)
except SystemExit: # raised by '__packetHandler' to force quit
pass
# is there a direct (simpler?) way to force return from waiting 'self.pcap.loop' ?!?
except: # generic error
#warnings.warn( "%s %s" % sys.exc_info()[0:2] )
#print "\n".join(inspect.getframeinfo(sys.exc_info()[2]).code_context)
#print "".join([ 'File "%s", line %i, in %s (%s)\n%s\n' % (f[1:4]+("\n".join(f[4]),)) for f in inspect.getinnerframes(sys.exc_info()[2]) ])
warnings.warn("\n".join(PyLib.tb_info()[2]))
sys.exc_clear()
def __packetHandler(self, hdr, data):
""" Use the ImpactDecoder to turn the rawpacket into a hierarchy
of ImpactPacket instances.
Then search for URLs in packet by regex and log them to list. """
if self.quit: raise SystemExit('capture on interface stoped.')
decoded_data = self.decoder.decode(data)
(src, dst, data) = self.__getHeaderInfo(decoded_data)
for item in regex_links.finditer(str(data)):
if not item: continue
#pos = item.start()
link = item.groups()[0]
#self.buffer.append( (link,) )
self.buffer.append((
link,
src,
dst,
)) # append to internal buffer
# thanks to http://d.hatena.ne.jp/shoe16i/mobile?date=20090203§ion=p1
def __getHeaderInfo(self, decoded_data):
""" Extract the header info completely. """
ip = decoded_data.child()
tcp = ip.child()
#src = (ip.get_ip_src(), tcp.get_th_sport())
try:
src = ip.get_ip_src()
except:
src = '?'
#dst = (ip.get_ip_dst(), tcp.get_th_dport())
try:
dst = ip.get_ip_dst()
except:
dst = '?'
#data = tcp.get_data_as_string()
data = tcp.get_packet()
return (src, dst, data)
