def managed_trace(in_uri):
trace = plt.trace(in_uri)
trace.start()
try:
yield trace
finally:
trace.close()
def test_uri(uri, tag=''):
t = plt.trace(uri)
t.start()
nip = n = 0
for pkt in t:
n += 1
test_println("n = %d" % n, tag+get_tag("n:"+str(n)))
ipf = natkit.IPflow(pkt)
if not ipf:
test_println("probably not an IP packet", tag+get_tag("n:"+str(n)))
continue
nip += 1
test_println("%5d: %d %3d %5d %5d %s %s" % (n, # v6
ipf.version, ipf.proto, ipf.src_port, ipf.dst_port,
ipf.src_prefix, ipf.dst_prefix), tag+get_tag("n:"+str(n)))
fwd = ipf.fwd_key
test_print("fwd =", tag+get_tag("n:"+str(n)))
for b in fwd.encode(encoding='cp437'):
test_print_hex(b)
rev = ipf.rev_key
test_println('')
test_print("rev =", tag+get_tag("n:"+str(n)))
for b in rev.encode(encoding='cp437'):
test_print_hex(b)
test_println('')
if nip == 4:
break
t.close()
def __init__(self,
lturi,
chains=None,
idle_timeout=30,
expiry_timeout=5,
aggregate=False):
"""
Create an Observer.
:param chains: Array of Observer chain classes
:see also: :ref:`Observer Documentation <observer>`
"""
# Only import this when needed
import plt as libtrace
# Control
self._irq = None
self._irq_fired = False
self._aggregate = aggregate
# Libtrace initialization
self._trace = libtrace.trace(lturi) # pylint: disable=no-member
self._trace.start()
self._pkt = libtrace.packet() # pylint: disable=no-member
# Chains of functions to evaluate
chains = chains if chains is not None else []
self._chains = [chain() for chain in chains]
# Packet timer and bintables
self._ptq = 0 # current packet timer, quantized
self._idle_bins = {} # map bin number to set of fids
self._expiry_bins = {} # map bin number to set of fids
self._idle_timeout = idle_timeout
self._expiry_timeout = expiry_timeout
self._bin_quantum = 1
#self._tq = [] # packet timer queue (heap)
# Flow tables
self._active = {}
self._expiring = {}
self._ignored = set()
# Emitter queue
self._emitted = collections.deque()
# Statistics and logging
self._logger = logging.getLogger("observer")
self._ct_pkt = 0
self._ct_nonip = 0
self._ct_shortkey = 0
self._ct_ignored = 0
self._ct_flow = 0
def get_example_trace(fn):
cwd = os.getcwd()
basename = os.path.basename(cwd)
if re.match(r'python-libtrace', basename):
full_fn = 'pcapfile:' + cwd + '/doc/examples/' + fn
else:
full_fn = 'pcapfile:' + cwd + '/' + fn
print "fullfn = {0}\n" . format(full_fn)
t = plt.trace(full_fn)
t.start()
return t
def test_uri(uri):
t = plt.trace(uri)
t.start()
nip = n = 0
for pkt in t:
n += 1
print "n = %4d" % n,
ipf = natkit.IPflow(pkt)
if not ipf:
print
continue
nip += 1
print " %d %3d %5d->%5d %s->%s" % (
ipf.version, ipf.proto, ipf.src_port, ipf.dst_port,
ipf.src_prefix, ipf.dst_prefix)
fwd = ipf.fwd_key
#print "fwd = %s" % fwd
v = test_dict.get(fwd)
if v:
v.fwd += 1
else:
rev = ipf.rev_key
#print "rev = %s" % rev
v =test_dict.get(rev)
if v:
v.rev += 1
else:
test_dict[fwd] = flow(ipf, n)
#fwd = ipf.fwd_key
#test_dict[fwd] = flow(ipf, n)
#rev = ipf.rev_key
#test_dict[rev] = flow(ipf, n+1000)
if nip == 10:
break
t.close()
print
sk = sorted(test_dict)
for dk in sk:
#print "dk = >%s<, val[k] = %d" % (dk, test_dict[dk])
val = test_dict[dk]
f = val.ipf
print " %3d: %d+%d; %d %d %d->%d %s->%s" % (
val.first_n, val.fwd, val.rev,
f.version, f.proto, f.src_port, f.dst_port,
f.src_prefix, f.dst_prefix)
def test_uri(uri):
t = plt.trace(uri)
t.start()
nip = n = 0
for pkt in t:
n += 1
print "n = %4d" % n,
ipf = natkit.IPflow(pkt)
if not ipf:
print
continue
nip += 1
print " %d %3d %5d->%5d %s->%s" % (ipf.version, ipf.proto,
ipf.src_port, ipf.dst_port,
ipf.src_prefix, ipf.dst_prefix)
fwd = ipf.fwd_key
#print "fwd = %s" % fwd
v = test_dict.get(fwd)
if v:
v.fwd += 1
else:
rev = ipf.rev_key
#print "rev = %s" % rev
v = test_dict.get(rev)
if v:
v.rev += 1
else:
test_dict[fwd] = flow(ipf, n)
#fwd = ipf.fwd_key
#test_dict[fwd] = flow(ipf, n)
#rev = ipf.rev_key
#test_dict[rev] = flow(ipf, n+1000)
if nip == 10:
break
t.close()
print
sk = sorted(test_dict)
for dk in sk:
#print "dk = >%s<, val[k] = %d" % (dk, test_dict[dk])
val = test_dict[dk]
f = val.ipf
print " %3d: %d+%d; %d %d %d->%d %s->%s" % (
val.first_n, val.fwd, val.rev, f.version, f.proto, f.src_port,
f.dst_port, f.src_prefix, f.dst_prefix)
def test_uri(uri, tag=''):
t = plt.trace(uri)
t.start()
nip6 = nip = n = 0
for pkt in t:
n += 1
if not (pkt.ip or pkt.ip6):
continue
try:
ipf = fh.flow(pkt)
except:
test_println("%4d: probably not an IP packet" % n,
tag + get_tag("n:" + str(n)))
continue
if not ipf.is_inward:
print_flow(n, ipf, tag + get_tag("n:" + str(n)))
else:
if pkt.ip:
nip += 1
#if nip <= 4:
print_flow(n, ipf, tag + get_tag("n:" + str(n)))
elif pkt.ip6:
nip6 += 1
#if nip6 <= 4:
print_flow(n, ipf, tag + get_tag("n:" + str(n)))
fwd = ipf.fwd_key
test_print("fwd =", tag + get_tag("n:" + str(n)))
for b in fwd:
test_print(" %02x" % b)
test_println('')
hk = ipf.home_key
test_print('', tag + get_tag("n:" + str(n)))
test_print("hom =")
for b in hk:
test_print(" %02x" % b)
test_println('')
#if n == 480:
# break
t.close()
def test_uri(uri):
t = plt.trace(uri)
t.start()
nip6 = nip = n = 0
for pkt in t:
n += 1
if not (pkt.ip or pkt.ip6):
continue
#try:
# ipf = fh.flow(pkt)
#except:
# print "%4d: probably not an IP packet" % n
# continue
ipf = fh.flow(pkt)
#print "n = %d, ipf = %s" % (n, ipf)
if not ipf.is_inward:
print_flow(n, ipf)
else:
if pkt.ip:
nip += 1
#if nip <= 4:
print_flow(n, ipf)
elif pkt.ip6:
nip6 += 1
#if nip6 <= 4:
print_flow(n, ipf)
fwd = ipf.fwd_key
print "fwd =",
for b in fwd:
print " %02x" % ord(b),
hk = ipf.home_key
print "\nhom =",
for b in hk:
print " %02x" % ord(b),
print
#if n == 4: # 480:
# break
t.close()
def test_uri(uri, tag=''):
t = plt.trace(uri)
t.start()
nip = n = 0
for pkt in t:
n += 1
test_println("n = %d" % n, tag + get_tag("n:" + str(n)))
try:
ipf = natkit.IPflow(pkt)
except:
test_println("probably not an IP packet",
tag + get_tag("n:" + str(n)))
continue
nip += 1
test_println(
"%5d: %d %3d %5d %5d %s %s" % (
n, # v6
ipf.version,
ipf.proto,
ipf.src_port,
ipf.dst_port,
ipf.src_prefix,
ipf.dst_prefix),
tag + get_tag("n:" + str(n)))
fwd = ipf.fwd_key
test_print("fwd =", tag + get_tag("n:" + str(n)))
for b in fwd:
test_print(" %02x" % b)
rev = ipf.rev_key
test_println('')
test_print("rev =", tag + get_tag("n:" + str(n)))
for b in rev:
test_print(" %02x" % b)
test_println('')
if nip == 4:
break
t.close()
def test_uri(uri):
t = plt.trace(uri)
t.start()
nip6 = nip = n = 0
for pkt in t:
n += 1
if not (pkt.ip or pkt.ip6):
continue
try:
ipf = fh.flow(pkt)
except:
print("%4d: probably not an IP packet" % n)
continue
if not ipf.is_inward:
print_flow(n, ipf)
else:
if pkt.ip:
nip += 1
#if nip <= 4:
print_flow(n, ipf)
elif pkt.ip6:
nip6 += 1
#if nip6 <= 4:
print_flow(n, ipf)
fwd = ipf.fwd_key
print("fwd =", end=' ')
for b in fwd:
print(" %02x" % ord(b), end=' ')
hk = ipf.home_key
print("\nhom =", end=' ')
for b in hk:
print(" %02x" % ord(b), end=' ')
print()
#if n == 480:
# break
t.close()
def bridgemulticast(interface):
bridgesocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
bridgesocket.connect(bridgehost)
print("capturing on {}".format(interface))
trace = plt.trace('bpf:{}'.format(interface))
#capturefilter = 'multicast and host 239.255.42.42 and port 5004'
capturefilter = 'udp and port 5004'
capfilter = plt.filter(capturefilter)
trace.conf_filter(capfilter)
trace.conf_promisc(True)
trace.start()
try:
for pkt in trace:
hdr = pkt.udp
if not hdr:
continue
data = pkt.udp_payload.data
print(type(data))
if not data:
continue
if len(data) < 1000:
continue
try:
s = bridgesocket.send(data)
print('sent ', s)
except:
pass
except KeyboardInterrupt:
trace.close()
sys.exit()
def test_uri(uri):
t = plt.trace(uri)
t.start()
nip = n = 0
for pkt in t:
n += 1
print "n = %d" % n
try:
ipf = natkit.IPflow(pkt)
except:
print "probably not an IP packet"
continue
nip += 1
print "%5d: %d %3d %5d %5d %s %s" % (
n, # v6
ipf.version,
ipf.proto,
ipf.src_port,
ipf.dst_port,
ipf.src_prefix,
ipf.dst_prefix)
fwd = ipf.fwd_key
print "fwd =",
for b in fwd:
print " %02x" % ord(b),
rev = ipf.rev_key
print "\nrev =",
for b in rev:
print " %02x" % ord(b),
print
if nip == 4:
break
t.close()
def test_uri(uri, tag=''):
t = plt.trace(uri)
t.start()
nip6 = nip = n = 0
for pkt in t:
n += 1
if not (pkt.ip or pkt.ip6):
continue
ipf = fh.flow(pkt)
if not ipf.is_inward:
print_flow(n, ipf, tag+get_tag("n:"+str(n)))
else:
if pkt.ip:
nip += 1
#if nip <= 4:
print_flow(n, ipf, tag+get_tag("n:"+str(n)))
elif pkt.ip6:
nip6 += 1
#if nip6 <= 4:
print_flow(n, ipf, tag+get_tag("n:"+str(n)))
fwd = ipf.fwd_key
test_print("fwd =", tag+get_tag("n:"+str(n)))
for b in fwd.encode(encoding='cp437'):
test_print_hex(b)
test_println('')
hk = ipf.home_key
test_print("hom =", tag+get_tag("n:"+str(n)))
for b in hk.encode(encoding='cp437'):
test_print_hex(b)
test_println('')
t.close()
import plt # Also imports IPprefix and datetime
import sys # argv, exit
in_uri = sys.argv[1] # Program name is argv[0]
out_uri = sys.argv[2]
n_records = sys.argv[3]
if not n_records or int(n_records) <= 0:
print "Number of records to copy not specified <<<"
exit()
else:
n_records = int(n_records)
print "copying first %d records from %s to %s ..." % (
n_records, in_uri, out_uri)
t = plt.trace(in_uri)
t.start()
ot = plt.output_trace(out_uri)
ot.start_output()
n = 0
for pkt in t:
n += 1
ot.write_packet(pkt)
if n == n_records:
break
ot.close_output(); t.close()
#!/usr/bin/env python
# 1156, Thu 8 Jun 2017 (NZDT)
# test-pldns-tcp.py: Demonstrate Ldns objects from tcp
# Copyright (C) 2017, Nevil Brownlee, U Auckland
import plt
import pldns
from plt_testing import *
t = plt.trace('pcapfile:dns_valid_response_tcp.pcap')
t.start()
n = 0
margin = ' ' * 7
for pkt in t:
n += 1 # Wireshark uses 1-org packet numbers
ip = pkt.ip
if not ip:
continue # Not IP
if ip.frag_offset != 0:
continue # Non-first fragment
tcp = pkt.tcp
if not tcp:
continue # Not TCP
if not (tcp.src_port == 53 or tcp.dst_port == 53):
continue
payload = tcp.payload
if not payload:
continue
# python copy-first-n.py pcapfile:anon-v4.pcap pcapfile:first-n.pcap 30
import plt # Also imports IPprefix and datetime
import sys # argv, exit
from plt_testing import *
in_uri = 'icmp-sample.pcap'
out_uri = 'pcapfile:icmp-sample-out.pcap'
n_records = 10
test_println(
"copying first %d records from %s to %s ..." %
(n_records, in_uri, out_uri), get_tag())
t = plt.trace(in_uri)
t.start()
ot = plt.output_trace(out_uri)
ot.start_output()
n = 0
for pkt in t:
n += 1
ot.write_packet(pkt)
if n == n_records:
break
if n != n_records:
def test_uri(uri, tag=''):
t = plt.trace(uri)
t.start()
nip = n = 0
for pkt in t:
n += 1
test_println("n = %d" % n, tag + get_tag("n:" + str(n)))
ipf = natkit.IPflow(pkt)
if not ipf:
test_println(" ", tag + get_tag())
continue
nip += 1
test_println(
"%5d: %d %3d %5d %5d %s %s" % (
n, # v6
ipf.version,
ipf.proto,
ipf.src_port,
ipf.dst_port,
ipf.src_prefix,
ipf.dst_prefix),
tag + get_tag("n:" + str(n)))
fwd = ipf.fwd_key
test_print("fwd =", tag + get_tag("n:" + str(n)))
for b in fwd:
test_print(" %02x" % b)
rev = ipf.rev_key
test_println('')
test_print("rev =", tag + get_tag("n:" + str(n)))
for b in rev:
test_print(" %02x" % b)
test_println('')
v = test_dict.get(fwd)
if v:
v.fwd += 1
else:
rev = ipf.rev_key
v = test_dict.get(rev)
if v:
v.rev += 1
else:
test_dict[fwd] = flow(ipf, n)
if nip == 6:
break
t.close()
test_println('')
sk = sorted(test_dict)
for dk in sk:
#print "dk = >%s<, val[k] = %d" % (dk, test_dict[dk])
val = test_dict[dk]
f = val.ipf
test_println(
" %3d: %d+%d; %d %d %d->%d %s->%s" %
(val.first_n, val.fwd, val.rev, f.version, f.proto, f.src_port,
f.dst_port, f.src_prefix, f.dst_prefix),
tag + get_tag("n:" + str(n)))
def __init__(self, lturi,
new_flow_chain=[],
ip4_chain=[],
ip6_chain=[],
icmp4_chain=[],
icmp6_chain=[],
tcp_chain=[],
udp_chain=[],
l4_chain=[],
idle_timeout=30,
expiry_timeout=5):
"""
Create an Observer.
:param new_flow_chain: Array of functions to initialise new flows.
:type new_flow_chain: array(function)
:param ip4_chain: Array of functions to pass IPv4 headers to.
:type ip4_chain: array(function)
:param ip6_chain: Array of functions to pass IPv6 headers to.
:type ip6_chain: array(function)
:param icmp4_chain: Array of functions to pass IPv4 headers containing
ICMPv4 headers to.
:type icmp4_chain: array(function)
:param icmp6_chain: Array of functions to pass IPv6 headers containing
ICMPv6 headers to.
:type icmp6_chain: array(function)
:param tcp_chain: Array of functions to pass TCP headers to.
:param tcp_chain: Array of functions to pass TCP headers to.
:type tcp_chain: array(function)
:param udp_chain: Array of functions to pass UDP headers to.
:type udp_chain: array(function)
:param l4_chain: Array of functions to pass other layer 4 headers to.
:type l4_chain: array(function)
:see also: :ref:`Observer Documentation <observer>`
"""
# Only import this when needed
import plt as libtrace
# Control
self._irq = None
self._irq_fired = False
# Libtrace initialization
self._trace = libtrace.trace(lturi) # pylint: disable=no-member
self._trace.start()
self._pkt = libtrace.packet() # pylint: disable=no-member
# Chains of functions to evaluate
self._new_flow_chain = new_flow_chain
self._ip4_chain = ip4_chain
self._ip6_chain = ip6_chain
self._icmp4_chain = icmp4_chain
self._icmp6_chain = icmp6_chain
self._tcp_chain = tcp_chain
self._udp_chain = udp_chain
self._l4_chain = l4_chain
# Packet timer and bintables
self._ptq = 0 # current packet timer, quantized
self._idle_bins = {} # map bin number to set of fids
self._expiry_bins = {} # map bin number to set of fids
self._idle_timeout = idle_timeout
self._expiry_timeout = expiry_timeout
self._bin_quantum = 1
#self._tq = [] # packet timer queue (heap)
# Flow tables
self._active = {}
self._expiring = {}
self._ignored = set()
# Emitter queue
self._emitted = collections.deque()
# Statistics and logging
self._logger = logging.getLogger("observer")
self._ct_pkt = 0
self._ct_nonip = 0
self._ct_shortkey = 0
self._ct_ignored = 0
self._ct_flow = 0
with open(full_fn) as file:
print "File opened OK"
file.close()
except IOError as e:
print "Unable to open file" #Does not exist OR no read permissions
trace_format = "pcapfile"
#trace_format = "erf"
uri = trace_format + ':' + full_fn
print ">> uri = %s" % uri
flt = plt.filter('vlan 1051 and tcp')
print "flt = %s" % flt
t = plt.trace(uri)
t.conf_filter(flt)
t.conf_snaplen(48)
t.start()
print "+++ started"
t.pause()
print "+++ paused"
t.start()
print "+++ started again"
#out_fn = base + '/' + "pypy/pylt/plt/test-out-zlib.pcap"
out_fn = base + '/' + "pypy/pylt/plt/test-out-none.pcap"
out_uri = trace_format + ':' + out_fn
print ">> out_uri = %s" % out_uri
out_t = plt.output_trace(out_uri)
#!/usr/bin/env python
# 1818, Sat 5 Jul 14 (NZST)
# test-pldns.py: Demonstrate Ldns objects
# Copyright (C) 2014, Nevil Brownlee, U Auckland
import plt
import pldns
test_dir = '../../test/v2-test-cases'
t = plt.trace('pcapfile:' + test_dir + '/dns-test.pcap')
t.start()
n = 0
margin = ' ' * 7
for pkt in t:
n += 1 # Wireshark uses 1-org packet numbers
ip = pkt.ip
if not ip:
continue # Not IP
if ip.frag_offset != 0:
continue # Non-first fragment
udp = pkt.udp
if not udp:
continue # Not UDP
ldns_obj = pldns.ldns(udp.payload)
print "%5d: %s -> %s" % (n, udp.src_prefix, udp.dst_prefix)
if not ldns_obj.is_ok():
#!/usr/bin/env python
# 1156, Thu 8 Jun 2017 (NZDT)
# test-pldns-tcp.py: Demonstrate Ldns objects from tcp
# Copyright (C) 2017, Nevil Brownlee, U Auckland
import plt
import pldns
from plt_testing import *
t = plt.trace('pcapfile:dns_valid_response_tcp.pcap')
t.start()
n = 0; margin = ' '*7
for pkt in t:
n += 1 # Wireshark uses 1-org packet numbers
ip = pkt.ip
if not ip:
continue # Not IP
if ip.frag_offset != 0:
continue # Non-first fragment
tcp = pkt.tcp
if not tcp:
continue # Not TCP
if not (tcp.src_port == 53 or tcp.dst_port == 53):
continue
payload = tcp.payload
if not payload:
continue
ldns_obj = pldns.ldns(payload)
def main():
signal.signal(signal.SIGINT, signal_handler)
args = deal_with_arguments()
# Set up our storage.
try:
flows = FlowStorage(filename=args.flow_db_name,
persistant_storage=args.storage)
dests = DestStorage(filename=args.dest_db_name,
persistant_storage=args.storage)
except Exception as e:
print("Problem setting up databases:\n\t%s" % e)
exit()
# Try opening our trace.
try:
t = plt.trace(args.input)
except Exception as e:
print("Trouble opening trace URI/device:\n\t%s" % e)
exit()
# Try setting up our filter if given one.
try:
if args.filter != None or args.target != None:
if args.filter != None and args.target != None:
args.filter = args.filter + " and "
elif args.filter == None:
args.filter = ""
if args.target != None:
args.filter = args.filter + "dst "
if '/' in args.target:
args.filter = args.filter + "net "
args.filter = args.filter + args.target
f = plt.filter(args.filter)
print("Applying filter \"%s\"" % args.filter)
t.conf_filter(f)
except Exception as e:
print("Trouble applying bpf filter: \'%s\'\n\t%s" % (args.filter, e))
exit()
print("Press Ctrl+C to exit.")
# Try reading.
try:
t.start()
except Exception as e:
print(e)
exit()
# And we're off - loop for as long as we get packets (or ^C)
packet_count = 0
non_ipv4_packets = 0
non_ip_packets = 0
non_tcp_packets = 0
last_time_check_pkt_ts = 0
current_time = int(time.time())
do_stats_time = current_time + args.interval
do_updates_time = current_time + 15
last_packet_count = 0
last_ts = -2
current_ts = -1
print("Packets processed:\t"),
for pkt in t:
packet_count = packet_count + 1
last_packet_count = last_packet_count + 1
last_ts = current_ts
current_ts = pkt.seconds
if last_ts > (current_ts + .5):
print("PROBLEM: timestamps out of order: Last ts: %f this ts: %f" %
(last_ts, current_ts))
exit()
print("%012d\b\b\b\b\b\b\b\b\b\b\b\b" % packet_count),
# If we've gone through an interval's worth of packets, check the actual time
# we may be going through packets *much* faster than real-time if we're
# reading from a trace, but this keeps us from constantly checking the time
# to determine when we update/print stats.
if current_ts - last_time_check_pkt_ts > 3 or last_packet_count > 100:
current_time = int(time.time())
last_time_check_pkt_ts = current_ts
if do_stats_time < current_time:
print("\nDo stats")
dests.update_dest_info(flows, current_ts)
do_stats_time = current_time + args.interval
do_update_time = current_time + 60
print("Packets processed:\t"),
elif do_updates_time < current_time or last_packet_count > 100:
print("\nUpdating tables %d" % last_packet_count)
last_packet_count = 0
dests.update_dest_info(flows, current_ts, do_stats=False)
do_updates_time = current_time + 60
print("Packets processed:\t"),
# IP layer
ip = pkt.ip
if not ip:
non_ip_packets = non_ip_packets + 1
continue
# IPv4
if ip.version != 4:
non_ipv4_packets = non_ipv4_packets + 1
continue
# TCP is al we care about right now.
tcp = pkt.tcp
if not tcp:
non_tcp_packets = non_tcp_packets + 1
continue
# Get what we're using for dictionary keys.
pkt_src = str(ip.src_prefix)
pkt_dst = str(ip.dst_prefix)
pkt_sport = str(tcp.src_port)
pkt_dport = str(tcp.dst_port)
# Not perfect - we don't check for certain combinations (ie combinations that don't make sense).
event = OTHER
if tcp.syn_flag:
if not tcp.ack_flag:
event = SYN
else:
event = SYN_ACK
elif tcp.fin_flag:
event = FIN
elif tcp.rst_flag:
event = RST
elif tcp.ack_flag or tcp.urg_flag or tcp.psh_flag:
event = ACK_AND_DATA
else:
print("Unknown flags!")
# Ready to store.
flows.add_tcp_flow_event(current_ts, pkt_src, pkt_sport, pkt_dst,
pkt_dport, event)
print("\nDone\n")
dests.update_dest_info(flows, current_ts + DESTSTAT_TIMEOUT)
flows.close()
dests.close()
# 1123, Tue 30 Jan 2018 (NZDT)
#
# test-sctp.py: Test SCTP handling in plt
#
# Copyright (C) 2018, Nevil Brownlee, U Auckland | WAND
from plt_testing import *
import plt
tcp_fn = "sctp-demo.pcap" # Data file name
t = plt.trace("pcapfile:"+tcp_fn)
t.start() # Start t
n = 0
for pkt in t: # Get next packet
n += 1 # Count it
sctp = pkt.sctp
if not sctp:
continue
s = "%4d: src_port %u, dst_port %d, vf tag %08x, checksum %08x" % (
n, sctp.src_port, sctp.dst_port, sctp.verification_tag, sctp.checksum)
test_println(s, get_tag())
cho = sctp.chunks
for cx,ch in enumerate(cho): ###sctp.chunks):
s = "%4d chunk %d: type %d, flags %02x length %d bytes OK %s " % (
n, cx, ch.type, ch.flags, ch.length, ch.is_ok)
test_println(s, get_tag())
s = " "*9 + "bytes:"
def test_uri(uri, tag=''):
test_dict = {}
t = plt.trace(uri)
t.start()
nip = n = 0
for pkt in t:
n += 1
test_println("n = %d" % n, tag+get_tag("n:"+str(n)))
ipf = natkit.IPflow(pkt)
if not ipf:
test_println(" ", tag+get_tag())
continue
nip += 1
test_println("%5d: %d %3d %5d %5d %s %s" % (n, # v6
ipf.version, ipf.proto, ipf.src_port, ipf.dst_port,
ipf.src_prefix, ipf.dst_prefix), tag+get_tag("n:"+str(n)))
fwd = ipf.fwd_key
test_print("fwd =", tag+get_tag("n:"+str(n)))
for b in fwd.encode(encoding='cp437'):
test_print_hex(b)
test_println('')
rev = ipf.rev_key
test_println('')
for b in rev.encode(encoding='cp437'):
test_print_hex(b)
test_println('')
v = test_dict.get(fwd)
if v:
v.fwd += 1
else:
rev = ipf.rev_key
v =test_dict.get(rev)
if v:
v.rev += 1
else:
test_dict[fwd] = flow(ipf, n)
if nip == 6:
break
t.close()
test_println('')
sk = sorted(test_dict)
tot_pkts = 0
for dk in sk:
#print "dk = >%s<, val[k] = %d" % (dk, test_dict[dk])
val = test_dict[dk]
f = val.ipf
test_println(" %3d: %d+%d; %d %d %d->%d %s->%s" % (
val.first_n, val.fwd, val.rev,
f.version, f.proto, f.src_port, f.dst_port,
f.src_prefix, f.dst_prefix), tag+get_tag("n:"+str(n)))
tot_pkts += val.fwd+val.rev
test_println("%s: n = %d, nip = %d, tot_pkts = %d, OK = %s" % \
(uri, n, nip, tot_pkts, tot_pkts == nip))
test_println("")
#!/usr/bin/env python
# 1818, Sat 5 Jul 14 (NZST)
# test-pldns.py: Demonstrate Ldns objects
# Copyright (C) 2015, Nevil Brownlee, U Auckland
import plt
import pldns
from plt_testing import *
t = plt.trace('pcapfile:dns-test.pcap')
t.start()
n = 0; margin = ' '*7
for pkt in t:
n += 1 # Wireshark uses 1-org packet numbers
ip = pkt.ip
if not ip:
continue # Not IP
if ip.frag_offset != 0:
continue # Non-first fragment
udp = pkt.udp
if not udp:
continue # Not UDP
ldns_obj = pldns.ldns(udp.payload)
test_println("%5d: %s -> %s" % (n, udp.src_prefix, udp.dst_prefix), get_tag())
if not ldns_obj.is_ok():
test_println("%sCouldn't make ldns_obj, status = <%s>" % (
def main():
signal.signal(signal.SIGINT, signal_handler)
args = deal_with_arguments()
packets = {}
Bytes = {}
for proto in (TCP, UDP, ICMP):
packets[proto] = 0
Bytes[proto] = 0
print("Press Ctrl+C to exit.")
print("Packets processed:\t")
# Set up our storage.
try:
outputfile = open(args.db_name, 'w')
tcp_flows = FlowStorage(filename=args.db_name)
udp_flows = FlowStorage(filename=args.db_name)
icmp_flows = FlowStorage(filename=args.db_name)
dests = DestStorage(filename=args.db_name)
except Exception as e:
print("Problem setting up databases:\n\t%s" % e)
exit()
# Try opening our trace.
if ("nfdump:" in args.input):
records = search_file(args.input[7:])
parse_nfdump(records, packets, Bytes, args.interval, tcp_flows,
udp_flows, icmp_flows)
elif ("flow-tools:" in args.input):
records = flowtools.FlowSet(args.input[11:])
parse_flowtools(records, packets, Bytes, args.interval, tcp_flows,
udp_flows, icmp_flows)
else:
try:
t = plt.trace(args.input)
except Exception as e:
print("Trouble opening trace URI/device:\n\t%s" % e)
exit()
# Try setting up our filter if given one.
try:
if args.filter != None or args.target != None:
if args.filter != None and args.target != None:
args.filter = args.filter + " and "
elif args.filter == None:
args.filter = ""
if args.target != None:
args.filter = args.filter + "dst "
if '/' in args.target:
args.filter = args.filter + "net "
args.filter = args.filter + args.target
f = plt.filter(args.filter)
print("Applying filter \"%s\"" % args.filter)
t.conf_filter(f)
except Exception as e:
print("Trouble applying bpf filter: \'%s\'\n\t%s" %
(args.filter, e))
exit()
try:
t.start()
except Exception as e:
print(e)
exit()
parse_pcap(t, packets, Bytes, args.interval, tcp_flows, udp_flows,
icmp_flows)
print("\n************ OVERALL STATS ******************\n")
print(
"TCP packets\t%s\tBytes\t%s\nUDP packets\t%s\tBytes\t%s\nICMP packets\t%s\tBytes\t%s\n"
% (packets[TCP], Bytes[TCP], packets[UDP], Bytes[UDP], packets[ICMP],
Bytes[ICMP]))
print >> outputfile, "ALL %s %s %s %s %s %s" % (packets[TCP], packets[UDP],
packets[ICMP], Bytes[TCP],
Bytes[UDP], Bytes[ICMP])
dests.print_stats(tcp_flows, 'TCP', outputfile)
dests.print_stats(udp_flows, 'UDP', outputfile)
dests.print_stats(icmp_flows, 'ICMP', outputfile)
outputfile.close()
full_fn = base + '/' + fn
print "%s: isfile %s" % (full_fn, os.path.isfile(full_fn))
#try:
# with open(full_fn) as file:
# print "File opened OK"
# file.close()
#except IOError as e:
# print "Unable to open file" #Does not exist OR no read permissions
trace_format = "pcapfile"
#trace_format = "erf"
uri = trace_format + ':' + full_fn
print ">> uri = %s" % uri
t = plt.trace(uri)
t.start()
test_dict = {}
td_2 = {}
def print_first(s):
for x in range(16):
if x%8 == 0:
print "",
print "%02x" % s[x],
def print_last(s, rem):
x = (rem-8)/8*8
while x < rem:
if x%8 == 0:
tcp_fn = "anon-v4.pcap"
def test_option(n):
xn = tcp.option(n)
if isinstance(xn, bool):
print((" opt %d: > %s <" % (n, xn)))
else:
oline = " opt %d: >" % n
for c in xn:
oline += " %02x" % c
print((oline + " <"))
t = plt.trace("pcapfile:" + tcp_fn)
t.start()
n = 0
for pkt in t:
n += 1
tcp = pkt.tcp
if not tcp:
continue
if tcp.doff == 5: # No TCP options
continue
print(("pkt %d ---" % n))
xod = tcp.options_data
oline = " "
for c in xod:
