def test_open_good_file(self): import os input_filename = tempfile.mktemp() f = open(input_filename, "wb") f.write(struct.pack("IHHIIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)) f.close() reader = pure_pcapy.open_offline(input_filename) self.assertTrue(isinstance(reader, pure_pcapy.Reader)) os.unlink(input_filename)
def listIPs(infpath): result=[] linkdecoder=None ipdecoder=ImpactDecoder.IPDecoder() tcpdecoder=ImpactDecoder.TCPDecoder() gredecoder=gre.GREDecoder() def getTCP(plink): if plink.get_ether_type() == ImpactPacket.IP.ethertype: pip=ipdecoder.decode(plink.get_data_as_string()) if pip.get_ip_p() == ImpactPacket.TCP.protocol: ptcp=tcpdecoder.decode(pip.get_data_as_string()) return ptcp elif pip.get_ip_p() == gre.GRE.protocol: ptcp=getTCP(gredecoder.decode(pip.get_data_as_string())) return ptcp return None def f(h,rawp): plink=linkdecoder.decode(rawp) ptcp=getTCP(plink) if ptcp: if ptcp.get_th_dport() == 1863 or ptcp.get_th_sport() == 1863: load=ptcp.get_data_as_string() process(load,h) def process(load,h): if load: if load.count('4vPI')>0 or load.count('IPv4')>0: ls=load.split('\r\n') ffrom='' ip='' for l in ls: if l.startswith('From: '): ffrom=l.split(':')[2].split(';')[0].rstrip('>').lstrip(' ') else: ips='' if l.count('4vPI')>0 and l.count('Addrs'[::-1])>0: ips=l.split(':',1)[1][::-1].split(':')[0].split(' ') if l.count('IPv4')>0 and l.count('Addrs')>0: ips=l.split(':',1)[1].split(':')[0].split(' ') if ffrom and ips: for ip in ips: ip=ip.strip(' ') if ip and not (ip.startswith('192.168.') or ip.startswith('127.') or ip.startswith('10.') ): k=ip+'\t'+ffrom.strip(' ') t=time.localtime(h.ts[0]+h.ts[1]*0.000001) ts=time.strftime('%Y-%m-%d %X %Z',t) owner='' try: owner=whois.whois(ip) except: pass result.append(k+'\t'+ts+'\t'+owner) def g(h,p): try: f(h,p) except KeyboardInterrupt: sys.exit(1) except: print sys.exc_info() pass r=pure_pcapy.open_offline(infpath) datalink=r.datalink() if datalink == pure_pcapy.DLT_LINUX_SLL: linkdecoder=ImpactDecoder.LinuxSLLDecoder() elif datalink == pure_pcapy.DLT_EN10MB: linkdecoder=ImpactDecoder.EthDecoder() else: raise Exception("Datalink type not supported: %i"%datalink) r.dispatch(-1,g) return result
l3 = l2.child() proto = 'TCP' src_ip = l2.get_ip_src() dst_ip = l2.get_ip_dst() src_port = 0 dst_port = 0 if isinstance(l3, UDP): proto = 'UDP' dst_port = l3.get_uh_sport() src_port = l3.get_uh_dport() reader = pcapy.open_offline('../LFS Client-Server 0.6E.pcap') decoder = EthDecoder() next = reader.next() data = '' while next and next[0] <> None: print ".", data += grab_tcp(decoder, next) next = reader.next() print "Done parsing pcap. Got TCP data. Attempting to splt packets." size = len(data) offset = 0
def pcapdiff(self): try: self.pcap_remote = pcapy.open_offline(self.arguments.pcap_file2) except: self.rtxtctrl.WriteText( "Error opening file. Please ensure the packet capture is in .pcap format" ) self.rtxtctrl.Newline() try: self.pcap_local = pcapy.open_offline(self.arguments.pcap_file) except: self.rtxtctrl.WriteText( "Error opening file. Please ensure the packet capture is in .pcap format" ) self.rtxtctrl.Newline() local_packets = list() remote_packets = list() local_tpackets = list() remote_tpackets = list() missingpaks = list() tdata = list() yes_out_of_sync = 0 zero_pak_error = 0 self.rtxtctrl.WriteText("Source File: %s\n" % (self.arguments.pcap_file)) self.rtxtctrl.WriteText("Destination File: %s\n" % (self.arguments.pcap_file2)) self.rtxtctrl.WriteText("Analyzing traffic between % s and %s\n" % (self.arguments.ip_local.strip(), self.arguments.ip_remote.strip())) # if self.Time_tpcat == "yes": # self.rtxtctrl.Newline() # StartTimeTimestamp = time.strftime("%H:%M:%S", time.localtime()) # self.rtxtctrl.WriteText("Start Time %s" % (StartTimeTimestamp)) # self.rtxtctrl.Newline() self.rtxtctrl.Newline() self.rtxtctrl.Newline() self.rtxtctrl.Newline() next = {} next['local'] = self.get_packet(self.pcap_local, 1) #1 means ignore ip addresses next['remote'] = self.get_packet(self.pcap_remote, 1) ######################### ##### Remote PACKET CAPTURE###### ######################### # if self.Time_tpcat == "yes": # self.rtxtctrl.Newline() # RemoteTimestamp = time.strftime("%H:%M:%S", time.localtime()) # self.rtxtctrl.WriteText("Starting the processing Remote capture") while next['remote'] != 0: if next['remote'] == 0: break next['remote'] = self.get_packet(self.pcap_remote) if self.arguments.debug == 'debug': try: dpak = 'next[remote] = ', next[ 'remote'] # print the whole packet except: dpak = "couldn't print the whole packet" self.debugfile.append(dpak) self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") try: # If the header matches the part we are interested in. if next['remote']['ip_src'] == self.arguments.ip_local and next['remote']['ip_dest'] == self.arguments.ip_remote or \ next['remote']['ip_src'] == self.arguments.ip_remote and next['remote'][ 'ip_dest'] == self.arguments.ip_local: try: datapacket2 = next['remote']['ip_src'], next['remote'][ 'ip_dest'], next['remote']['ip_ident'] if self.arguments.debug == 'debug': drpak = "Data Packet Remote : ", datapacket2 self.debugfile.append(drpak) self.debugfile.append("\n") self.debugfile.append("\n") remote_packets.append(datapacket2) except: pass if self.ignore_timestamps == 1: # This portion is if you want to check latency. The clocks must be correct or it will cause issues. try: timepacket2 = next['remote']['ip_src'], next[ 'remote']['ip_dest'], next['remote'][ 'ip_ident'], next['remote'][ 'timestamp'], next['remote'][ 'ip_flags'] remote_tpackets.append( timepacket2 ) # and we add it to our packet list if self.arguments.debug == 'debug': dtrpak = "Data tPacket remote: ", timepacket2 self.debugfile.append(dtrpak) self.debugfile.append("\n") self.debugfile.append("\n") except: pass except: pass # if self.Time_tpcat == "yes": # # self.rtxtctrl.WriteText("Completed Remote Capture") # self.rtxtctrl.Newline() # RemoteTimestamp2 = time.strftime("%H:%M:%S", time.localtime()) # # self.rtxtctrl.WriteText(RemoteTimestamp2) # # self.rtxtctrl.Newline() # edited_RemoteTimestamp = RemoteTimestamp.replace(":", "") # edited_RemoteTimestamp2 = RemoteTimestamp2.replace(":", "") # delta = (int(edited_RemoteTimestamp2) - int(edited_RemoteTimestamp)) # self.rtxtctrl.WriteText("Completed Remote Capture - Process Time: %s" % (str(delta))) # # self.rtxtctrl.WriteText(str(delta)) # self.rtxtctrl.Newline() # self.rtxtctrl.Newline() ######################### ###//Remote PACKET CAPTURE//###### ######################### ######################### ##### LOCAL PACKET CAPTURE###### ######################### # if self.Time_tpcat == "yes": # self.rtxtctrl.WriteText("Starting the processing Local capture") # LocalTimestamp = time.strftime("%H:%M:%S", time.localtime()) # # self.rtxtctrl.WriteText(LocalTimestamp) while next[ 'local'] != 0: # Look through every packet in the local file. We get a 0 if there is no more pacekts to go through. next['local'] = self.get_packet( self.pcap_local, 1) # We now open up the next packet if next['local'] == 0: break if self.arguments.debug == 'debug': try: dpak = 'next[local] = ', next[ 'local'] # print the whole packet except: dpak = "couldn't print the whole packet" self.debugfile.append(dpak) self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") if self.arguments.ignore_timestamps == 1: # This portion is if you want to check latency. The clocks must be correct or it will cause issues. try: # Here we build our datapak timepacket = next['local']['ip_src'], next['local']['ip_dest'], next['local']['ip_ident'], \ next['local']['timestamp'], next['local']['ip_flags'] local_tpackets.append( timepacket) # and we add it to our packet list if self.arguments.debug == 'debug': dltpak = "Data tPacket Local: ", timepacket self.debugfile.append(dltpak) self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") except: pass try: if next['local']['ip_src'] == self.arguments.ip_local and next['local']['ip_dest'] == self.arguments.ip_remote or \ next['local']['ip_src'] == self.arguments.ip_remote and next['local'][ 'ip_dest'] == self.arguments.ip_local: datapacket = next['local']['ip_src'], next['local'][ 'ip_dest'], next['local']['ip_ident'] local_packets.append( datapacket) # and we add it to our packet list except: pass ################################# ################################# ################################# ################################# # if self.Time_tpcat == "yes": # # self.rtxtctrl.WriteText("Completed Local Capture") # LocalTimestamp2 = time.strftime("%H:%M:%S", time.localtime()) # # self.rtxtctrl.WriteText(LocalTimestamp2) # self.rtxtctrl.Newline() # edited_LocalTimestamp = LocalTimestamp.replace(":", "") # edited_LocalTimestamp2 = LocalTimestamp2.replace(":", "") # delta = (int(edited_LocalTimestamp2) - int(edited_LocalTimestamp)) # self.rtxtctrl.WriteText("Completed Local Capture - Process Time: %s" % (str(delta))) # # self.rtxtctrl.WriteText(str(delta)) # self.rtxtctrl.Newline() # self.rtxtctrl.Newline() # A dummy check for Matt. If either side reports 0 matching packets Error out. It's pretty pointless to continue. if len(local_packets) == 0 or len(remote_packets) == 0: zero_pak_error = 1 self.rtxtctrl.WriteText( "ERROR: %s packets matched on local side and %s packets matched on remote side. Please check your IP filters" % (len(local_packets), len(remote_packets))) self.rtxtctrl.Newline() self.rtxtctrl.Newline() # Here we sync the two packet captures. Basically Take a look at the two captures and find the first matching packet. Then we analyze the data using that as our starting point. # This will *hopefully* weed out false positives in regards to the captures being started at slightly different times if self.arguments.out_of_sync == 1: for syncpak in local_packets: if not syncpak in remote_packets: dsypak = syncpak, "was not found on the remote side" self.debugfile.append(dsypak) self.debugfile.append("\n") missingpaks.append(syncpak) yes_out_of_sync = 1 if syncpak in remote_packets: dspak = "starting packet is", syncpak self.debugfile.append(dspak) break # if self.Time_tpcat == "yes": # self.rtxtctrl.WriteText("Analyzing the two packet captures...") # self.rtxtctrl.Newline() # Local_to_RemoteTimestamp = time.strftime("%H:%M:%S", time.localtime()) # # self.rtxtctrl.WriteText(Local_to_RemoteTimestamp) # self.rtxtctrl.Newline() # Using set, we're going to put it in a format set understands.. setted_local_packets = set(local_packets) setted_remote_packets = set(remote_packets) if self.arguments.debug == "debug": self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("LOCAL PACKET LIST:") self.debugfile.append(setted_local_packets) self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("\n") self.debugfile.append("REMOTE PACKET LIST:") self.debugfile.append(setted_remote_packets) # if the packet captures appear out of sync total_mpaks = 0 if yes_out_of_sync == 1: self.rtxtctrl.WriteText( "-Warning, packet captures appear out of sync. Cleaning things up for you..-" ) self.rtxtctrl.Newline() for mpak in missingpaks: dmpak = "missing packet", mpak self.debugfile.append(dmpak) self.debugfile.append("\n") setted_local_packets.discard(mpak) total_mpaks = total_mpaks + 1 self.rtxtctrl.WriteText( "Removed %s packets to sync the two captures" % (total_mpaks)) self.rtxtctrl.Newline() # Do a quick check, do these two already match? stare_and_compare = setted_local_packets <= setted_remote_packets if stare_and_compare == True and zero_pak_error == 0: self.rtxtctrl.WriteText( "Packet Captures Match. Terminating..Man that was easy!") self.rtxtctrl.Newline() self.rtxtctrl.Newline() self.rtxtctrl.Newline() else: differences = setted_local_packets ^ setted_remote_packets for datapak in differences: if not datapak in remote_packets: self.total['problems'] += 1 src, dst, ipid = datapak self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("Packet Dropped - Source:") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (src)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText(" Destination: ") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (dst)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText(" IPID: ") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (ipid)) self.rtxtctrl.Newline() if not datapak in local_packets: self.total['problems'] += 1 src, dst, ipid = datapak self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("Packet Forged - Source:") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (src)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText(" Destination: ") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (dst)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText(" IPID: ") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (ipid)) self.rtxtctrl.Newline() self.rtxtctrl.Newline() self.rtxtctrl.WriteText( "Total number of problematic packets : %s\n" % self.total['problems']) # if self.Time_tpcat == "yes": # Local_to_RemoteTimestamp2 = time.strftime("%H:%M:%S", time.localtime()) # # self.rtxtctrl.WriteText(LocalTimestamp2) # # self.rtxtctrl.Newline() # edited_Local_to_RemoteTimestamp = Local_to_RemoteTimestamp.replace(":", "") # edited_Local_to_RemoteTimestamp2 = Local_to_RemoteTimestamp2.replace(":", "") # delta = (int(edited_Local_to_RemoteTimestamp2) - int(edited_Local_to_RemoteTimestamp)) # self.rtxtctrl.WriteText("Completed Analyzing of all packets - Process Time: %s" % (str(delta))) ################################# ################################# ################################# ################################# ################################# # Kinda ugly, but it works.. if self.arguments.ignore_timestamps == 1: self.rtxtctrl.Newline() self.rtxtctrl.Newline() self.rtxtctrl.WriteText( "Calculating latency between the two packet captures:") self.rtxtctrl.Newline() self.rtxtctrl.Newline() for l_tdatapak in local_tpackets: # For each data packet in the local packet capture ip_src, ip_dest, ipid, timestamp, ip_flags = l_tdatapak # unpack the data to search for the ipheader l_ipheader = (ip_src, ip_dest, ipid, ip_flags ) # Rebuild the packet # print l_ipheader # x = l_ipheader in remote_tpackets # print x # if ipheader in remote_packets: # Search the remote side. Did it come through? If it did, lets compare timestamps for r_tdatapak in remote_tpackets: ip_src, ip_dest, ipid, timestamp, ip_flags = r_tdatapak # unpack the data to search for the ipheader r_ipheader = (ip_src, ip_dest, ipid, ip_flags) if r_ipheader == l_ipheader: # print "Match found - ", r_ipheader, l_ipheader src, dst, ipid, timestamp, ip_flags = l_tdatapak rsrc, rdst, ripid, rtimestamp, rip_flags = r_tdatapak tdelta = float(rtimestamp) - float(timestamp) tdata.append(tdelta) # self.rtxtctrl.WriteText( "IPID: %s Packet Type: %s Time Delta(Latency): %s \n" %(ipid,ip_flags, tdelta)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("IPID:") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (ipid)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("Packet Type:") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (ip_flags)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("Time Delta (Latency):") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s " % (tdelta)) self.rtxtctrl.Newline() # self.rtxtctrl.WriteText( "Source:%s Destination:%s IPID: %s TimeStamp: %s \n" %(rsrc,rdst,ripid, rtimestamp)) # if self.arguments.debug== 'debug': # print tdatapak, "Was found" if self.arguments.ignore_timestamps == 1: self.rtxtctrl.Newline() total_tdata = sum(tdata) num_tdata = len(tdata) avg_tdata = total_tdata / num_tdata hi_tdata = max(tdata) lo_tdata = min(tdata) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("Average Latency Seen:") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s \n" % (tdelta)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("Max Latency Seen:") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s \n" % (hi_tdata)) self.rtxtctrl.BeginBold() self.rtxtctrl.WriteText("Min Latency Seen:") self.rtxtctrl.EndBold() self.rtxtctrl.WriteText(" %s \n" % (lo_tdata)) self.rtxtctrl.Newline() self.rtxtctrl.Newline() # if self.Time_tpcat == "yes": # EndTimeTimestamp = time.strftime("%H:%M:%S", time.localtime()) # # self.rtxtctrl.WriteText(LocalTimestamp2) # self.rtxtctrl.Newline() # self.rtxtctrl.Newline() # edited_EndTimeTimestamp = EndTimeTimestamp.replace(":", "") # edited_StartTimeTimestamp = StartTimeTimestamp.replace(":", "") # delta = (int(edited_EndTimeTimestamp) - int(edited_StartTimeTimestamp)) # self.rtxtctrl.WriteText("Total Process Time: %s" % (str(delta))) self.rtxtctrl.Newline() self.rtxtctrl.Newline() self.rtxtctrl.WriteText( "Number of Packets in the Source Capture : %s\n" % (len(local_packets))) self.rtxtctrl.WriteText( "Number of Packets in the Destination Capture : %s\n" % (len(remote_packets))) if self.arguments.debug == "debug": sfile = self.rtxtctrl.GetValue() sys.stderr.write(sfile)