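def main(self):
    """Print up to ``max_rows`` rows of the requested pcap columns as a table.

    Reads ``self.options``:
      columns   -- comma-separated tshark field names to extract
      pcap_path -- path of the capture file handed to ``PcapFile``
      join      -- ``'INNER'`` drops rows in which any requested field is absent
      max_rows  -- maximum number of rows to print (non-negative integer)

    Raises:
        ValueError: if ``max_rows`` is not a non-negative integer.
    """
    # Tolerate whitespace around separators ("ip.src, ip.dst") and ignore
    # empty entries produced by a trailing comma.
    columns = [c.strip() for c in self.options.columns.split(',') if c.strip()]
    if not columns:
        print('No columns requested')
        return

    # Validate before the (potentially slow) capture parse so bad input fails
    # fast.  A negative value would otherwise silently slice rows off the end
    # (data[:-1]) instead of limiting the output.
    max_rows = int(self.options.max_rows)
    if max_rows < 0:
        raise ValueError('max_rows must be a non-negative integer')

    # NOTE(review): the column names and pcap_path come from user options and
    # are handed to PcapFile, which presumably builds a tshark command line
    # from them -- confirm the wrapper passes them as argv elements rather
    # than through a shell before exposing this to untrusted callers.
    pcap = PcapFile(self.options.pcap_path)
    data = pcap.query(columns)

    # An INNER join keeps only rows in which every requested field was present.
    if self.options.join == 'INNER' and data:
        data = [row for row in data if None not in row]

    # query() may return an empty list or None; either way there is nothing
    # to tabulate, and slicing None below would raise TypeError.
    if not data:
        print('No rows found matching your input')
        return

    Formatter.print_table(data[:max_rows], headers=columns)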
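def run(self):
    """Query the job's pcap for every non-synthetic table column.

    Builds the list of tshark field names from the column options (each
    field is requested once; the first column naming it becomes the base
    column), runs ``PcapFile.query`` over the criteria's time window and
    Wireshark display filter, and stores the rows in ``self.data`` ordered
    like the table's columns.  ``self.data`` is ``None`` when the query
    returns nothing.

    Returns:
        True always; an empty result is signalled by ``self.data`` being
        ``None``.
    """
    criteria = self.job.criteria
    table = self.table
    columns = table.get_columns(synthetic=False)

    pcapfile = PcapFile(get_pcap_file(criteria))

    fieldnames = []     # tshark field per base column, in query order
    basecolnames = []   # column name owning each entry of fieldnames
    fields = {}         # field name -> base (first) column name using it

    for tc in columns:
        field = tc.options.field
        if field in fields:
            # Asking tshark for the same field twice doesn't work, but it is
            # useful when aggregating with a different operation such as
            # "min" or "max".  Those columns are populated later; here they
            # come back as NaN from the reindex below.
            continue
        fields[field] = tc.name
        fieldnames.append(field)
        basecolnames.append(tc.name)

    if criteria.entire_pcap:
        starttime = endtime = None
    else:
        starttime = criteria.starttime
        endtime = criteria.endtime

    # NOTE(review): wireshark_filterexpr is user-supplied and is forwarded to
    # tshark; confirm PcapFile passes it as a single argv element rather than
    # through a shell string.
    data = pcapfile.query(fieldnames,
                          starttime=starttime,
                          endtime=endtime,
                          filterexpr=criteria.wireshark_filterexpr,
                          use_tshark_fields=True)

    # Can be a list of 0 elements or None
    if not data:
        self.data = None
        return True

    df = pandas.DataFrame(data, columns=basecolnames)

    # Apply the row limit before logging/converting so no work is spent on
    # rows that are thrown away.
    if table.rows > 0:
        df = df[:table.rows]

    # NOTE(review): this logs raw packet field values (addresses and any
    # payload-derived fields) at INFO level; consider DEBUG on shared logs.
    logger.info("Data returned (first 3 rows...):\n%s", df[:3])

    # Convert time columns; only base columns exist in the frame here.
    for tc in columns:
        if tc.name in basecolnames and tc.datatype == "time":
            df[tc.name] = pandas.DatetimeIndex(df[tc.name])

    # DataFrame.ix was removed in pandas 1.0.  reindex() keeps the old
    # behaviour of yielding NaN for the duplicate-field columns that are not
    # in the frame, whereas .loc would raise KeyError on them.
    colnames = [col.name for col in columns]
    self.data = df.reindex(columns=colnames).values.tolist()
    return True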
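def run(self):
    """Query the job's pcap for every non-synthetic table column.

    Builds the list of tshark field names from the column options (each
    field is requested once; the first column naming it becomes the base
    column), runs ``PcapFile.query`` over the criteria's time window and
    Wireshark display filter, and stores the rows in ``self.data`` ordered
    like the table's columns.  ``self.data`` is ``None`` when the query
    returns nothing.

    Returns:
        True always; an empty result is signalled by ``self.data`` being
        ``None``.
    """
    criteria = self.job.criteria
    table = self.table
    columns = table.get_columns(synthetic=False)

    pcapfile = PcapFile(get_pcap_file(criteria))

    fieldnames = []     # tshark field per base column, in query order
    basecolnames = []   # column name owning each entry of fieldnames
    fields = {}         # field name -> base (first) column name using it

    for tc in columns:
        field = tc.options.field
        if field in fields:
            # Asking tshark for the same field twice doesn't work, but it is
            # useful when aggregating with a different operation such as
            # "min" or "max".  Those columns are populated later; here they
            # come back as NaN from the reindex below.
            continue
        fields[field] = tc.name
        fieldnames.append(field)
        basecolnames.append(tc.name)

    if criteria.entire_pcap:
        starttime = endtime = None
    else:
        starttime = criteria.starttime
        endtime = criteria.endtime

    # NOTE(review): wireshark_filterexpr is user-supplied and is forwarded to
    # tshark; confirm PcapFile passes it as a single argv element rather than
    # through a shell string.
    data = pcapfile.query(
        fieldnames,
        starttime=starttime,
        endtime=endtime,
        filterexpr=criteria.wireshark_filterexpr,
        use_tshark_fields=True)

    # Can be a list of 0 elements or None
    if not data:
        self.data = None
        return True

    df = pandas.DataFrame(data, columns=basecolnames)

    # Apply the row limit before logging/converting so no work is spent on
    # rows that are thrown away.
    if table.rows > 0:
        df = df[:table.rows]

    # NOTE(review): this logs raw packet field values (addresses and any
    # payload-derived fields) at INFO level; consider DEBUG on shared logs.
    logger.info("Data returned (first 3 rows...):\n%s", df[:3])

    # Convert time columns; only base columns exist in the frame here.
    for tc in columns:
        if tc.name in basecolnames and tc.datatype == "time":
            df[tc.name] = pandas.DatetimeIndex(df[tc.name])

    # DataFrame.ix was removed in pandas 1.0.  reindex() keeps the old
    # behaviour of yielding NaN for the duplicate-field columns that are not
    # in the frame, whereas .loc would raise KeyError on them.
    colnames = [col.name for col in columns]
    self.data = df.reindex(columns=colnames).values.tolist()
    return True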
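def gen_data_frame(path_str):
    """Load a capture and return selected per-packet fields as a DataFrame.

    Args:
        path_str: path of the pcap file handed to ``PcapFile``.

    Returns:
        The DataFrame produced by ``PcapFile.query(..., as_dataframe=True)``,
        one row per packet with the columns listed in ``fields`` below.
    """
    pcap = PcapFile(path_str)
    # Kept from the original for its side effect; its return value is unused.
    pcap.info()

    # NOTE: 'ip.frag_offset' is deliberately left out -- it generates
    # unexpected behaviour in steelscript-wireshark.
    fields = [
        'frame.time_delta',
        'ip.src',
        'ip.dst',
        'ip.len',
        'ip.flags',
        'ip.ttl',
        'tcp.srcport',
        'tcp.dstport',
        'tcp.len',
    ]
    pdf = pcap.query(fields, as_dataframe=True)

    print('=======')
    # The original did print('pdf len: ') + repr(len(pdf)), which adds a str
    # to None (print's return value) and raises TypeError under Python 3.
    print('pdf len: ' + repr(len(pdf)))
    return pdf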