def handleTCP(self, event, data, datalen):
    """Decode an IPPROTO_TCP packet header, and log the payload.

    The header is decoded with a fixed 20-byte layout (``datalen`` is
    reduced by the same 0x14), the remaining bytes are hex-dumped as the
    payload, and any ``port_<name>`` method matching the source or
    destination port name is invoked with the payload.

    The handler lookup is confined to ``port_*`` attributes by the prefix,
    so an arbitrary port value cannot select another method.

    NOTE(review): the 20-byte header assumes no TCP options; when the data
    offset nibble in ``flags`` signals a longer header, the option bytes
    are reported as part of the payload -- confirm against captures.
    """
    header_fields = (
        Struct.UInt16BEHex("source"),
        Struct.UInt16BEHex("dest"),
        Struct.UInt32BE("seq"),
        Struct.UInt32BE("ack_seq"),
        Struct.UInt16BEHex("flags"),
        Struct.UInt16BE("window"),
        Struct.UInt16BEHex("checksum"),
        Struct.UInt16BEHex("urg_ptr"),
    )
    hdr = Struct.Group(None, *header_fields)
    payload = hdr.decode(data)
    datalen -= 0x14

    src_name = self.portNumbers[hdr.source]
    dst_name = self.portNumbers[hdr.dest]
    event.pushDecoded("iPhone TCP [%s -> %s] len=0x%04x" % (
        src_name,
        dst_name,
        datalen,
    ))
    event.appendDecoded("\nTCP Header:\n%s" % str(hdr))
    event.appendDecoded("\nTCP Payload:\n%s" % Types.hexDump(payload))

    # Dispatch to a protocol-specific handler, if one exists for either port.
    for port_name in (src_name, dst_name):
        handler = getattr(self, "port_%s" % port_name, None)
        if handler is not None:
            handler(event, payload, datalen)
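class SCSICommand:
    """Decodes a SCSI command block (CDB).

    Attributes set by the constructor:
      header  -- decoded group holding the one-byte opcode
      name    -- opcode name looked up in ``_opcodes``
      params  -- decoded parameter group for opcodes listed in ``_structs``,
                 otherwise None
      summary -- one-line parameter summary, or '' when no struct is known
    """

    # Opcode -> name.  Many SCSI opcodes are shared between device classes
    # (block, tape, printer, changer, CD/DVD).  An earlier revision listed
    # such opcodes twice and the dict literal silently kept only the LAST
    # entry; in particular 0x0a resolved to 'PRINT', which made the
    # 'WRITE(6)' parameter decoder in _structs unreachable.  Each key now
    # appears exactly once, the alternative names are kept as comments, and
    # 0x0a maps to 'WRITE(6)'.  Every other key keeps the value it had.
    _opcodes = Struct.EnumDict({
        0x00: 'TEST_UNIT_READY',
        0x01: 'REZERO_UNIT',
        0x03: 'REQUEST_SENSE',
        0x04: 'FORMAT_UNIT',
        0x05: 'READ_BLOCKLIMITS',
        0x07: 'INIT_ELEMENT_STATUS',      # also REASSIGN_BLOCKS
        0x08: 'READ(6)',
        0x0a: 'WRITE(6)',                 # also PRINT
        0x0b: 'SLEW_AND_PRINT',           # also SEEK(6)
        0x0f: 'READ_REVERSE',
        0x10: 'SYNC_BUFFER',              # also WRITE_FILEMARKS
        0x11: 'SPACE',
        0x12: 'INQUIRY',
        0x14: 'RECOVER_BUFFERED',
        0x15: 'MODE_SELECT',
        0x16: 'RESERVE_UNIT',
        0x17: 'RELEASE_UNIT',
        0x18: 'COPY',
        0x19: 'ERASE',
        0x1a: 'MODE_SENSE',
        0x1b: 'STOP_PRINT',               # also START_UNIT, SCAN
        0x1c: 'RECV_DIAGNOSTIC',
        0x1d: 'SEND_DIAGNOSTIC',
        0x1e: 'MEDIUM_REMOVAL',
        0x23: 'READ_FORMAT_CAPACITIES',
        0x24: 'SET_WINDOW',
        0x25: 'READ_CAPACITY',            # also GET_WINDOW
        0x28: 'READ(10)',
        0x29: 'READ_GENERATION',
        0x2a: 'WRITE(10)',
        0x2b: 'POSITION_TO_ELEMENT',      # also SEEK(10)
        0x2d: 'READ_UPDATED_BLOCK',
        0x2e: 'WRITE_VERIFY',
        0x2f: 'VERIFY',
        0x30: 'SEARCH_DATA_HIGH',
        0x31: 'SEARCH_DATA_EQUAL',
        0x32: 'SEARCH_DATA_LOW',
        0x33: 'SET_LIMITS',
        0x34: 'READ_POSITION',            # also PREFETCH
        0x35: 'SYNC_CACHE',
        0x36: 'LOCKUNLOCK_CACHE',
        0x37: 'READ_DEFECT_DATA',
        0x38: 'MEDIUM_SCAN',
        0x39: 'COMPARE',
        0x3a: 'COPY_VERIFY',
        0x3b: 'WRITE_BUFFER',
        0x3c: 'READ_BUFFER',
        0x3d: 'UPDATE_BLOCK',
        0x3e: 'READ_LONG',
        0x3f: 'WRITE_LONG',
        0x40: 'CHANGE_DEF',
        0x41: 'WRITE_SAME',
        0x42: 'READ_SUBCHANNEL',
        0x43: 'READ_TOC',
        0x44: 'READ_HEADER',
        0x45: 'PLAY_AUDIO(10)',
        0x46: 'GET_CONFIGURATION',
        0x47: 'PLAY_AUDIO_MSF',
        0x48: 'PLAY_AUDIO_TRACK',
        0x49: 'PLAY_AUDIO_RELATIVE',
        0x4a: 'GET_EVENT_STATUS_NOTIFICATION',
        0x4b: 'PAUSE',
        0x4c: 'LOG_SELECT',
        0x4d: 'LOG_SENSE',
        0x4e: 'STOP_PLAY',
        0x51: 'READ_DISC_INFO',
        0x52: 'READ_TRACK_INFO',
        0x53: 'RESERVE_TRACK',
        0x54: 'SEND_OPC_INFORMATION',
        0x55: 'MODE_SELECT(10)',
        0x56: 'RESERVE_UNIT(10)',
        0x57: 'RELEASE_UNIT(10)',
        0x5a: 'MODE_SENSE(10)',
        0x5b: 'CLOSE_SESSION',
        0x5c: 'READ_BUFFER_CAPACITY',
        0x5d: 'SEND_CUE_SHEET',
        0x5e: 'PERSISTENT_RESERVE_IN',
        0x5f: 'PERSISTENT_RESERVE_OUT',
        0x88: 'READ(16)',
        0x8a: 'WRITE(16)',
        0x9e: 'READ_CAPACITY(16)',
        0xa0: 'REPORT_LUNS',
        0xa1: 'BLANK',
        0xa3: 'SEND_KEY',                 # also MAINTENANCE_IN
        0xa4: 'REPORT_KEY',               # also MAINTENANCE_OUT
        0xa5: 'PLAY_AUDIO(12)',           # also MOVE_MEDIUM
        0xa6: 'LOADCD',                   # also EXCHANGE_MEDIUM
        0xa8: 'READ(12)',
        0xa9: 'PLAY_TRACK_RELATIVE',
        0xaa: 'WRITE(12)',
        0xac: 'GET_PERFORMANCE',          # also ERASE(12)
        0xad: 'READ_DVD_STRUCTURE',
        0xae: 'WRITE_VERIFY(12)',
        0xaf: 'VERIFY(12)',
        0xb0: 'SEARCH_DATA_HIGH(12)',
        0xb1: 'SEARCH_DATA_EQUAL(12)',
        0xb2: 'SEARCH_DATA_LOW(12)',
        0xb3: 'SET_LIMITS(12)',
        0xb5: 'REQUEST_VOLUME_ELEMENT_ADDR',
        0xb6: 'SET_STREAMING',            # also SEND_VOLUME_TAG
        0xb7: 'READ_DEFECT_DATA(12)',
        0xb8: 'SELECT_CDROM_SPEED',       # also READ_ELEMENT_STATUS
        0xb9: 'READ_CD_MSF',
        0xba: 'AUDIO_SCAN',
        0xbb: 'SET_CDROM_SPEED',
        0xbc: 'PLAY_CD',                  # also SEND_CDROM_XA_DATA
        0xbd: 'MECH_STATUS',
        0xbe: 'READ_CD',
        0xbf: 'SEND_DVD_STRUCTURE',
    })

    # For every command we want to decode parameters for, this includes
    # a struct definition, and a format string that defines a useful
    # summary of the parameters. The entire struct is included after
    # the summary line.  The struct is given as a zero-argument callable
    # so that every decoded command gets its own field instances.
    _structs = {
        # 'INQUIRY': None, # FIXME: We should decode this. SCSI-2, page 104 (8.2.5)

        'READ(6)': (
            "0x%(length)02x blocks at 0x%(lba)04x",
            lambda: (
                Struct.UInt8('lun'),      # FIXME: lun is actually a bitfield
                Struct.UInt16BE('lba'),
                Struct.UInt8('length'),
                Struct.UInt8('control'))),

        'READ(10)': (
            "0x%(length)04x blocks at 0x%(lba)08x",
            lambda: (
                Struct.UInt8('lun'),      # FIXME: lun is actually a bitfield
                Struct.UInt32BE('lba'),
                Struct.UInt8('reserved_1'),
                Struct.UInt16BE('length'),
                Struct.UInt8('control'))),

        'WRITE(6)': (
            "0x%(length)02x blocks at 0x%(lba)04x",
            lambda: (
                Struct.UInt8('lun'),      # FIXME: lun is actually a bitfield
                Struct.UInt16BE('lba'),
                Struct.UInt8('length'),
                Struct.UInt8('control'))),

        'WRITE(10)': (
            "0x%(length)04x blocks at 0x%(lba)08x",
            lambda: (
                Struct.UInt8('lun'),      # FIXME: lun is actually a bitfield
                Struct.UInt32BE('lba'),
                Struct.UInt8('reserved_1'),
                Struct.UInt16BE('length'),
                Struct.UInt8('control'))),
    }

    def __init__(self, cdb):
        """Decode ``cdb``: the opcode byte first, then the parameters if
        a struct is registered for the opcode's name in ``_structs``."""
        self.header = Struct.Group(None, Struct.UInt8("opcode"))
        # decode() hands back the bytes that follow the opcode.
        params = self.header.decode(cdb)
        self.name = self._opcodes[self.header.opcode]

        if self.name in self._structs:
            fmt, children = self._structs[self.name]
            # children() is called per command, so these fields are fresh.
            self.params = Struct.Group(None, *children())
            self.params.decode(params)
            self.summary = fmt % self.params.__dict__
        else:
            self.params = None
            self.summary = ''

    def __str__(self):
        """Return the opcode name followed by the parameter summary."""
        return "%s %s" % (self.name, self.summary)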