def merge_cap_files(pcap_file_list, out_filename, delete_src=False): out_pkts = [] if not all([os.path.exists(f) for f in pcap_file_list]): print "failed to merge cap file list...\nnot all files exist\n" return # read all packets to a list for src in pcap_file_list: f = open(src, 'r') reader = pcap.Reader(f) pkts = reader.readpkts() out_pkts += pkts f.close() if delete_src: os.unlink(src) # sort by the timestamp out_pkts = sorted(out_pkts, key=itemgetter(0)) out = open(out_filename, 'w') out_writer = pcap.Writer(out) for ts, pkt in out_pkts: out_writer.writepkt(pkt, ts) out.close()
def execute(self): capture = open(self.inputFile) output = open(self.outputFile, "w") reader = PppPacketReader(capture) writer = pcap.Writer(output) state = PppStateManager(self.nthash) count = 0 for packet in reader: decryptedPacket = state.addPacket(packet) if decryptedPacket: writer.writepkt(decryptedPacket) count += 1 print "Wrote %d packets." % count
def create(self, path=None): """ Initialize App """ # pylint: disable=attribute-defined-outside-init if path: try: self.pcap = pcap.Writer(open(path, "wb")) _LOG.info("Pcap Start. %s", path) except OSError as ex: _LOG.exception(ex) else: self.pcap = None _LOG.info("Pcap diabled.")
class ether_hdr(ctypes.Structure): _fields_ = [('h_dest',ctypes.c_ubyte*6), ('h_source',ctypes.c_ubyte*6), ('h_proto',ctypes.c_ushort)] pfd = select.poll() READ_ONLY = select.POLLIN | select.POLLERR pfd.register(sock,READ_ONLY) i = 0 # bdesc = block_desc.from_buffer_copy(mm) TP_STATUS_USER = 1 << 0 TP_STATUS_KERNEL = 0 fpcap = open("./tmp.pcap",'wb') fwrite = dpcap.Writer(fpcap) def display(bdesc:object,length:int): pkt_nums = bdesc.num_pkts tmp = bdesc.offset_to_first_pkt + length th3 = tpacket3_hdr.from_buffer(mm,tmp) for i in range(pkt_nums): eth = ether_hdr.from_buffer(mm,tmp+th3.tp_mac) one = socket.ntohs(eth.h_proto) print(eth.h_dest[0],eth.h_dest[1],eth.h_dest[2],eth.h_dest[3],eth.h_dest[4],eth.h_dest[5]) print(eth.h_source[0],eth.h_source[1],eth.h_source[2],eth.h_source[3],eth.h_source[4],eth.h_source[5]) pkt_tmp = mm[tmp+th3.tp_mac:tmp+th3.tp_mac+th3.tp_snaplen] fwrite.writepkt(pkt_tmp) print(one,0x0800) tmp = tmp + th3.tp_next_offset th3 = tpacket3_hdr.from_buffer(mm,tmp)
def _filter_pcap(self, output_pcap): """Using a provided file with XML flow summaries, create a new PCAP file with the flows in the XML file. :param output_pcap: Path for the new PCAP file. """ try: print("Opening file: {0}".format(self._pcap)) f = open(self._pcap) raw_pcap = pcap.Reader(f) pckt_num = 0 for ts, buf in raw_pcap: pckt_num += 1 if not pckt_num % 1000: # Print every thousandth packets, just to monitor # progress. print("\tProcessing packet #{0}".format(pckt_num)) # Loop through packets in PCAP file eth = ethernet.Ethernet(buf) if eth.type != ETH_TYPE_IP: # We are only interested in IP packets continue ip = eth.data ip_src = socket.inet_ntop(socket.AF_INET, ip.src) ip_dst = socket.inet_ntop(socket.AF_INET, ip.dst) ip_proto = ip.p match = False for flow in self._raw_data: # Does this packet match a flow in the raw data? if ((ip_src == flow["source"] and ip_dst == flow["destination"]) or (ip_src == flow["destination"] and ip_dst == flow["source"])): if ip_proto == IP_PROTO_TCP and flow[ "protocolName"] == "tcp_ip": tcp = ip.data if self._check_port_num(tcp.sport, tcp.dport, flow["sourcePort"], flow["destinationPort"]): if self._check_timestamp( ts, flow["startDateTime"], flow["stopDateTime"]): # We have found a match, stop looping match = True break elif ip_proto == IP_PROTO_UDP and flow[ "protocolName"] == "udp_ip": udp = ip.data if self._check_port_num(udp.sport, udp.dport, flow["sourcePort"], flow["destinationPort"]): if self._check_timestamp( ts, flow["startDateTime"], flow["stopDateTime"]): # We have found a match, stop looping match = True break elif ip_proto == IP_PROTO_ICMP and flow[ "protocolName"] == "icmp_ip": if self._check_timestamp(ts, flow["startDateTime"], flow["stopDateTime"]): # We have found a match, stop looping break match = True elif ip_proto == IP_PROTO_IGMP and flow[ "protocolName"] == "igmp": if self._check_timestamp(ts, flow["startDateTime"], flow["stopDateTime"]): # We have found a match, stop looping match = True break if match: # The packet matches the flow. Append the packet data # to the new PCAP file and move onto the next packet. try: print( "\tWrting packet to file: {0}".format(output_pcap)) f_out = open(output_pcap, "ab") pcap_out = pcap.Writer(f_out) pcap_out.writepkt(buf, ts=ts) except: exc_type, exc_value, exc_traceback = sys.exc_info() print("ERROR writing to file: {0}.\n\t" "Exception: {1}, {2}, {3}".format( output_pcap, exc_type, exc_value, exc_traceback)) sys.exit(1) finally: f_out.close except: exc_type, exc_value, exc_traceback = sys.exc_info() print("ERROR reading from file: {0}.\n\tException: {1}, " "{2}, {3}".format(self._pcap, exc_type, exc_value, exc_traceback)) sys.exit(1) finally: f.close()