def _bind_someip_layers():
bind_top_down(UDP, SOMEIP, sport=30490, dport=30490)
for i in range(15):
bind_bottom_up(UDP, SOMEIP, sport=30490 + i)
bind_bottom_up(TCP, SOMEIP, sport=30490 + i)
bind_bottom_up(UDP, SOMEIP, dport=30490 + i)
bind_bottom_up(TCP, SOMEIP, dport=30490 + i)
def register_cln_protocol(nlpid, cln_protocol_class):
if nlpid is None or cln_protocol_class is None:
return
chk = _cln_protocols.get(nlpid, None)
if chk is not None and chk != cln_protocol_class:
raise ValueError("different protocol already registered!")
_cln_protocols[nlpid] = cln_protocol_class
bind_top_down(LLC, cln_protocol_class, dsap=0xfe, ssap=0xfe, ctrl=3)
def register_cln_protocol(nlpid, cln_protocol_class):
if nlpid is None or cln_protocol_class is None:
return
chk = _cln_protocols.get(nlpid, None)
if chk is not None and chk != cln_protocol_class:
raise ValueError("different protocol already registered!")
_cln_protocols[nlpid] = cln_protocol_class
bind_top_down(LLC, cln_protocol_class, dsap=0xfe, ssap=0xfe, ctrl=3)
def _bind_someip_layers():
# arnd: this is required to bind SOME/IP-SD
bind_top_down(UDP, SOMEIP, sport=30490, dport=30490)
for i in range(15):
bind_bottom_up(UDP, SOMEIP, sport=30490 + i)
bind_bottom_up(TCP, SOMEIP, sport=30490 + i)
bind_bottom_up(UDP, SOMEIP, dport=30490 + i)
bind_bottom_up(TCP, SOMEIP, dport=30490 + i)
# arnd: this is required to bind SOME/IP
for i in range(15):
bind_bottom_up(UDP, SOMEIP, sport=30509 + i)
bind_bottom_up(TCP, SOMEIP, sport=30509 + i)
bind_bottom_up(UDP, SOMEIP, dport=30509 + i)
bind_bottom_up(TCP, SOMEIP, dport=30509 + i)
class USBpcapTransferInterrupt(Packet):
name = "USBpcap Transfer Interrupt"
fields_desc = [
LEIntField("startFrame", 0),
LEIntField("numberOfPackets", 0),
LEIntField("errorCount", 0)
]
class USBpcapTransferControl(Packet):
name = "USBpcap Transfer Control"
fields_desc = [ByteField("stage", 0)]
bind_top_down(USBpcap, USBpcapTransferIsochronous, transfer=0)
bind_top_down(USBpcap, USBpcapTransferInterrupt, transfer=1)
bind_top_down(USBpcap, USBpcapTransferControl, transfer=2)
conf.l2types.register(DLT_USBPCAP, USBpcap)
def _extcap_call(prog, args, keyword, values):
"""Function used to call a program using the extcap format,
then parse the results"""
p = subprocess.Popen([prog] + args,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
data, err = p.communicate()
if p.returncode != 0:
raise OSError("%s returned with error code %s: %s" %
ByteEnumField("CancelFromSenderReason", 15, _ltp_cancel_reasons),
lambda x: x.flags == 12),
ConditionalField(
ByteEnumField("CancelFromReceiverReason", 15, _ltp_cancel_reasons),
lambda x: x.flags == 14),
#
# Cancellation Acknowldgements
#
ConditionalField(SDNV2("CancelAckToBlockSender", 0),
lambda x: x.flags == 13),
ConditionalField(SDNV2("CancelAckToBlockReceiver", 0),
lambda x: x.flags == 15),
#
# Finally, trailing extensions
#
PacketListField("TrailerExtensions", [],
LTPex,
count_from=lambda x: x.TrailerExtensionCount
) # noqa: E501
]
def mysummary(self):
return self.sprintf("LTP %SessionNumber%"), [UDP]
bind_top_down(UDP, LTP, sport=1113)
bind_top_down(UDP, LTP, dport=1113)
bind_top_down(UDP, LTP, sport=2113)
bind_top_down(UDP, LTP, dport=2113)
bind_layers(UDP, LTP, sport=1113, dport=1113)
ByteEnumField("nlpid", 0x00, network_layer_protocol_ids),
PacketField("rawdata", None, conf.raw_layer)
]
def _create_cln_pdu(s, **kwargs):
pdu_cls = conf.raw_layer
if len(s) >= 1:
nlpid = orb(s[0])
pdu_cls = _cln_protocols.get(nlpid, _GenericClnsPdu)
return pdu_cls(s, **kwargs)
@conf.commands.register
def register_cln_protocol(nlpid, cln_protocol_class):
if nlpid is None or cln_protocol_class is None:
return
chk = _cln_protocols.get(nlpid, None)
if chk is not None and chk != cln_protocol_class:
raise ValueError("different protocol already registered!")
_cln_protocols[nlpid] = cln_protocol_class
bind_top_down(LLC, cln_protocol_class, dsap=0xfe, ssap=0xfe, ctrl=3)
bind_top_down(LLC, _GenericClnsPdu, dsap=0xfe, ssap=0xfe, ctrl=3)
bind_bottom_up(LLC, _create_cln_pdu, dsap=0xfe, ssap=0xfe, ctrl=3)
0x85: "Session Keepalive"
}),
BitField("RESERVED", 0x00, 7),
BitField("LENGTH", None, 17)
]
def post_build(self, pkt, pay):
if self.LENGTH is None:
length = len(pay) & (2**18 - 1)
pkt = pkt[:1] + struct.pack("!I", length)[1:]
return pkt + pay
bind_bottom_up(UDP, NBNSHeader, dport=137)
bind_bottom_up(UDP, NBNSHeader, sport=137)
bind_top_down(UDP, NBNSHeader, sport=137, dport=137)
bind_layers(UDP, NBTDatagram, dport=138)
bind_bottom_up(TCP, NBTSession, dport=445)
bind_bottom_up(TCP, NBTSession, sport=445)
bind_bottom_up(TCP, NBTSession, dport=139)
bind_bottom_up(TCP, NBTSession, sport=139)
bind_layers(TCP, NBTSession, dport=139, sport=139)
class NBNS_am(AnsweringMachine):
function_name = "netbios_announce"
filter = "udp port 137"
sniff_options = {"store": 0, "L2socket": conf.L3socket}
ByteEnumField("nlpid", 0x00, network_layer_protocol_ids),
PacketField("rawdata", None, conf.raw_layer)
]
def _create_cln_pdu(s, **kwargs):
pdu_cls = conf.raw_layer
if len(s) >= 1:
nlpid = struct.unpack("!B", s[0])[0]
pdu_cls = _cln_protocols.get(nlpid, _GenericClnsPdu)
return pdu_cls(s, **kwargs)
@conf.commands.register
def register_cln_protocol(nlpid, cln_protocol_class):
if nlpid is None or cln_protocol_class is None:
return
chk = _cln_protocols.get(nlpid, None)
if chk is not None and chk != cln_protocol_class:
raise ValueError("different protocol already registered!")
_cln_protocols[nlpid] = cln_protocol_class
bind_top_down(LLC, cln_protocol_class, dsap=0xfe, ssap=0xfe, ctrl=3)
bind_top_down(LLC, _GenericClnsPdu, dsap=0xfe, ssap=0xfe, ctrl=3)
bind_bottom_up(LLC, _create_cln_pdu, dsap=0xfe, ssap=0xfe, ctrl=3)
),
PacketListField(
"NegociateContexts", [],
SMB2_Negociate_Context,
count_from=lambda pkt: pkt.NegociateCount
),
]
bind_layers(SMB2_Preauth_Integrity_Capabilities, conf.padding_layer)
bind_layers(SMB2_Encryption_Capabilities, conf.padding_layer)
bind_layers(SMB2_Compression_Capabilities, conf.padding_layer)
bind_layers(SMB2_Netname_Negociate_Context_ID, conf.padding_layer)
bind_top_down(
SMB2_Header,
SMB2_Negociate_Protocol_Request_Header,
Command=0x0000,
Flags=0
)
bind_top_down(
SMB2_Header,
SMB2_Negociate_Protocol_Response_Header,
Command=0x0000,
Flags=2 ** 24 # SMB2_FLAGS_SERVER_TO_REDIR
)
bind_layers(
SMB2_Negociate_Context,
SMB2_Preauth_Integrity_Capabilities,
ContextType=0x0001
)
bind_layers(
SMB2_Negociate_Context,
# Cancellation Requests
#
ConditionalField(ByteEnumField("CancelFromSenderReason",
15, _ltp_cancel_reasons),
lambda x: x.flags == 12),
ConditionalField(ByteEnumField("CancelFromReceiverReason",
15, _ltp_cancel_reasons),
lambda x: x.flags == 14),
#
# Cancellation Acknowldgements
#
ConditionalField(SDNV2("CancelAckToBlockSender", 0),
lambda x: x.flags == 13),
ConditionalField(SDNV2("CancelAckToBlockReceiver", 0),
lambda x: x.flags == 15),
#
# Finally, trailing extensions
#
PacketListField("TrailerExtensions", [], LTPex, count_from=lambda x: x.TrailerExtensionCount) # noqa: E501
]
def mysummary(self):
return self.sprintf("LTP %SessionNumber%"), [UDP]
bind_top_down(UDP, LTP, sport=1113)
bind_top_down(UDP, LTP, dport=1113)
bind_top_down(UDP, LTP, sport=2113)
bind_top_down(UDP, LTP, dport=2113)
bind_layers(UDP, LTP, sport=1113, dport=1113)
BitField("IE", 1, 12000), ]
# Bind GTP-C
bind_bottom_up(UDP, GTPHeader, dport=2123)
bind_bottom_up(UDP, GTPHeader, sport=2123)
bind_layers(UDP, GTPHeader, dport=2123, sport=2123)
bind_layers(GTPHeader, GTPEchoRequest, gtp_type=1, S=1)
bind_layers(GTPHeader, GTPEchoResponse, gtp_type=2, S=1)
bind_layers(GTPHeader, GTPCreatePDPContextRequest, gtp_type=16)
bind_layers(GTPHeader, GTPCreatePDPContextResponse, gtp_type=17)
bind_layers(GTPHeader, GTPUpdatePDPContextRequest, gtp_type=18)
bind_layers(GTPHeader, GTPUpdatePDPContextResponse, gtp_type=19)
bind_layers(GTPHeader, GTPDeletePDPContextRequest, gtp_type=20)
bind_layers(GTPHeader, GTPDeletePDPContextResponse, gtp_type=21)
bind_layers(GTPHeader, GTPPDUNotificationRequest, gtp_type=27)
bind_layers(GTPHeader, GTPSupportedExtensionHeadersNotification, gtp_type=31, S=1) # noqa: E501
bind_layers(GTPHeader, GTP_UDPPort_ExtensionHeader, next_ex=64, E=1)
bind_layers(GTPHeader, GTP_PDCP_PDU_ExtensionHeader, next_ex=192, E=1)
# Bind GTP-U
bind_bottom_up(UDP, GTP_U_Header, dport=2152)
bind_bottom_up(UDP, GTP_U_Header, sport=2152)
bind_layers(UDP, GTP_U_Header, dport=2152, sport=2152)
bind_layers(GTP_U_Header, GTPErrorIndication, gtp_type=26, S=1)
bind_layers(GTP_U_Header, GTPPDUSessionContainer,
gtp_type=255, E=1, next_ex=0x85)
bind_top_down(GTP_U_Header, IP, gtp_type=255)
bind_top_down(GTP_U_Header, IPv6, gtp_type=255)
bind_top_down(GTP_U_Header, PPP, gtp_type=255)
0: OFPTHello,
# 1: OFPTError,
2: OFPTEchoRequest,
3: OFPTEchoReply,
4: OFPTVendor,
5: OFPTFeaturesRequest,
6: OFPTFeaturesReply,
7: OFPTGetConfigRequest,
8: OFPTGetConfigReply,
9: OFPTSetConfig,
10: OFPTPacketIn,
11: OFPTFlowRemoved,
12: OFPTPortStatus,
13: OFPTPacketOut,
14: OFPTFlowMod,
15: OFPTPortMod,
# 16: OFPTStatsRequest,
# 17: OFPTStatsReply,
18: OFPTBarrierRequest,
19: OFPTBarrierReply,
20: OFPTQueueGetConfigRequest,
21: OFPTQueueGetConfigReply
}
bind_bottom_up(TCP, OpenFlow, dport=6653)
bind_bottom_up(TCP, OpenFlow, sport=6653)
bind_bottom_up(TCP, OpenFlow, dport=6633)
bind_bottom_up(TCP, OpenFlow, sport=6633)
bind_top_down(TCP, _ofp_header, sport=6653, dport=6653)
self.entry_array = entry_list
else:
self.entry_array = [entry_list]
def set_optionArray(self, option_list):
if isinstance(option_list, list):
self.option_array = option_list
else:
self.option_array = [option_list]
bind_top_down(SOMEIP, SD,
srv_id=SD.SOMEIP_MSGID_SRVID,
sub_id=SD.SOMEIP_MSGID_SUBID,
client_id=SD.SOMEIP_CLIENT_ID,
session_id=SD.SOMEIP_MINIMUM_SESSION_ID,
event_id=SD.SOMEIP_MSGID_EVENTID,
proto_ver=SD.SOMEIP_PROTO_VER,
iface_ver=SD.SOMEIP_IFACE_VER,
msg_type=SD.SOMEIP_MSG_TYPE,
retcode=SD.SOMEIP_RETCODE)
bind_bottom_up(SOMEIP, SD,
srv_id=SD.SOMEIP_MSGID_SRVID,
sub_id=SD.SOMEIP_MSGID_SUBID,
client_id=SD.SOMEIP_CLIENT_ID,
event_id=SD.SOMEIP_MSGID_EVENTID,
proto_ver=SD.SOMEIP_PROTO_VER,
iface_ver=SD.SOMEIP_IFACE_VER,
msg_type=SD.SOMEIP_MSG_TYPE,
retcode=SD.SOMEIP_RETCODE)
ShortUploadPositiveResponse,
ChecksumPositiveResponse,
CalPagePositiveResponse,
PagProcessorInfoPositiveResponse,
PageInfoPositiveResponse,
SegmentModePositiveResponse,
DAQListModePositiveResponse,
StartStopDAQListPositiveResponse,
DAQClockListPositiveResponse,
ReadDAQPositiveResponse,
DAQProcessorInfoPositiveResponse,
DAQResolutionInfoPositiveResponse,
DAQListInfoPositiveResponse,
DAQEventInfoPositiveResponse,
ProgramStartPositiveResponse,
PgmProcessorPositiveResponse,
SectorInfoPositiveResponse]
for cls in positive_response_classes:
bind_top_down(CTOResponse, cls, packet_code=0xFF)
bind_layers(CTOResponse, NegativeResponse, packet_code=0xFE)
# Asynchronous Event/request messages from the slave
bind_layers(CTOResponse, EvPacket, packet_code=0xFD)
bind_layers(CTOResponse, ServPacket, packet_code=0xFC)
bind_bottom_up(XCPOnCAN, CTOResponse)
bind_bottom_up(XCPOnUDP, CTOResponse)
bind_bottom_up(XCPOnTCP, CTOResponse)
def mysummary(self):
if self.flags.G:
return self.sprintf("VXLAN (vni=%VXLAN.vni% gpid=%VXLAN.gpid%)")
else:
return self.sprintf("VXLAN (vni=%VXLAN.vni%)")
bind_layers(UDP, VXLAN, dport=4789) # RFC standard vxlan port
bind_layers(UDP, VXLAN, dport=4790) # RFC standard vxlan-gpe port
bind_layers(UDP, VXLAN, dport=6633) # New IANA assigned port for use with NSH
bind_layers(UDP, VXLAN, dport=8472) # Linux implementation port
bind_layers(UDP, VXLAN, dport=48879) # Cisco ACI
bind_layers(UDP, VXLAN, sport=4789)
bind_layers(UDP, VXLAN, sport=4790)
bind_layers(UDP, VXLAN, sport=6633)
bind_layers(UDP, VXLAN, sport=8472)
# By default, set both ports to the RFC standard
bind_layers(UDP, VXLAN, sport=4789, dport=4789)
# Dissection
bind_bottom_up(VXLAN, Ether, NextProtocol=0)
bind_bottom_up(VXLAN, IP, NextProtocol=1)
bind_bottom_up(VXLAN, IPv6, NextProtocol=2)
bind_bottom_up(VXLAN, Ether, NextProtocol=3)
bind_bottom_up(VXLAN, Ether, NextProtocol=None)
# Build
bind_top_down(VXLAN, Ether, flags=12, NextProtocol=0)
bind_top_down(VXLAN, IP, flags=12, NextProtocol=1)
bind_top_down(VXLAN, IPv6, flags=12, NextProtocol=2)
bind_top_down(VXLAN, Ether, flags=12, NextProtocol=3)
# IPField("IdentData","127.0.0.1"),
StrLenField("load", "", length_from=lambda x: x.length - 8),
]
class ISAKMP_payload_Hash(ISAKMP_payload):
name = "ISAKMP Hash"
bind_bottom_up(UDP, ISAKMP, dport=500)
bind_bottom_up(UDP, ISAKMP, sport=500)
bind_layers(UDP, ISAKMP, dport=500, sport=500)
# Add building bindings
# (Dissection bindings are located in ISAKMP_class.guess_payload_class)
bind_top_down(ISAKMP_class, ISAKMP_payload, next_payload=0)
bind_top_down(ISAKMP_class, ISAKMP_payload_SA, next_payload=1)
bind_top_down(ISAKMP_class, ISAKMP_payload_Proposal, next_payload=2)
bind_top_down(ISAKMP_class, ISAKMP_payload_Transform, next_payload=3)
bind_top_down(ISAKMP_class, ISAKMP_payload_KE, next_payload=4)
bind_top_down(ISAKMP_class, ISAKMP_payload_ID, next_payload=5)
# bind_top_down(ISAKMP_class, ISAKMP_payload_CERT, next_payload=6)
# bind_top_down(ISAKMP_class, ISAKMP_payload_CR, next_payload=7)
bind_top_down(ISAKMP_class, ISAKMP_payload_Hash, next_payload=8)
# bind_top_down(ISAKMP_class, ISAKMP_payload_SIG, next_payload=9)
bind_top_down(ISAKMP_class, ISAKMP_payload_Nonce, next_payload=10)
# bind_top_down(ISAKMP_class, ISAKMP_payload_Notification, next_payload=11)
# bind_top_down(ISAKMP_class, ISAKMP_payload_Delete, next_payload=12)
bind_top_down(ISAKMP_class, ISAKMP_payload_VendorID, next_payload=13)
return new_packet
def sixlowpan_defragment(packet_list):
results = {}
for p in packet_list:
cls = None
if LoWPANFragmentationFirst in p:
cls = LoWPANFragmentationFirst
elif LoWPANFragmentationSubsequent in p:
cls = LoWPANFragmentationSubsequent
if cls:
tag = p[cls].datagramTag
results[tag] = results.get(tag, b"") + p[cls].payload.load # noqa: E501
return {tag: SixLoWPAN(x) for tag, x in results.items()}
############
# Bindings #
############
bind_layers(LoWPAN_HC1, IPv6)
bind_top_down(LoWPAN_IPHC, LoWPAN_NHC, nh=1)
bind_layers(LoWPANFragmentationFirst, SixLoWPAN)
bind_layers(LoWPANMesh, SixLoWPAN)
bind_layers(LoWPANBroadcast, SixLoWPAN)
bind_layers(Ether, SixLoWPAN, type=0xA0ED)
LEShortEnumField("", 0x0, SMB_DIALECTS),
count_from=lambda pkt: pkt.DialectCount),
# Field only exists if Dialects contains 0x0311
# Each negotiate context must be 8-byte aligned
ConditionalField(
FieldListField("NegotiateContexts", [],
ReversePadField(
PacketField("Context", None,
SMB2_Negotiate_Context), 8),
count_from=lambda pkt: pkt.NegotiateCount),
lambda x: 0x0311 in x.Dialects),
]
bind_top_down(SMB2_Header,
SMB2_Negotiate_Protocol_Request,
Command=0x0000,
Flags=0)
# sect 2.2.3.1.1
class SMB2_Preauth_Integrity_Capabilities(Packet):
name = "SMB2 Preauth Integrity Capabilities"
fields_desc = [
# According to the spec, this field value must be greater than 0
# (cf Section 2.2.3.1.1 of MS-SMB2.pdf)
FieldLenField("HashAlgorithmCount",
1,
fmt="<H",
count_of="HashAlgorithms"),
FieldLenField("SaltLength", 0, fmt="<H", length_of="Salt"),
"""Implements guess_payload_class to identify MPLS packets with internal Ethernet header""" # If bottom of stack is zero, the next layer is MPLS for sure. if self.s == 0: return MPLS # If checksum is ok, then we have a correct IP header after MPLS labels. elif checksum(payload[:20]) == 0: return IP # If checksum is nok, then we (almost) certainly have an Ethernet header after MPLS. else: return Ether bind_layers(Ether, MPLS, type = 0x8847) bind_bottom_up (Ether, MPLS, type = 0x8848) bind_layers(Dot1Q, MPLS, type = 0x8847) bind_bottom_up(Dot1Q, MPLS, type = 0x8848) bind_top_down(MPLS, MPLS, s = 0) ## Redefine IP summary ############################################################################ def ip_summary(self): """ Redefined summary for IP header. It's same as defined in scapy, but also request to output Dot1Q header. """ s = '%s > %s' % ( self.src, self.dst ) if self.frag: s += ", frag %i" % (self.frag) if self.tos: s += ", dscp %i" % (self.tos >> 2) return s, [Ether, Dot3, Dot1Q, MPLS] IP.mysummary = ip_summary
name = "USBpcap Transfer Interrupt"
fields_desc = [
LEIntField("startFrame", 0),
LEIntField("numberOfPackets", 0),
LEIntField("errorCount", 0)
]
class USBpcapTransferControl(Packet):
name = "USBpcap Transfer Control"
fields_desc = [
ByteField("stage", 0)
]
bind_top_down(USBpcap, USBpcapTransferIsochronous, transfer=0)
bind_top_down(USBpcap, USBpcapTransferInterrupt, transfer=1)
bind_top_down(USBpcap, USBpcapTransferControl, transfer=2)
conf.l2types.register(DLT_USBPCAP, USBpcap)
def _extcap_call(prog, args, keyword, values):
"""Function used to call a program using the extcap format,
then parse the results"""
p = subprocess.Popen(
[prog] + args,
stdout=subprocess.PIPE, stderr=subprocess.PIPE
)
data, err = p.communicate()
if p.returncode != 0:
BitField("ext_iv", 0, 1), # => LE = reversed order
BitField("res1", 0, 5), #
ByteField("PN2", 0),
ByteField("PN3", 0),
ByteField("PN4", 0),
ByteField("PN5", 0),
# data
StrField("data", None),
]
class Dot11Ack(Packet):
name = "802.11 Ack packet"
bind_top_down(RadioTap, Dot11FCS, present=2, Flags=16)
bind_layers(
PrismHeader,
Dot11,
)
bind_layers(Dot11, LLC, type=2)
bind_layers(
Dot11QoS,
LLC,
)
bind_layers(Dot11, Dot11AssoReq, subtype=0, type=0)
bind_layers(Dot11, Dot11AssoResp, subtype=1, type=0)
bind_layers(Dot11, Dot11ReassoReq, subtype=2, type=0)
bind_layers(Dot11, Dot11ReassoResp, subtype=3, type=0)
bind_layers(Dot11, Dot11ProbeReq, subtype=4, type=0)
LEShortField("ServerTimeZone", 0x3c),
ByteField("ChallengeLength", 0), # aka EncryptionKeyLength
LEFieldLenField("ByteCount",
None,
length_of="DomainName",
adjust=lambda pkt, x: x + len(pkt.Challenge)),
StrLenField(
"Challenge",
b"", # aka EncryptionKey
length_from=lambda pkt: pkt.ChallengeLength),
StrNullField("DomainName", "WORKGROUP")
]
bind_top_down(SMB_Header,
SMBNegotiate_Response_NoSecurity,
Command=0x72,
Flags=0x80)
# SMB sect 2.2.4.5.2.1
class SMBNegotiate_Response_Extended_Security(_SMBNegotiate_Response):
name = "SMB Negotiate Extended Security Response (SMB)"
WordCount = 0x11
fields_desc = SMBNegotiate_Response_NoSecurity.fields_desc[:12] + [
LEFieldLenField("ByteCount",
None,
length_of="SecurityBlob",
adjust=lambda _, x: x + 16),
UUIDField("GUID", None, uuid_fmt=UUIDField.FORMAT_LE),
PacketLenField("SecurityBlob",
