def _bind_someip_layers(): bind_top_down(UDP, SOMEIP, sport=30490, dport=30490) for i in range(15): bind_bottom_up(UDP, SOMEIP, sport=30490 + i) bind_bottom_up(TCP, SOMEIP, sport=30490 + i) bind_bottom_up(UDP, SOMEIP, dport=30490 + i) bind_bottom_up(TCP, SOMEIP, dport=30490 + i)
def register_cln_protocol(nlpid, cln_protocol_class): if nlpid is None or cln_protocol_class is None: return chk = _cln_protocols.get(nlpid, None) if chk is not None and chk != cln_protocol_class: raise ValueError("different protocol already registered!") _cln_protocols[nlpid] = cln_protocol_class bind_top_down(LLC, cln_protocol_class, dsap=0xfe, ssap=0xfe, ctrl=3)
def _bind_someip_layers(): # arnd: this is required to bind SOME/IP-SD bind_top_down(UDP, SOMEIP, sport=30490, dport=30490) for i in range(15): bind_bottom_up(UDP, SOMEIP, sport=30490 + i) bind_bottom_up(TCP, SOMEIP, sport=30490 + i) bind_bottom_up(UDP, SOMEIP, dport=30490 + i) bind_bottom_up(TCP, SOMEIP, dport=30490 + i) # arnd: this is required to bind SOME/IP for i in range(15): bind_bottom_up(UDP, SOMEIP, sport=30509 + i) bind_bottom_up(TCP, SOMEIP, sport=30509 + i) bind_bottom_up(UDP, SOMEIP, dport=30509 + i) bind_bottom_up(TCP, SOMEIP, dport=30509 + i)
class USBpcapTransferInterrupt(Packet): name = "USBpcap Transfer Interrupt" fields_desc = [ LEIntField("startFrame", 0), LEIntField("numberOfPackets", 0), LEIntField("errorCount", 0) ] class USBpcapTransferControl(Packet): name = "USBpcap Transfer Control" fields_desc = [ByteField("stage", 0)] bind_top_down(USBpcap, USBpcapTransferIsochronous, transfer=0) bind_top_down(USBpcap, USBpcapTransferInterrupt, transfer=1) bind_top_down(USBpcap, USBpcapTransferControl, transfer=2) conf.l2types.register(DLT_USBPCAP, USBpcap) def _extcap_call(prog, args, keyword, values): """Function used to call a program using the extcap format, then parse the results""" p = subprocess.Popen([prog] + args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) data, err = p.communicate() if p.returncode != 0: raise OSError("%s returned with error code %s: %s" %
ByteEnumField("CancelFromSenderReason", 15, _ltp_cancel_reasons), lambda x: x.flags == 12), ConditionalField( ByteEnumField("CancelFromReceiverReason", 15, _ltp_cancel_reasons), lambda x: x.flags == 14), # # Cancellation Acknowldgements # ConditionalField(SDNV2("CancelAckToBlockSender", 0), lambda x: x.flags == 13), ConditionalField(SDNV2("CancelAckToBlockReceiver", 0), lambda x: x.flags == 15), # # Finally, trailing extensions # PacketListField("TrailerExtensions", [], LTPex, count_from=lambda x: x.TrailerExtensionCount ) # noqa: E501 ] def mysummary(self): return self.sprintf("LTP %SessionNumber%"), [UDP] bind_top_down(UDP, LTP, sport=1113) bind_top_down(UDP, LTP, dport=1113) bind_top_down(UDP, LTP, sport=2113) bind_top_down(UDP, LTP, dport=2113) bind_layers(UDP, LTP, sport=1113, dport=1113)
ByteEnumField("nlpid", 0x00, network_layer_protocol_ids), PacketField("rawdata", None, conf.raw_layer) ] def _create_cln_pdu(s, **kwargs): pdu_cls = conf.raw_layer if len(s) >= 1: nlpid = orb(s[0]) pdu_cls = _cln_protocols.get(nlpid, _GenericClnsPdu) return pdu_cls(s, **kwargs) @conf.commands.register def register_cln_protocol(nlpid, cln_protocol_class): if nlpid is None or cln_protocol_class is None: return chk = _cln_protocols.get(nlpid, None) if chk is not None and chk != cln_protocol_class: raise ValueError("different protocol already registered!") _cln_protocols[nlpid] = cln_protocol_class bind_top_down(LLC, cln_protocol_class, dsap=0xfe, ssap=0xfe, ctrl=3) bind_top_down(LLC, _GenericClnsPdu, dsap=0xfe, ssap=0xfe, ctrl=3) bind_bottom_up(LLC, _create_cln_pdu, dsap=0xfe, ssap=0xfe, ctrl=3)
0x85: "Session Keepalive" }), BitField("RESERVED", 0x00, 7), BitField("LENGTH", None, 17) ] def post_build(self, pkt, pay): if self.LENGTH is None: length = len(pay) & (2**18 - 1) pkt = pkt[:1] + struct.pack("!I", length)[1:] return pkt + pay bind_bottom_up(UDP, NBNSHeader, dport=137) bind_bottom_up(UDP, NBNSHeader, sport=137) bind_top_down(UDP, NBNSHeader, sport=137, dport=137) bind_layers(UDP, NBTDatagram, dport=138) bind_bottom_up(TCP, NBTSession, dport=445) bind_bottom_up(TCP, NBTSession, sport=445) bind_bottom_up(TCP, NBTSession, dport=139) bind_bottom_up(TCP, NBTSession, sport=139) bind_layers(TCP, NBTSession, dport=139, sport=139) class NBNS_am(AnsweringMachine): function_name = "netbios_announce" filter = "udp port 137" sniff_options = {"store": 0, "L2socket": conf.L3socket}
ByteEnumField("nlpid", 0x00, network_layer_protocol_ids), PacketField("rawdata", None, conf.raw_layer) ] def _create_cln_pdu(s, **kwargs): pdu_cls = conf.raw_layer if len(s) >= 1: nlpid = struct.unpack("!B", s[0])[0] pdu_cls = _cln_protocols.get(nlpid, _GenericClnsPdu) return pdu_cls(s, **kwargs) @conf.commands.register def register_cln_protocol(nlpid, cln_protocol_class): if nlpid is None or cln_protocol_class is None: return chk = _cln_protocols.get(nlpid, None) if chk is not None and chk != cln_protocol_class: raise ValueError("different protocol already registered!") _cln_protocols[nlpid] = cln_protocol_class bind_top_down(LLC, cln_protocol_class, dsap=0xfe, ssap=0xfe, ctrl=3) bind_top_down(LLC, _GenericClnsPdu, dsap=0xfe, ssap=0xfe, ctrl=3) bind_bottom_up(LLC, _create_cln_pdu, dsap=0xfe, ssap=0xfe, ctrl=3)
), PacketListField( "NegociateContexts", [], SMB2_Negociate_Context, count_from=lambda pkt: pkt.NegociateCount ), ] bind_layers(SMB2_Preauth_Integrity_Capabilities, conf.padding_layer) bind_layers(SMB2_Encryption_Capabilities, conf.padding_layer) bind_layers(SMB2_Compression_Capabilities, conf.padding_layer) bind_layers(SMB2_Netname_Negociate_Context_ID, conf.padding_layer) bind_top_down( SMB2_Header, SMB2_Negociate_Protocol_Request_Header, Command=0x0000, Flags=0 ) bind_top_down( SMB2_Header, SMB2_Negociate_Protocol_Response_Header, Command=0x0000, Flags=2 ** 24 # SMB2_FLAGS_SERVER_TO_REDIR ) bind_layers( SMB2_Negociate_Context, SMB2_Preauth_Integrity_Capabilities, ContextType=0x0001 ) bind_layers( SMB2_Negociate_Context,
# Cancellation Requests # ConditionalField(ByteEnumField("CancelFromSenderReason", 15, _ltp_cancel_reasons), lambda x: x.flags == 12), ConditionalField(ByteEnumField("CancelFromReceiverReason", 15, _ltp_cancel_reasons), lambda x: x.flags == 14), # # Cancellation Acknowldgements # ConditionalField(SDNV2("CancelAckToBlockSender", 0), lambda x: x.flags == 13), ConditionalField(SDNV2("CancelAckToBlockReceiver", 0), lambda x: x.flags == 15), # # Finally, trailing extensions # PacketListField("TrailerExtensions", [], LTPex, count_from=lambda x: x.TrailerExtensionCount) # noqa: E501 ] def mysummary(self): return self.sprintf("LTP %SessionNumber%"), [UDP] bind_top_down(UDP, LTP, sport=1113) bind_top_down(UDP, LTP, dport=1113) bind_top_down(UDP, LTP, sport=2113) bind_top_down(UDP, LTP, dport=2113) bind_layers(UDP, LTP, sport=1113, dport=1113)
BitField("IE", 1, 12000), ] # Bind GTP-C bind_bottom_up(UDP, GTPHeader, dport=2123) bind_bottom_up(UDP, GTPHeader, sport=2123) bind_layers(UDP, GTPHeader, dport=2123, sport=2123) bind_layers(GTPHeader, GTPEchoRequest, gtp_type=1, S=1) bind_layers(GTPHeader, GTPEchoResponse, gtp_type=2, S=1) bind_layers(GTPHeader, GTPCreatePDPContextRequest, gtp_type=16) bind_layers(GTPHeader, GTPCreatePDPContextResponse, gtp_type=17) bind_layers(GTPHeader, GTPUpdatePDPContextRequest, gtp_type=18) bind_layers(GTPHeader, GTPUpdatePDPContextResponse, gtp_type=19) bind_layers(GTPHeader, GTPDeletePDPContextRequest, gtp_type=20) bind_layers(GTPHeader, GTPDeletePDPContextResponse, gtp_type=21) bind_layers(GTPHeader, GTPPDUNotificationRequest, gtp_type=27) bind_layers(GTPHeader, GTPSupportedExtensionHeadersNotification, gtp_type=31, S=1) # noqa: E501 bind_layers(GTPHeader, GTP_UDPPort_ExtensionHeader, next_ex=64, E=1) bind_layers(GTPHeader, GTP_PDCP_PDU_ExtensionHeader, next_ex=192, E=1) # Bind GTP-U bind_bottom_up(UDP, GTP_U_Header, dport=2152) bind_bottom_up(UDP, GTP_U_Header, sport=2152) bind_layers(UDP, GTP_U_Header, dport=2152, sport=2152) bind_layers(GTP_U_Header, GTPErrorIndication, gtp_type=26, S=1) bind_layers(GTP_U_Header, GTPPDUSessionContainer, gtp_type=255, E=1, next_ex=0x85) bind_top_down(GTP_U_Header, IP, gtp_type=255) bind_top_down(GTP_U_Header, IPv6, gtp_type=255) bind_top_down(GTP_U_Header, PPP, gtp_type=255)
0: OFPTHello, # 1: OFPTError, 2: OFPTEchoRequest, 3: OFPTEchoReply, 4: OFPTVendor, 5: OFPTFeaturesRequest, 6: OFPTFeaturesReply, 7: OFPTGetConfigRequest, 8: OFPTGetConfigReply, 9: OFPTSetConfig, 10: OFPTPacketIn, 11: OFPTFlowRemoved, 12: OFPTPortStatus, 13: OFPTPacketOut, 14: OFPTFlowMod, 15: OFPTPortMod, # 16: OFPTStatsRequest, # 17: OFPTStatsReply, 18: OFPTBarrierRequest, 19: OFPTBarrierReply, 20: OFPTQueueGetConfigRequest, 21: OFPTQueueGetConfigReply } bind_bottom_up(TCP, OpenFlow, dport=6653) bind_bottom_up(TCP, OpenFlow, sport=6653) bind_bottom_up(TCP, OpenFlow, dport=6633) bind_bottom_up(TCP, OpenFlow, sport=6633) bind_top_down(TCP, _ofp_header, sport=6653, dport=6653)
self.entry_array = entry_list else: self.entry_array = [entry_list] def set_optionArray(self, option_list): if isinstance(option_list, list): self.option_array = option_list else: self.option_array = [option_list] bind_top_down(SOMEIP, SD, srv_id=SD.SOMEIP_MSGID_SRVID, sub_id=SD.SOMEIP_MSGID_SUBID, client_id=SD.SOMEIP_CLIENT_ID, session_id=SD.SOMEIP_MINIMUM_SESSION_ID, event_id=SD.SOMEIP_MSGID_EVENTID, proto_ver=SD.SOMEIP_PROTO_VER, iface_ver=SD.SOMEIP_IFACE_VER, msg_type=SD.SOMEIP_MSG_TYPE, retcode=SD.SOMEIP_RETCODE) bind_bottom_up(SOMEIP, SD, srv_id=SD.SOMEIP_MSGID_SRVID, sub_id=SD.SOMEIP_MSGID_SUBID, client_id=SD.SOMEIP_CLIENT_ID, event_id=SD.SOMEIP_MSGID_EVENTID, proto_ver=SD.SOMEIP_PROTO_VER, iface_ver=SD.SOMEIP_IFACE_VER, msg_type=SD.SOMEIP_MSG_TYPE, retcode=SD.SOMEIP_RETCODE)
ShortUploadPositiveResponse, ChecksumPositiveResponse, CalPagePositiveResponse, PagProcessorInfoPositiveResponse, PageInfoPositiveResponse, SegmentModePositiveResponse, DAQListModePositiveResponse, StartStopDAQListPositiveResponse, DAQClockListPositiveResponse, ReadDAQPositiveResponse, DAQProcessorInfoPositiveResponse, DAQResolutionInfoPositiveResponse, DAQListInfoPositiveResponse, DAQEventInfoPositiveResponse, ProgramStartPositiveResponse, PgmProcessorPositiveResponse, SectorInfoPositiveResponse] for cls in positive_response_classes: bind_top_down(CTOResponse, cls, packet_code=0xFF) bind_layers(CTOResponse, NegativeResponse, packet_code=0xFE) # Asynchronous Event/request messages from the slave bind_layers(CTOResponse, EvPacket, packet_code=0xFD) bind_layers(CTOResponse, ServPacket, packet_code=0xFC) bind_bottom_up(XCPOnCAN, CTOResponse) bind_bottom_up(XCPOnUDP, CTOResponse) bind_bottom_up(XCPOnTCP, CTOResponse)
def mysummary(self): if self.flags.G: return self.sprintf("VXLAN (vni=%VXLAN.vni% gpid=%VXLAN.gpid%)") else: return self.sprintf("VXLAN (vni=%VXLAN.vni%)") bind_layers(UDP, VXLAN, dport=4789) # RFC standard vxlan port bind_layers(UDP, VXLAN, dport=4790) # RFC standard vxlan-gpe port bind_layers(UDP, VXLAN, dport=6633) # New IANA assigned port for use with NSH bind_layers(UDP, VXLAN, dport=8472) # Linux implementation port bind_layers(UDP, VXLAN, dport=48879) # Cisco ACI bind_layers(UDP, VXLAN, sport=4789) bind_layers(UDP, VXLAN, sport=4790) bind_layers(UDP, VXLAN, sport=6633) bind_layers(UDP, VXLAN, sport=8472) # By default, set both ports to the RFC standard bind_layers(UDP, VXLAN, sport=4789, dport=4789) # Dissection bind_bottom_up(VXLAN, Ether, NextProtocol=0) bind_bottom_up(VXLAN, IP, NextProtocol=1) bind_bottom_up(VXLAN, IPv6, NextProtocol=2) bind_bottom_up(VXLAN, Ether, NextProtocol=3) bind_bottom_up(VXLAN, Ether, NextProtocol=None) # Build bind_top_down(VXLAN, Ether, flags=12, NextProtocol=0) bind_top_down(VXLAN, IP, flags=12, NextProtocol=1) bind_top_down(VXLAN, IPv6, flags=12, NextProtocol=2) bind_top_down(VXLAN, Ether, flags=12, NextProtocol=3)
# IPField("IdentData","127.0.0.1"), StrLenField("load", "", length_from=lambda x: x.length - 8), ] class ISAKMP_payload_Hash(ISAKMP_payload): name = "ISAKMP Hash" bind_bottom_up(UDP, ISAKMP, dport=500) bind_bottom_up(UDP, ISAKMP, sport=500) bind_layers(UDP, ISAKMP, dport=500, sport=500) # Add building bindings # (Dissection bindings are located in ISAKMP_class.guess_payload_class) bind_top_down(ISAKMP_class, ISAKMP_payload, next_payload=0) bind_top_down(ISAKMP_class, ISAKMP_payload_SA, next_payload=1) bind_top_down(ISAKMP_class, ISAKMP_payload_Proposal, next_payload=2) bind_top_down(ISAKMP_class, ISAKMP_payload_Transform, next_payload=3) bind_top_down(ISAKMP_class, ISAKMP_payload_KE, next_payload=4) bind_top_down(ISAKMP_class, ISAKMP_payload_ID, next_payload=5) # bind_top_down(ISAKMP_class, ISAKMP_payload_CERT, next_payload=6) # bind_top_down(ISAKMP_class, ISAKMP_payload_CR, next_payload=7) bind_top_down(ISAKMP_class, ISAKMP_payload_Hash, next_payload=8) # bind_top_down(ISAKMP_class, ISAKMP_payload_SIG, next_payload=9) bind_top_down(ISAKMP_class, ISAKMP_payload_Nonce, next_payload=10) # bind_top_down(ISAKMP_class, ISAKMP_payload_Notification, next_payload=11) # bind_top_down(ISAKMP_class, ISAKMP_payload_Delete, next_payload=12) bind_top_down(ISAKMP_class, ISAKMP_payload_VendorID, next_payload=13)
return new_packet def sixlowpan_defragment(packet_list): results = {} for p in packet_list: cls = None if LoWPANFragmentationFirst in p: cls = LoWPANFragmentationFirst elif LoWPANFragmentationSubsequent in p: cls = LoWPANFragmentationSubsequent if cls: tag = p[cls].datagramTag results[tag] = results.get(tag, b"") + p[cls].payload.load # noqa: E501 return {tag: SixLoWPAN(x) for tag, x in results.items()} ############ # Bindings # ############ bind_layers(LoWPAN_HC1, IPv6) bind_top_down(LoWPAN_IPHC, LoWPAN_NHC, nh=1) bind_layers(LoWPANFragmentationFirst, SixLoWPAN) bind_layers(LoWPANMesh, SixLoWPAN) bind_layers(LoWPANBroadcast, SixLoWPAN) bind_layers(Ether, SixLoWPAN, type=0xA0ED)
LEShortEnumField("", 0x0, SMB_DIALECTS), count_from=lambda pkt: pkt.DialectCount), # Field only exists if Dialects contains 0x0311 # Each negotiate context must be 8-byte aligned ConditionalField( FieldListField("NegotiateContexts", [], ReversePadField( PacketField("Context", None, SMB2_Negotiate_Context), 8), count_from=lambda pkt: pkt.NegotiateCount), lambda x: 0x0311 in x.Dialects), ] bind_top_down(SMB2_Header, SMB2_Negotiate_Protocol_Request, Command=0x0000, Flags=0) # sect 2.2.3.1.1 class SMB2_Preauth_Integrity_Capabilities(Packet): name = "SMB2 Preauth Integrity Capabilities" fields_desc = [ # According to the spec, this field value must be greater than 0 # (cf Section 2.2.3.1.1 of MS-SMB2.pdf) FieldLenField("HashAlgorithmCount", 1, fmt="<H", count_of="HashAlgorithms"), FieldLenField("SaltLength", 0, fmt="<H", length_of="Salt"),
"""Implements guess_payload_class to identify MPLS packets with internal Ethernet header""" # If bottom of stack is zero, the next layer is MPLS for sure. if self.s == 0: return MPLS # If checksum is ok, then we have a correct IP header after MPLS labels. elif checksum(payload[:20]) == 0: return IP # If checksum is nok, then we (almost) certainly have an Ethernet header after MPLS. else: return Ether bind_layers(Ether, MPLS, type = 0x8847) bind_bottom_up (Ether, MPLS, type = 0x8848) bind_layers(Dot1Q, MPLS, type = 0x8847) bind_bottom_up(Dot1Q, MPLS, type = 0x8848) bind_top_down(MPLS, MPLS, s = 0) ## Redefine IP summary ############################################################################ def ip_summary(self): """ Redefined summary for IP header. It's same as defined in scapy, but also request to output Dot1Q header. """ s = '%s > %s' % ( self.src, self.dst ) if self.frag: s += ", frag %i" % (self.frag) if self.tos: s += ", dscp %i" % (self.tos >> 2) return s, [Ether, Dot3, Dot1Q, MPLS] IP.mysummary = ip_summary
name = "USBpcap Transfer Interrupt" fields_desc = [ LEIntField("startFrame", 0), LEIntField("numberOfPackets", 0), LEIntField("errorCount", 0) ] class USBpcapTransferControl(Packet): name = "USBpcap Transfer Control" fields_desc = [ ByteField("stage", 0) ] bind_top_down(USBpcap, USBpcapTransferIsochronous, transfer=0) bind_top_down(USBpcap, USBpcapTransferInterrupt, transfer=1) bind_top_down(USBpcap, USBpcapTransferControl, transfer=2) conf.l2types.register(DLT_USBPCAP, USBpcap) def _extcap_call(prog, args, keyword, values): """Function used to call a program using the extcap format, then parse the results""" p = subprocess.Popen( [prog] + args, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) data, err = p.communicate() if p.returncode != 0:
BitField("ext_iv", 0, 1), # => LE = reversed order BitField("res1", 0, 5), # ByteField("PN2", 0), ByteField("PN3", 0), ByteField("PN4", 0), ByteField("PN5", 0), # data StrField("data", None), ] class Dot11Ack(Packet): name = "802.11 Ack packet" bind_top_down(RadioTap, Dot11FCS, present=2, Flags=16) bind_layers( PrismHeader, Dot11, ) bind_layers(Dot11, LLC, type=2) bind_layers( Dot11QoS, LLC, ) bind_layers(Dot11, Dot11AssoReq, subtype=0, type=0) bind_layers(Dot11, Dot11AssoResp, subtype=1, type=0) bind_layers(Dot11, Dot11ReassoReq, subtype=2, type=0) bind_layers(Dot11, Dot11ReassoResp, subtype=3, type=0) bind_layers(Dot11, Dot11ProbeReq, subtype=4, type=0)
LEShortField("ServerTimeZone", 0x3c), ByteField("ChallengeLength", 0), # aka EncryptionKeyLength LEFieldLenField("ByteCount", None, length_of="DomainName", adjust=lambda pkt, x: x + len(pkt.Challenge)), StrLenField( "Challenge", b"", # aka EncryptionKey length_from=lambda pkt: pkt.ChallengeLength), StrNullField("DomainName", "WORKGROUP") ] bind_top_down(SMB_Header, SMBNegotiate_Response_NoSecurity, Command=0x72, Flags=0x80) # SMB sect 2.2.4.5.2.1 class SMBNegotiate_Response_Extended_Security(_SMBNegotiate_Response): name = "SMB Negotiate Extended Security Response (SMB)" WordCount = 0x11 fields_desc = SMBNegotiate_Response_NoSecurity.fields_desc[:12] + [ LEFieldLenField("ByteCount", None, length_of="SecurityBlob", adjust=lambda _, x: x + 16), UUIDField("GUID", None, uuid_fmt=UUIDField.FORMAT_LE), PacketLenField("SecurityBlob",