    def parse_pcap_w_awk_cmd(self, pcap_txt, awkcmd):
        """Run an awk pipeline over a text dump produced by a parse_pcap call.

        pcap_txt - path of the text file the tshark output was redirected to
        awkcmd   - the remainder of the shell command line; it is appended
                   verbatim after the file name, so the caller supplies the
                   pipe and the awk invocation itself
        Returns whatever self.local_shell.run() returns for the command.
        NOTE(review): both arguments are spliced unquoted into one shell
        command line; they must come from trusted callers.
        """
        command_line = " ".join(["cat", pcap_txt, awkcmd])

        log("RUNNING AWK COMMAND ON TSHARK PARSE : " + command_line)
        result = self.local_shell.run(command_line, 0)

        # The shell result is handed back as-is; nothing is parsed here.
        return result
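    def parse_pcap_w_preferred_config(self, pcap, option, filters, fields, addcmd):
        """Run tshark on a capture and return its field output as a list of dicts.

        pcap    - path of the capture file (passed to tshark -r)
        option  - extra tshark option text placed before the filters
        filters - tshark filter expression text
        fields  - list of field names; each becomes a "-e <field>" argument and
                  is the dict key for that tab-separated column of the output.
                  Must be non-empty for the parse below to succeed ("" only
                  suppresses the -T fields part of the command).
        addcmd  - trailing command text appended verbatim ("" for none)
        Returns one dict per output line (keys taken from `fields` in column
        order). Because the output is split on "\\n", the text after the final
        newline yields a trailing record whose first field is "".
        The output is redirected to __tshark.log in the current directory and
        read back, since capturing tshark's large stdout directly has been
        unreliable; -w cannot be used for this because it writes binary packet
        data rather than text.
        NOTE(review): every argument is spliced unquoted into a shell command,
        and __tshark.log is a fixed name, so concurrent runs in one directory
        clobber each other's output.
        """
        tshark_log = "__tshark.log"

        # Build the tshark command with the requested filters and fields.
        cmd = "tshark -r " + pcap + " " + option + " " + filters
        if fields != "":
            cmd = cmd + " -T fields "
            for field in fields:
                cmd += " -e " + field
        if addcmd != "":
            cmd = cmd + " " + addcmd

        log("RUNNING TSHARK CMD : " + cmd)

        # Redirect to a file and read it back instead of trusting the captured stdout.
        cmd = cmd + " > " + tshark_log
        self.local_shell.run(cmd, 0)

        # The previous `datafile.close` (no parentheses) never closed the handle;
        # the context manager guarantees the file is released.
        with open(tshark_log, "r") as datafile:
            content = datafile.read()

        # One dict per line: column j is stored under fields[j]. A line with more
        # columns than there are fields raises IndexError, as before.
        info = []
        for line in content.split("\n"):
            columns = line.split("\t")
            values = {fields[j]: value for j, value in enumerate(columns)}
            info.append(values)

        return info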
    def stop(self):
        """stop():
              Stop every tcpdump recorded in self.pcaps by start()/run_tcpdump()
              and pull each pcap back through the shell's get_file().
              The pcap filenames stay available as:
                 packet_capture.server_pcap      (the server pcap, all ports / all interfaces)
                 packet_capture.client_lo_pcap   (the client pcap on the loopback interface)
                 packet_capture.client_eth_pcap  (the client pcap on all interfaces)
              self.pcaps is emptied afterwards so a second stop() is a no-op.
              """
        # Entries are [shell, launched tcpdump handle, pcap filename], in start order.
        for shell, tcpdump, pcap in self.pcaps:
            shell.stop(tcpdump)
            log("Retreiving packet capture:  " + pcap)
            shell.get_file(pcap)

        self.pcaps = []
    def parse_pcap_w_specific_opt(self, pcap, option, filters, fields, addcmd):
        """Run tshark with explicit options and return the raw shell result.

        pcap    - path of the capture file (passed to tshark -r)
        option  - extra tshark option text placed before the filters
        filters - tshark filter expression text
        fields  - list of field names, each emitted as "-e <field>" after
                  "-T fields"; "" omits the field list entirely
        addcmd  - trailing command text appended verbatim ("" for none)
        Unlike parse_pcap_w_preferred_config, nothing is parsed: the value
        returned by self.local_shell.run() is handed back unchanged.
        NOTE(review): all arguments are spliced unquoted into one shell
        command line; they must come from trusted callers.
        """
        pieces = ["tshark -r ", pcap, " ", option, " ", filters]
        if fields != "":
            pieces.append(" -T fields ")
            pieces.extend(" -e " + name for name in fields)
        if addcmd != "":
            pieces.append(" " + addcmd)
        cmd = "".join(pieces)

        log("RUNNING TSHARK CMD : " + cmd)

        # Raw shell result, not a list of dictionaries.
        return self.local_shell.run(cmd, 0)
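    def run_tcpdump(self, shell, prefix, intf, port):
        """run_tcpdump(shell, prefix, intf, port)
              Start a tcpdump using the specified shell object
                 shell  - a shell object for the local or remote system exposing
                          .ip, .run(cmd) and .launch(cmd); several tcpdumps may
                          share one shell
                 prefix - an arbitrary string which will be used to construct the pcap filename
                 intf   - the interface to monitor (like eth0) or 'all' for all interfaces
                 port   - the port to monitor as a string (like '7077') or 'all' for all ports
              The pcap filename will be:  <prefix>.<ip>:<port>.<intf>.pcap
              The launched handle and pcap name are appended to self.pcaps so that
              stop() can terminate the capture and fetch the file.
              Returns the pcap filename.
              NOTE(review): the capture runs as `sudo tcpdump` via shell.launch(),
              so the shell user presumably needs non-interactive sudo for tcpdump
              on that host — confirm against the shell implementation.
              """
        # e.g. tcp.172.15.34.23:7077.eth0.pcap -- port and intf must already be str.
        pcap = prefix + "." + shell.ip + ":" + port + "." + intf + ".pcap"

        # Drop stale local and remote copies so an old capture is never mistaken
        # for a new one. Locally, os.remove replaces `rm -f` through os.system so
        # the filename is never shell-interpreted; errors are ignored just as
        # rm -f would ignore them. The remote side still goes through the shell,
        # so keep prefix/ip/intf/port free of shell metacharacters.
        try:
            os.remove(pcap)
        except OSError:
            pass
        shell.run("rm -f " + pcap)

        # -B 131072: capture buffer size; -tt: raw epoch timestamps; -s 0: full packets.
        cmd = "sudo tcpdump -B 131072 -tt -s 0 -w " + pcap
        cmd += " -i any" if intf == "all" else " -i " + intf
        if port != "all":
            cmd += " port " + port

        log("Packet Capture started on " + shell.ip + "   " + cmd)
        tcpdump = shell.launch(cmd)

        # Remembered in start order; stop() relies on that order.
        self.pcaps.append([shell, tcpdump, pcap])

        return pcap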
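    def run_tcpdump(self, shell, prefix, intf, port):
        """run_tcpdump(shell, prefix, intf, port)
              Start a tcpdump using the specified shell object
                 shell  - a shell object for the local or remote system exposing
                          .ip, .run(cmd) and .launch(cmd); several tcpdumps may
                          share one shell
                 prefix - an arbitrary string which will be used to construct the pcap filename
                 intf   - the interface to monitor (like eth0) or 'all' for all interfaces
                 port   - the port to monitor as a string (like '7077') or 'all' for all ports
              The pcap filename will be:  <prefix>.<ip>:<port>.<intf>.pcap
              The launched handle and pcap name are appended to self.pcaps so that
              stop() can terminate the capture and fetch the file.
              Returns the pcap filename.
              NOTE(review): the capture runs as `sudo tcpdump` via shell.launch(),
              so the shell user presumably needs non-interactive sudo for tcpdump
              on that host — confirm against the shell implementation.
              """
        # e.g. tcp.172.15.34.23:7077.eth0.pcap -- port and intf must already be str.
        pcap = prefix + "." + shell.ip + ":" + port + "." + intf + ".pcap"

        # Drop stale local and remote copies so an old capture is never mistaken
        # for a new one. Locally, os.remove replaces `rm -f` through os.system so
        # the filename is never shell-interpreted; errors are ignored just as
        # rm -f would ignore them. The remote side still goes through the shell,
        # so keep prefix/ip/intf/port free of shell metacharacters.
        try:
            os.remove(pcap)
        except OSError:
            pass
        shell.run("rm -f " + pcap)

        # -B 131072: capture buffer size; -tt: raw epoch timestamps; -s 0: full packets.
        cmd = "sudo tcpdump -B 131072 -tt -s 0 -w " + pcap
        cmd += " -i any" if intf == "all" else " -i " + intf
        if port != "all":
            cmd += " port " + port

        log("Packet Capture started on " + shell.ip + "   " + cmd)
        tcpdump = shell.launch(cmd)

        # Remembered in start order; stop() relies on that order.
        self.pcaps.append([shell, tcpdump, pcap])

        return pcap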
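    def start(self, prefix, options=None):
        """start(prefix, options):
              Start tcpdumps as indicated by options
              The pcap filenames will be:  <prefix>.<ip>:<port>.<intf>.pcap
                 prefix  - unique identifier for the pcap
                 options - mapping read through utilities.getKey(options, key, default).
                           Keys used:
                             CAPTURE      - "server", "client", "client_loc", "cli_all",
                                            "up_srvcli", "dn_clisrv", a "<data>-<ctrl>"
                                            client interface pair, or any value
                                            containing "ClientServer"
                             CAPTURE_PORT - port to capture (default "all")
                             SERVETH      - server interface for up_srvcli / dn_clisrv
                           Passing "" (the legacy form) makes the server, client,
                           client-loopback and up_srvcli branches all fire.
              Records the pcap names in self.server_pcap, self.client_eth_pcap,
              self.client_lo_pcap, self.client_all_pcap, self.client_data_pcap,
              self.client_ctrl_pcap or self.client_pcap depending on the branch.
              """
        # `options={}` was a mutable default; None keeps the call signature
        # compatible without sharing one dict across calls.
        if options is None:
            options = {}

        self.prefix = prefix

        def opt(key, default=""):
            return utilities.getKey(options, key, default)

        def named_intf(value):
            # eth0, p1p1, em1 ... are treated as a specific interface. The bare
            # "p" test also matches unrelated strings; kept for compatibility.
            return "eth" in value or "p" in value or "em" in value

        legacy = options == ""
        capture = opt("CAPTURE")
        port = str(opt("CAPTURE_PORT", "all"))
        server_prefix = "server_" + prefix
        client_prefix = "client_" + prefix

        # server only
        if legacy or capture == "server":
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, "all", port)

        # client only, all interfaces
        if legacy or capture == "client":
            self.client_eth_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)

        # client only, loopback (all ports regardless of CAPTURE_PORT)
        if legacy or capture == "client_loc":
            self.client_lo_pcap = self.run_tcpdump(self.client_shell, client_prefix, "lo", "all")

        # catch-all for the client: every interface plus loopback
        if capture == "cli_all":
            self.client_all_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)
            self.client_lo_pcap = self.run_tcpdump(self.client_shell, client_prefix, "lo", port)

        # Server then client (upload). stop() works in start order, so the
        # server capture is started first.
        if legacy or capture == "up_srvcli":
            serveth = opt("SERVETH")
            # A specific server interface (eth*, p<n>p<n>, em*) directs the dump;
            # otherwise capture on all interfaces.
            server_intf = str(serveth) if named_intf(serveth) else "all"
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, server_intf, port)
            self.client_eth_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)
            return

        # Client then server (download): the client capture is started first.
        if legacy or capture == "dn_clisrv":
            self.client_eth_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)
            serveth = opt("SERVETH")
            server_intf = str(serveth) if named_intf(serveth) else "all"
            # NOTE(review): the "generic all intf" fallback previously launched
            # this server_ capture on self.client_shell while the SERVETH branch
            # and the matching up_srvcli branch use self.server_shell; treated as
            # a copy-paste slip, so the server shell is used for both cases here.
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, server_intf, port)
            return

        # A "<data>-<ctrl>" pair of directed client interfaces, plus loopback,
        # for clients with more than one interface.
        if named_intf(capture):
            log("OUTPUT : " + str(capture))
            intf_list = capture.split("-")
            # Both entries are required; a value without "-" raises IndexError.
            self.client_data_pcap = self.run_tcpdump(self.client_shell, client_prefix, intf_list[0], "all")
            self.client_ctrl_pcap = self.run_tcpdump(self.client_shell, client_prefix, intf_list[1], "all")
            self.client_lo_pcap = self.run_tcpdump(self.client_shell, client_prefix, "lo", port)

        # Default: catch-all server and client captures.
        if "ClientServer" in capture:
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, "all", port)
            self.client_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)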
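    def start(self, prefix, options=None):
        """start(prefix, options):
              Start tcpdumps as indicated by options
              The pcap filenames will be:  <prefix>.<ip>:<port>.<intf>.pcap
                 prefix  - unique identifier for the pcap
                 options - mapping read through utilities.getKey(options, key, default).
                           Keys used:
                             CAPTURE      - "server", "client", "client_loc", "cli_all",
                                            "up_srvcli", "dn_clisrv", a "<data>-<ctrl>"
                                            client interface pair, or any value
                                            containing "ClientServer"
                             CAPTURE_PORT - port to capture (default "all")
                             SERVETH      - server interface for up_srvcli / dn_clisrv
                           Passing "" (the legacy form) makes the server, client,
                           client-loopback and up_srvcli branches all fire.
              Records the pcap names in self.server_pcap, self.client_eth_pcap,
              self.client_lo_pcap, self.client_all_pcap, self.client_data_pcap,
              self.client_ctrl_pcap or self.client_pcap depending on the branch.
              """
        # `options={}` was a mutable default; None keeps the call signature
        # compatible without sharing one dict across calls.
        if options is None:
            options = {}

        self.prefix = prefix

        def opt(key, default=""):
            return utilities.getKey(options, key, default)

        def named_intf(value):
            # eth0, p1p1, em1 ... are treated as a specific interface. The bare
            # "p" test also matches unrelated strings; kept for compatibility.
            return "eth" in value or "p" in value or "em" in value

        legacy = options == ""
        capture = opt("CAPTURE")
        port = str(opt("CAPTURE_PORT", "all"))
        server_prefix = "server_" + prefix
        client_prefix = "client_" + prefix

        # server only
        if legacy or capture == "server":
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, "all", port)

        # client only, all interfaces
        if legacy or capture == "client":
            self.client_eth_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)

        # client only, loopback (all ports regardless of CAPTURE_PORT)
        if legacy or capture == "client_loc":
            self.client_lo_pcap = self.run_tcpdump(self.client_shell, client_prefix, "lo", "all")

        # catch-all for the client: every interface plus loopback
        if capture == "cli_all":
            self.client_all_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)
            self.client_lo_pcap = self.run_tcpdump(self.client_shell, client_prefix, "lo", port)

        # Server then client (upload). stop() works in start order, so the
        # server capture is started first.
        if legacy or capture == "up_srvcli":
            serveth = opt("SERVETH")
            # A specific server interface (eth*, p<n>p<n>, em*) directs the dump;
            # otherwise capture on all interfaces.
            server_intf = str(serveth) if named_intf(serveth) else "all"
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, server_intf, port)
            self.client_eth_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)
            return

        # Client then server (download): the client capture is started first.
        if legacy or capture == "dn_clisrv":
            self.client_eth_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)
            serveth = opt("SERVETH")
            server_intf = str(serveth) if named_intf(serveth) else "all"
            # NOTE(review): the "generic all intf" fallback previously launched
            # this server_ capture on self.client_shell while the SERVETH branch
            # and the matching up_srvcli branch use self.server_shell; treated as
            # a copy-paste slip, so the server shell is used for both cases here.
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, server_intf, port)
            return

        # A "<data>-<ctrl>" pair of directed client interfaces, plus loopback,
        # for clients with more than one interface.
        if named_intf(capture):
            log("OUTPUT : " + str(capture))
            intf_list = capture.split("-")
            # Both entries are required; a value without "-" raises IndexError.
            self.client_data_pcap = self.run_tcpdump(self.client_shell, client_prefix, intf_list[0], "all")
            self.client_ctrl_pcap = self.run_tcpdump(self.client_shell, client_prefix, intf_list[1], "all")
            self.client_lo_pcap = self.run_tcpdump(self.client_shell, client_prefix, "lo", port)

        # Default: catch-all server and client captures.
        if "ClientServer" in capture:
            self.server_pcap = self.run_tcpdump(self.server_shell, server_prefix, "all", port)
            self.client_pcap = self.run_tcpdump(self.client_shell, client_prefix, "all", port)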