Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
def get_flowid(pkt):
try:
eth = dpkt.ethernet.Ethernet(pkt)
if eth.type != dpkt.ethernet.ETH_TYPE_IP:
return None
ip = eth.data
if ip.p != dpkt.ip.IP_PROTO_TCP and ip.p != dpkt.ip.IP_PROTO_UDP:
return None
tcp = ip.data
flowid = {'sip': socket.inet_ntoa(ip.src), 'sport': tcp.sport,
'dip': socket.inet_ntoa(ip.dst), 'dport': tcp.dport}
return flowid
except:
return None
binascii.hexlify(ether.dst), '8021Q packet')
stream_object.protocol_data = '8021Q packet'
elif ether.type == dpkt.ethernet.ETH_TYPE_IPX:
stream_object = Stream(
packet_values, ether.data, binascii.hexlify(ether.src),
binascii.hexlify(ether.dst), 'IPX')
stream_object.protocol_data = 'IPX'
elif ether.type == dpkt.ethernet.ETH_TYPE_PPP:
stream_object = Stream(
packet_values, ether.data, binascii.hexlify(ether.src),
binascii.hexlify(ether.dst), 'PPP')
stream_object.protocol_data = 'PPP'
elif ether.type == dpkt.ethernet.ETH_TYPE_MPLS:
stream_object = Stream(
packet_values, ether.data, binascii.hexlify(ether.src),
binascii.hexlify(ether.dst), 'MPLS')
stream_object.protocol_data = 'MPLS'
elif ether.type == dpkt.ethernet.ETH_TYPE_MPLS_MCAST:
stream_object = Stream(
packet_values, ether.data, binascii.hexlify(ether.src),
binascii.hexlify(ether.dst), 'MPLS')
stream_object.protocol_data = 'MPLS MCAST'
elif ether.type == dpkt.ethernet.ETH_TYPE_PPPoE_DISC:
stream_object = Stream(
packet_values, ether.data, binascii.hexlify(ether.src),
binascii.hexlify(ether.dst), 'PPOE')
stream_object.protocol_data = 'PPoE Disc packet'
def _unpack_data(self, buf):
if self.type == ethernet.ETH_TYPE_8021Q:
self.tag, self.type = struct.unpack('>HH', buf[:4])
buf = buf[4:]
elif self.type == ethernet.ETH_TYPE_MPLS or \
self.type == ethernet.ETH_TYPE_MPLS_MCAST:
# XXX - skip labels
for i in range(24):
if struct.unpack('>I', buf[i:i+4])[0] & 0x0100: # MPLS_STACK_BOTTOM
break
self.type = ethernet.ETH_TYPE_IP
buf = buf[(i + 1) * 4:]
try:
self.data = self._typesw[self.type](buf)
setattr(self, self.data.__class__.__name__.lower(), self.data)
except (KeyError, dpkt.UnpackError):
self.data = buf
def parse_pcap(filename):
streams = dict() # Connections with current buffer
with open(filename, "rb") as f:
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
if eth.type != dpkt.ethernet.ETH_TYPE_IP:
continue
ip = eth.data
if not isinstance(ip, dpkt.ip.IP):
try:
ip = dpkt.ip.IP(ip)
except:
continue
if ip.p != dpkt.ip.IP_PROTO_TCP:
continue
tcp = ip.data
if not isinstance(tcp, dpkt.tcp.TCP):
try:
tcp = dpkt.tcp.TCP(tcp)
except:
continue
def IPHandler(self, addr, ip, ts, pkttype=None, **kw):
self.decodedbytes += len(ip.data)
self.count += 1
# if we are passed in IP data vs layer-2 frames, we need to encapsulate
# them
self.dump(dpkt.ethernet.Ethernet(data=str(ip), pkttype=type), ts=ts)
def gather_statistics(cap,serverAddr):
counters = defaultdict(int)
known_extensions = set()
count_extensions = set()
pkt_count = 0
for ts, buf in cap:
pkt_count += 1
eth = dpkt.ethernet.Ethernet(buf)
#print 'pkt: %d' % (pkt_count)
if not isinstance(eth.data, dpkt.ip.IP):
continue
ip = eth.data
if not isinstance(ip.data, dpkt.tcp.TCP):
continue
# TODO: consider doing TCP streams, so multi-packet things can be parsed right... "meh"
tcp = ip.data
if tcp.dport != 443 and tcp.sport != 443:
continue
if socket.gethostbyname(serverAddr) != socket.inet_ntoa(ip.src):
continue
if len(tcp.data) <= 0:
continue
def _tcp_iterator(pc):
for ts, pkt in pc:
try:
eth = dpkt.ethernet.Ethernet(pkt)
except dpkt.dpkt.NeedData:
continue
if eth.type == dpkt.ethernet.ETH_TYPE_IP:
ip = eth.data
if ip.p == dpkt.ip.IP_PROTO_TCP:
tcp = ip.data
yield (ip.src, tcp.sport, ip.dst, tcp.dport, tcp.data)
else:
pass
# Not TCP packets
else:
pass
# Not ether packets
return
def decode_tcp(pcap):
"""This function decodes a packet capture file f and breaks it up into tcp connections"""
print "counter\tsrc prt\tdst prt\tflags"
packet_cntr = 0
connection_table = {} # the keys of the table are the connection ID strings: source IP,
# source port, destination IP, destination port. The values are a tuple which is the
# sequence number and a string which is the assembled stream
for ts, buf in pcap:
packet_cntr += 1
eth = dpkt.ethernet.Ethernet(buf)
# Also, this changes a little bit with IPv6. To tell the difference between IPv4 and IPv6, you have to look
# at the ethertype field, which is given by http://www.iana.org/assignments/ethernet-numbers. IPv4 is 0x800 or 2048
# and IPv6 is 0x86DD or 34525
# This is simplistic - IPv4 packets can be fragmented. Also, this only works for IPv4. IPv6 has a different Ethertype
if eth.type == dpkt.ethernet.ETH_TYPE_IP :
ip = eth.data
if ip.v != 4 :
raise ValueError, "In packet %d, the ether type is IPv4 but the IP version number is %d not 4" % (
packet_cntr, ip.v )
# Deal with IP fragmentation here
elif eth.type == dpkt.ethernet.ETH_TYPE_IP6 :
ip = eth.data
if ip.v != 6 :
raise ValueError, "In packet %d, the ether type is IPv6 but the IP version number is %d not 6" % (
packet_cntr, ip.v )
# IPv6 packets don't fragment
else :
print "packet %d is neither IPv4 nor IPv6" % packet_cntr
continue # Not going to deal with anything other than IP
if ip.p == dpkt.ip.IP_PROTO_TCP :
tcp = ip.data
@gen.coroutine
def on_read(self, src, header, data):
try:
pkt = dpkt.ethernet.Ethernet(data)
except dpkt.NeedData:
yield self.passthru(src, header, data)
return
header = {
"eth_dst": self.pretty_mac(pkt.dst),
"eth_src": self.pretty_mac(pkt.src),
"eth_type": pkt.type,
}
self.seen_macs[src].add(header["eth_src"])
yield self.bubble(src, header, pkt.data)
def tcp_stream(pcapfile):
connection = {}
frame_counter = 0
for ts, buf in dpkt.pcap.Reader(open(pcapfile)):
frame_counter += 1
try:
eth = dpkt.ethernet.Ethernet(buf)
except:
continue
ip = eth.data
if eth.type != dpkt.ethernet.ETH_TYPE_IP:
continue
if ip.p != dpkt.ip.IP_PROTO_TCP:
continue
tcp = ip.data
if tcp.data == '':
continue
tuple_key = (ip.src, tcp.sport, ip.dst, tcp.dport)
reverse_key = (ip.dst, tcp.dport, ip.src, tcp.sport)
if (tuple_key and reverse_key) not in connection.keys():
connection.setdefault(tuple_key, {tcp.seq: tcp.data})
else:
connection[reverse_key][tcp.seq] = tcp.data
return connection