-
Notifications
You must be signed in to change notification settings - Fork 18
/
split-pcap.py
executable file
·212 lines (187 loc) · 7.92 KB
/
split-pcap.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
#!/usr/bin/python
# split-pcap.py begins on the previous line
#
# This script will take a pcap file and split into multiple files, one per
# TCP 4-tuple. If the 4-tuple is reused for multiple connections all
# connections will be in the 1 file. The output file name will be the original
# file name stripped of any directories followed by
# _IP1-Port1_IP2-Port2_split.pcap
# The files are written into the current directory.
#
# The script will exit with a warning if it detects files with the same
# file name as the original file and the suffix _split.pcap. This is because
# the output files are written in append mode so if the script is run over
# the same file twice it will just add the packets to the existing files
# and you end up with duplicates.
# This script only supports pcap formated files. See the usage message for
# suggestions on converting pcapng files --
# or try googling "convert pcapng to pcap"
#
# This script requires the modules sys, re (regular expression), logging, glob
# and scapy. I expect that sys, re, logging, and glob are installed by default.
# You will probably have to install scapy. How will vary depending on your
# OS nd what is already installed. You can try:
# pip install scapy
# or apt-get install python-scapy
# or rpm install scapy (from the epel repro)
#
# Usage:
# split-pcap.py file-name [packet-count]
# Where:
# file-name is the name or path of the file to be processed. This script
# only supports pcap files, not pcapng. The following commands can be
# used to convert a pcapng file to pcap format
# tcpdump -r file.pcapng -w new-file.pcap
# or
# tshark -r file.pcapng -w new-file.pcap -F libpcap
# You can also use editcap with the -F libcap argument
#
# packet-count is optional and is the total number of packets (any protocol)
# in the file. If packet-count is provided the script will write a line
# "Percentage done: " for every integer increase in the percentage of
# the packets processed. If you get the number wrong the percentages
# will be off but you can multiple the count by 10 to get a line every
# 10 percent instead of every 1 percent. If packet-count is not provided
# the script will write a line with the packet count of the packet
# being processed.
# Version 1.0 July 9, 2017
# Version 1.1 July 9, 2017
# Correctetd handling of the file name prefix to strip off any directory
# path character to leave just thefile name. Also the detection of
# already existing files to check the current directory and not the input
# file source directory.
# Version 1.2 July 13, 2017
# Correcly write the link type for pcap contained Cooked Linux frames
# abort for anything other than Ethernet and CookedLinux
#
# from https://github.com/noahdavids/packet-analysis.git
#
# Copyright (C) 2017 Noah Davids
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, version 3, https://www.gnu.org/licenses/gpl-3.0.html
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
import sys
import re
import glob
# This is needed to suppress a really irrating warning message when scapy
# is imported
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
try:
from scapy.all import*
except ImportError:
print "scapy is not installed. See comments for installation suggestions"
exit ()
# argument processing, require just the file name. If a second argument
# is provided make sure its an integer
if len (sys.argv) < 2 or len (sys.argv) > 3:
print "Usage is: split-pcap.py file-name [packet-count]"
print "Try\n grep -A 20 Usage: " + sys.argv[0] + \
" | head -20\nfor details"
exit ()
if len (sys.argv) == 3:
inputFileString = sys.argv [1]
try:
inputTotalPackets = int (sys.argv [2])
except ValueError:
print "The second argument must be an integer <" + \
sys.argv [2] + "> does appear to be an integer"
exit ()
else:
inputFileString = sys.argv [1]
inputTotalPackets = 0
# try opening the file.
try:
pcapIn = PcapReader (inputFileString)
except IOError:
print "It doesn't look like " + inputFileString + " exists"
exit()
except NameError:
print "It doesn't look like " + inputFileString + \
" is a file that can be processed."
print "Note that this script cannot process pcapng files. Review the "
print "usage details for ideas on how to convert from pcapng to pcap"
exit ()
# Extract out just the the file name. Note that I assume the the ".*/" match
# is greedy and will match until the last "/" character in the string. If
# the match fails there are no "/" characters so the whole string must be the
# name.
x = re.search ("^.*/(.*$)", inputFileString)
try:
prefix = x.group(1) + "_"
except:
prefix = inputFileString + "_"
# Look for prefix*_split.pcap files. If you find them print a
# warning and exit.
t = len (glob (prefix + "*_split.pcap"))
if t > 0:
print "There are already " + str (t) + " files with the name " + \
prefix + "*_split.pcap."
print "Delete or rename them or change to a different directory to"
print "avoid adding duplicate packets into the " + prefix + \
"*_split.pcap trace files."
exit ()
pcapOutName = ""
oldPcapOutName = ""
packetCount = 0
donePercentage = 0;
oldDonePercentage = -1
# Loop for each packet in the file
for aPkt in pcapIn:
# count the packets read
packetCount = packetCount + 1
# If the packet contains a TCP header extract out the IP addresses and
# port numbers
if TCP in aPkt:
ipSrc = aPkt[IP].src
tcpSport = aPkt[TCP].sport
ipDst = aPkt[IP].dst
tcpDport = aPkt[TCP].dport
# put things in some sort of cannonical order. It doesn't really matter
# what the order is as long as packets going in either direction get the
# same order.
if ipSrc > ipDst:
pcapOutName = prefix + ipSrc + "-" + str(tcpSport) + "_" + ipDst + "-" + str(tcpDport) + "_split.pcap"
elif ipSrc < ipDst:
pcapOutName = prefix + ipDst + "-" + str(tcpDport) + "_" + ipSrc + "-" + str(tcpSport) + "_split.pcap"
elif tcpSport > tcpDport:
pcapOutName = prefix + ipSrc + "-" + str(tcpSport) + "_" + ipDst + "-" + str(tcpDport) + "_split.pcap"
else:
pcapOutName = prefix + ipDst + "-" + str(tcpDport) + "_" + ipSrc + "-" + str(tcpSport) + "_split.pcap"
# If the current packet should be written to a different file from the last
# packet, close the current output file and open the new file for append
# save the name of the newly opened file so we can compare it for the next
# packet.
if pcapOutName != oldPcapOutName:
if oldPcapOutName != "":
pcapOut.close()
if type(aPkt) == scapy.layers.l2.Ether:
lkType = 1
elif type (aPkt) == scapy.layers.l2.CookedLinux:
lkType = 113
else:
print "Unknown link type: "
type (aPkt)
print " -- exiting"
exit
pcapOut = PcapWriter (pcapOutName, linktype=lkType, append=True)
oldPcapOutName = pcapOutName
# write the packet
pcapOut.write (aPkt)
# Write the progress information, either percentages if we had a packet-count
# argument or just the packet count.
if inputTotalPackets > 0:
donePercentage = packetCount * 100 / inputTotalPackets
if donePercentage > oldDonePercentage:
print "Percenage done: ", donePercentage
oldDonePercentage = donePercentage
else:
print packetCount
#
# split-pcap.py ends here