-
Notifications
You must be signed in to change notification settings - Fork 159
/
Copy pathparse_pcap.py
190 lines (161 loc) · 5.73 KB
/
parse_pcap.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
#
# CapTipper is a malicious HTTP traffic explorer tool
# By Omri Herscovici <omriher AT gmail.com>
# http://omriher.com
# @omriher
#
# This file is part of CapTipper
#
# CapTipper is a free software under the GPLv3 License
#
# This file belongs to pcap-parser written by Dong Liu
# https://github.com/xiaxiaocao/pcap-parser
# dongliu@live.cn
#
# Licensed under the Apache License, Version 2.0.
#
# This file and the library itself were modified to integrate with CapTipper
from __future__ import unicode_literals, print_function, division
import signal
import sys
# check python version
import time
import CTCore
major, minor, = sys.version_info[:2]
if major != 2 or minor < 7:
print("Python version 2.7.* needed.", file=sys.stderr)
sys.exit(1)
import io
from pcapparser import packet_parser
from pcapparser import pcap, pcapng, utils
from pcapparser.constant import FileFormat
from pcapparser.printer import HttpPrinter
from collections import OrderedDict
import struct
from pcapparser.httpparser import HttpType, HttpParser
from pcapparser import config
# when press Ctrl+C, stop the proxy.
def signal_handler(signal, frame):
sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)
class HttpConn:
"""all data having same source/dest ip/port in one http connection."""
STATUS_BEGIN = 0
STATUS_RUNNING = 1
STATUS_CLOSED = 2
STATUS_ERROR = -1
def __init__(self, tcp_pac):
self.source_ip = tcp_pac.source
self.source_port = tcp_pac.source_port
self.dest_ip = tcp_pac.dest
self.dest_port = tcp_pac.dest_port
self.status = HttpConn.STATUS_BEGIN
# start parser thread
self.processor = HttpPrinter((self.source_ip, self.source_port),
(self.dest_ip, self.dest_port))
self.http_parser = HttpParser(self.processor)
self.append(tcp_pac)
def append(self, tcp_pac):
if len(tcp_pac.body) == 0:
return
if self.status == HttpConn.STATUS_ERROR or self.status == HttpConn.STATUS_CLOSED:
# not http conn or conn already closed.
return
if self.status == HttpConn.STATUS_BEGIN:
if tcp_pac.body:
if utils.is_request(tcp_pac.body):
self.status = HttpConn.STATUS_RUNNING
if tcp_pac.source == self.source_ip:
http_type = HttpType.REQUEST
else:
http_type = HttpType.RESPONSE
if self.status == HttpConn.STATUS_RUNNING and tcp_pac.body:
self.http_parser.send(http_type, tcp_pac.body, tcp_pac.micro_second)
if tcp_pac.pac_type == -1:
# end of connection
if self.status == HttpConn.STATUS_RUNNING:
self.status = HttpConn.STATUS_CLOSED
else:
self.status = HttpConn.STATUS_ERROR
def finish(self):
self.http_parser.finish()
def get_file_format(infile):
"""
get cap file format by magic num.
return file format and the first byte of string
:type infile:file
"""
buf = infile.read(4)
if len(buf) == 0:
# EOF
print("empty file", file=sys.stderr)
sys.exit(-1)
if len(buf) < 4:
print("file too small", file=sys.stderr)
sys.exit(-1)
magic_num, = struct.unpack(b'<I', buf)
if magic_num == 0xA1B2C3D4 or magic_num == 0x4D3C2B1A:
return FileFormat.PCAP, buf
elif magic_num == 0x0A0D0D0A:
return FileFormat.PCAP_NG, buf
else:
return FileFormat.UNKNOWN, buf
def pcap_file(conn_dict, infile):
"""
:type conn_dict: dict
:type infile:file
"""
file_format, head = get_file_format(infile)
if file_format == FileFormat.PCAP:
pcap_file = pcap.PcapFile(infile, head).read_packet
elif file_format == FileFormat.PCAP_NG:
pcap_file = pcapng.PcapngFile(infile, head).read_packet
else:
print("unknown file format.", file=sys.stderr)
sys.exit(1)
_filter = config.get_filter()
for tcp_pac in packet_parser.read_package_r(pcap_file):
# filter
# get time
if CTCore.activity_date_time == "":
CTCore.activity_date_time = time.strftime('%a, %x %X', time.gmtime(int(str(tcp_pac.micro_second)[:10])))
if CTCore.client.headers["IP"] == "":
CTCore.client.headers["IP"] = tcp_pac.source
if CTCore.client.headers["MAC"] == "":
CTCore.client.headers["MAC"] = tcp_pac.src_mac
if not (_filter.by_ip(tcp_pac.source) or _filter.by_ip(tcp_pac.dest)):
continue
if not (_filter.by_port(tcp_pac.source_port) or _filter.by_port(tcp_pac.dest_port)):
continue
key = tcp_pac.gen_key()
# we already have this conn
if key in conn_dict:
conn_dict[key].append(tcp_pac)
# conn closed.
if tcp_pac.pac_type == packet_parser.TcpPack.TYPE_CLOSE:
conn_dict[key].finish()
del conn_dict[key]
# begin tcp connection.
elif tcp_pac.pac_type == 1:
conn_dict[key] = HttpConn(tcp_pac)
elif tcp_pac.pac_type == 0:
# tcp init before capture, we found a http request header, begin parse
# if is a http request?
if utils.is_request(tcp_pac.body):
conn_dict[key] = HttpConn(tcp_pac)
def run(file_path):
conn_dict = OrderedDict()
try:
if file_path != '-':
infile = io.open(file_path, "rb")
else:
infile = sys.stdin
try:
pcap_file(conn_dict, infile)
finally:
time.sleep(0.1)
CTCore.sort_convs()
infile.close()
finally:
for conn in conn_dict.values():
conn.finish()