netarch/ip.py

#! /usr/bin/python

import StringIO
import struct
import socket
import warnings
import heapq
import gapstr


def unpack(fmt, buf):
    """Unpack buf based on fmt, assuming the rest is a string."""

    size = struct.calcsize(fmt)
    vals = struct.unpack(fmt, buf[:size])
    return vals + (buf[size:],)

def unpack_nybbles(byte):
    return (byte >> 4, byte & 0x0F)

ICMP = 1
TCP  = 6
UDP  = 17

class Frame:
    """Turn an ethernet frame into relevant TCP parts"""

    def __init__(self, pkt):
        ((self.time, _, _), frame) = pkt

        # Ethernet
        (self.eth_dhost,
         self.eth_shost,
         self.eth_type,
         p) = unpack('!6s6sH', frame)
        if self.eth_type != 0x0800:
            raise ValueError('Not IP %04x' % self.eth_type)

        # IP
        (self.ihlvers,
         self.tos,
         self.tot_len,
         self.id,
         self.frag_off,
         self.ttl,
         self.protocol,
         self.check,
         self.saddr,
         self.daddr,
         p) = unpack("!BBHHHBBHii", p)

        if self.protocol == TCP:
            self.name = 'TCP'
            (self.sport,
             self.dport,
             self.seq,
             self.ack,
             x2off,
             self.flags,
             self.win,
             self.sum,
             self.urp,
             p) = unpack("!HHLLBBHHH", p)
            (self.off, th_x2) = unpack_nybbles(x2off)
            opt_length = self.off * 4
            self.options, p = p[:opt_length - 20], p[opt_length - 20:]
            self.payload = p[:self.tot_len - opt_length - 20]
        elif self.protocol == UDP:
            self.name = 'UDP'
            (self.sport,
             self.dport,
             self.ulen,
             self.sum,
             p) = unpack("!HHHH", p)
            self.payload = p[:self.ulen - 8]
        elif self.protocol == ICMP:
            self.name = 'ICMP'
            self.sport = self.dport = -1
            (self.type,
             self.code,
             self.cheksum,
             self.id,
             self.seq,
             p) = unpack('!BBHHH', p)
            self.payload = p[:self.tot_len - 8]
        else:
            raise ValueError('Unknown protocol')

        # Nice formatting
        self.src = (self.saddr, self.sport)
        self.dst = (self.daddr, self.dport)

        # This hash is the same for both sides of the transaction
        self.hash = (self.saddr ^ self.sport ^ self.daddr ^ self.dport)

    def get_src_addr(self):
        saddr = struct.pack('!i', self.saddr)
        self.src_addr = socket.inet_ntoa(saddr)
        return self.src_addr
    src_addr = property(get_src_addr)

    def get_dst_addr(self):
        daddr = struct.pack('!i', self.daddr)
        self.dst_addr = socket.inet_ntoa(daddr)
        return self.dst_addr
    dst_addr = property(get_dst_addr)

    def __repr__(self):
        return '<Frame %s %s:%d -> %s:%d length %d>' % (self.name,
                                                        self.src_addr, self.sport,
                                                        self.dst_addr, self.dport,
                                                        len(self.payload))


class Chunk:
    """Chunk of frames, possibly with gaps.

    """

    def __init__(self, seq=None):
        self.collection = {}
        self.length = 0
        self.seq = seq
        self.first = None

    def add(self, frame):
        if not self.first:
            self.first = frame
        if self.seq is None:
            self.seq = frame.seq
        assert frame.seq >= self.seq, (frame.seq, self.seq)
        self.collection[frame.seq] = frame
        end = frame.seq - self.seq + len(frame.payload)
        self.length = max(self.length, long(end))

    def __len__(self):
        return int(self.length)

    def __repr__(self):
        if self.first:
            return '<Chunk %s:%d -> %s:%d length %d>' % (self.first.src_addr,
                                                         self.first.sport,
                                                         self.first.dst_addr,
                                                         self.first.dport,
                                                         len(self))
        else:
            return '<Chunk (no frames)>'

    def gapstr(self, drop='?'):
        """Return contents as a GapString"""

        ret = gapstr.GapString(drop=drop)
        while len(ret) < self.length:
            f = self.collection.get(self.seq + len(ret))
            if f:
                ret.append(f.payload)
            else:
                # This is where to fix big inefficiency for dropped packets.
                l = 1
                while ((len(ret) + l < self.length) and
                       (not (self.seq + len(ret) + l) in self.collection)):
                    l += 1
                ret.append(l)
        return ret

    def __str__(self):
        return str(self.gapstr())

    def extend(self, other):
        self.seq = min(self.seq or other.seq, other.seq)
        self.length = self.length + other.length
        if not self.first:
            self.first = other.first
        self.collection.update(other.collection)

    def __add__(self, next):
        new = self.__class__(self.seq)
        new.extend(self)
        new.extend(next)
        return new


FIN = 1
SYN = 2
RST = 4
PSH = 8
ACK = 16

class TCP_Resequence:
    """TCP session resequencer.

    >>> p = pcap.open('whatever.pcap')
    >>> s = TCP_Resequence()
    >>> while True:
    ...     pkt = p.read()
    ...     if not pkt:
    ...         break
    ...     f = Frame(pkt)
    ...     r = s.handle(f)
    ...     if r:
    ...         print ('chunk', r)

    This returns things in sequence.  So you get both sides of the
    conversation in the order that they happened.

    Doesn't (yet) handle fragments or dropped packets.  Does handle out
    of order packets.

    """

    def __init__(self):
        self.cli = None
        self.srv = None
        self.seq = [None, None]
        self.first = None
        self.pending = [{}, {}]
        self.frames = 0
        self.closed = 0

        self.handle = self.handle_handshake


    def handle(self, pkt):
        """Stub.

        This function will never be called, it is immediately overridden
        by __init__.  The current value of this function is the state.
        """

        pass

    def handle_handshake(self, pkt):
        self.frames += 1

        if not self.first:
            self.first = pkt

        if pkt.flags == SYN:
            self.cli, self.srv = pkt.src, pkt.dst
        elif pkt.flags == (SYN | ACK):
            assert (pkt.src == (self.srv or pkt.src))
            self.cli, self.srv = pkt.dst, pkt.src
            self.seq = [pkt.ack, pkt.seq + 1]
        elif pkt.flags == ACK:
            assert (pkt.src == (self.cli or pkt.src))
            self.cli, self.srv = pkt.src, pkt.dst
            self.seq = [pkt.seq, pkt.ack]
            self.handle = self.handle_packet
        else:
            # In the middle of a session, do the best we can
            self.cli, self.srv = pkt.src, pkt.dst
            self.seq = [pkt.seq, pkt.ack]
            self.handle = self.handle_packet
            self.handle(pkt)

    def handle_packet(self, pkt):
        ret = None
        self.frames += 1

        # Which way is this going?  0 == from client
        idx = int(pkt.src == self.srv)
        xdi = 1 - idx

        # Does this ACK after the last output sequence number?
        seq = self.seq[xdi]
        if pkt.ack > seq:
            ret = Chunk(seq)
            pending = self.pending[xdi]
            for key in pending.keys():
                if key >= pkt.ack:
                    continue
                if key >= seq:
                    ret.add(pending[key])
                else:
                    warnings.warn('Dropping %r from mid-stream session' % pending[key])
                del pending[key]
            self.seq[xdi] = pkt.ack

        # If it has a payload, stick it into pending
        if pkt.payload:
            self.pending[idx][pkt.seq] = pkt

        # Is it a FIN or RST?
        if pkt.flags & (FIN | RST):
            self.closed += 1
            if self.closed == 2:
                # Warn about any unhandled packets
                if self.pending[0] or self.pending[1]:
                    warnings.warn('Dropping unhandled frames after shutdown' % pkt)
                self.handle = self.handle_drop

        return ret

    def handle_drop(self, pkt):
        """Warn about any unhandled packets"""

        if pkt.payload:
            warnings.warn('Spurious frame after shutdown: %r %d' % (pkt, pkt.flags))


class HTTP_side:
    """One side of an HTTP transaction."""

    def __init__(self):
        self.buf = ''
        self.first = ''
        self.in_headers = True
        self.headers = {}
        self.pending_data = 0
        self.data = ''
        self.complete = False

    def __repr__(self):
        return '<HTTP_side %r>' % self.first

    def process(self, chunk):
        """Returns any unprocessed part of the chunk, parts which go to
        the next utterance."""

        chunk = chunk + self.buf
        while self.in_headers and chunk:
            try:
                line, chunk = chunk.split('\n', 1)
            except ValueError:
                self.buf = chunk
                return ''
            self.process_header_line(line)
        self.buf = ''
        if self.pending_data:
            d = chunk[:self.pending_data]
            chunk = chunk[self.pending_data:]
            self.data += d
            self.pending_data -= len(d) # May set to 0
        if not self.pending_data:
            self.complete = True
        return chunk

    def process_header_line(self, line):
        if not line.strip():
            self.in_headers = False
            return
        try:
            k,v = line.split(':', 1)
        except ValueError:
            if self.first:
                raise ValueError(('Not a header', line))
            else:
                self.first += line
                return
        self.headers[k] = v
        if k.lower() == 'content-length':
            self.pending_data = int(v)


def resequence(pc):
    """Re-sequence from a pcap stream.

    >>> p = pcap.open('whatever.pcap')
    >>> for chunk in resequence(p):
    ...    print `chunk`

    """

    sessions = {}
    for pkt in pc:
        f = Frame(pkt)
        if f.protocol == TCP:
            # compute TCP session hash
            s = sessions.get(f.hash)
            if not s:
                s = TCP_Resequence()
                sessions[f.hash] = s
            chunk = s.handle(f)
            if chunk:
                yield chunk

def demux(*pcs):
    """Demultiplex pcap objects based on time.

    This is iterable just like a pcap object, so you could for instance do:

    >>> resequence(demux(pcap1, pcap2, pcap3))

    """

    tops = []
    for pc in pcs:
        frame = pc.read()
        if frame:
            heapq.heappush(tops, (frame, pc))

    while tops:
        frame, pc = heapq.heappop(tops)
        yield frame
        frame = pc.read()
        if frame:
            heapq.heappush(tops, (frame, pc))


def process_http(filename):
    # XXX: probably broken
    import pcap

    pc = pcap.open(filename)
    sess = TCP_Session(pc)

    packets = []
    current = [HTTP_side(), HTTP_side()]
    for idx, chunk in sess:
        c = current[idx]
        while chunk:
            chunk = c.process(chunk)
            if c.complete:
                packets.append((idx, c))

                c = HTTP_side()
                current[idx] = c

    return packets
Some Python crap that I use 2007-11-12 21:11:25 -07:00			`#! /usr/bin/python`

			`import StringIO`
Removed scapy dependence 2007-12-12 11:07:49 -07:00			`import struct`
			`import socket`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`import warnings`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`import heapq`
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`import gapstr`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00
Removed scapy dependence 2007-12-12 11:07:49 -07:00
			`def unpack(fmt, buf):`
			`"""Unpack buf based on fmt, assuming the rest is a string."""`

			`size = struct.calcsize(fmt)`
			`vals = struct.unpack(fmt, buf[:size])`
			`return vals + (buf[size:],)`

			`def unpack_nybbles(byte):`
			`return (byte >> 4, byte & 0x0F)`

resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`ICMP = 1`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`TCP = 6`
			`UDP = 17`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00
Removed scapy dependence 2007-12-12 11:07:49 -07:00			`class Frame:`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`"""Turn an ethernet frame into relevant TCP parts"""`

			`def __init__(self, pkt):`
			`((self.time, _, _), frame) = pkt`

Premature optimization 2007-12-12 12:22:20 -07:00			`# Ethernet`
Removed scapy dependence 2007-12-12 11:07:49 -07:00			`(self.eth_dhost,`
			`self.eth_shost,`
			`self.eth_type,`
			`p) = unpack('!6s6sH', frame)`
			`if self.eth_type != 0x0800:`
			`raise ValueError('Not IP %04x' % self.eth_type)`

Premature optimization 2007-12-12 12:22:20 -07:00			`# IP`
Removed scapy dependence 2007-12-12 11:07:49 -07:00			`(self.ihlvers,`
			`self.tos,`
			`self.tot_len,`
			`self.id,`
			`self.frag_off,`
			`self.ttl,`
			`self.protocol,`
			`self.check,`
			`self.saddr,`
			`self.daddr,`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`p) = unpack("!BBHHHBBHii", p)`

			`if self.protocol == TCP:`
			`self.name = 'TCP'`
			`(self.sport,`
			`self.dport,`
			`self.seq,`
			`self.ack,`
			`x2off,`
			`self.flags,`
			`self.win,`
			`self.sum,`
			`self.urp,`
			`p) = unpack("!HHLLBBHHH", p)`
			`(self.off, th_x2) = unpack_nybbles(x2off)`
			`opt_length = self.off * 4`
			`self.options, p = p[:opt_length - 20], p[opt_length - 20:]`
			`self.payload = p[:self.tot_len - opt_length - 20]`
			`elif self.protocol == UDP:`
			`self.name = 'UDP'`
			`(self.sport,`
			`self.dport,`
			`self.ulen,`
			`self.sum,`
			`p) = unpack("!HHHH", p)`
			`self.payload = p[:self.ulen - 8]`
			`elif self.protocol == ICMP:`
			`self.name = 'ICMP'`
			`self.sport = self.dport = -1`
			`(self.type,`
			`self.code,`
			`self.cheksum,`
			`self.id,`
			`self.seq,`
Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`p) = unpack('!BBHHH', p)`
			`self.payload = p[:self.tot_len - 8]`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`else:`
			`raise ValueError('Unknown protocol')`
Removed scapy dependence 2007-12-12 11:07:49 -07:00
Premature optimization 2007-12-12 12:22:20 -07:00			`# Nice formatting`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.src = (self.saddr, self.sport)`
			`self.dst = (self.daddr, self.dport)`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00
			`# This hash is the same for both sides of the transaction`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.hash = (self.saddr ^ self.sport ^ self.daddr ^ self.dport)`
Removed scapy dependence 2007-12-12 11:07:49 -07:00
Premature optimization 2007-12-12 12:22:20 -07:00			`def get_src_addr(self):`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`saddr = struct.pack('!i', self.saddr)`
			`self.src_addr = socket.inet_ntoa(saddr)`
Premature optimization 2007-12-12 12:22:20 -07:00			`return self.src_addr`
			`src_addr = property(get_src_addr)`

			`def get_dst_addr(self):`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`daddr = struct.pack('!i', self.daddr)`
			`self.dst_addr = socket.inet_ntoa(daddr)`
Premature optimization 2007-12-12 12:22:20 -07:00			`return self.dst_addr`
			`dst_addr = property(get_dst_addr)`
Removed scapy dependence 2007-12-12 11:07:49 -07:00
			`def __repr__(self):`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`return '<Frame %s %s:%d -> %s:%d length %d>' % (self.name,`
			`self.src_addr, self.sport,`
			`self.dst_addr, self.dport,`
			`len(self.payload))`
Some Python crap that I use 2007-11-12 21:11:25 -07:00
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`class Chunk:`
			`"""Chunk of frames, possibly with gaps.`
Some Python crap that I use 2007-11-12 21:11:25 -07:00
			`"""`

Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`def __init__(self, seq=None):`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`self.collection = {}`
			`self.length = 0`
			`self.seq = seq`
			`self.first = None`
Some Python crap that I use 2007-11-12 21:11:25 -07:00
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`def add(self, frame):`
			`if not self.first:`
			`self.first = frame`
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`if self.seq is None:`
			`self.seq = frame.seq`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`assert frame.seq >= self.seq, (frame.seq, self.seq)`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`self.collection[frame.seq] = frame`
			`end = frame.seq - self.seq + len(frame.payload)`
			`self.length = max(self.length, long(end))`
Some Python crap that I use 2007-11-12 21:11:25 -07:00
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`def __len__(self):`
			`return int(self.length)`
Some Python crap that I use 2007-11-12 21:11:25 -07:00
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`def __repr__(self):`
			`if self.first:`
			`return '<Chunk %s:%d -> %s:%d length %d>' % (self.first.src_addr,`
			`self.first.sport,`
			`self.first.dst_addr,`
			`self.first.dport,`
			`len(self))`
			`else:`
			`return '<Chunk (no frames)>'`

Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`def gapstr(self, drop='?'):`
			`"""Return contents as a GapString"""`

Fix GapString bug 2008-01-18 19:22:39 -07:00			`ret = gapstr.GapString(drop=drop)`
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`while len(ret) < self.length:`
			`f = self.collection.get(self.seq + len(ret))`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`if f:`
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`ret.append(f.payload)`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`else:`
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`# This is where to fix big inefficiency for dropped packets.`
			`l = 1`
			`while ((len(ret) + l < self.length) and`
			`(not (self.seq + len(ret) + l) in self.collection)):`
			`l += 1`
			`ret.append(l)`
			`return ret`

			`def __str__(self):`
			`return str(self.gapstr())`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`def extend(self, other):`
			`self.seq = min(self.seq or other.seq, other.seq)`
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`self.length = self.length + other.length`
			`if not self.first:`
			`self.first = other.first`
			`self.collection.update(other.collection)`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`def __add__(self, next):`
Integrate GapString and a few tweaks 2008-01-18 19:09:09 -07:00			`new = self.__class__(self.seq)`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`new.extend(self)`
			`new.extend(next)`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`return new`
Some Python crap that I use 2007-11-12 21:11:25 -07:00

Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`FIN = 1`
			`SYN = 2`
			`RST = 4`
			`PSH = 8`
			`ACK = 16`

Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`class TCP_Resequence:`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`"""TCP session resequencer.`

			`>>> p = pcap.open('whatever.pcap')`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`>>> s = TCP_Resequence()`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`>>> while True:`
			`... pkt = p.read()`
			`... if not pkt:`
			`... break`
			`... f = Frame(pkt)`
			`... r = s.handle(f)`
			`... if r:`
			`... print ('chunk', r)`
Some Python crap that I use 2007-11-12 21:11:25 -07:00
			`This returns things in sequence. So you get both sides of the`
			`conversation in the order that they happened.`

			`Doesn't (yet) handle fragments or dropped packets. Does handle out`
			`of order packets.`

			`"""`

resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`def __init__(self):`
Some Python crap that I use 2007-11-12 21:11:25 -07:00			`self.cli = None`
			`self.srv = None`
			`self.seq = [None, None]`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.first = None`
Some Python crap that I use 2007-11-12 21:11:25 -07:00			`self.pending = [{}, {}]`
			`self.frames = 0`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.closed = 0`

			`self.handle = self.handle_handshake`


			`def handle(self, pkt):`
			`"""Stub.`

			`This function will never be called, it is immediately overridden`
			`by __init__. The current value of this function is the state.`
			`"""`

			`pass`

			`def handle_handshake(self, pkt):`
			`self.frames += 1`

			`if not self.first:`
			`self.first = pkt`

Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`if pkt.flags == SYN:`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.cli, self.srv = pkt.src, pkt.dst`
Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`elif pkt.flags == (SYN \| ACK):`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`assert (pkt.src == (self.srv or pkt.src))`
			`self.cli, self.srv = pkt.dst, pkt.src`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`self.seq = [pkt.ack, pkt.seq + 1]`
Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`elif pkt.flags == ACK:`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`assert (pkt.src == (self.cli or pkt.src))`
			`self.cli, self.srv = pkt.src, pkt.dst`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`self.seq = [pkt.seq, pkt.ack]`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.handle = self.handle_packet`
			`else:`
Pick up TCP mid-stream 2008-01-01 14:47:06 -07:00			`# In the middle of a session, do the best we can`
			`self.cli, self.srv = pkt.src, pkt.dst`
			`self.seq = [pkt.seq, pkt.ack]`
			`self.handle = self.handle_packet`
			`self.handle(pkt)`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00
			`def handle_packet(self, pkt):`
			`ret = None`
			`self.frames += 1`

Pick up TCP mid-stream 2008-01-01 14:47:06 -07:00			`# Which way is this going? 0 == from client`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`idx = int(pkt.src == self.srv)`
			`xdi = 1 - idx`

			`# Does this ACK after the last output sequence number?`
Pick up TCP mid-stream 2008-01-01 14:47:06 -07:00			`seq = self.seq[xdi]`
			`if pkt.ack > seq:`
			`ret = Chunk(seq)`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`pending = self.pending[xdi]`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`for key in pending.keys():`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`if key >= pkt.ack:`
			`continue`
Pick up TCP mid-stream 2008-01-01 14:47:06 -07:00			`if key >= seq:`
			`ret.add(pending[key])`
Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`else:`
			`warnings.warn('Dropping %r from mid-stream session' % pending[key])`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`del pending[key]`
			`self.seq[xdi] = pkt.ack`

			`# If it has a payload, stick it into pending`
			`if pkt.payload:`
			`self.pending[idx][pkt.seq] = pkt`

			`# Is it a FIN or RST?`
Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`if pkt.flags & (FIN \| RST):`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.closed += 1`
			`if self.closed == 2:`
			`# Warn about any unhandled packets`
			`if self.pending[0] or self.pending[1]:`
Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`warnings.warn('Dropping unhandled frames after shutdown' % pkt)`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`self.handle = self.handle_drop`

			`return ret`

			`def handle_drop(self, pkt):`
Some Python crap that I use 2007-11-12 21:11:25 -07:00			`"""Warn about any unhandled packets"""`

Small bugfixes and cosmetic changes 2008-01-01 18:55:24 -07:00			`if pkt.payload:`
			`warnings.warn('Spurious frame after shutdown: %r %d' % (pkt, pkt.flags))`
Some Python crap that I use 2007-11-12 21:11:25 -07:00

			`class HTTP_side:`
			`"""One side of an HTTP transaction."""`

			`def __init__(self):`
			`self.buf = ''`
			`self.first = ''`
			`self.in_headers = True`
			`self.headers = {}`
			`self.pending_data = 0`
			`self.data = ''`
			`self.complete = False`

			`def __repr__(self):`
			`return '<HTTP_side %r>' % self.first`

			`def process(self, chunk):`
			`"""Returns any unprocessed part of the chunk, parts which go to`
			`the next utterance."""`

			`chunk = chunk + self.buf`
			`while self.in_headers and chunk:`
			`try:`
			`line, chunk = chunk.split('\n', 1)`
			`except ValueError:`
			`self.buf = chunk`
			`return ''`
			`self.process_header_line(line)`
			`self.buf = ''`
			`if self.pending_data:`
			`d = chunk[:self.pending_data]`
			`chunk = chunk[self.pending_data:]`
			`self.data += d`
			`self.pending_data -= len(d) # May set to 0`
			`if not self.pending_data:`
			`self.complete = True`
			`return chunk`

			`def process_header_line(self, line):`
			`if not line.strip():`
			`self.in_headers = False`
			`return`
			`try:`
			`k,v = line.split(':', 1)`
			`except ValueError:`
			`if self.first:`
			`raise ValueError(('Not a header', line))`
			`else:`
			`self.first += line`
			`return`
			`self.headers[k] = v`
			`if k.lower() == 'content-length':`
			`self.pending_data = int(v)`
Add HTTP resequencing example 2007-12-11 17:20:54 -07:00

resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`def resequence(pc):`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`"""Re-sequence from a pcap stream.`

			`>>> p = pcap.open('whatever.pcap')`
			`>>> for chunk in resequence(p):`
			... print `chunk`

			`"""`

resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`sessions = {}`
			`for pkt in pc:`
			`f = Frame(pkt)`
			`if f.protocol == TCP:`
			`# compute TCP session hash`
			`s = sessions.get(f.hash)`
			`if not s:`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`s = TCP_Resequence()`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00			`sessions[f.hash] = s`
Multi-stream resequencer 2007-12-30 23:30:23 -07:00			`chunk = s.handle(f)`
			`if chunk:`
			`yield chunk`
resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`def demux(*pcs):`
			`"""Demultiplex pcap objects based on time.`

			`This is iterable just like a pcap object, so you could for instance do:`

			`>>> resequence(demux(pcap1, pcap2, pcap3))`

			`"""`

			`tops = []`
			`for pc in pcs:`
			`frame = pc.read()`
			`if frame:`
			`heapq.heappush(tops, (frame, pc))`

			`while tops:`
			`frame, pc = heapq.heappop(tops)`
			`yield frame`
			`frame = pc.read()`
			`if frame:`
			`heapq.heappush(tops, (frame, pc))`

resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00
Add HTTP resequencing example 2007-12-11 17:20:54 -07:00			`def process_http(filename):`
Added pcapfile demuxer 2008-01-10 17:53:11 -07:00			`# XXX: probably broken`
Add HTTP resequencing example 2007-12-11 17:20:54 -07:00			`import pcap`

			`pc = pcap.open(filename)`
			`sess = TCP_Session(pc)`

			`packets = []`
			`current = [HTTP_side(), HTTP_side()]`
			`for idx, chunk in sess:`
			`c = current[idx]`
			`while chunk:`
			`chunk = c.process(chunk)`
			`if c.complete:`
			`packets.append((idx, c))`

			`c = HTTP_side()`
			`current[idx] = c`

			`return packets`

resequencer and esab64 This features a resequencer that deals with more than one session per pcap file (this will break all former code), and a decoder for a type of incorrectly-implemented base64. 2007-12-21 17:08:00 -07:00