import os, sys, json
import hashlib
#from scapy.all import *
from scapy.all import PcapReader
from scapy.all import sr1,TCP,IP,UDP,DNS,DNSQR,DNSRR
from scapy.all import sniff
import copy
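def writeFile(filename, data):
    """Serialise ``data`` as pretty-printed JSON into ``filename``.

    Keys are sorted and the output is indented by four spaces, so two runs over
    the same captures produce byte-identical files (convenient for diffing).

    Args:
        filename: path of the file to (over)write.
        data: any value ``json.dumps`` can serialise (dicts of str/int/float here).

    Raises:
        TypeError: if ``data`` contains a value json cannot serialise; in that
            case the target file is not touched, because serialisation happens
            before the file is opened.
    """
    text = json.dumps(data, sort_keys=True, indent=4, separators=(',', ': '))
    # The context manager guarantees the handle is closed even if write() fails.
    with open(filename, "w") as fh:
        fh.write(text)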
def hashTCP(packet, flip=False):
    """Return a string key identifying the TCP flow a packet belongs to.

    The key has the form ``"src:sport->dst:dport"``.  With ``flip=True`` the
    two endpoints are swapped, so the reverse direction of a connection yields
    the same key as the forward direction (the caller uses this to recognise
    replies to a flow it recorded from its SYN).
    """
    ip = packet[IP]
    tcp = ip[TCP]
    if flip:
        left, right = (ip.dst, tcp.dport), (ip.src, tcp.sport)
    else:
        left, right = (ip.src, tcp.sport), (ip.dst, tcp.dport)
    return "%s:%s->%s:%s" % (left[0], left[1], right[0], right[1])
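# Command line: the single argument is a directory of capture files.
if len(sys.argv) < 2:
    print("You must specify a folder")
    sys.exit(2)
folder = sys.argv[1]
if not os.path.isdir(folder):
    print("You must specify a valid folder")
    sys.exit(2)
# Drop trailing slashes so the per-file paths built later do not contain "//".
# rstrip() returns a new string, so its result must be assigned back; a path
# made only of slashes (e.g. "/") is kept unchanged.
folder = folder.rstrip("/") or folder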
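tcpState = {}    # flow key ("src:sport->dst:dport") -> "SYN" for every connection whose SYN was seen
dnsMapping = {}  # DNS answer rdata -> rrname it was returned for, collected from DNSRR answers
objectData = {}  # src -> proto -> port -> dst -> {"firstseen", "lastseen", "upload", "download"}
for name in os.listdir(folder):
    # Match on the file name only, so that a folder whose own name contains
    # ".pcap" does not make every file inside it look like a capture.
    if ".pcap" not in name:
        continue
    path = "%s/%s" % (folder, name)
    myreader = PcapReader(path)
    try:
        while True:
            packet = myreader.read_packet()
            if packet is None:
                break
            if not packet.haslayer("IP"):
                continue
            if packet.haslayer("TCP"):
                proto = "TCP"
                # %TCP.flags% renders as a string of flag letters ("S", "SA", "PA", ...);
                # split it so a bare SYN compares as ["S"].
                tcpflags = list(packet.sprintf('%TCP.flags%'))
                forwardKey = hashTCP(packet)
                if forwardKey in tcpState:
                    print("Packet src to dst")
                    src = packet[IP].src
                    dst = packet[IP].dst
                    port = packet[TCP].dport
                    flow = "upload"
                elif hashTCP(packet, True) in tcpState:
                    print("Packet dst to src")
                    src = packet[IP].dst
                    dst = packet[IP].src
                    # The reply's source port is the initiator's destination port.
                    port = packet[TCP].sport
                    flow = "download"
                elif tcpflags == ["S"]:
                    # A bare SYN opens a new flow; from here on bytes from the
                    # initiator count as "upload" and bytes towards it as "download".
                    print("This is connection start")
                    src = packet[IP].src
                    dst = packet[IP].dst
                    flow = "upload"
                    tcpState[forwardKey] = "SYN"
                    port = packet[TCP].dport
                else:
                    # Mid-connection packet whose SYN was not captured: there is
                    # no flow to attach it to, so it is not counted.
                    print("packet out of sync skipping")
                    continue
            else:
                if packet.haslayer("UDP"):
                    packet.show()  # verbose per-packet dump, kept as debug output
                    proto = "UDP"
                    port = packet[UDP].dport
                else:
                    proto = "unknown"
                    port = "unknown"
                # Non-TCP traffic has no connection state; it is always attributed
                # to the sender as "upload".
                flow = "upload"
                src = packet[IP].src
                dst = packet[IP].dst
                if packet.haslayer("DNSRR"):
                    # Remember answer -> name so the report can show names instead
                    # of addresses.  DNS replies themselves are not counted as traffic.
                    for x in range(packet[DNS].ancount):
                        dnsMapping[packet[DNSRR][x].rdata] = packet[DNSRR][x].rrname
                    continue
            # Per-destination counters, created on first sight of the 4-tuple.
            hosts = objectData.setdefault(src, {}).setdefault(proto, {}).setdefault(port, {})
            if dst not in hosts:
                hosts[dst] = {"firstseen": packet.time, "lastseen": packet.time, "upload": 0, "download": 0}
            entry = hosts[dst]
            entry["lastseen"] = packet.time
            # %IP.len% is the IP total-length field of this packet.
            entry[flow] = entry[flow] + int(packet.sprintf("%IP.len%"))
    finally:
        # PcapReader holds an open file handle; release it even if parsing raises.
        myreader.close()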
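#Enrich Data
def enrichObjectData(objectData, dnsMapping):
    """Return a copy of ``objectData`` with addresses replaced by DNS names where known.

    Every source and destination key that appears in ``dnsMapping`` is replaced
    by the name it maps to.  Entries that collapse onto the same
    (source, proto, port, destination) key after renaming are merged: upload and
    download bytes are summed, ``firstseen`` keeps the earliest and ``lastseen``
    the latest timestamp.  ``objectData`` itself is left unchanged.

    Args:
        objectData: src -> proto -> port -> dst -> stats dict with the keys
            "firstseen", "lastseen", "upload", "download".
        dnsMapping: address -> name lookup built from DNS answers.

    Returns:
        A new dict with the same nesting as ``objectData``.
    """
    merged = {}
    for origSrc in objectData:
        srcKey = dnsMapping.get(origSrc, origSrc)
        for proto in objectData[origSrc]:
            for port in objectData[origSrc][proto]:
                # setdefault keeps whatever an earlier source that maps to the
                # same name has already contributed instead of overwriting it.
                bucket = merged.setdefault(srcKey, {}).setdefault(proto, {}).setdefault(port, {})
                for origHost, stats in objectData[origSrc][proto][port].items():
                    hostKey = dnsMapping.get(origHost, origHost)
                    if hostKey in bucket:
                        existing = bucket[hostKey]
                        existing['download'] = existing['download'] + stats['download']
                        existing['upload'] = existing['upload'] + stats['upload']
                        if existing['firstseen'] > stats['firstseen']:
                            existing['firstseen'] = stats['firstseen']
                        if existing['lastseen'] < stats['lastseen']:
                            existing['lastseen'] = stats['lastseen']
                    else:
                        bucket[hostKey] = {
                            'download': stats['download'],
                            'upload': stats['upload'],
                            'firstseen': stats['firstseen'],
                            'lastseen': stats['lastseen'],
                        }
    return merged


# Lookups are always done on the original (address) keys; the renamed keys are
# used only on the output side, so a source that has a DNS name no longer
# raises KeyError and is merged with other sources sharing that name.
cpObjectData = enrichObjectData(objectData, dnsMapping)
print(cpObjectData)
print(dnsMapping)
print(tcpState)
writeFile("output.json", cpObjectData)
writeFile("dnsMapping.json", dnsMapping)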