1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
#!/usr/bin/env python2
import pcap
import sys
import string
import time
import socket
import struct
protocols={socket.IPPROTO_TCP:'tcp',
socket.IPPROTO_UDP:'udp',
socket.IPPROTO_ICMP:'icmp'}
def decode_ip_packet(s):
d={}
d['version']=(ord(s[0]) & 0xf0) >> 4
d['header_len']=ord(s[0]) & 0x0f
d['tos']=ord(s[1])
d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])
d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])
d['flags']=(ord(s[6]) & 0xe0) >> 5
d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)
d['ttl']=ord(s[8])
d['protocol']=ord(s[9])
d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])
d['source_address']=pcap.ntoa(struct.unpack('i',s[12:16])[0])
d['destination_address']=pcap.ntoa(struct.unpack('i',s[16:20])[0])
if d['header_len']>5:
d['options']=s[20:4*(d['header_len']-5)]
else:
d['options']=None
d['data']=s[4*d['header_len']:]
return d
def dumphex(s):
bytes = map(lambda x: '%.2x' % x, map(ord, s))
for i in xrange(0,len(bytes)/16):
print ' %s' % string.join(bytes[i*16:(i+1)*16],' ')
print ' %s' % string.join(bytes[(i+1)*16:],' ')
def print_packet(pktlen, data, timestamp):
if not data:
return
if data[12:14]=='\x08\x00':
decoded=decode_ip_packet(data[14:])
print '\n%s.%f %s > %s' % (time.strftime('%H:%M',
time.localtime(timestamp)),
timestamp % 60,
decoded['source_address'],
decoded['destination_address'])
for key in ['version', 'header_len', 'tos', 'total_len', 'id',
'flags', 'fragment_offset', 'ttl']:
print ' %s: %d' % (key, decoded[key])
print ' protocol: %s' % protocols[decoded['protocol']]
print ' header checksum: %d' % decoded['checksum']
print ' data:'
dumphex(decoded['data'])
if __name__=='__main__':
if len(sys.argv) < 3:
print 'usage: sniff.py <interface> <expr>'
sys.exit(0)
#dev = pcap.lookupdev()
dev = sys.argv[1]
#net, mask = pcap.lookupnet(dev)
# note: to_ms does nothing on linux
p = pcap.pcap(dev)
#p.open_live(dev, 1600, 0, 100)
#p.dump_open('dumpfile')
#p.setfilter(string.join(sys.argv[2:],' '), 0, 0)
# try-except block to catch keyboard interrupt. Failure to shut
# down cleanly can result in the interface not being taken out of promisc.
# mode
#p.setnonblock(1)
try:
while 1:
p.dispatch(1, print_packet)
# specify 'None' to dump to dumpfile, assuming you have called
# the dump_open method
# p.dispatch(0, None)
# the loop method is another way of doing things
# p.loop(1, print_packet)
# as is the next() method
# p.next() returns a (pktlen, data, timestamp) tuple
# apply(print_packet,p.next())
except KeyboardInterrupt:
print '%s' % sys.exc_type
print 'shutting down'
print '%d packets received, %d packets dropped, %d packets dropped by interface' % p.stats()
|
