Understanding Network Hacks
5.3 Reading and Writing PCAP Dump Files

Next we develop a script that does not display the captured packets on screen in human-readable form but saves them to a PCAP dump file for further processing by other network tools. If the script is given a file as parameter, it instead tries to read that file and prints its contents using an EthDecoder, as in the first example.

#!/usr/bin/python

import sys
import getopt
import pcapy
from impacket.ImpactDecoder import EthDecoder
from impacket.ImpactPacket import IP, TCP

dev = "eth0"
decoder = EthDecoder()
input_file = None
dump_file = "sniffer.pcap"


def write_packet(hdr, data):
    # Print the decoded frame and append header + payload to the dump file
    print(decoder.decode(data))
    dumper.dump(hdr, data)


def read_packet(hdr, data):
    ether = decoder.decode(data)
    if ether.get_ether_type() == IP.ethertype:
        iphdr = ether.child()
        # Only TCP provides the port getters used below; skip UDP, ICMP etc.
        if iphdr.get_ip_p() != TCP.protocol:
            return
        tcphdr = iphdr.child()
        print(iphdr.get_ip_src() + ":" +
              str(tcphdr.get_th_sport()) +
              " -> " + iphdr.get_ip_dst() + ":" +
              str(tcphdr.get_th_dport()))


def usage():
    print(sys.argv[0] + """
-i <dev>
-r <input_file>
-w <output_file>""")
    sys.exit(1)


# Parse parameter
try:
    cmd_opts = "i:r:w:"
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt[0] == "-w":
        dump_file = opt[1]
    elif opt[0] == "-i":
        dev = opt[1]
    elif opt[0] == "-r":
        input_file = opt[1]
    else:
        usage()

# Start sniffing and write packets to a pcap dump file
if input_file is None:
    pcap = pcapy.open_live(dev, 1500, 0, 100)
    dumper = pcap.dump_open(dump_file)
    pcap.loop(0, write_packet)

# Read a pcap dump file and print it
else:
    pcap = pcapy.open_offline(input_file)
    pcap.loop(0, read_packet)

The function pcap.dump_open() opens a PCAP dump file for writing and returns a Dumper object, whose dump() method writes the header and payload of a packet. To read a PCAP file we use open_offline() instead of the open_live() method used so far and pass it the file to open as its only parameter. The rest of the reading process is analogous.

The example also improves the decoding of the packet data. Until now we printed the whole packet at once via the str() method of the Ethernet class in ImpactPacket. Now we decode only the IP and TCP headers and display the source and destination IP addresses and ports as an example.

The headers of the higher layers can be accessed conveniently by calling the child() method. The rest of the code consists of simple getters for the desired properties of the protocol.
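To make the file format that dump_open()/dump() write and open_offline() reads concrete, here is an added example (not code from the book or from pcapy/impacket) that implements the libpcap record layout and the same IPv4/TCP endpoint extraction as read_packet() with only the Python standard library. The frames in SAMPLE and the function names are constructed for this illustration; checksums and MAC addresses are left zero.

```python
import struct
# libpcap file layout: 24-byte global header, then a 16-byte record header before each frame.
PCAP_MAGIC, LINKTYPE_ETHERNET, IPPROTO_TCP = 0xA1B2C3D4, 1, 6

def write_pcap(packets, snaplen=1500):
    """Serialise (ts_sec, ts_usec, frame) tuples into the bytes pcapy's Dumper.dump() writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def read_pcap(blob):
    """Yield (ts_sec, ts_usec, frame) like open_offline(); both byte orders, no silent truncation."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if endian is None:
        raise ValueError("not a pcap file")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += 16 + incl_len
        yield ts_sec, ts_usec, frame

def tcp_endpoints(frame):
    """Mirror read_packet(): 'src:sport -> dst:dport' for IPv4/TCP, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:        # skip UDP/ICMP instead of raising
        return None
    src, dst = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return "%s:%d -> %s:%d" % (src, sport, dst, dport)

def build_frame(src, dst, sport, dport, proto=IPPROTO_TCP):
    """Constructed sample frame: zero MACs, minimal IPv4 header, 20 bytes of L4 header, no checksums."""
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes(12) + b"\x08\x00" + ip + l4

# Constructed capture: one TCP packet plus one UDP (proto 17) packet the decoder must skip.
SAMPLE = [(1700000000, 0, build_frame("10.0.0.1", "10.0.0.2", 40000, 443)),
          (1700000000, 500, build_frame("10.0.0.2", "10.0.0.1", 53, 40001, proto=17))]

def summarise(blob):
    return [tcp_endpoints(f) for _, _, f in read_pcap(blob)]
```

Calling summarise(write_pcap(SAMPLE)) returns ['10.0.0.1:40000 -> 10.0.0.2:443', None]; the UDP packet yields None rather than an AttributeError, which is the failure read_packet() would hit on a mixed capture without a protocol check.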
