#!/usr/bin/env python
import sys
import logging
logging.basicConfig()

from switzerland.client.PacketDiff import PacketDiffer
from switzerland.common.Dummies import DummyAlice

import switzerland.lib.shrunk_scapy.utils as scapy_utils
import switzerland.lib.shrunk_scapy.layers.inet as scapy_inet

# Stand-in "Alice" handed to PacketDiffer by handle_file.  The class object
# itself is passed, not an instance -- whether PacketDiffer expects an
# instance is not visible from this file.
dummy = DummyAlice

# Output switches consulted by handle_file and compare_pcaps:
#   print_unmatched  - report an -in capture that has no paired -out capture
#   print_firewalled - keep comparing even when the -in and -out captures
#                      disagree on IP src/dst; when off, compare_pcaps
#                      returns -1 and handle_file stops for that file
print_unmatched = print_firewalled = True
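def check_args():
    """Validate the command line: at least one argument, each naming an -in.pcap.

    Prints a usage message and exits with status 1 when the check fails.
    Explicit tests are used instead of ``assert`` so the validation is not
    stripped under ``python -O``, and no bare ``except`` can mask an
    unrelated error.
    """
    args = sys.argv[1:]
    if not args or not all("-in.pcap" in arg for arg in args):
        print "Usage:"
        print sys.argv[0], "<-in.pcap file> [-in.pcap file...]"
        sys.exit(1)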
import re

# Matches the "-in" marker of a capture filename; handle_file substitutes
# "-out" for it to locate the paired capture.
in_re = re.compile(r"-in")
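def _paired_out_file(in_file):
    """Return the -out.pcap path paired with *in_file*.

    Only the trailing "-in.pcap" is rewritten, so an "-in" that happens to
    occur elsewhere in the path (a directory name, a timestamp) is left
    untouched.  A name that does not end in "-in.pcap" (check_args only
    requires the substring) falls back to the historical whole-path
    substitution.
    """
    suffix = "-in.pcap"
    if in_file.endswith(suffix):
        return in_file[:-len(suffix)] + "-out.pcap"
    return in_re.sub("-out", in_file)


def handle_file(file):
    """
    Look through a -in file (and its paired -out file, if there is one) and
    try to determine which of the -out packets might have been modified to
    produce the forgery.

    The -in capture holds the packet as it was received; the -out capture
    holds the candidate packets as they were sent.  Both are parsed with
    shrunk_scapy; their field values (addresses, id, seq) are captured
    network data and are only ever printed here, never acted upon.
    """
    file2 = _paired_out_file(file)
    packets1 = scapy_utils.rdpcap(file)
    try:
        packets2 = scapy_utils.rdpcap(file2)
    except IOError:
        if print_unmatched:
            print "The -in file is not accompanied by a -out file;",
            print "the packet is probably injected:"
            print packets1[0].summary()
        return

    results = compare_pcaps(packets1, packets2)
    if results == -1:
        # compare_pcaps saw mismatched IP endpoints and print_firewalled is off
        return

    # packets1 came from the -in capture (the received side -- see the
    # (recd, sent) pairs below), packets2 from -out (the sent side); the
    # counts were previously passed the other way round.
    print "Sent logs: %d packets; Rec'd logs: %d packets" % \
        (len(packets2), len(packets1))
    if not results:
        print "Probably a spoofed packet or 3rd party retransmission:\n"
        print packets1[0].summary()
        return

    print "------------Modified packet--------------"
    try:
        seq = "seq: " + `packets1[0].seq`
    except AttributeError:
        # no TCP layer present, so there is no sequence number to show
        seq = ""
    print "Received:", packets1[0].summary(), "id:", packets1[0].id, seq
    for n, (recd, sent) in enumerate(results):
        if n > 0:
            print "** Another packet that might have been the one sent:\n"
        print "latency:", recd.time - sent.time
        print PacketDiffer(str(sent), str(recd), dummy).diff()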
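def compare_pcaps(packets1, packets2):
    """Find the packets in *packets2* that could be the origin of packets1[0].

    packets1[0] is the received packet from the -in capture; packets2 are the
    candidates from the paired -out capture.  Candidates are matched on the
    IP identification field.

    Returns a list of (received, candidate) pairs, possibly empty, or the
    sentinel -1 when the two captures disagree on IP src/dst ("firewalled")
    and print_firewalled is off.  The "Firewalled" line is printed in either
    case.

    Raises TypeError when the first packet of either capture does not carry
    a plain IP payload.
    """
    target = packets1[0]
    target_ipid = target.id
    tp = target.payload

    ep = packets2[0].payload
    # Explicit check rather than assert so it survives ``python -O``.  The
    # exact type comparison (no IP subclasses) is kept as it was.
    if not (type(tp) is scapy_inet.IP and type(ep) is scapy_inet.IP):
        raise TypeError("expected IP payloads, got %r and %r"
                        % (type(tp), type(ep)))

    if tp.src != ep.src or tp.dst != ep.dst:
        print "Firewalled", tp.src, tp.dst, ep.src, ep.dst
        if not print_firewalled:
            return -1

    return [(target, p) for p in packets2 if p.id == target_ipid]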
def main():
    """Entry point: validate the command line, then analyse each -in.pcap given."""
    check_args()
    for pcap_path in sys.argv[1:]:
        handle_file(pcap_path)


if __name__ == "__main__":
    main()