#!/usr/bin/env python2
import pcap
import sys
import string
import time
import socket
import struct
from Algos.shannon import *
from Algos.kolmogorov import *
# Human-readable labels for the IP protocol numbers this tool knows how
# to name; any other protocol number has no entry here.
protocols = dict([
    (socket.IPPROTO_TCP, 'tcp'),
    (socket.IPPROTO_UDP, 'udp'),
    (socket.IPPROTO_ICMP, 'icmp'),
])
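def decode_ip_packet(s):
    """Parse the IPv4 header at the start of `s` into a dict of fields.

    `s` is a raw IP packet (str/bytes) with the link-layer header already
    stripped.  The result holds the fixed header fields (`version`,
    `header_len` in 32-bit words, `tos`, `total_len`, `id`, `flags`,
    `fragment_offset`, `ttl`, `protocol`, `checksum`, `source_address`,
    `destination_address`), `options` (the raw option bytes, or None when
    the header is the minimal 20 bytes), `data` (everything after the
    header) and two payload-entropy measures: `entropy` (shannon) and
    `entropy-k` (kolmogorov).

    The bytes come straight from a capture file, so every length field is
    untrusted: the function checks that a full 20-byte header is present
    and that `header_len` is at least 5 words and fits inside `s`.
    `total_len` is reported as-is and not checked against len(s).

    Raises:
        ValueError: `s` is shorter than a minimal IPv4 header, or the
            header length field is invalid for the bytes given.
    """
    if len(s) < 20:
        raise ValueError('IPv4 header truncated: %d of 20 bytes' % len(s))
    # bytearray indexing yields ints for the single-byte fields; the
    # multi-byte fields are unpacked in network byte order ('!').
    hdr = bytearray(s[:20])
    d = {}
    d['version'] = hdr[0] >> 4
    d['header_len'] = hdr[0] & 0x0f
    d['tos'] = hdr[1]
    d['total_len'] = struct.unpack('!H', s[2:4])[0]
    d['id'] = struct.unpack('!H', s[4:6])[0]
    # Bytes 6-7: three flag bits followed by the 13-bit fragment offset.
    flags_and_offset = struct.unpack('!H', s[6:8])[0]
    d['flags'] = flags_and_offset >> 13
    d['fragment_offset'] = flags_and_offset & 0x1fff
    d['ttl'] = hdr[8]
    d['protocol'] = hdr[9]
    d['checksum'] = struct.unpack('!H', s[10:12])[0]
    d['source_address'] = pcap.ntoa(struct.unpack('i', s[12:16])[0])
    d['destination_address'] = pcap.ntoa(struct.unpack('i', s[16:20])[0])
    header_bytes = 4 * d['header_len']
    if d['header_len'] < 5:
        raise ValueError('invalid IPv4 header length: %d words'
                         % d['header_len'])
    if header_bytes > len(s):
        raise ValueError('IPv4 header length %d exceeds packet size %d'
                         % (header_bytes, len(s)))
    # Options occupy bytes 20 up to the end of the header.
    d['options'] = s[20:header_bytes] if d['header_len'] > 5 else None
    d['data'] = s[header_bytes:]
    d['entropy'] = shannon(d['data'])
    d['entropy-k'] = kolmogorov(d['data'])
    return d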
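def dumphex(s):
    """Write `s` to stdout as a hex dump, 16 bytes per line.

    Each line starts with one space and lists the bytes as two-digit
    lowercase hex separated by spaces; the last line holds whatever is
    left over, and an empty `s` prints nothing at all.
    """
    octets = ['%.2x' % b for b in bytearray(s)]
    # Slice the flat list into rows of 16; the final row may be shorter.
    for start in range(0, len(octets), 16):
        sys.stdout.write(' %s\n' % ' '.join(octets[start:start + 16]))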
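def print_packet(pktlen, data, timestamp, verbose=False):
    """pcap dispatch callback: print one summary line per IPv4 packet.

    `pktlen` is not used; the analysis works on the captured bytes in
    `data`.  `timestamp` is the capture time in seconds since the epoch.
    Frames are assumed to be Ethernet: only those whose EtherType at
    offset 12 is 0x0800 (IPv4) are reported, and the IP header is taken
    to start at offset 14, which is wrong for other link types.

    The summary line is `HH:MM.<seconds> src > dst | e:<shannon> |
    k:<kolmogorov> | <payload length>`.  With `verbose=True` the remaining
    header fields, the protocol name and a hex dump of the payload follow.
    A packet that does not decode (truncated or invalid header) is
    reported on stderr and skipped, so one bad packet does not end the
    capture loop.
    """
    if not data or data[12:14] != b'\x08\x00':
        return
    try:
        decoded = decode_ip_packet(data[14:])
    except (ValueError, IndexError, struct.error) as exc:
        sys.stderr.write('skipping malformed packet at %f: %s\n'
                         % (timestamp, exc))
        return
    when = time.strftime('%H:%M', time.localtime(timestamp))
    sys.stdout.write('\n%s.%f %s > %s | e:%f | k:%f | %d\n' % (
        when,
        timestamp % 60,
        decoded['source_address'],
        decoded['destination_address'],
        decoded['entropy'],
        decoded['entropy-k'],
        len(decoded['data'])))
    if not verbose:
        return
    for key in ('version', 'header_len', 'tos', 'total_len', 'id',
                'flags', 'fragment_offset', 'ttl'):
        sys.stdout.write(' %s: %d\n' % (key, decoded[key]))
    # Unknown protocol numbers are shown numerically rather than raising.
    proto = decoded['protocol']
    sys.stdout.write(' protocol: %s\n' % protocols.get(proto, str(proto)))
    sys.stdout.write(' header checksum: %d\n' % decoded['checksum'])
    sys.stdout.write(' data:\n')
    dumphex(decoded['data'])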
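if __name__ == '__main__':
    # Usage: capanalyzer.py <file> <expr...>; every argument after the
    # file name is joined into one BPF filter expression.
    if len(sys.argv) < 3:
        sys.stderr.write('usage: capanalyzer.py <file> <expr>\n')
        sys.exit(2)  # non-zero: nothing was analysed
    p = pcap.pcapObject()
    f = sys.argv[1]
    p.open_offline(f)
    p.setfilter(' '.join(sys.argv[2:]), 0, 0)
    # Under libpcap's pcap_dispatch() contract a return of 0 means the
    # savefile is exhausted, so stop there instead of spinning at end of
    # file (assuming dispatch() hands that count back).  Ctrl-C still ends
    # the run early.
    try:
        while 1:
            if p.dispatch(1, print_packet) == 0:
                break
    except KeyboardInterrupt as exc:
        sys.stdout.write('%s\nshutting down\n' % type(exc).__name__)
    # NOTE(review): libpcap reports no statistics for savefiles; confirm
    # what pylibpcap's stats() returns (or raises) on an offline handle.
    sys.stdout.write('%d packets received, %d packets dropped, '
                     '%d packets dropped by interface\n' % p.stats())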