Exemple #1
0
// HandlePacketTmp used in development to display package data
func (krb *krbAuth) HandlePacketTmp(packet gopacket.Packet) {
	app := packet.ApplicationLayer()
	if app == nil {
		return
	}
	udp := packet.TransportLayer().(*layers.UDP)

	if udp.DstPort == 88 {
		msgType := app.Payload()[17:18]
		if msgType[0] == 10 { // AS-REQ type = 10
			var n kdcReq
			_, err := asn1.UnmarshalWithParams(app.Payload(), &n, asReqParam)
			if err != nil {
				fmt.Println("Error in asn.1 parse")
				fmt.Println(err)
			} else {
				fmt.Println("-------------------------------")
				fmt.Printf("PnDataType: %v\n", n.PnData[0].PnDataType)
				//fmt.Println(hex.Dump(n.Pdata[0].PdataValue))
				var encData encryptedData
				asn1.Unmarshal(n.PnData[0].PnDataValue, &encData)
				fmt.Printf("Etype: %v\n", encData.Etype)
				fmt.Printf("Kvno: %v\n", encData.Kvno)
				//fmt.Println(hex.Dump(encData.Cipher))
				//fmt.Println(len(encData.Cipher))
				fmt.Printf("Cname: %v\n", n.ReqBody.Cname)
				fmt.Printf("Sname %v\n", n.ReqBody.Sname)
				fmt.Printf("Realm: %v\n", n.ReqBody.Realm)

			}
		}
	}
}
Exemple #2
0
func (p *processor) decodeAppLayer(pkt gopacket.Packet) error {
	var moldUdp64Decoder gopacket.Decoder = nasdaq.LayerTypeMoldUDP64
	var ittoDecoder gopacket.Decoder = nasdaq.LayerTypeItto
	//log.Println("decodeAppLayer", pkt)
	transpLayer := pkt.TransportLayer()
	appLayer := pkt.ApplicationLayer()
	if transpLayer == nil || transpLayer.LayerType() != layers.LayerTypeUDP || appLayer == nil {
		return nil
	}

	packetBuilder := pkt.(gopacket.PacketBuilder)
	if packetBuilder == nil {
		panic("packet is not packetBuilder")
	}
	if appLayer.LayerType() != gopacket.LayerTypePayload {
		panic("appLayer is not LayerTypePayload")
	}
	data := appLayer.LayerContents()
	if err := moldUdp64Decoder.Decode(data, packetBuilder); err != nil {
		return err
	}
	for _, l := range pkt.Layers() {
		if mb, ok := l.(*nasdaq.MoldUDP64MessageBlockChained); ok {
			ittoDecoder.Decode(mb.Payload, packetBuilder)
		}
	}
	return nil
}
Exemple #3
0
// IsUdpPacket returns true if the packet is of UDP type
func IsUdpPacket(packet gopacket.Packet) bool {
	if packet == nil {
		return false
	}
	if packet.NetworkLayer() == nil || packet.TransportLayer() == nil || packet.TransportLayer().LayerType() != layers.LayerTypeUDP {
		return false
	}
	return true
}
Exemple #4
0
func main() {
	flag.Usage = usage
	flag.Parse()

	pcapfile, err := openPcap()
	if err != nil {
		glog.Fatalf("%v", err)
	}

	bpf := strings.Join(flag.Args(), " ")
	if err = pcapfile.SetBPFFilter(bpf); err != nil {
		glog.Fatalf("unable to set BPF: %v", err)
	}

	// "Pass this stream factory to an tcpassembly.StreamPool ,
	// start up an tcpassembly.Assembler, and you're good to go!"

	done := make(chan struct{})
	results := make(chan string)
	go printResults(done, results)

	wg := &sync.WaitGroup{}
	rtmp := &rtmpStreamWrapper{wg, results}
	pool := tcpassembly.NewStreamPool(rtmp)
	asm := tcpassembly.NewAssembler(pool)
	asm.MaxBufferedPagesTotal = 4096 // limit gopacket memory allocation

	source := gopacket.NewPacketSource(pcapfile, pcapfile.LinkType())

	var pkt gopacket.Packet
	for {
		pkt, err = source.NextPacket()
		if pkt == nil || err != nil {
			break
		}

		if tcp := pkt.Layer(layers.LayerTypeTCP); tcp != nil {
			asm.AssembleWithTimestamp(
				pkt.TransportLayer().TransportFlow(),
				tcp.(*layers.TCP),
				pkt.Metadata().Timestamp)
		}
	}

	if err != nil && !errIsEOF(err) {
		glog.Errorf("packet: %v", err)
		if err = pcapfile.Error(); err != nil {
			glog.Errorf("pcap: %v", err)
		}
	}

	asm.FlushAll() // abort any in progress tcp connections
	wg.Wait()      // tcp streams have finished processing
	close(results) // no more results will be generated by tcp streams
	<-done         // printResults has finished
}
Exemple #5
0
func (p *processor) getFlow(pkt gopacket.Packet) gopacket.Flow {
	mu := moldudp64Layer(pkt)
	//p.flowBufSrc.Reset()
	//p.flowBufSrc.Write(pkt.NetworkLayer().NetworkFlow().Src().Raw())
	//p.flowBufSrc.Write(pkt.TransportLayer().TransportFlow().Src().Raw())
	//p.flowBufSrc.Write(mu.Flow().Src().Raw())
	p.flowBufDst.Reset()
	p.flowBufDst.Write(pkt.NetworkLayer().NetworkFlow().Dst().Raw())
	p.flowBufDst.Write(pkt.TransportLayer().TransportFlow().Dst().Raw())
	p.flowBufDst.Write(mu.Flow().Dst().Raw())
	return gopacket.NewFlow(packet.EndpointCombinedSession, p.flowBufSrc.Bytes(), p.flowBufDst.Bytes())
}
func SendPacket(packet gopacket.Packet,
	connectionWaitGroup *sync.WaitGroup,
	mongodHost string,
	mongodPort string) {
	// If packet contains a mongo message
	if packet.ApplicationLayer() != nil {
		payload := packet.ApplicationLayer().Payload()
		delta := GetPacketTime(packet).Sub(packetMinTimestamp)

		// Get timestamp's delta from first packet
		// Get mongo wire protocol payload
		mongoPacket := MongoPacket{
			payload: payload,
			delta:   delta,
		}

		transportLayer := packet.TransportLayer()
		networkLayer := packet.NetworkLayer()

		var srcIp string
		var srcPort string

		if networkLayer.LayerType() == layers.LayerTypeIPv4 {
			ip4header := networkLayer.LayerContents()
			// Convert binary to IP string
			srcIp = strconv.Itoa(int(ip4header[12])) + "." +
				strconv.Itoa(int(ip4header[13])) + "." +
				strconv.Itoa(int(ip4header[14])) + "." +
				strconv.Itoa(int(ip4header[15]))
		}
		if transportLayer.LayerType() == layers.LayerTypeTCP {
			tcpHeader := transportLayer.LayerContents()
			// Hack to be able to use convert what should be a uint16 to string
			tcpHeaderSrcPort := []byte{0, 0, tcpHeader[0], tcpHeader[1]}
			srcPort = strconv.Itoa(int(binary.BigEndian.Uint32(tcpHeaderSrcPort)))
		}

		src := srcIp + ":" + srcPort

		if mConnection, ok := mapHostConnection[src]; ok {
			mConnection.Send(mongoPacket)
		} else {
			connectionWaitGroup.Add(1)
			mConnection := NewMongoConnection(mongodHost, mongodPort, 100)
			mapHostConnection[src] = mConnection
			go mConnection.ExecuteConnection(connectionWaitGroup)
			mConnection.Send(mongoPacket)
		}
	}
}
Exemple #7
0
func (b *Benchmark) decodePacket(pkt gopacket.Packet) (key *FiveTuple, payload []byte) {
	ipv4, ok := pkt.NetworkLayer().(*layers.IPv4)

	if !ok {
		return // Ignore packets that aren't IPv4
	}

	if ipv4.FragOffset != 0 || (ipv4.Flags&layers.IPv4MoreFragments) != 0 {
		return // Ignore fragmented packets.
	}

	var stream FiveTuple

	stream.protocol = ipv4.Protocol
	stream.srcAddr = ipv4.SrcIP
	stream.dstAddr = ipv4.DstIP

	switch t := pkt.TransportLayer().(type) {
	case *layers.TCP:
		stream.srcPort = uint16(t.SrcPort)
		stream.dstPort = uint16(t.DstPort)
		return &stream, t.Payload

	case *layers.UDP:
		stream.srcPort = uint16(t.SrcPort)
		stream.dstPort = uint16(t.DstPort)
		return &stream, t.Payload
	}

	return
}
Exemple #8
0
// HandlePacket extract the krb5 AS-Requests
func (krb *krbAuth) HandlePacket(packet gopacket.Packet) {
	app := packet.ApplicationLayer()
	if app == nil {
		return
	}
	udp := packet.TransportLayer().(*layers.UDP)

	if udp.DstPort == 88 {
		var n kdcReq
		_, err := asn1.UnmarshalWithParams(app.Payload(), &n, asReqParam)
		if err != nil {
			return
		}
		if n.MsgType == asRequestType {
			krb.addKdcReq(n)
		}
	}
}
Exemple #9
0
// HandlePacket assemble the correct challenge with the response
func (nt *ntlm) HandlePacket(packet gopacket.Packet) {
	app := packet.ApplicationLayer()
	if app == nil {
		return
	}
	nlen := len(app.Payload())
	values := strings.Split(string(app.Payload()[:nlen]), "\r\n")
	for _, s := range values {
		if isNtlm(s) {
			baseStrings := strings.Split(s, " ")
			if len(baseStrings) != 3 {
				return
			}
			tcp := packet.TransportLayer().(*layers.TCP)
			if isChallenge(s) {
				nt.addServerResponse(tcp.Ack, baseStrings[2])
			} else if isResponse(s) {
				nt.addClientResponse(tcp.Seq, baseStrings[2])
			}
		}
	}
}
Exemple #10
0
// Extract the ftp login reposnses and requests
func (ftp *ftpLogin) HandlePacket(packet gopacket.Packet) {
	app := packet.ApplicationLayer()
	if app == nil {
		return
	}
	n := len(app.Payload())
	values := strings.Split(string(app.Payload()[:n]), "\r\n")
	for _, s := range values {
		if isFtp(s) {
			tcp := packet.TransportLayer().(*layers.TCP)
			if isUser(s) {
				ftp.user(tcp.Ack, strings.Split(s, " ")[1])
				ftp.destination(tcp.Ack, destAndPort{
					Destination: util.GetDstIP(packet),
					Port:        tcp.DstPort,
				})
			} else if isServer(s) {
				ftp.server(tcp.Seq, tcp.Ack)
			} else if isPass(s) {
				ftp.pass(tcp.Seq, strings.Split(s, " ")[1])
			}
		}
	}
}
Exemple #11
0
// Handle reads the pcap file into assembled packets for the streamHandler
func (p *PacketHandler) Handle(streamHandler StreamHandler, numToHandle int) error {
	count := int64(0)
	start := time.Now()
	if p.Verbose && numToHandle > 0 {
		userInfoLogger.Logvf(Always, "Processing", numToHandle, "packets")
	}
	source := gopacket.NewPacketSource(p.pcap, p.pcap.LinkType())
	streamPool := NewStreamPool(streamHandler)
	assembler := NewAssembler(streamPool)
	defer func() {
		if userInfoLogger.isInVerbosity(DebugLow) {
			userInfoLogger.Logv(DebugLow, "flushing assembler.")
			userInfoLogger.Logvf(DebugLow, "num flushed/closed: %v", assembler.FlushAll())
			userInfoLogger.Logv(DebugLow, "closing stream handler.")
		} else {
			assembler.FlushAll()
		}
		streamHandler.Close()
	}()
	defer func() {
		if userInfoLogger.isInVerbosity(DebugLow) {
			userInfoLogger.Logvf(DebugLow, "Dropped %v packets out of %v", p.numDropped, count)
			runTime := float64(time.Now().Sub(start)) / float64(time.Second)
			userInfoLogger.Logvf(DebugLow, "Processed %v packets per second", float64(count-p.numDropped)/runTime)
		}
	}()
	ticker := time.Tick(time.Second * 1)
	var pkt gopacket.Packet
	var pktCount uint
	for {
		select {
		case pkt = <-source.Packets():
			pktCount++
			if pkt == nil { // end of pcap file
				userInfoLogger.Logv(DebugLow, "Reached end of stream")
				return nil
			}
			if tcpLayer := pkt.Layer(layers.LayerTypeTCP); tcpLayer != nil {
				userInfoLogger.Logv(DebugHigh, "Assembling TCP layer")
				assembler.AssembleWithTimestamp(
					pkt.TransportLayer().TransportFlow(),
					tcpLayer.(*layers.TCP),
					pkt.Metadata().Timestamp) // TODO: use time.Now() here when running in realtime mode
			}
			if count == 0 {
				if firstSeener, ok := streamHandler.(SetFirstSeener); ok {
					firstSeener.SetFirstSeen(pkt.Metadata().Timestamp)
				}
			}
			count++
			if numToHandle > 0 && count >= int64(numToHandle) {
				userInfoLogger.Logv(DebugLow, "Count exceeds requested packets, returning.")
				break
			}
			select {
			case <-ticker:
				bookkeep(pktCount, pkt, assembler)
			default:
			}
		case <-ticker:
			bookkeep(pktCount, pkt, assembler)
		case <-p.stop:
			return nil
		}
	}
}