#!/usr/bin/python
import subprocess
import sys
import binascii
import argparse
import textwrap
import os
import fnmatch
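def _byte_from_hex(tok):
    """Return the integer value of a two-digit hex token, or None if *tok* is not one.

    Deliberately strict: ``int(tok, 16)`` would also accept ``'+f'``, ``' f'``
    or longer strings, and a stray single digit must not be merged with its
    neighbour. Anything that is not exactly two hex digits is reported as
    "not a byte" so the caller renders it as ``.``.
    """
    if len(tok) != 2:
        return None
    for ch in tok:
        if ch not in "0123456789abcdefABCDEF":
            return None
    return int(tok, 16)


def hex_output(line):
    """Render one line of tshark byte-field output as printable ASCII.

    *line* is one line read from ``tshark -Tfields`` for a bytes field such as
    ``data.data``: colon-separated hex byte pairs (``48:65:6c``) or, with
    newer tshark builds, a contiguous hex string (``48656c``). Each byte in
    0x20..0x7e is written as its ASCII character; every other byte -- and
    every token that is not a valid byte, e.g. the ``\\n`` that readline()
    leaves on the last token -- is written as ``.``. One output line is
    produced per input line so output stays aligned with packets; the empty
    string (the EOF sentinel from ``readline()``) prints nothing.

    Why this is strict: the original compared the *hex text* lexically
    against ``'20'``..``'7e'``, so a whole contiguous dump such as
    ``48656c...`` passed the "printable" test as one token and its raw
    bytes -- including any terminal escape sequences an attacker put in the
    payload -- were written straight to the terminal. The check here is per
    byte, which is what keeps untrusted capture content from driving the
    terminal; do not relax it.

    Output goes to ``sys.stdout``; the function returns None.
    """
    if line == "":
        return  # EOF sentinel from readline(); nothing to render.
    if not isinstance(line, str):
        # Popen without text mode hands us bytes on Python 3.
        line = line.decode("ascii", "replace")
    body = line.strip()
    if ":" in body:
        tokens = body.split(":")
    else:
        # Contiguous hex dump: two digits per byte. An odd trailing digit
        # becomes a one-character token and renders as '.'.
        tokens = [body[i:i + 2] for i in range(0, len(body), 2)]
    rendered = []
    for tok in tokens:
        value = _byte_from_hex(tok)
        if value is not None and 0x20 <= value <= 0x7E:
            rendered.append(chr(value))
        else:
            rendered.append(".")
    sys.stdout.write("".join(rendered) + "\n")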
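def ascii_output(line):
    """Print one line of ``tshark -Tfields`` text output.

    *line* comes from ``Popen.stdout.readline()`` and therefore normally
    already carries its newline; the original ``print line`` added a second
    one, double-spacing the output. The line ending is stripped and a single
    newline re-added, which also terminates a final unterminated line. The
    empty string (EOF) prints nothing.

    NOTE(review): the text is whatever tshark extracted from the packets and
    is not sanitised here -- a hostile payload can carry terminal escape
    sequences. When viewing untrusted captures interactively prefer ``-f hex``
    (which dots out non-printables) or pipe the output through ``cat -v``.

    Output goes to ``sys.stdout``; the function returns None.
    """
    if line == "":
        return  # EOF sentinel from readline().
    if not isinstance(line, str):
        # Popen without text mode hands us bytes on Python 3.
        line = line.decode("utf-8", "replace")
    sys.stdout.write(line.rstrip("\r\n") + "\n")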
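def _tshark_argv(pcap, mfilter, port, fields):
    """Build the argv list for tshark (no shell is ever involved).

    The user's filter is wrapped in parentheses before being AND-ed with the
    port/payload restriction: the original concatenated it bare, so a filter
    like ``a || b`` became ``a || b && (tcp.port==…)``, which by precedence
    applied the port restriction to ``b`` only. Empty field names (from a
    trailing ``;``) are dropped instead of producing a bare ``-e`` that
    tshark rejects.

    NOTE(review): ``-R`` is kept as in the original. tshark 1.10+ treats
    ``-R`` as a two-pass read filter that needs ``-2`` and uses ``-Y`` for
    single-pass display filtering; on such builds tshark says so on stderr
    (which this script now lets through). Switch to ``-Y`` here if that is
    what your install reports.
    """
    argv = [
        "tshark",
        "-r" + pcap,
        "-R(%s) && (tcp.port==%s) && (tcp.len>0)" % (mfilter, port),
    ]
    if fields is not None:
        argv.append("-Tfields")
        argv.extend("-e" + name.strip() for name in fields.split(";") if name.strip())
    return argv


def tshark(pcap, mfilter, port, mformat, fields, quiet):
    """Run tshark over *pcap* and stream the matching packets to stdout.

    Args:
        pcap: path of the capture file handed to ``tshark -r``.
        mfilter: Wireshark display-filter expression; it is AND-ed with
            ``tcp.port==<port> && tcp.len>0`` so only TCP segments carrying
            payload on that port are shown.
        port: TCP port as a string or int; must be an integer in 0..65535.
        mformat: ``"hex"`` renders each output line through hex_output(),
            ``"ascii"`` through ascii_output(); any other value consumes
            tshark's output without printing it (as before).
        fields: ``;``-separated field names for ``-Tfields -e``, or None to
            use tshark's default packet summary.
        quiet: when false, the exact argv handed to tshark is printed first
            so a run can be reproduced by hand.

    Raises:
        ValueError: if *port* is not an integer in 0..65535. Checked here so
            a typo surfaces as a clear message rather than as a tshark
            filter-parse failure.
        OSError: if the ``tshark`` executable is not on PATH.

    Writes ``|`` before and ``|`` plus a newline after the packet output, and
    a warning to stderr if tshark exits non-zero.

    Security notes: filter, port, path and field names are passed as argv
    entries with ``shell=False``, so there is no shell-injection surface;
    the filter is still parsed by tshark itself. tshark dissects
    attacker-controlled data -- run it unprivileged when the capture is not
    trusted.
    """
    try:
        port_num = int(str(port).strip(), 10)
    except ValueError:
        raise ValueError("port must be an integer in 0..65535, got %r" % (port,))
    if not 0 <= port_num <= 65535:
        raise ValueError("port must be in 0..65535, got %d" % port_num)

    argv = _tshark_argv(pcap, mfilter, str(port_num), fields)
    if not quiet:
        sys.stdout.write("%r\n" % (argv,))

    render = {"hex": hex_output, "ascii": ascii_output}.get(mformat)

    # stderr is deliberately NOT piped: the original captured it and never
    # read it, which hid tshark's own diagnostics (bad filter, unreadable
    # file, deprecated -R) and can block tshark once the pipe buffer fills.
    # universal_newlines yields str lines on both Python 2 and 3.
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, universal_newlines=True)
    sys.stdout.write("|")
    try:
        for line in iter(proc.stdout.readline, ""):
            if render is not None:
                render(line)
    finally:
        proc.stdout.close()
        proc.wait()
    sys.stdout.write("|\n")
    if proc.returncode != 0:
        sys.stderr.write("[!] tshark exited with status %d for %s\n" % (proc.returncode, pcap))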
"""
Main Function
"""
if __name__ == "__main__":
"""
Parse command line arguments.
"""
parser = argparse.ArgumentParser(
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog = textwrap.dedent('''\
\tExamples:
\t\t./tshark.py -r log.pcap -p 21 -R 'ftp.request.command' -e 'ftp.request.command;ftp.request.arg' -f ascii
\t\t./tshark.py -r log.pcap -p 9999 -R '(tcp.port==9999) && (ip.src == 10.1.1.176)' -e 'data.data' -f hex
''')
)
parser.add_argument(
'-r',
'--infile',
dest='mfile',
nargs=1,
required=False,
help='Set the filename to read from.')
parser.add_argument(
'-R',
'--filter',
dest='mfilter',
nargs=1,
required=True,
help='Packet filter in Wireshark display filter syntax.')
parser.add_argument(
'-p',
'--port',
dest='port',
nargs=1,
required=True,
help='Set the port on which to filter.')
parser.add_argument(
'-e',
'--fields',
dest='fields',
nargs=1,
required=False,
help='Fields to print if -Tfields selected. Multiple fields are separated by \';\'.')
parser.add_argument(
'-f',
'--format',
dest='mformat',
nargs=1,
required=False,
help='In which format the tshark outputs the pcap file: hex, ascii.')
parser.add_argument(
'-d',
'--dir',
dest='mdir',
nargs=1,
required=False,
help='Specify the directory that contains pcap files. They will all be read one by one.')
parser.add_argument(
'-q',
'--quiet',
dest='quiet',
action='store_true',
help='Don\'t print the tshark array used with python subprocess command.')
args = parser.parse_args()
if args.mdir and args.mfile:
print "[*] Specify either the -r or -d argument, not both."
exit(-1)
""" Parse the PCAP file """
if not args.fields:
args.fields = [None]
if not args.mformat:
args.mformat = ['ascii']
if args.mdir:
if args.mdir[0][-1] != '/':
args.mdir[0] += '/'
for filename in os.listdir(args.mdir[0]):
if fnmatch.fnmatch(filename, '*'+'.pcap'):
tshark(args.mdir[0]+filename, args.mfilter[0], args.port[0], args.mformat[0], args.fields[0], args.quiet)
else:
tshark(args.mfile[0],
args.mfilter[0],
args.port[0],
args.mformat[0],
args.fields[0],
args.quiet)