From a1291667386b00d181a837f0d2fe95c5c7c11f1f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 8 Dec 2012 13:18:11 +0100
Subject: [PATCH] netbeacon pcap collector

nb_collect output netbeacon packet from pcap or live capture.

Example usage:
nb_collect.py -r test.pcap

The extended output includes the timestamp of the pcap header.
---
 nb_collect.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 nb_collect.py

diff --git a/nb_collect.py b/nb_collect.py
new file mode 100644
index 0000000..1c9f584
--- /dev/null
+++ b/nb_collect.py
@@ -0,0 +1,46 @@
+import dpkt
+import pcap
+import re
+import sys
+
+from optparse import OptionParser
+
+
+usage = "usage: %prog [options] "
+parser = OptionParser(usage)
+parser.add_option("-i","--interface", dest="interface", help="live capture on interface (default:lo)")
+parser.add_option("-r","--read", dest="filedump", help="read pcap file")
+parser.add_option("-e","--extended", dest="extended", help="enable extended format including pcap timestamp")
+
+(options, args) = parser.parse_args()
+
+if options.interface:
+ interface = options.interface
+else:
+ interface = "lo"
+
+if options.filedump:
+ interface = options.filedump
+
+pc = pcap.pcap(interface)
+pc.setfilter("port 12345 and udp")
+
+decode = { pcap.DLT_LOOP:dpkt.loopback.Loopback,
+ pcap.DLT_NULL:dpkt.loopback.Loopback,
+ pcap.DLT_EN10MB:dpkt.ethernet.Ethernet }[pc.datalink()]
+
+try:
+ sys.stderr.write('listening on %s: %s' % (pc.name, pc.filter))
+ for ts, pkt in pc:
+ ip = decode(pkt).data
+ udp = ip.data
+ if re.search("^nb", udp.data):
+ if options.extended:
+ print str(ts)+"|"+udp.data
+ else:
+ print udp.data
+except KeyboardInterrupt:
+ nrecv, ndrop, nifdrop = pc.stats()
+ sys.stderr.write('\n%d packets received by filter' % nrecv)
+ sys.stderr.write('%d packets dropped by kernel' % ndrop)
+
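Review bot: The `-e/--extended` option is declared with a `dest` but no `action`, so OptionParser treats it as taking a value: `nb_collect.py -e -r test.pcap` would store `-r` as the value of `extended` and then treat `test.pcap` as a positional argument, and the help text suggests it was meant to be a flag. The declaration should be `parser.add_option("-e","--extended", dest="extended", action="store_true", default=False, help="enable extended format including pcap timestamp")`. Separately, `udp.data` is an unvalidated network payload that is written straight to stdout in the two `print` lines; since the capture is meant to run against a live interface, non-printable bytes (including terminal control sequences) in a packet reach the terminal unescaped, so emitting `repr(udp.data)` or an explicitly escaped form would be safer for an operator watching the output. The `re.search("^nb", udp.data)` anchor-only pattern is equivalent to `udp.data.startswith("nb")`, which avoids a regex for a plain prefix test.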