-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathp0f_sniffer.py
61 lines (50 loc) · 2.54 KB
/
p0f_sniffer.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
from multiprocessing import Process, Queue
import scapy.all as scapy
import scapy.modules.p0f as p0f
import time
import socket
import logger
class p0f_sniffer:
def __init__(self, options, database):
self.options = options
self.database = database
self.proc = Process(target=self.sniff)
self.logger = logger.logger(self)
def start(self):
self.proc.start()
def stop(self):
self.proc.join()
def sniff(self):
# Start Scapy sniffer on interface
try:
scapy.sniff(iface = self.options.listen_interface, prn = self.update_os_info, filter = self.options.p0f_filter, store = 0)
except socket.error, e:
self.logger.error("P0f sniffer error on %s: %s" % (self.options.listen_interface, e[1]))
def update_os_info(self, pkt):
if not 'TCP' in pkt:
return
tos = self.get_os_info(pkt)
if tos:
ip = pkt.sprintf("%IP.src%")
os = tos[0]
os_ver = tos[1]
distance = tos[2]
uptime = self.get_uptime_info(pkt)
self.database.push("INSERT INTO ips(ip_addr, ip_os, ip_os_ver, ip_uptime, ip_distance) VALUES (INET_ATON('%s'), '%s', '%s','%d','%d') ON DUPLICATE KEY UPDATE ip_os = '%s', ip_os_ver = '%s', ip_uptime = '%d', ip_distance = '%d'" % (ip, self.database.escape(os), self.database.escape(os_ver), int(uptime), int(distance), self.database.escape(os), self.database.escape(os_ver), int(uptime), int(distance)))
# Determine packet OS through p0f
def get_os_info(self, pkt):
tcpflags = pkt.sprintf("{TCP:%TCP.flags%}")
if 'S' in tcpflags and not ('A' in tcpflags or 'R' in tcpflags or 'F' in tcpflags):
try:
p0f_list = p0f.p0f(pkt)
if len(p0f_list) > 0:
return p0f_list[0]
except:
pass
return False
def get_uptime_info(self, pkt):
for opt in pkt.options:
if opt[0] == "Timestamp":
t = opt[1][0] / 100
return t
return False