Autodetect presence of pcap-converter for conversion, expliciet --tshark argument for using tshark even if pcap-converter is present

poorting · poorting · commit 01caa3b8828f · 2024-08-09T23:52:00.000+02:00
diff --git a/src/main.py b/src/main.py
@@ -14,36 +14,45 @@
 from attack import Attack, Fingerprint
 from analysis import infer_target, extract_attack_vectors, compute_summary
 from util import parquet_files_to_view, FileType, determine_filetype, determine_source_filetype, \
-    print_logo, parse_config
+    print_logo, parse_config, is_executable_present
 from graphs import create_line_graph, create_bar_graph
 
 DOCKERIZED: bool = 'DISSECTOR_DOCKER' in os.environ
 
 
 def parse_arguments() -> Namespace:
     parser = ArgumentParser()
-    parser.add_argument('-f', '--file', type=Path, help='Path to Flow / PCAP file(s)', nargs='+', required=True,
-                        dest='files')
-    parser.add_argument('--summary', action='store_true', help='Optional: print fingerprint without source addresses')
-    parser.add_argument('-r', action='store_true', help='Optional: use experimental Rust pcap-converter')
-    parser.add_argument('--output', type=Path, help='Path to directory in which to save the fingerprint '
-                                                    f'(default {"/data" if DOCKERIZED else "."}/fingerprints)',
-                        default=Path('/data/fingerprints') if DOCKERIZED else Path('./fingerprints'))
-    parser.add_argument('--config', type=Path, help='Path to DDoS-DB and/or MISP config file (default /etc/config.ini)',
-                        default=Path('/etc/config.ini'))
-    parser.add_argument('--nprocesses', dest='n', type=int, help='Number of processes used to concurrently read PCAPs '
-                                                                 '(default is the number of CPU cores)',
-                        default=os.cpu_count())
+    parser.add_argument('-f', '--file', type=Path, nargs='+', required=True, dest='files',
+                        help='Path to Flow / PCAP file(s)')
+    parser.add_argument('--summary', action='store_true',
+                        help='Optional: print fingerprint without source addresses')
+    # parser.add_argument('-r', action='store_true', help='Optional: use experimental Rust pcap-converter')
+    parser.add_argument('--output', type=Path,
+                        default=Path('/data/fingerprints') if DOCKERIZED else Path('./fingerprints'),
+                        help='Path to directory in which to save the fingerprint '
+                            f'(default: {"/data" if DOCKERIZED else "."}/fingerprints)')
+    parser.add_argument('--config', type=Path, default=Path('/etc/config.ini'),
+                        help='Path to DDoS-DB and/or MISP config file (default: /etc/config.ini)')
+    parser.add_argument('--nprocesses', dest='n', type=int, default=os.cpu_count(),
+                        help='Number of processes used to read and process PCAPs '
+                            f'(default: number of CPU cores ({os.cpu_count()}))')
     parser.add_argument('--target', type=str, dest='target',
-                        help='Optional: target IP address of this attack (subnet currently unsupported)')
-    parser.add_argument('--ddosdb', action='store_true', help='Optional: directly upload fingerprint to DDoS-DB')
-    parser.add_argument('--misp', action='store_true', help='Optional: directly upload fingerprint to MISP')
+                        help='Optional: Specify target IP address of this attack (subnet currently unsupported)')
+    parser.add_argument('--ddosdb', action='store_true',
+                        help='Optional: Directly upload fingerprint to DDoS-DB')
+    parser.add_argument('--misp', action='store_true',
+                        help='Optional: Directly upload fingerprint to MISP')
     parser.add_argument('--graph', action='store_true',
                         help='Optional: Create graphs of the attack, stored alongside the fingerprint')
-    parser.add_argument('--noverify', action='store_true', help="Optional: Don't verify TLS certificates")
-    parser.add_argument('--debug', action='store_true', help='Optional: show debug messages')
-    parser.add_argument('--show-target', action='store_true', help='Optional: Do NOT anonymize the target IP address '
-                                                                   '/ network in the fingerprint')
+    parser.add_argument('--noverify', action='store_true',
+                        help="Optional: Do not verify TLS certificates (accept self-signed certificates)")
+    parser.add_argument('--show-target', action='store_true',
+                        help='Optional: Do NOT anonymize the target IP address/network in the fingerprint')
+    parser.add_argument('--tshark', action='store_true',
+                        help='Optional: Force use of tshark/tcpdump over pcap-converter, even if it is present')
+    parser.add_argument('--debug', action='store_true',
+                        help='Optional: Show debug messages')
+
     return parser.parse_args()
 
 
@@ -65,6 +74,32 @@ def parse_arguments() -> Namespace:
 
     filetype = determine_filetype(args.files)
 
+    # Determine which of pcap-converter, tcpdump, tshark or nfdump are installed
+    pcap_converter_ok = is_executable_present('pcap-converter')
+    tcpdump_ok = is_executable_present('tcpdump')
+    tshark_ok = is_executable_present('tshark')
+    nfdump_ok = is_executable_present('nfdump')
+
+    # Error out early if one of the required executables (for the specified file type) is not present
+    if filetype == FileType.PCAP and args.tshark and not tshark_ok:
+        LOGGER.error("Use of tshark requested, but tshark cannot be found. Is it installed properly?")
+        exit(1)
+
+    if filetype == FileType.PCAP and args.tshark and not tcpdump_ok:
+        LOGGER.error("Use of tshark requested, but tcpdump is needed as well and cannot be found. Is it installed properly?")
+        exit(1)
+
+    if filetype == FileType.PCAP and not args.tshark and not pcap_converter_ok and (not tshark_ok or not tcpdump_ok):
+        tshark=' nor tshark' if not tshark_ok else ''
+        tcpdump=' nor tcpdump' if not tcpdump_ok else ''
+        LOGGER.error(f"Pcap file supplied, but neither pcap-converter{tshark}{tcpdump} can be found.")
+        LOGGER.error(f"Please ensure that either pcap-converter OR tcpdump and tshark are installed")
+        exit(1)
+
+    if filetype == FileType.FLOW and not nfdump_ok:
+        LOGGER.error("Flow file supplied, but nfdump cannot be found. Is it installed properly?")
+        exit(1)
+
     start = time.time()
     if filetype == FileType.PQT:
         # If parquet files: check all contain data from either pcap or flow, but not both
@@ -79,8 +114,12 @@ def parse_arguments() -> Namespace:
         pqt_files = [str(f) for f in args.files]
     else:
         # Convert the file(s) to parquet
-        dst_dir = tempfile.gettempdir() if DOCKERIZED else f"{os.getcwd()}/parquet"
-        pqt_files = read_files(args.files, dst_dir=dst_dir, filetype=filetype, nr_processes=args.n, rust_converter=args.r)
+        dst_dir = Path(tempfile.gettempdir()) if DOCKERIZED else Path(f"{os.getcwd()}/parquet")
+        pqt_files = read_files(args.files,
+                               dst_dir=dst_dir,
+                               filetype=filetype,
+                               nr_processes=args.n,
+                               rust_converter=pcap_converter_ok and not args.tshark)
         duration = time.time()-start
         LOGGER.info(f"Conversion took {duration:.2f}s")
         LOGGER.debug(pqt_files)
