diff options
Diffstat (limited to 'resources/libraries/python/IPFIXUtil.py')
-rw-r--r-- | resources/libraries/python/IPFIXUtil.py | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/resources/libraries/python/IPFIXUtil.py b/resources/libraries/python/IPFIXUtil.py new file mode 100644 index 0000000000..f3247a8982 --- /dev/null +++ b/resources/libraries/python/IPFIXUtil.py @@ -0,0 +1,102 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""IPFIX utilities library. Provides classes that allow scapy to work +with IPFIX packets. + + Note: + Template and data sets in one packet are not supported. + Option template sets (Set_ID = 3) are not supported. + """ + + +from scapy.all import Packet, bind_layers +from scapy.fields import * +from scapy.layers.inet import UDP +from scapy.contrib.ppi_geotag import UTCTimeField + + +class IPFIXHandler(object): + """Class for handling IPFIX packets. To use, create instance of class before + dissecting IPFIX packets with scapy, then run update_template every time + an IPFIX template packet is received.""" + + template_elements = { + 4: ByteField("Protocol_ID", 0x00), + 7: ShortField("src_port", 0), + 8: IPField("IPv4_src", ""), + 11: ShortField("dst_port", 0), + 12: IPField("IPv4_dst", ""), + 86: LongField("packetTotalCount", 0), + 180: ShortField("udp_src_port", 0), + 181: ShortField("udp_dst_port", 0), + 182: ShortField("tcp_src_port", 0), + 183: ShortField("tcp_dst_port", 0), + } + + def __init__(self): + """Initializer, registers IPFIX header and template layers with scapy. + """ + bind_layers(UDP, IPFIXHeader, dport=4739) + bind_layers(IPFIXHeader, IPFIXTemplate, Set_ID=2) + + def update_template(self, packet): + """Updates IPFIXData class with new data template. Registers IPFIX data + layer with scapy using the new template. + + :param packet: Packet containing an IPFIX template. + :type packet: scapy.Ether + """ + template_list = packet['IPFIX template'].Template + template_id = packet['IPFIX template'].Template_ID + + IPFIXData.fields_desc = [] + for item in template_list[::2]: + try: + IPFIXData.fields_desc.append(self.template_elements[item]) + except KeyError: + raise KeyError( + "Unknown IPFIX template element with ID {0}".format(item)) + bind_layers(IPFIXHeader, IPFIXData, Set_ID=template_id) + # if the packet doesn't end here, assume it contains more data sets + bind_layers(IPFIXData, IPFIXData) + + +class IPFIXHeader(Packet): + """Class for IPFIX header.""" + name = "IPFIX header" + fields_desc = [StrFixedLenField("Version", 0x000a, length=2), + ShortField("Message Length", 0), + UTCTimeField("Timestamp(UTC)", ""), + IntField("Sequence Number", 0), + IntField("Observation Domain ID", 0), + ShortField("Set_ID", 0), + ShortField("Set_Length", 0) + ] + + +class IPFIXTemplate(Packet): + """Class for IPFIX template layer.""" + name = "IPFIX template" + fields_desc = [ShortField("Template_ID", 256), + ShortField("nFields", 2), + FieldListField("Template", [], ShortField("type_len", ""), + count_from=lambda p: p.nFields*2) + ] + + +class IPFIXData(Packet): + """Class for IPFIX data layer. Needs to be updated with + a template before use.""" + name = "IPFIX flow data" + fields_desc = [] |