path: root/resources/libraries/python/IPFIXUtil.py
# Copyright (c) 2016 Cisco and/or its affiliates.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""IPFIX utilities library. Provides classes that allow scapy to work
with IPFIX packets.

Note:
    Template and data sets in one packet are not supported.
    Option template sets (Set_ID = 3) are not supported.
"""


from scapy.all import Packet, bind_layers
from scapy.fields import ByteField, ShortField, IntField, LongField, IPField,\
    StrFixedLenField, FieldListField
from scapy.layers.inet import UDP
from scapy.layers.inet6 import IP6Field
from scapy.contrib.ppi_geotag import UTCTimeField


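class IPFIXHandler(object):
    """Class for handling IPFIX packets.

    To use, create an instance of this class before dissecting IPFIX packets
    with scapy, then run update_template every time an IPFIX template packet
    is received.

    The dissection state lives on the IPFIXData class itself, so it is shared
    by every handler instance and only the most recently applied template is
    in effect.
    """

    # Maps an IPFIX information element ID to the scapy field used to
    # dissect it. Each field has a fixed width chosen here, not by the
    # template received from the exporter.
    template_elements = {
        4: ByteField("Protocol_ID", 0x00),
        7: ShortField("src_port", 0),
        8: IPField("IPv4_src", ""),
        11: ShortField("dst_port", 0),
        12: IPField("IPv4_dst", ""),
        27: IP6Field("IPv6_src", "::"),
        28: IP6Field("IPv6_dst", "::"),
        86: LongField("packetTotalCount", 0),
        180: ShortField("udp_src_port", 0),
        181: ShortField("udp_dst_port", 0),
        182: ShortField("tcp_src_port", 0),
        183: ShortField("tcp_dst_port", 0),
        193: ByteField("Next_header", 0x00)
    }

    def __init__(self):
        """Initializer, registers IPFIX header and template layers with scapy.
        """
        # UDP destination port 4739 is dissected as IPFIX; a header whose
        # Set_ID is 2 is followed by a template set.
        bind_layers(UDP, IPFIXHeader, dport=4739)
        bind_layers(IPFIXHeader, IPFIXTemplate, Set_ID=2)

    def update_template(self, packet):
        """Updates IPFIXData class with new data template. Registers IPFIX data
        layer with scapy using the new template.

        The new field list is assembled first and installed only when every
        element ID of the template is known, so a rejected template leaves
        the previously installed IPFIXData layout untouched.

        :param packet: Packet containing an IPFIX template.
        :type packet: scapy.Ether
        :raises KeyError: If the template names an element ID that is not in
            template_elements.
        """
        template_layer = packet['IPFIX template']
        template_list = template_layer.Template
        template_id = template_layer.Template_ID

        # The Template list is read as alternating (element ID, length)
        # values; only the IDs (even positions) are used.
        # NOTE(review): the length the template declares for each element is
        # not compared with the width of the mapped scapy field. A template
        # carrying different lengths would make data records dissect
        # misaligned without any error - worth validating if templates can
        # come from an exporter that is not fully trusted.
        new_fields = []
        for item in template_list[::2]:
            try:
                new_fields.append(self.template_elements[item])
            except KeyError:
                raise KeyError(
                    "Unknown IPFIX template element with ID {0}".format(item))

        # Install the layout only after the whole template was accepted.
        IPFIXData.fields_desc = new_fields
        # NOTE(review): bindings made for earlier Template_ID values are not
        # removed here, so they presumably stay registered with scapy -
        # confirm if templates with changing IDs are expected.
        bind_layers(IPFIXHeader, IPFIXData, Set_ID=template_id)
        # if the packet doesn't end here, assume it contains more data sets
        bind_layers(IPFIXData, IPFIXData)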


class IPFIXHeader(Packet):
    """IPFIX message header followed by the header of the first set.

    Besides the message header fields, this layer also holds Set_ID and
    Set_Length, which is what the layer bindings in IPFIXHandler key on.
    """

    name = "IPFIX header"

    # NOTE(review): "Message Length" and "Set_Length" are dissected as plain
    # values; nothing in this module compares them with the amount of data
    # actually present in the packet.
    fields_desc = [
        StrFixedLenField("Version", 0x000a, length=2),
        ShortField("Message Length", 0),
        UTCTimeField("Timestamp(UTC)", ""),
        IntField("Sequence Number", 0),
        IntField("Observation Domain ID", 0),
        ShortField("Set_ID", 0),
        ShortField("Set_Length", 0),
    ]


class IPFIXTemplate(Packet):
    """IPFIX template layer.

    The Template field is a flat list of 16-bit values; its item count is
    twice the nFields value read from the same packet.
    """

    name = "IPFIX template"

    fields_desc = [
        ShortField("Template_ID", 256),
        ShortField("nFields", 2),
        # The number of list items is taken from the packet's own nFields
        # value, two 16-bit values per template field.
        FieldListField(
            "Template",
            [],
            ShortField("type_len", ""),
            count_from=lambda pkt: pkt.nFields*2,
        ),
    ]


class IPFIXData(Packet):
    """IPFIX data layer.

    It starts without any fields and has to be given a template before it can
    dissect flow records.
    """

    name = "IPFIX flow data"

    # Class-level layout, set by IPFIXHandler.update_template from the
    # received template. Being a class attribute, it is shared by every
    # packet dissected as IPFIXData.
    fields_desc = list()