Diffstat (limited to 'external/construct/formats/data')
-rw-r--r-- | external/construct/formats/data/__init__.py | 3 | ||||
-rw-r--r-- | external/construct/formats/data/cap.py | 55 | ||||
-rw-r--r-- | external/construct/formats/data/snoop.py | 50 |
3 files changed, 108 insertions, 0 deletions
diff --git a/external/construct/formats/data/__init__.py b/external/construct/formats/data/__init__.py new file mode 100644 index 0000000..50ce2de --- /dev/null +++ b/external/construct/formats/data/__init__.py @@ -0,0 +1,3 @@ +""" +all sorts of raw data serialization (tcpdump capture files, etc.) +""" diff --git a/external/construct/formats/data/cap.py b/external/construct/formats/data/cap.py new file mode 100644 index 0000000..f95c5c1 --- /dev/null +++ b/external/construct/formats/data/cap.py @@ -0,0 +1,55 @@ +""" +tcpdump capture file +""" +from construct import * +import time +from datetime import datetime + + +class MicrosecAdapter(Adapter): + def _decode(self, obj, context): + return datetime.fromtimestamp(obj[0] + (obj[1] / 1000000.0)) + def _encode(self, obj, context): + offset = time.mktime(*obj.timetuple()) + sec = int(offset) + usec = (offset - sec) * 1000000 + return (sec, usec) + +packet = Struct("packet", + MicrosecAdapter( + Sequence("time", + ULInt32("time"), + ULInt32("usec"), + ) + ), + ULInt32("length"), + Padding(4), + HexDumpAdapter(Field("data", lambda ctx: ctx.length)), +) + +cap_file = Struct("cap_file", + Padding(24), + Rename("packets", OptionalGreedyRange(packet)), +) + + +if __name__ == "__main__": + obj = cap_file.parse_stream(open("../../tests/cap2.cap", "rb")) + print(len(obj.packets)) + + + + + + + + + + + + + + + + + diff --git a/external/construct/formats/data/snoop.py b/external/construct/formats/data/snoop.py new file mode 100644 index 0000000..a5fa799 --- /dev/null +++ b/external/construct/formats/data/snoop.py 
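Review bot: `Padding(24)` in `cap_file` skips the entire pcap global header, so the parser never checks the magic/byte order and never reads `snaplen`, while the per-packet `ULInt32("length")` is handed to `Field("data", lambda ctx: ctx.length)` unbounded — a crafted `incl_len` near 2**32 asks the stream for gigabytes in a single read. A big-endian or nanosecond-resolution pcap is likewise parsed silently as little-endian, yielding garbage lengths rather than an error. Separately, `MicrosecAdapter._encode` calls `time.mktime(*obj.timetuple())`, which raises TypeError because `mktime` takes the 9-tuple as one argument; `offset = time.mktime(obj.timetuple())` is the fix, and `usec` should become `int(round((offset - sec) * 1000000))` so it fits `ULInt32("usec")` on build. The `__main__` block also never closes the file it opens; `with open(...) as f:` suffices. The excerpt below checks the magic and caps `incl_len`; once the header is actually parsed, its `snaplen` would be the tighter bound, assuming the file's own header can be trusted for that purpose.
```python
MAX_SNAPLEN = 262144   # libpcap's usual default snapshot cap; a larger incl_len is corrupt or hostile

def _bounded_length(ctx):
    """Return incl_len, refusing values that would make Field read gigabytes."""
    if ctx.length > MAX_SNAPLEN:
        raise ValueError("incl_len %d exceeds %d" % (ctx.length, MAX_SNAPLEN))
    return ctx.length

packet = Struct("packet",
    # … unchanged: MicrosecAdapter(Sequence(...)), ULInt32("length"), Padding(4) …
    HexDumpAdapter(Field("data", _bounded_length)),
)

cap_file = Struct("cap_file",
    Magic("\xd4\xc3\xb2\xa1"),   # pcap magic 0xa1b2c3d4 as written by a little-endian producer
    Padding(20),                 # version, thiszone, sigfigs, snaplen, linktype still skipped
    Rename("packets", OptionalGreedyRange(packet)),
)
```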
@@ -0,0 +1,50 @@
+"""
+what : snoop v2 capture file.
+ how : http://tools.ietf.org/html/rfc1761
+ who : jesse @ housejunkie . ca
+"""
+
+import time
+from construct import (Adapter, Enum, Field, HexDumpAdapter, Magic, OptionalGreedyRange,
+ Padding, Struct, UBInt32)
+
+class EpochTimeStampAdapter(Adapter):
+ """ Convert epoch timestamp <-> localtime """
+
+ def _decode(self, obj, context):
+ return time.ctime(obj)
+ def _encode(self, obj, context):
+ return int(time.mktime(time.strptime(obj)))
+
+packet_record = Struct("packet_record",
+ UBInt32("original_length"),
+ UBInt32("included_length"),
+ UBInt32("record_length"),
+ UBInt32("cumulative_drops"),
+ EpochTimeStampAdapter(UBInt32("timestamp_seconds")),
+ UBInt32("timestamp_microseconds"),
+ HexDumpAdapter(Field("data", lambda ctx: ctx.included_length)),
+ # 24 being the static length of the packet_record header
+ Padding(lambda ctx: ctx.record_length - ctx.included_length - 24),
+ )
+
+datalink_type = Enum(UBInt32("datalink"),
+ IEEE802dot3 = 0,
+ IEEE802dot4 = 1,
+ IEEE802dot5 = 2,
+ IEEE802dot6 = 3,
+ ETHERNET = 4,
+ HDLC = 5,
+ CHARSYNC = 6,
+ IBMCHANNEL = 7,
+ FDDI = 8,
+ OTHER = 9,
+ UNASSIGNED = 10,
+ )
+
+snoop_file = Struct("snoop",
+ Magic("snoop\x00\x00\x00"),
+ UBInt32("version"), # snoop v1 is deprecated
+ datalink_type,
+ OptionalGreedyRange(packet_record),
+ ) |
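Review bot: The pad length at `Padding(lambda ctx: ctx.record_length - ctx.included_length - 24)` is computed from two fields read straight from the file with no consistency check, so a record whose `record_length` is smaller than `included_length + 24` hands Padding a negative length. Construct then asks the stream for a negative byte count; whether that surfaces as a field-length error or as a read of the remainder of the stream depends on the construct version and stream type, and in neither case does the error name the corrupt record. `included_length` is likewise passed to `Field("data", ...)` unbounded, so a hostile 32-bit value requests up to 4 GiB in one read; a sanity cap far below 2**32 belongs next to the padding check. `UBInt32("version")` is read but never compared against 2, even though the record layout used here is the v2 layout from the RFC 1761 link in the docstring; `Magic("\x00\x00\x00\x02")` in its place would reject the v1 files the comment already calls deprecated. The helper below makes the padding check explicit; the length cap can follow the same pattern.
```python
SNOOP_RECORD_HEADER_LEN = 24   # the six UBInt32 fields that precede the data

def _record_padding(ctx):
    """Pad length from the record header; reject records whose lengths disagree."""
    pad = ctx.record_length - ctx.included_length - SNOOP_RECORD_HEADER_LEN
    if pad < 0:
        raise ValueError("record_length %d is shorter than header + included_length %d"
                         % (ctx.record_length, ctx.included_length))
    return pad

packet_record = Struct("packet_record",
    # … unchanged: the six UBInt32 fields and HexDumpAdapter(Field("data", ...)) …
    Padding(_record_padding),
    )
```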