dpd_to_pcap.py

#!/usr/bin/env python2
##
## This script takes a line from the dpd.log generated with the
## policy/frameworks/dpd/packet-segment-logging.bro script, and
## outputs a PCAP to stdout
##
##    Vlad Grigorescu
##    vlad@broala.com
##

import struct
import sys

# Parse the DPD log line

line = sys.stdin.readline().strip()
items = line.split('\t')
if len(items) < 10:
    print "Error - could not recognize file format"
    sys.exit(1)

packet_segment = items[9]
tsec, tusec = items[0].split('.')

# We need to deal with 3 types of encodings.
# Replace \0 with actual NUL
packet_segment = packet_segment.replace("\\0", chr(0))

# Escape the C0 encodings
for i in range(1, 32):
    next_chr = chr(ord('A') + i - 1)
    packet_segment = packet_segment.replace("^" + next_chr, chr(i))
packet_segment = packet_segment.replace("^?", chr(127))

# Escape the \xff encodings
packet_segment = packet_segment.decode('string_escape')

# Generate the PCAP file:
MAGIC = 0xa1b2c3d4
VER_MAJ, VER_MIN = 2, 4
GMT_CORRECTION = 0
ACCURACY = 0
SNAPLEN = 65535
DATALINK_TYPE = 1

pcap_header = struct.pack('<L', MAGIC) + struct.pack('<H', VER_MAJ) + struct.pack('<H', VER_MIN) + \
              struct.pack('<L', 0) + struct.pack('<L', 0) + struct.pack('<L', SNAPLEN) + struct.pack('<L', DATALINK_TYPE)
sys.stdout.write(pcap_header)

record_header = struct.pack('<L', int(tsec)) + struct.pack('<L', int(tusec)) +\
                struct.pack('<L', len(packet_segment)) + struct.pack('<L', len(packet_segment))
sys.stdout.write(record_header)

sys.stdout.write(packet_segment)