capture.py

import pyshark
from datetime import datetime,timedelta
import time


capture = pyshark.LiveCapture(interface='wlp3s0')
# capture.set_debug()

connection_map = {}

# generates a sorted key based on the source/destination of the packet
def key(pkt):
  src = src_addr(pkt)
  dst = dst_addr(pkt)
  if src < dst:
    return src + "+" + dst
  return dst + "+" + src

def src_addr(pkt):
  if 'ip' in pkt:
      src = pkt.ip.src
  elif 'ipv6' in pkt:
      src = pkt.ipv6.src
  try:
    src_port = pkt[pkt.transport_layer].srcport
  except:
    src_port = 0

  return src + ":" + str(src_port)

def dst_addr(pkt):
  if 'ip' in pkt:
      dst = pkt.ip.dst
  elif 'ipv6' in pkt:
      dst = pkt.ipv6.dst
  try:
    dst_port = pkt[pkt.transport_layer].dstport
  except:
    dst_port = 0

  return dst + ":" + str(dst_port)


def log(pkt, desc, value):
  src = None
  if 'ip' in pkt:
      src = pkt.ip.src
      dst = pkt.ip.dst
  elif 'ipv6' in pkt:
      src = pkt.ipv6.src
      dst = pkt.ipv6.dst
  try:
    src_port = pkt[pkt.transport_layer].srcport
  except:
    src_port = 0

  try:
    dst_port = pkt[pkt.transport_layer].dstport
  except:
    dst_port = 0

  print datetime.utcnow(), src_addr(pkt), "->", dst_addr(pkt), "===", desc, value

def print_callback(pkt):
    # print dir(pkt)
    if 'ip' in pkt:
      pass
    elif 'ipv6' in pkt:
      pass
    else: return

    try:
      log(pkt, "SNI", pkt.ssl.handshake_extensions_server_name)
    except: pass

    try:
      log(pkt, "Cert name", pkt.ssl.x509ce_dnsname)
    except: pass

    try:
      dns = pkt.dns
      log(pkt, "DNS "+ str("Response" if str(dns.flags_response) == "1" else "Query"),
          str(dns.qry_name)+" id:"+str(dns.id))
    except: pass

    try:
      if str(pkt.tcp.flags_syn)=="1" and str(pkt.tcp.flags_ack)=="1":
        log(pkt, "New connection", "")
        for k in connection_map:
          t = connection_map[k]['time']
          now = datetime.now()
          dif = now - t
          if dif.seconds < 10:
            connection_map[k]['counter'] += 1
          if dif.seconds > 600:
            del connection_map[k]
        for ke, value in sorted(connection_map.iteritems(), key=lambda (k,v): (v,k), reverse=True)[:3]:
          print "**** %s: %s" % (ke, value)
        print "-------------"
    except: pass

    try:
      log(pkt, "HTTP Request", pkt.http.request_full_uri)
    except: pass

    try:
      ssl = pkt.ssl

      k = key(pkt)
      entry = {'time': datetime.now(), 'counter': 0}
      try:
        if k in connection_map:
          entry = connection_map[k]
      except: pass

      entry['time'] = datetime.now()
      connection_map[k] = entry
    except: pass

    try:
      if str(pkt.tcp.flags_fin)=="1" or str(pkt.tcp.flags_reset)=="1":
        log(pkt, "Connection closed", "FIN" if str(pkt.tcp.flags_fin)=="1" else "RESET")
        k = key(pkt)
        del connection_map[k]
    except: pass


def start():
  print "starting capture"

  capture.apply_on_packets(print_callback, timeout=10000)

  # try:
  #   capture.apply_on_packets(print_callback, timeout=10000)
  # except:
  #   print "Exception: restarting."
  #   start()

start()

# while True:
#   for packet in capture.sniff_continuously(packet_count=1):
#     # ssl.handshake.extensions_server_name
#     try:
#       print packet.ssl.handshake #.extensions_server_name
#       print "-----------------"
#     except:
#       print "packet"
#     # print 'Just arrived:', packet