observe: Allow the offline analysis of a PCAP file

mami-project · Jan 15, 2018 · fe240d0 · fe240d0
1 parent 684127b
commit fe240d0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/doc/using.rst b/doc/using.rst
@@ -117,6 +117,11 @@ redirection instead. You will be required to set your interface name and
 PATHspider will not start if it detects that the chosen interface is not
 active.
 
+It is also possible to perform offline analysis of a PCAP file using the
+"observe" command. Instead of an interface name, pass the name of the pcap file
+to ``-i`` instead. The PCAP file must have a ``.pcap`` extension to be
+recognised.
+
 .. code-block:: text
 
  usage: pspdr observe [-h] [--list-chains] [-i INTERFACE] [--output OUTPUTFILE]

diff --git a/pathspider/cmd/observe.py b/pathspider/cmd/observe.py
@@ -30,7 +30,15 @@ def run_observer(args):
         print("\nSpider safely!")
         sys.exit(0)
 
-    if not interface_up(args.interface):
+    interface = args.interface
+
+    if not ":" in args.interface:
+        if interface.endswith(".pcap") or interface.startswith("/"):
+            interface = "pcapfile:" + interface
+        else:
+            interface = "int:" + interface
+
+    if interface.startswith("int:") and not interface_up(interface[4:]):
         logger.error("The chosen interface is not up! Cannot continue.")
         logger.error("Try --help for more information.")
         sys.exit(1)
@@ -49,7 +57,8 @@ def run_observer(args):
 
     observer_shutdown_queue = queue.Queue(QUEUE_SIZE)
     flowqueue = queue.Queue(QUEUE_SIZE)
-    observer = Observer("int:" + args.interface, chosen_chains)
+
+    observer = Observer(interface, chosen_chains)
 
     logger.info("starting observer...")
     threading.Thread(target=observer.run_flow_enqueuer, args=(flowqueue,observer_shutdown_queue)).start()
@@ -83,7 +92,10 @@ def _format_action(self, action):
     parser.add_argument('--list-chains', help="Prints a list of available chains",
                         action='store_true')
     parser.add_argument('-i', '--interface', default="eth0",
-                        help="The interface to use for the observer. (Default: eth0)")
+                        help=("The interface to use for the observer. If this "
+                              "argument ends with '.pcap' then it will instead "
+                              "be treated as a PCAP file for offline analysis. "
+                              "(Default: eth0)"))
     parser.add_argument('--output', default='/dev/stdout', metavar='OUTPUTFILE',
                         help=("The file to output results data to. "
                               "Defaults to standard output."))