pcapng support

[aziel12]

Hi,
Can we somehow process pcapng file directly with satori without converting it into pcap first?

[aziel12]

besides that, where can I find docu about sytax of the outputs, example: S;8192:128:1:52:M1460,N,W8,N,N,S:T or S;XYZ:XYZ:1:52:M1460,N,W8,N,N,S:ZAT, what does each character mean like T or ZAT at the end.
Thanks

[xnih]

pcapng - so it does appear that pypacker has a pcapng.py file: https://gitlab.com/mike01/pypacker/-/blob/master/pypacker/pcapng.py
and someone did one example here on how the reader works:
mike01/pypacker#8

So yeah if pypacker has support for reading it I'll see what I can do it get it added in in a future build.

[xnih]

As for the TCP syntax, the format is based on p0f v1 format

Here is a really old paper I wrote on OS fingerprinting:
https://dl.packetstormsecurity.net/papers/general/OSFingerPrint.pdf

Page 21 or so, look p0f piece and it gives you the general breakdown. My port of p0f v1 probably wasn't perfect. I did it back in about 2004 or so converting it to delphi and then used that code to covert to python as it was "good enough" for what I needed.

Hopefully that gets you started. Past that you may have to look at the satoriTCP.py code a bit, though I'll look around and try to put something together one of these days as a few ppl have asked on it before.

You can also see some of the ending oddities here:
#10

[xnih]

pcapng - attempted to get what is in pypacker to work tonight and it errors out. Have query in on pypacker github to see if ever actually implemented.

[xnih]

so at this time pypacker isn't going to support it, but I'll look into other options to support it if/when I get a chance.

[xnih]

Hi, Can we somehow process pcapng file directly with satori without converting it into pcap first?

So how much do you want to be able to process pcapng files? It appears I can probably do it by adding another import into the program from another dev:
https://pypi.org/project/python-pcapng/

I've got some rough code to parse and loop it that looks like:
from pcapng import FileScanner
from pcapng.blocks import EnhancedPacket

[...]

with open('/home/xnih/Downloads/printer.pcapng', 'rb') as fp:
rdr = FileScanner(fp)

for block in rdr:
    print(repr(block))

    if isinstance(block, EnhancedPacket):
        assert block.interface.link_type == 1  # must be ethernet!

        (pkt, layer, tcpPacket, dhcpPacket, httpPacket, udpPacket) = packetType(block.packet_data)
        print(pkt)

And from there it would be the same acting on pkt as it was with pcap reading. I'd have to dig into the timestamp piece though since pcapng is a bit different there and still not sure how I'd run a check for pcap vs pcapng file just yet.

If anyone else is interested in pcapng support please let me know and I'll look at adding it in, but since most of what I do is live and only read files/directories in for testing purposes haven't put much effort into looking into this. It does look doable though if there is interest.

My main concern is just requiring one more imported piece of code to make this work.

[daluu]

Just wondering if use of pyshark would do, but that's a dependency, and also depends on Wireshark.

[xnih]

I've used pyshark in other products so it may be an option, but since there haven't been any other requests to date on this and there are ways to convert from pcapng to pcap from what I recall, this hasn't been a priority at all. Happy to revisit options on this if there is really a desire.

[xnih]

May reopen at a later date if there is actual push to support this, but as it has been 3 years since originally requested with minimal additions, closing for now.