CovertMark.data.parser module

class CovertMark.data.parser.PCAPParser(pcap_file)[source]

Bases: object

clean_up(collection)[source]

Drop the collection and its index to clean up space, if the stored trace is temporary only.

Parameters: collection (str) – the name of the collection to be cleaned up.

get_ip_filter()[source]

Return the current ip filter configuration.

Returns: a list of acceptable IPv4/IPv6 subnets in ipaddress subnet objects.

load_and_insert_existing(collection_name)[source]

Load raw packets from pcap file, and insert into an existing collection. Returned collection name must be verified to not be False.

Returns: True if insertion successful, False if failed.

load_and_insert_new(description='')[source]

Load raw packet from pcap file, and insert into a new collection. Returned collection name must be verified to not be False.

Parameters: description (str) – description of the new collection, empty by default.
Returns: name of the new collection, False if failed.

load_packet_info()[source]

Load and return information of raw packets. Non-IP/IPv6 packets are ignored. Format:

[{
type: v4/v6, dst: dst_ip, src: src_ip, len: packet_length,
proto: protocol, time: time_stamp, ttl: TTL/hop_limit,
tcp_info (None for non-TCP packets):
    {sport: src_port, dport: dst_port, flags: tcp_flags,
    opts: tcp_options, seq: tcp_seq, ack: tcp_ack,
    payload: b64encoded_payload},
tls_info (None for non-TLS packets):
    {type: tls_type, ver: tls_version, len: tls_data_length,
    records: tls_num_records, data: [b64_encoded_tls_data],
    data_length = [b64_encoded_tls_data_length]}
}]

Returns: a list of packets parsed formatted as above.

static log_invalid(error_content)[source]

Utility function to log invalid packet information parsed.

Returns: None

set_ip_filter(subjects)[source]

Configure the parser to only store a packet if its source or destination address belongs to an address or subnet as specified. Always process single addresses as lowest-level subnets for convenience. Calling this method overwrites the previous filter configuration.

Parameters: subjects (list) – a list of acceptable IPv4/IPv6 addresses or subnets in string format, and their direction. Format: [(NET, POSITION)], where NET represents the IPv4/IPv6 address or subnet to track, and POSITION represents whether this is supposed to be constants.IP_SRC, constants.IP_DST, or constants.IP_EITHER. Precedence: for each packet, if there is either no IP_SRC or no IP_DST specified, then it will be seen as matched; otherwise, as long as its src or dst matches one of the constants.IP_SRC/constants.IP_DST filters, it will be seen as matched. In the case of constants.IP_EITHER, the filter will match either source or destination occurrences of that IP, superceding acceptance by constants.IP_SRC/constants.IP_DST filters covering the same subnets.
Returns: the number of successfully added filters (filter with overlapping subnets represented and processed separately).