X-Git-Url: https://git.teslayout.com/public/public/public/?a=blobdiff_plain;f=example%2Fdiameter%2Flauncher%2Fresources%2Fscripts%2Fpcap2diameterHex.sh;fp=example%2Fdiameter%2Flauncher%2Fresources%2Fscripts%2Fpcap2diameterHex.sh;h=355b70f657d304801632a56850ca1413859ed6f6;hb=431d322261ecfd6ef354abb392edbf8987e2407a;hp=0000000000000000000000000000000000000000;hpb=a8cde75abebb30020be4d9cb10d898f8986e124c;p=anna.git
diff --git a/example/diameter/launcher/resources/scripts/pcap2diameterHex.sh b/example/diameter/launcher/resources/scripts/pcap2diameterHex.sh
new file mode 100755
index 0000000..355b70f
--- /dev/null
+++ b/example/diameter/launcher/resources/scripts/pcap2diameterHex.sh
@@ -0,0 +1,180 @@
+#!/bin/bash
+
+# ANNA - Anna is Not Nothingness Anymore
+#
+# (c) Copyright 2005-2014 Eduardo Ramos Testillano & Francisco Ruiz Rayo
+#
+# http://redmine.teslayout.com/projects/anna-suite
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+# * Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Authors: eduardo.ramos.testillano@gmail.com
+# cisco.tierra@gmail.com
+
+
+#############
+# VARIABLES #
+#############
+tmpdir=$(mktemp -d)
+
+#############
+# FUNCTIONS #
+#############
+
+usage () {
+ echo "Usage: $0 [results_dir]"
+ echo
+ echo " pcap_file: pcap formatted file to be processed."
+ echo " results_dir: directory where results are stored."
+ echo " By default, pcap file dirname is used."
+ echo
+ echo " The utility, dumps the extracted hexadecimal content"
+ echo " and useful information as timestamps, source and"
+ echo " destination:"
+ echo " /.hex"
+ echo " /.metadata"
+ echo
+ _exit
+}
+
+_exit () {
+ echo
+ echo -e $1
+ echo
+
+ # Cleanup
+ rm -rf $tmpdir
+
+ rc=1
+ [ -n "$2" ] && rc=$2
+ exit $rc
+}
+
+
+#############
+# EXECUTION #
+#############
+
+echo
+echo "============================================"
+echo "Diameter buffer extractor from PCAP raw file"
+echo "============================================"
+echo
+
+# Usage:
+[ "$1" = "" ] && usage
+
+# Pcap file:
+PCAP_FILE=$1
+[ ! -f $PCAP_FILE ] && _exit "Cannot found provided pcap file '$1' !!"
+
+# Optional result dir:
+RESULTS_DIR=`dirname $PCAP_FILE`
+[ "$2" != "" ] && RESULTS_DIR=$2
+[ ! -d $RESULTS_DIR ] && _exit "The results directory '$RESULTS_DIR' must exists !!"
+
+# Get the frames with diameter content (take care about '-2' two-pass option and don't add it, because we need to get reassembled parts in their corresponding frames):
+# Fields needed (we won't need diameter.hopbyhopid & diameter.endtoendid to verify diameter message as hint patterns; length management will be enough):
+FIELDS_DIAMETER="-e diameter.cmd.code -e diameter.flags.request -e diameter.applicationId -e diameter.hopbyhopid -e diameter.endtoendid -e diameter.length"
+FIELDS="-e frame.number -e frame.time_epoch -e ip.src_host -e ip.dst_host $FIELDS_DIAMETER -e tcp.len -e frame.protocols -e tcp.segment"
+tshark -E separator="|" -r $PCAP_FILE -N mntC -Tfields $FIELDS 2>/dev/null | grep -i diameter > $tmpdir/diameter_frames
+# Example output:
+# /length\
+# frame timestamp src dst code R App-ID HopByHop EndToEnd DIAM TCP protocol segments
+# 1|1427215933.697904000|gt_traf|vcbavipt|272|1|16777238|0x0004e6e6|0x000bd986|432|432|eth:ip:tcp:diameter:diameter:diameter3gpp|
+# 3|1427215934.449523000|vcbavipt|gt_traf|272|0|16777238|0x0004e6e6|0x000bd986|292|292|eth:ip:tcp:diameter:diameter:diameter3gpp|
+# 5|1427215934.456160000|gt_traf|vcbavipt|||||||1400|eth:ip:tcp:diameter|
+# 6|1427215934.456204000|gt_traf|vcbavipt|265|1|16777236|0x000c73c3|0x0004cee4|1972|572|eth:ip:tcp:diameter:diameter:diameter3gpp|5,6
+# 8|1427215935.123559000|vcbavipt|gt_traf|265|0|16777236|0x000c73c3|0x0004cee4|248|248|eth:ip:tcp:diameter:diameter:diameter3gpp|
+all_frames=( $(cat $tmpdir/diameter_frames | cut -d\| -f1) )
+needs_join=( $(cat $tmpdir/diameter_frames | cut -d\| -f13) )
+main_frames=( $(cat $tmpdir/diameter_frames | awk -F\| '{ if ($11 != "") print $1 }') )
+
+# Reassemble procedure (using frame 1 as example):
+# (for non segmented frames, it is enough with tcp or diameter length within the frame content itself)
+# 1) Get the TCP length: 432 bytes. 432*2 = 864 characters per byte in hexadecimal string format
+# 2) Get the frame length: `wc -c $tmpdir/block.$frame` => 997
+# 3) Get 864 from the tail: `cat $tmpdir/block.$frame | cut -c133
+
+# Dump the hex blocks for all the diameter frames:
+cat $PCAP_FILE | rawshark -s -r - -d proto:diameter -F data 2>/dev/null > $tmpdir/all_hex_data
+for frame in ${all_frames[@]}; do
+ grep "^$frame " $tmpdir/all_hex_data | cut -d\" -f2 | sed 's/://g' > $tmpdir/block.$frame
+ frame_info=$(grep "^${frame}|" $tmpdir/diameter_frames)
+
+ # Get the diameter part:
+ tcp_len=$(echo $frame_info | cut -d\| -f11)
+ frm_len=$(wc -c $tmpdir/block.$frame | awk '{ print $1 }')
+ cut_len=$((frm_len-2*tcp_len))
+ cat $tmpdir/block.$frame | cut -c${cut_len}- > $RESULTS_DIR/$frame.hex
+ echo -n "Created $RESULTS_DIR/$frame.hex"
+
+ # Metadata:
+ ts=$(echo $frame_info | cut -d\| -f2)
+ date=$(date -d @$ts)
+ src=$(echo $frame_info | cut -d\| -f3)
+ dst=$(echo $frame_info | cut -d\| -f4)
+ code=$(echo $frame_info | cut -d\| -f5)
+ isreq=$(echo $frame_info | cut -d\| -f6)
+ appid=$(echo $frame_info | cut -d\| -f7)
+ hbh=$(echo $frame_info | cut -d\| -f8)
+ e2e=$(echo $frame_info | cut -d\| -f9)
+ # To decimal:
+ hbh=$(printf "%d\n" $hbh)
+ e2e=$(printf "%d\n" $e2e)
+ echo "date=$date" > $RESULTS_DIR/$frame.metadata
+ echo "timestamp=$ts" >> $RESULTS_DIR/$frame.metadata
+ echo "src=$src" >> $RESULTS_DIR/$frame.metadata
+ echo "dst=$dst" >> $RESULTS_DIR/$frame.metadata
+ echo "code=$code" >> $RESULTS_DIR/$frame.metadata
+ echo "isrequest=$isreq" >> $RESULTS_DIR/$frame.metadata
+ echo "applicationid=$appid" >> $RESULTS_DIR/$frame.metadata
+ #echo "sequence=${hbh}.${e2e}" >> $RESULTS_DIR/$frame.metadata
+# echo "hopbyhop=$hbh" >> $RESULTS_DIR/$frame.metadata
+# echo "endtoend=$e2e" >> $RESULTS_DIR/$frame.metadata
+
+ echo " and $RESULTS_DIR/$frame.metadata"
+done
+
+# Join frames which need to be reassembled:
+for group in ${needs_join[@]}; do
+ echo "Grouping frames $group ..."
+ group_array=( $(echo $group | sed 's/,/ /g') )
+ for frame in ${group_array[@]}; do
+ cat $RESULTS_DIR/$frame.hex >> $tmpdir/diam.$group
+ done
+ cat $tmpdir/diam.$group | tr -d '\n' > $RESULTS_DIR/$frame.hex
+done
+
+# Delete superfluous metadata:
+echo "Deleting superfluous buffers & metadata ..."
+segments=( $(cat $tmpdir/diameter_frames | awk -F\| '{ if ($10 == "") print $1 }') )
+for s in ${segments[@]}; do rm $RESULTS_DIR/$s.*; done
+
+
+_exit "Done!" 0
+
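Review bot: Every expansion of the caller-supplied paths is unquoted, so a pcap path or results directory containing spaces or glob characters is word-split at `[ ! -f $PCAP_FILE ]`, the `dirname` call, the tshark and rawshark reads of `$PCAP_FILE`, every `> $RESULTS_DIR/$frame.hex` redirection and, most dangerously, the final cleanup `rm $RESULTS_DIR/$s.*`, where a split directory name makes rm act on paths the user never named. Quote them and end option parsing with `--`, e.g. `[ ! -f "$PCAP_FILE" ] && _exit "Cannot found provided pcap file '$1' !!"`, `RESULTS_DIR=$(dirname -- "$PCAP_FILE")` and `rm -- "$RESULTS_DIR/$s".*`; the same applies to `rm -rf $tmpdir` in `_exit`, which should be `rm -rf -- "${tmpdir:?}"` so that a failed `mktemp -d` (its status is never checked) aborts instead of running rm with an empty operand. `echo -e $1` in `_exit` additionally word-splits, globs and interprets backslash escapes in a message that embeds the command-line argument; `printf '%s\n' "$1"` prints it literally. `main_frames` is computed but never read and can be dropped.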