#!/usr/bin/python
# -*- coding: utf-8 -*-
from __future__ import print_function
import argparse
from collections import Counter

import scapy.all as s
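# Flag characters as emitted by scapy's ``%TCP.flags%`` (FSRPAUECN order),
# mapped to the names used by the classifier below.  'N' is the ECN-nonce
# (NS) bit; the original map lacked it, so a capture with NS set raised
# KeyError while classifying.
_FLAG_NAMES = {
    'F': 'FIN', 'S': 'SYN', 'R': 'RST', 'P': 'PSH',
    'A': 'ACK', 'U': 'URG', 'E': 'ECE', 'C': 'CWR', 'N': 'NS',
}


def _classify(flags):
    """Return the report categories matched by one packet's flag set.

    Args:
        flags: set of flag names (values of ``_FLAG_NAMES``) set on the packet.

    Returns:
        list of category keys consumed by ``_print_report``.  Categories are
        independent checks and not mutually exclusive: a packet with no flags
        is both 'null' and 'noackillegal', a SYN-FIN is also counted under
        'syninvalid' if it has no ACK, and so on.

    Categories are based on
    http://www.symantec.com/connect/articles/abnormal-ip-packets
    """
    n = len(flags)
    # ECE/CWR are the only extra flags a handshake segment may legitimately
    # carry (ECN negotiation).
    congestion = bool(flags & {'ECE', 'CWR'})
    checks = {
        'synonly': flags == {'SYN'},
        'synece': flags == {'SYN', 'ECE', 'CWR'},
        'synack': flags == {'SYN', 'ACK'},
        # SYN-ACK with extra flags that are not ECN bits.  The previous test,
        # ``not 'ECE' and not 'CWR' in F``, parsed as ``(not 'ECE') and ...``
        # and was therefore always False, so this bucket was never counted.
        'invalidsynack': {'SYN', 'ACK'} <= flags and n > 2 and not congestion,
        'syninvalid': ('SYN' in flags and n > 1
                       and 'ACK' not in flags and not congestion),
        'legalack': flags == {'ACK'},
        # Every non-initial segment must carry ACK; only SYN and RST may omit it.
        'noackillegal': 'ACK' not in flags and not (flags & {'SYN', 'RST'}),
        'xmas': n >= 6,
        'null': n == 0,
        'synfinscan': {'SYN', 'FIN'} <= flags,
        'congestioncontrol': congestion,
        'ece': 'ECE' in flags,
        'cwr': 'CWR' in flags,
        'gracefullfin': {'FIN', 'ACK'} <= flags and 'PSH' not in flags,
        'gracefullfinpsh': {'FIN', 'ACK', 'PSH'} <= flags,
        'rst': flags == {'RST'},
        'rstack': flags == {'RST', 'ACK'},
        'phsack': flags == {'PSH', 'ACK'},
        'urgack': flags == {'URG', 'ACK'},
        'veryurg': flags == {'PSH', 'URG', 'ACK'},
    }
    return [key for key, hit in checks.items() if hit]


def _print_report(total, counts):
    """Print the per-category totals in the report's fixed layout.

    Args:
        total: number of packets read from the capture (TCP or not).
        counts: ``Counter`` of category keys as returned by ``_classify``.
    """
    print('-----')
    print('Total number of packets:', total)
    print('-----')
    print('SYN only:', counts['synonly'])
    print('SYN with ECE and CWR:', counts['synece'])
    print('SYN-ACK', counts['synack'])
    print('--')
    print('ACK only:', counts['legalack'])
    print('Congestion control (ECE or CWR) flag raised:', counts['congestioncontrol'])
    print('ECE:', counts['ece'], 'CWR:', counts['cwr'],
          'Tot congestion:', counts['ece'] + counts['cwr'])
    print('-----')
    print('Gracefull FIN:', counts['gracefullfin'])
    print('Gracefull FIN and PSH:', counts['gracefullfinpsh'])
    print('RST only:', counts['rst'])
    print('RST ACK:', counts['rstack'])
    print('-----')
    print('PSH ACK:', counts['phsack'])
    print('URG ACK:', counts['urgack'])
    print('Very urgent (PSH, URG, ACK):', counts['veryurg'])
    print('-----')
    print('SYN and other flag but no ACK (invalid pkt):', counts['syninvalid'])
    print('Invalid SYN-ACK (more flags but no congestion control):', counts['invalidsynack'])
    print('No SYN no ACK (invalid pkt):', counts['noackillegal'])
    print('XMAS scan:', counts['xmas'])
    print('NULL scan:', counts['null'])
    print('SYN-FIN scan:', counts['synfinscan'])


def dostuff(pcap):
    """Read a capture file and print a summary of its TCP flag combinations.

    Args:
        pcap: path to a capture file readable by scapy's ``rdpcap``.

    The report separates normal handshake/teardown combinations from ones
    that are invalid on the wire or characteristic of port scans (NULL,
    XMAS, SYN-FIN).  Packets without a TCP layer count toward the total but
    are not classified.

    Raises:
        KeyError: if scapy reports a flag character not in ``_FLAG_NAMES``.
    """
    counts = Counter()
    total = 0
    # TODO: packet size via p.sprintf("%IP.len%") could detect jumbo frames.
    for p in s.rdpcap(pcap):
        total += 1
        # ARP/UDP/ICMP/... have no TCP flags; scapy substitutes a '??'
        # placeholder for the missing layer, which the lookup below would
        # otherwise turn into a KeyError.
        if not p.haslayer(s.TCP):
            continue
        flags = {_FLAG_NAMES[c] for c in p.sprintf('%TCP.flags%')}
        counts.update(_classify(flags))
    _print_report(total, counts)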
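def main():
    """Parse the command line and run the flag report on the given capture.

    Usage: ``getflags.py INFILE`` where INFILE is a pcap file.
    """
    parser = argparse.ArgumentParser(
        description='Summarise TCP flag combinations found in a packet capture.')
    parser.add_argument('infile', help='packet capture (pcap) file to analyse')
    args = parser.parse_args()
    dostuff(args.infile)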
# Script entry point; importing the module defines the functions only.
if __name__ == "__main__":
    main()