-
Notifications
You must be signed in to change notification settings - Fork 10
/
community-id-tcpdump
executable file
·47 lines (38 loc) · 1.55 KB
/
community-id-tcpdump
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#! /usr/bin/env python
"""
An example of Community ID use based on high-level, textual
addresses / ports as input. This script parses tcpdump output on stdin
and augments it on stdout with Community ID strings. Parsing is
clearly rough and simplistic, and kicks in for TCP only, but you get
the idea.
"""
import argparse
import sys
import communityid
def main():
parser = argparse.ArgumentParser(description='Community ID tcpdump filter')
parser.add_argument('--seed', type=int, default=0, metavar='NUM',
help='Seed value for hash operations')
parser.add_argument('--no-base64', action='store_true', default=False,
help="Don't base64-encode the SHA1 binary value")
args = parser.parse_args()
commid = communityid.CommunityID(args.seed, not args.no_base64)
for line in sys.stdin:
parts = line.split()
try:
dir_arrow_idx = parts.index('>')
src = parts[dir_arrow_idx-1].rsplit('.', 1)
dst = parts[dir_arrow_idx+1].rstrip(':').rsplit('.', 1)
is_tcp = parts[dir_arrow_idx+2] == 'Flags'
if is_tcp and len(src) == 2 and len(dst) == 2:
tpl = communityid.FlowTuple.make_tcp(src[0], dst[0], src[1], dst[1])
res = commid.calc(tpl)
parts[dir_arrow_idx-1] = '%s %s:%s' % (res, src[0], src[1])
print(' '.join(parts))
continue
except ValueError:
pass
print(line.rstrip())
return 0
if __name__ == '__main__':
sys.exit(main())