1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
--
-- Sharkfest 2021
--
-- This is going to be an example of a lua script that can be written for cybersecurity reasons.
-- TCP No Data Exchanged:
-- The TCP No Data Exchanged is a really important script to check if flows are suspicious
-- Because usually, a typic TCP traffic, have some payload and it is not 0. Instead, in some attacks,
-- for example the TCP SYN Scan or SYN Flood, there is a lot of TCP traffic with no data.
local f_tcp_traffic = Field.new("tcp")
local f_tcp_payload = Field.new("tcp.len")
local f_ip_src = Field.new("ip.src")
local f_ip_dst = Field.new("ip.dst")
local f_port_src = Field.new("tcp.srcport")
local f_port_dst = Field.new("tcp.dstport")
local f_conn_fin = Field.new("tcp.flags.fin")
--############################################
local function getstring(finfo)
local ok, val = pcall(tostring, finfo)
if not ok then val = "(unknown)" end
return val
end
--############################################
local function processResponse(tcp_table, src, src_port, dst, dst_port, payload)
local key = src .. ":" .. src_port .. "->" .. dst .. ":" .. dst_port
-- Create the table entry if needed
if not tcp_table[key] then
local key2 = dst .. ":" .. dst_port .. "->" .. src .. ":" .. src_port
if not tcp_table[key2] then
tcp_table[key] = {
payload = 0,
fin = false
}
else
key = key2
end
end
-- Increase the stats
tcp_table[key]["payload"] = tcp_table[key]["payload"] + getstring(payload.value)
if getstring(f_conn_fin().value) == true then
tcp_table[key]["fin"] = true
end
return tcp_table
end
--############################################
local function processPackets(pinfo,tvb, tcp_table)
-- Call the function that extracts the field
local tcp_traffic = f_tcp_traffic()
local tcp_payload = f_tcp_payload()
--Check if there is an HTTP request or reply
if tcp_traffic then
local src = getstring(f_ip_src().value)
local dst = getstring(f_ip_dst().value)
local src_port = getstring(f_port_src().value)
local dst_port = getstring(f_port_dst().value)
tcp_table = processResponse(tcp_table, src, src_port, dst, dst_port, tcp_payload)
end
return tcp_table
end
--############################################
local function tcpPayload()
-- Declare the window we will use
local tw = TextWindow.new("TCP No Data Exchanged")
local tcp_table = {}
local tap = Listener.new();
local function removeListener()
-- This way we remove the listener that otherwise will remain running indefinitely
tap:remove();
end
-- We tell the window to call the remove() function when closed
tw:set_atclose(removeListener)
-- This function will be called once for each packet
function tap.packet(pinfo,tvb)
tcp_table = processPackets(pinfo,tvb, tcp_table)
end
-- This function will be called once every few seconds to update our window
function tap.draw(t)
tw:clear()
for flow in pairs(tcp_table) do
local payload = tcp_table[flow]["payload"]
local fin = tcp_table[flow]["fin"]
local danger = ""
if tonumber(payload) == 0 then
danger = "-- DANGER: NO DATA EXCHANGED FOR THIS FLOW --\n"
end
tw:append(danger .. flow .. ":\n\tPayload: " .. payload .. "\n\tFlow Ended: " .. tostring(fin) .. "\n\n");
end
end
-- This function will be called whenever a reset is needed
-- e.g. when reloading the capture file
function tap.reset()
tw:clear()
tcp_table = {}
end
-- Ensure that all existing packets are processed.
retap_packets()
end
-- Register the menu Entry
register_menu("Sharkfest/TCP No Data Exchanged", tcpPayload, MENU_TOOLS_UNSORTED)
|