author | Toni Uhlig <matzeton@googlemail.com> | 2020-09-26 15:15:15 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2020-09-26 15:15:15 +0200 |
commit | 04bbbcd0553362f7764c5b70d614c71f1817aed1 (patch) | |
tree | a537b753aef66a9fe3ef1371fce1c941056bc6fe | |
parent | 8c61f883621169f5c9451758eed4b3a4ee9ee3a2 (diff) |
Improved event parsing for Python scripts.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | contrib/nDPIsrvd.py | 101 | ||||
-rwxr-xr-x | examples/py-flow-info/flow-info.py | 17 | ||||
-rwxr-xr-x | examples/py-risky-flow-to-pcap/risky-flow-to-pcap.py | 2 |
3 files changed, 72 insertions, 48 deletions
diff --git a/contrib/nDPIsrvd.py b/contrib/nDPIsrvd.py
index 3214952b5..3ca8750eb 100644
--- a/contrib/nDPIsrvd.py
+++ b/contrib/nDPIsrvd.py
@@ -13,6 +13,16 @@ NETWORK_BUFFER_MAX_SIZE = 9216 # Please keep this value in sync with the one in
 PKT_TYPE_ETH_IP4 = 0x0800
 PKT_TYPE_ETH_IP6 = 0x86DD
 
+BASIC_EVENTS = ['Invalid', 'Unknown-Datalink-Layer', 'Unknown-Layer3-Protocol', 'Non-IP-Packet',
+                'Ethernet-Packet-Too-Short', 'Ethernet-Packet-Unknown', 'IP4-Packet-Too-Short',
+                'IP4-Size-Smaller-Than-Header', 'IP4-Layer4-Payload-Detection-Failed', 'IP6-Packet-Too-Short',
+                'IP6-Size-Smaller-Than-Header', 'IP6-Layer4-Payload-Detection-Failed', 'TCP-Packet-Too-Short',
+                'UDP-Packet-Too-Short', 'Capture-Size-Smaller-Than-Packet-Size', 'Max-Flow-To-Track',
+                'Flow-Memory-Allocation-Failed', 'NDPI-Flow-Memory-Allocation-Failed',
+                'NDPI-ID-Memory-Allocation-Failed']
+PACKET_EVENTS = ['Invalid', 'Packet', 'Packet-Flow']
+FLOW_EVENTS = ['Invalid', 'New', 'End', 'Idle', 'Guessed', 'Detected', 'Detection-Update', 'Not-Detected']
+
 class TermColor:
     WARNING = '\033[93m'
     FAIL = '\033[91m'
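Review bot: BASIC_EVENTS, PACKET_EVENTS and FLOW_EVENTS are positional tables that the new validate*EventID helpers later in this commit index with the integer ids received from the daemon, so their order, not just their contents, has to match the producer; an entry inserted or reordered on the sending side would silently relabel every later event. These lists presumably mirror event enumerations on the producer side, and the file already documents such a coupling for NETWORK_BUFFER_MAX_SIZE. A comment above BASIC_EVENTS such as `# Index == event id sent by the daemon; keep the order of these three lists in sync with the producer.` would make that dependency explicit.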
@@ -129,48 +139,65 @@ class PcapPacket:
 def JsonParseBytes(json_bytes):
     return json.loads(json_bytes.decode('ascii', errors='replace'), strict=False)
 
-def validateFlowEventName(json_dict):
-    if type(json_dict) is not dict:
-        raise RuntimeError('Argument is not a dictionary!')
+class nDPIdEvent:
+    isValid = False
+    BasicEventID = -1
+    BasicEventName = 'Unknown'
+    PacketEventID = -1
+    PacketEventName = 'Unknown'
+    FlowEventID = -1
+    FlowEventName = 'Unknown'
 
-    event_str = 'Unknown'
-
-    if 'flow_event_name' in json_dict:
-        event = json_dict['flow_event_name'].lower()
-        if event == 'new':
-            event_str = 'New flow'
-        elif event == 'end':
-            event_str = 'End flow'
-        elif event == 'idle':
-            event_str = 'Idle flow'
-        elif event == 'detected':
-            event_str = 'Detected'
-        elif event == 'detection-update':
-            event_str = 'Update'
-        elif event == 'guessed':
-            event_str = 'Guessed'
-        elif event == 'not-detected':
-            event_str = 'Not detected'
-        else:
-            raise RuntimeError('Unknown flow event name: `{}\'.'.format(event))
+def validateFlowEventID(event_id):
+    if type(event_id) is not int:
+        raise RuntimeError('Argument is not an Integer/EventID!')
+
+    if event_id < 0 or event_id > len(FLOW_EVENTS):
+        raise RuntimeError('Unknown flow event id: {}.'.format(event_id))
+    else:
+        event_str = FLOW_EVENTS[event_id]
 
     return event_str
 
-def validatePacketEventName(json_dict):
-    if type(json_dict) is not dict:
-        raise RuntimeError('Argument is not a dictionary!')
+def validatePacketEventID(event_id):
+    if type(event_id) is not int:
+        raise RuntimeError('Argument is not an Integer/EventID!')
 
-    event_str = 'Unknown'
+    if event_id < 0 or event_id > len(PACKET_EVENTS):
+        raise RuntimeError('Unknown packet event id: {}.'.format(event_id))
+    else:
+        event_str = PACKET_EVENTS[event_id]
 
-    if 'packet_event_name' in json_dict:
-        event = json_dict['packet_event_name'].lower()
-        if event == 'invalid':
-            event_str = 'Invalid'
-        elif event == 'packet':
-            event_str = 'Packet'
-        elif event == 'packet-flow':
-            event_str = 'Packet Flow'
-        else:
-            raise RuntimeError('Unknown packet event name: `{}\'.'.format(event))
+    return event_str
+
+def validateBasicEventID(event_id):
+    if type(event_id) is not int:
+        raise RuntimeError('Argument is not an Integer/EventID!')
+
+    if event_id < 0 or event_id > len(BASIC_EVENTS):
+        raise RuntimeError('Unknown basic event id: {}.'.format(event_id))
+    else:
+        event_str = BASIC_EVENTS[event_id]
 
     return event_str
+
+def validateJsonEventTypes(json_dict):
+    if type(json_dict) is not dict:
+        raise RuntimeError('Argument is not a dictionary!')
+
+    nev = nDPIdEvent()
+
+    if 'basic_event_id' in json_dict:
+        nev.BasicEventID = json_dict['basic_event_id']
+        nev.BasicEventName = validateBasicEventID(nev.BasicEventID)
+        nev.isValid = True
+    if 'packet_event_id' in json_dict:
+        nev.PacketEventID = json_dict['packet_event_id']
+        nev.PacketEventName = validatePacketEventID(nev.PacketEventID)
+        nev.isValid = True
+    if 'flow_event_id' in json_dict:
+        nev.FlowEventID = json_dict['flow_event_id']
+        nev.FlowEventName = validateFlowEventID(nev.FlowEventID)
+        nev.isValid = True
+
+    return nev
diff --git a/examples/py-flow-info/flow-info.py b/examples/py-flow-info/flow-info.py
index 61f25429d..ff513023e 100755
--- a/examples/py-flow-info/flow-info.py
+++ b/examples/py-flow-info/flow-info.py
@@ -11,12 +11,11 @@ from nDPIsrvd import nDPIsrvdSocket, TermColor
 
 def parse_json_str(json_str):
     j = nDPIsrvd.JsonParseBytes(json_str[0])
-    event_str = nDPIsrvd.validateFlowEventName(j)
-    if event_str is 'Unknown':
-        if nDPIsrvd.validatePacketEventName(j) is 'Unknown':
-            raise RuntimeError('Missing flow_event_name in the JSON string.')
-        else:
-            return
+    nDPIdEvent = nDPIsrvd.validateJsonEventTypes(j)
+    if nDPIdEvent.isValid is False:
+        raise RuntimeError('Missing flow_event_name in the JSON string: {}'.format(j))
+    if nDPIdEvent.FlowEventID == -1:
+        return
 
     ndpi_proto_categ = ''
     ndpi_frisk = ''
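Review bot: The range check in validateFlowEventID accepts event_id == len(FLOW_EVENTS), so an id one past the table escapes the guard and `FLOW_EVENTS[event_id]` raises IndexError instead of the intended RuntimeError; validatePacketEventID and validateBasicEventID carry the same off-by-one. The comparison should read `if event_id < 0 or event_id >= len(FLOW_EVENTS):`, and likewise with PACKET_EVENTS and BASIC_EVENTS. Because these ids arrive in JSON produced by another process, funnelling every rejection through the one explicit exception type lets callers such as flow-info.py treat a malformed message as a protocol error rather than an unexpected crash. As a point of style, the `else:` after each `raise` is redundant and the assignment can sit at function level.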
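Review bot: The message raised when `nDPIdEvent.isValid` is false still says 'Missing flow_event_name', but validateJsonEventTypes sets isValid from the basic_event_id, packet_event_id and flow_event_id keys, so the text no longer names what was actually absent; `raise RuntimeError('Missing basic/packet/flow event id in the JSON string: {}'.format(j))` would match the new check. The local name `nDPIdEvent` also shadows the class of the same name in nDPIsrvd, which reads as a type where a value is meant; `ev` or `event` would be clearer, and `if nDPIdEvent.isValid is False:` can simply be `if not nDPIdEvent.isValid:`. parse_json_str continues outside the hunk.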
@@ -39,7 +38,7 @@ def parse_json_str(json_str):
                            ndpi_frisk[:-2])
 
     if j['l3_proto'] == 'ip4':
-        print('{:>14}: [{:.>6}] [{}][{:.>5}] [{:.>15}]{} -> [{:.>15}]{} {}'.format(event_str,
+        print('{:>16}: [{:.>6}] [{}][{:.>5}] [{:.>15}]{} -> [{:.>15}]{} {}'.format(nDPIdEvent.FlowEventName,
               j['flow_id'], j['l3_proto'], j['l4_proto'],
               j['src_ip'].lower(),
               '[{:.>5}]'.format(j['src_port']) if 'src_port' in j else '',
@@ -47,7 +46,7 @@ def parse_json_str(json_str):
               '[{:.>5}]'.format(j['dst_port']) if 'dst_port' in j else '',
               ndpi_proto_categ))
     elif j['l3_proto'] == 'ip6':
-        print('{:>14}: [{:.>6}] [{}][{:.>5}] [{:.>39}]{} -> [{:.>39}]{} {}'.format(event_str,
+        print('{:>16}: [{:.>6}] [{}][{:.>5}] [{:.>39}]{} -> [{:.>39}]{} {}'.format(nDPIdEvent.FlowEventName,
               j['flow_id'], j['l3_proto'], j['l4_proto'],
               j['src_ip'].lower(),
               '[{:.>5}]'.format(j['src_port']) if 'src_port' in j else '',
@@ -58,7 +57,7 @@ def parse_json_str(json_str):
         raise RuntimeError('unsupported l3 protocol: {}'.format(j['l3_proto']))
 
     if len(ndpi_frisk) > 0:
-        print('{:>16}{}'.format('', ndpi_frisk))
+        print('{:>18}{}'.format('', ndpi_frisk))
 
 
 if __name__ == '__main__':
diff --git a/examples/py-risky-flow-to-pcap/risky-flow-to-pcap.py b/examples/py-risky-flow-to-pcap/risky-flow-to-pcap.py
index 5636b25d5..f3348e9a1 100755
--- a/examples/py-risky-flow-to-pcap/risky-flow-to-pcap.py
+++ b/examples/py-risky-flow-to-pcap/risky-flow-to-pcap.py
@@ -33,8 +33,6 @@ def parse_json_str(json_str):
         elif event == 'detected' or event == 'detection-update' or event == 'guessed' or event == 'not-detected':
             if 'ndpi' in j and 'flow_risk' in j['ndpi']:
                 print('Risky flow with id {}, PCAP dump returned: {}'.format(flow_id, FLOWS[flow_id].fin('risky')))
-
-            FLOWS[flow_id].detected()
         else:
             raise RuntimeError('unknown flow event name: {}'.format(event))
 