modpcap reader support (#633)

Author: oosthoek

dpkt/pcap.py

@@ -11,10 +11,15 @@
 from . import dpkt
 from .compat import intround
 
+# big endian magics
 TCPDUMP_MAGIC = 0xa1b2c3d4
 TCPDUMP_MAGIC_NANO = 0xa1b23c4d
+MODPCAP_MAGIC = 0xa1b2cd34
+
+# little endian magics
 PMUDPCT_MAGIC = 0xd4c3b2a1
 PMUDPCT_MAGIC_NANO = 0x4d3cb2a1
+PACPDOM_MAGIC = 0x34cdb2a1
 
 PCAP_VERSION_MAJOR = 2
 PCAP_VERSION_MINOR = 4
@@ -159,9 +164,44 @@ class PktHdr(dpkt.Packet):
     )
 
 
+class PktModHdr(dpkt.Packet):
+    """modified pcap packet header.
+    https://wiki.wireshark.org/Development/LibpcapFileFormat#modified-pcap
+
+    TODO: Longer class information....
+
+    Attributes:
+        __hdr__: Header fields of pcap header.
+        TODO.
+    """
+    __hdr__ = (
+        ('tv_sec', 'I', 0),
+        ('tv_usec', 'I', 0),
+        ('caplen', 'I', 0),
+        ('len', 'I', 0),
+        ('ifindex', 'I', 0),
+        ('protocol', 'H', 0),
+        ('pkt_type', 'B', 0),
+        ('pad', 'B', 0),
+    )
+
+
 class LEPktHdr(PktHdr):
     __byte_order__ = '<'
 
+class LEPktModHdr(PktModHdr):
+    __byte_order__ = '<'
+
+
+MAGIC_TO_PKT_HDR = {
+    TCPDUMP_MAGIC: PktHdr,
+    TCPDUMP_MAGIC_NANO: PktHdr,
+    MODPCAP_MAGIC: PktModHdr,
+    PMUDPCT_MAGIC: LEPktHdr,
+    PMUDPCT_MAGIC_NANO: LEPktHdr,
+    PACPDOM_MAGIC: LEPktModHdr
+}
+
 
 class FileHdr(dpkt.Packet):
     """pcap file header.
@@ -277,17 +317,24 @@ def __init__(self, fileobj):
         self.__f = fileobj
         buf = self.__f.read(FileHdr.__hdr_len__)
         self.__fh = FileHdr(buf)
-        self.__ph = PktHdr
-        if self.__fh.magic in (PMUDPCT_MAGIC, PMUDPCT_MAGIC_NANO):
+
+        # save magic
+        magic = self.__fh.magic
+
+        if magic in (PMUDPCT_MAGIC, PMUDPCT_MAGIC_NANO, PACPDOM_MAGIC):
             self.__fh = LEFileHdr(buf)
-            self.__ph = LEPktHdr
-        elif self.__fh.magic not in (TCPDUMP_MAGIC, TCPDUMP_MAGIC_NANO):
+
+        if magic not in MAGIC_TO_PKT_HDR:
             raise ValueError('invalid tcpdump header')
+
+        self.__ph = MAGIC_TO_PKT_HDR[magic]
+
+
         if self.__fh.linktype in dltoff:
             self.dloff = dltoff[self.__fh.linktype]
         else:
             self.dloff = 0
-        self._divisor = 1E6 if self.__fh.magic in (TCPDUMP_MAGIC, PMUDPCT_MAGIC) else Decimal('1E9')
+        self._divisor = Decimal('1E9') if magic in (TCPDUMP_MAGIC_NANO, PMUDPCT_MAGIC_NANO) else 1E6
         self.snaplen = self.__fh.snaplen
         self.filter = ''
         self.__iter = iter(self)
@@ -344,7 +391,7 @@ def loop(self, callback, *args):
 
     def __iter__(self):
         while 1:
-            buf = self.__f.read(PktHdr.__hdr_len__)
+            buf = self.__f.read(self.__ph.__hdr_len__)
             if not buf:
                 break
             hdr = self.__ph(buf)
@@ -418,6 +465,12 @@ class TestData():
         b'\x18\xb1\x0c\xad\x08\x00\x45\x00\x00\x38\x00\x00\x40\x00\x40\x11\x65\x47\xc0\xa8\xaa\x08\xc0\xa8'
         b'\xaa\x14\x80\x1b\x00\x35\x00\x24\x85\xed'
     )
+    modified_pcap = (
+        b'\x34\xcd\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x01\x00\x00\x00'
+        b'\x3c\xfb\x80\x61\x6d\x32\x08\x00\x03\x00\x00\x00\x72\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
+        b'\xff\xff\xff'
+
+    )
 
 
 def test_reader():
@@ -520,6 +573,22 @@ def test_reader_fd():
         assert reader.fileno() == fd.fileno()
 
 
+def test_reader_modified_pcap_type():
+    data = TestData().modified_pcap
+
+    import tempfile
+    with tempfile.TemporaryFile() as fd:
+        fd.write(data)
+        fd.seek(0)
+        reader = Reader(fd)
+        assert reader.fd == fd.fileno()
+        assert reader.fileno() == fd.fileno()
+
+        timestamp, pkts = next(reader)
+        assert pkts == 3 * b'\xff'
+        assert timestamp == 1635842876.537197000
+
+
 class WriterTestWrap:
     """
     Decorate a writer test function with an instance of this class.