| 86 | def packet_handler(self, pkt): |
| 87 | |
| 88 | # iterate through the layers and find the NBNS layer |
| 89 | nbns_packet = pkt.pkt.upper_layer |
| 90 | try: |
| 91 | nbns_packet = nbns_packet.upper_layer |
| 92 | except IndexError as e: |
| 93 | self.logger.error('{}: could not parse session data \ |
| 94 | (NBNS packet not found)'.format(str(e))) |
| 95 | # pypacker may throw an Exception here; could use |
| 96 | # further testing |
| 97 | return |
| 98 | |
| 99 | |
| 100 | # Extract the Client hostname from the connection data |
| 101 | # It is represented as 32-bytes half-ASCII |
| 102 | try: |
| 103 | nbns_name = unpack('32s', pkt.data[13:45])[0] |
| 104 | except Exception as e: |
| 105 | self.logger.error('{}: (NBNS packet not found)'.format(str(e))) |
| 106 | return |
| 107 | |
| 108 | |
| 109 | # Decode the 32-byte half-ASCII name to its 16 byte NetBIOS name |
| 110 | try: |
| 111 | if len(nbns_name) == 32: |
| 112 | decoded = [] |
| 113 | for i in range(0,32,2): |
| 114 | nibl = hex(ord(chr(nbns_name[i])) - ord('A'))[2:] |
| 115 | nibh = hex(ord(chr(nbns_name[i+1])) - ord('A'))[2:] |
| 116 | decoded.append(chr(int(''.join((nibl, nibh)), 16))) |
| 117 | |
| 118 | # For uniformity, strip excess byte and space chars |
| 119 | self.client_hostname = ''.join(decoded)[0:-1].strip() |
| 120 | else: |
| 121 | self.client_hostname = str(nbns_name) |
| 122 | |
| 123 | except ValueError as e: |
| 124 | self.logger.error('{}: Hostname in improper format \ |
| 125 | (NBNS packet not found)'.format(str(e))) |
| 126 | return |
| 127 | |
| 128 | |
| 129 | # Extract the Transaction ID from the NBNS packet |
| 130 | xid = unpack('2s', pkt.data[0:2])[0] |
| 131 | self.xid = "0x{}".format(xid.hex()) |
| 132 | |
| 133 | # Extract the opcode info from the NBNS Packet |
| 134 | op = unpack('2s', pkt.data[2:4])[0] |
| 135 | op_hex = op.hex() |
| 136 | op = int(op_hex, 16) |
| 137 | # Remove excess bits |
| 138 | op = (op >> 11) & 15 |
| 139 | |
| 140 | # Decode protocol info if it was present in the payload |
| 141 | try: |
| 142 | self.prot_info = nbns_op[op] |
| 143 | except: |