(pkt)
| 119 | |
| 120 | |
| 121 | def packet2p0f(pkt): |
| 122 | pkt = pkt.copy() |
| 123 | pkt = pkt.__class__(raw(pkt)) |
| 124 | while pkt.haslayer(IP) and pkt.haslayer(TCP): |
| 125 | pkt = pkt.getlayer(IP) |
| 126 | if isinstance(pkt.payload, TCP): |
| 127 | break |
| 128 | pkt = pkt.payload |
| 129 | |
| 130 | if not isinstance(pkt, IP) or not isinstance(pkt.payload, TCP): |
| 131 | raise TypeError("Not a TCP/IP packet") |
| 132 | # if pkt.payload.flags & 0x7 != 0x02: #S,!F,!R |
| 133 | # raise TypeError("Not a SYN or SYN/ACK packet") |
| 134 | |
| 135 | db = p0f_selectdb(pkt.payload.flags) |
| 136 | |
| 137 | # t = p0f_kdb.ttl_range[:] |
| 138 | # t += [pkt.ttl] |
| 139 | # t.sort() |
| 140 | # ttl=t[t.index(pkt.ttl)+1] |
| 141 | ttl = pkt.ttl |
| 142 | |
| 143 | ss = len(pkt) |
| 144 | # from p0f/config.h : PACKET_BIG = 100 |
| 145 | if ss > 100: |
| 146 | if db == p0fr_kdb: |
| 147 | # p0fr.fp: "Packet size may be wildcarded. The meaning of |
| 148 | # wildcard is, however, hardcoded as 'size > |
| 149 | # PACKET_BIG'" |
| 150 | ss = '*' |
| 151 | else: |
| 152 | ss = 0 |
| 153 | if db == p0fo_kdb: |
| 154 | # p0fo.fp: "Packet size MUST be wildcarded." |
| 155 | ss = '*' |
| 156 | |
| 157 | ooo = "" |
| 158 | mss = -1 |
| 159 | qqT = False |
| 160 | qqP = False |
| 161 | # qqBroken = False |
| 162 | ilen = (pkt.payload.dataofs << 2) - 20 # from p0f.c |
| 163 | for option in pkt.payload.options: |
| 164 | ilen -= 1 |
| 165 | if option[0] == "MSS": |
| 166 | ooo += "M" + str(option[1]) + "," |
| 167 | mss = option[1] |
| 168 | # FIXME: qqBroken |
| 169 | ilen -= 3 |
| 170 | elif option[0] == "WScale": |
| 171 | ooo += "W" + str(option[1]) + "," |
| 172 | # FIXME: qqBroken |
| 173 | ilen -= 2 |
| 174 | elif option[0] == "Timestamp": |
| 175 | if option[1][0] == 0: |
| 176 | ooo += "T0," |
| 177 | else: |
| 178 | ooo += "T," |