die("Missing file\n"); } } $filter = false; if (isset($argv[2])) { $filter = $argv[2]; } $p = new pcap_file_reader(); $r = $p->open($argv[1]); $reg = array(); $num = array(); while ($s = $p->read_packet()) { $eth = parse_ethframe($s['data']); $ip = parse_ip($eth['data']); if ($ip['protocol'] == 6) { $tcp = parse_tcp($ip['data']); $data = $tcp['data']; $line = date("H:i:s", $s['ts_sec']) . "." . $s['ts_usec'] . " " . $ip['source_ip'] . ":" . $tcp['source_port'] . " > " . $ip['destination_ip'] . ":" . $tcp['destination_port'] . " TCP"; } else { if ($ip['protocol'] == 17) { $udp = parse_udp($ip['data']); $data = $udp['data']; $line = date("H:i:s", $s['ts_sec']) . "." . $s['ts_usec'] . " " . $ip['source_ip'] . ":" . $udp['source_port'] . " > " . $ip['destination_ip'] . ":" . $udp['destination_port'] . " UDP"; } else { continue; } } if ($filter !== false) { if (strpos($data, $filter) === false) { continue; }
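/**
 * Parse a libpcap capture file and dump the payload of each TCP stream into
 * per-stream ".raw" files under a directory named after the capture.
 *
 * The output directory is "./<basename without .pcap>" relative to the current
 * working directory. The rendered HTML report is cached as "<dir>/<filesize>.htm"
 * and returned on later calls unless $force is set. Only captures with link
 * type 1 (Ethernet) are walked; other link types produce a report line only.
 *
 * Changes from the original: the ".pcap" suffix regex escapes its dot (the
 * original '#.pcap$#' matched any character before "pcap"); a failed mkdir()
 * is reported instead of producing follow-on warnings; records that claim more
 * bytes than remain in the file, or too few to hold an Ethernet + IPv4 header,
 * are no longer parsed from neighbouring bytes; and the per-stream file name,
 * which is built from packet contents, is restricted to a safe character set.
 *
 * @param string $fname Path to the .pcap file; its contents are untrusted.
 * @param bool   $force Re-parse even if a cached report exists.
 * @return string HTML fragment describing the result.
 */
function dump_pcap($fname, $force = false)
{
    $path_parts = pathinfo($fname);
    $dir = preg_replace('#\.pcap$#i', '', $path_parts['basename']);
    if (!is_dir('./' . $dir) && !mkdir('./' . $dir)) {
        return 'Could not create output directory<br/>';
    }

    $fs = filesize($fname);
    $report = $dir . '/' . $fs . '.htm';
    // NOTE: the cache key is the file size only; two captures with the same
    // basename and size would share a cached report.
    if (!$force && file_exists($report)) {
        return 'Previously parsed<br/>' . file_get_contents($report);
    }

    clean_dir($dir);
    $ret = $fname . '<br/>' . get_now() . '<br/><br/>';

    if (!valid_pcap($fname)) {
        $ret .= 'Invalid pcap file<br/>';
    } else {
        $hdr = dump_pcap_read_global_header($fname, $fs);
        if ($hdr->network != 1) {
            $ret .= 'Unknown network link type<br/>';
        } else {
            $ret .= dump_pcap_walk_records($fname, $dir, $hdr);
        }
    }

    $ret .= parse_streams($fname);
    file_put_contents($report, $ret);
    return $ret;
}

/**
 * Read the 24-byte libpcap global header into a pcap_hdr_s. Helper for dump_pcap().
 *
 * The magic number is stored but not used to pick a byte order here; the
 * byte_array_to_* helpers decide how the fields are decoded.
 *
 * @param string $fname Capture file path.
 * @param int    $fs    Size of the capture file in bytes (stored on the header).
 * @return pcap_hdr_s
 */
function dump_pcap_read_global_header($fname, $fs)
{
    $hdr = new pcap_hdr_s();
    $hdr->records = array();
    $hdr->size = $fs;
    $b = file_get_contents($fname, false, null, 0, 24);
    $hdr->magic_number = byte_array_to_long($b, 0);
    $hdr->version_major = byte_array_to_int($b, 4);
    $hdr->version_minor = byte_array_to_int($b, 6);
    $hdr->thiszone = byte_array_to_long($b, 8);
    $hdr->sigfigs = byte_array_to_long($b, 12);
    $hdr->snaplen = byte_array_to_long($b, 16);
    $hdr->network = byte_array_to_long($b, 20);
    return $hdr;
}

/**
 * Walk every record of an Ethernet capture and append TCP payloads to their
 * per-stream files. Helper for dump_pcap().
 *
 * UDP (17) and ICMP (1) records are counted but not dumped. The EtherType of
 * each frame is not inspected, so non-IPv4 frames are still handed to parse_ip()
 * as in the original code.
 *
 * @param string     $fname Capture file path.
 * @param string     $dir   Output directory for stream files.
 * @param pcap_hdr_s $hdr   Parsed global header (its ->size bounds the walk).
 * @return string '' on success, or an error fragment when a record is malformed.
 */
function dump_pcap_walk_records($fname, $dir, $hdr)
{
    $offset = 24; // first record header follows the 24-byte global header
    $cnt = 0;
    // 54 = 14 (Ethernet) + 20 (min IPv4) + 20 (min TCP): anything shorter
    // cannot hold a complete TCP/IP frame.
    while ($offset + 54 < $hdr->size) {
        $cnt++;
        $pr = new pcap_record();
        $b = file_get_contents($fname, false, null, $offset, 16);
        $pr->ts_sec = byte_array_to_long($b, 0);
        $pr->ts_usec = byte_array_to_long($b, 4);
        $pr->incl_len = byte_array_to_long($b, 8);
        $pr->orig_len = byte_array_to_long($b, 12);
        $pr->index = $cnt;
        $off = $offset + 16;

        // A record claiming more bytes than remain in the file is truncated or
        // corrupt; stop here rather than parse headers read past EOF.
        if ($pr->incl_len < 0 || $pr->orig_len < 0
            || $offset + 16 + $pr->incl_len > $hdr->size) {
            return 'Error parsing';
        }

        // Too short for Ethernet (14) + minimal IPv4 (20): skip instead of
        // decoding the next record's bytes as headers.
        if ($pr->incl_len < 34) {
            $offset += $pr->incl_len + 16;
            continue;
        }

        $pr->eth = parse_ethernet_header($fname, $off);
        $off += 14; // Ethernet header size

        $pr->ip = parse_ip($fname, $off);
        $ip_hdr_len = $pr->ip->hdr_len * 4; // IHL is in 32-bit words
        $off += $ip_hdr_len;

        if ($pr->ip->proto == 6) {
            $payload_len = $pr->incl_len - (14 + $ip_hdr_len);
            $pr->tcp = parse_tcp($fname, $off, $pr->ip->src, $pr->ip->dest, $payload_len);
            $tcp_hdr_len = $pr->tcp->data_offset * 4; // data offset is in 32-bit words
            $off += $tcp_hdr_len;

            $dend = $payload_len - $tcp_hdr_len;
            if ($dend > 0) {
                $pr->tcp->data = file_get_contents($fname, false, null, $off, $dend);
                if ($pr->tcp->data != "") {
                    dump_pcap_append_stream($dir, $pr);
                }
            }
        }

        $offset += $pr->incl_len + 16;
    }
    return '';
}

/**
 * Append one TCP segment's payload to its stream's ".raw" file. Helper for dump_pcap().
 *
 * A stream is keyed by source/destination address and port plus the segment's
 * ack field; the highest sequence number written so far is kept in a ".seq"
 * file next to the ".raw" file so a segment seen again is not appended twice.
 * This is deliberately simplistic: out-of-order segments are dropped and
 * 32-bit sequence-number wraparound is not handled.
 *
 * @param string      $dir Output directory for stream files.
 * @param pcap_record $pr  Record with ->ip and ->tcp populated and ->tcp->data set.
 * @return void
 */
function dump_pcap_append_stream($dir, $pr)
{
    $fn = $pr->ip->src_ip . '-' . $pr->tcp->src_port
        . '--' . $pr->ip->dest_ip . '-' . $pr->tcp->dest_port
        . '--' . $pr->tcp->ack;
    // The name is derived from packet contents; keep it to digits, letters,
    // dots and dashes so a crafted capture cannot steer the write outside $dir.
    $fn = preg_replace('/[^A-Za-z0-9.\-]/', '_', $fn);

    $seq_file = $dir . '/' . $fn . '.seq';
    $seq = file_exists($seq_file) ? file_get_contents($seq_file) : 0;
    if ($pr->tcp->seq > $seq) { // is this segment new for the stream?
        file_put_contents($seq_file, $pr->tcp->seq);
        file_put_contents($dir . '/' . $fn . '.raw', $pr->tcp->data, FILE_APPEND);
    }
}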