        die("Missing file\n");
    }
}
// Optional second CLI argument: a substring the packet payload must contain.
// Stays boolean false when no filter was given.
$filter = isset($argv[2]) ? $argv[2] : false;

// Open the capture named by the first CLI argument. open()'s result is kept
// in $r but not checked in this excerpt.
$p = new pcap_file_reader();
$r = $p->open($argv[1]);

// Bookkeeping arrays, empty to begin with.
$reg = [];
$num = [];
while ($s = $p->read_packet()) {
    $eth = parse_ethframe($s['data']);
    $ip = parse_ip($eth['data']);
    if ($ip['protocol'] == 6) {
        $tcp = parse_tcp($ip['data']);
        $data = $tcp['data'];
        $line = date("H:i:s", $s['ts_sec']) . "." . $s['ts_usec'] . " " . $ip['source_ip'] . ":" . $tcp['source_port'] . " > " . $ip['destination_ip'] . ":" . $tcp['destination_port'] . " TCP";
    } else {
        if ($ip['protocol'] == 17) {
            $udp = parse_udp($ip['data']);
            $data = $udp['data'];
            $line = date("H:i:s", $s['ts_sec']) . "." . $s['ts_usec'] . " " . $ip['source_ip'] . ":" . $udp['source_port'] . " > " . $ip['destination_ip'] . ":" . $udp['destination_port'] . " UDP";
        } else {
            continue;
        }
    }
    if ($filter !== false) {
        if (strpos($data, $filter) === false) {
            continue;
        }
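/**
 * Parse a pcap capture, write each TCP flow's payload to a per-flow file and
 * return an HTML report of the run.
 *
 * Side effects, all relative to the current working directory:
 *   - creates ./<basename minus ".pcap">/ if missing and empties it via clean_dir()
 *   - writes <dir>/<filesize>.htm with the returned report (served as a cache
 *     on later calls unless $force is set)
 *   - writes <dir>/<src-sport--dst-dport--ack>.seq and .raw for TCP payloads
 *
 * The cache key is the file size alone, so two different captures sharing a
 * basename and a size would be served the stale report unless $force is set.
 *
 * @param string $fname path of the capture file
 * @param bool   $force re-parse even when a cached <filesize>.htm exists
 * @return string HTML fragment, lines separated by <br/>
 */
function dump_pcap($fname, $force = false)
{
    $path_parts = pathinfo($fname);
    // Output directory = basename without its .pcap extension. The dot must be
    // escaped; an unescaped "." would also strip e.g. "_pcap".
    $dir = preg_replace('#\.pcap$#i', '', $path_parts['basename']);
    // A basename such as "..pcap", ".pcap" or "/" leaves $dir as ".", "" or
    // "..", i.e. the working directory or its parent, which clean_dir() below
    // would then operate on. Refuse such names before touching the filesystem.
    if ($dir === '' || $dir === '.' || $dir === '..') {
        return "Invalid pcap file name<br/>";
    }
    if (!is_dir('./' . $dir)) {
        mkdir('./' . $dir);
    }
    // filesize() on a missing path warns and returns false; use 0 so the
    // function still reaches the "Invalid pcap file" branch cleanly.
    $fs = is_file($fname) ? filesize($fname) : 0;
    $cache = $dir . '/' . $fs . ".htm";
    if (!$force && file_exists($cache)) {
        return "Previously parsed<br/>" . file_get_contents($cache);
    }
    clean_dir($dir);
    // $fname is rendered into HTML, so escape it for that context.
    $ret = htmlspecialchars($fname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br/>" . get_now() . "<br/><br/>";
    if (!valid_pcap($fname)) {
        $ret .= "Invalid pcap file<br/>";
    } else {
        $hdr = _dump_pcap_read_header($fname, $fs);
        if ($hdr->network == 1) {
            // link type 1 (Ethernet) is the only one handled
            $ret .= _dump_pcap_walk_records($fname, $dir, $hdr);
        } else {
            $ret .= "Unknown network link type<br/>";
        }
    }
    $ret .= parse_streams($fname);
    file_put_contents($cache, $ret);
    return $ret;
}

/**
 * Read the 24-byte pcap global header into a pcap_hdr_s.
 *
 * The magic number is stored but not interpreted here; byte order is whatever
 * byte_array_to_long() implements. NOTE(review): confirm valid_pcap() rejects
 * captures whose magic implies the other byte order.
 *
 * @param string $fname capture path
 * @param int    $fs    capture size in bytes, kept on the header as ->size
 * @return pcap_hdr_s
 */
function _dump_pcap_read_header($fname, $fs)
{
    $hdr = new pcap_hdr_s();
    $hdr->records = array();
    $hdr->size = $fs;
    $b = file_get_contents($fname, false, null, 0, 24);
    $hdr->magic_number = byte_array_to_long($b, 0);
    $hdr->version_major = byte_array_to_int($b, 4);
    $hdr->version_minor = byte_array_to_int($b, 6);
    $hdr->thiszone = byte_array_to_long($b, 8);
    $hdr->sigfigs = byte_array_to_long($b, 12);
    $hdr->snaplen = byte_array_to_long($b, 16);
    $hdr->network = byte_array_to_long($b, 20);
    return $hdr;
}

/**
 * Walk the records of an Ethernet capture, storing each TCP segment's payload
 * via _dump_pcap_store_tcp_data(). UDP and ICMP records are skipped.
 *
 * @param string     $fname capture path
 * @param string     $dir   output directory for the per-flow files
 * @param pcap_hdr_s $hdr   global header (->size is the file size)
 * @return string "Error parsing" when a record header is inconsistent, else ""
 */
function _dump_pcap_walk_records($fname, $dir, $hdr)
{
    $offset = 24;
    $cnt = 0;
    // 54 bytes must remain for a record header plus a minimal frame; the
    // constant is inherited from the original loop bound.
    while ($offset + 54 < $hdr->size) {
        $cnt++;
        $pr = new pcap_record();
        $b = file_get_contents($fname, false, null, $offset, 16);
        $pr->ts_sec = byte_array_to_long($b, 0);
        $pr->ts_usec = byte_array_to_long($b, 4);
        $pr->incl_len = byte_array_to_long($b, 8);
        $pr->orig_len = byte_array_to_long($b, 12);
        $off = $offset + 16;
        // A negative length, or a record claiming more bytes than the file
        // holds (truncated or malformed capture), must not reach the parsers.
        if ($pr->incl_len < 0 || $pr->orig_len < 0 || $off + $pr->incl_len > $hdr->size) {
            return "Error parsing";
        }
        $pr->eth = parse_ethernet_header($fname, $off);
        $off += 14;
        $pr->ip = parse_ip($fname, $off);
        $ip_hdr = $pr->ip->hdr_len * 4;
        $off += $ip_hdr;
        if ($pr->ip->proto == 6) {
            $tcp_len = $pr->incl_len - (14 + $ip_hdr);
            $pr->tcp = parse_tcp($fname, $off, $pr->ip->src, $pr->ip->dest, $tcp_len);
            $tcp_hdr = $pr->tcp->data_offset * 4;
            $off += $tcp_hdr;
            $dend = $tcp_len - $tcp_hdr;
            if ($dend > 0) {
                $pr->tcp->data = file_get_contents($fname, false, null, $off, $dend);
                _dump_pcap_store_tcp_data($dir, $pr);
            }
        }
        // proto 17 (UDP) and 1 (ICMP) are recognised but nothing is stored
        $pr->index = $cnt;
        $offset += $pr->incl_len + 16;
    }
    return '';
}

/**
 * Append a TCP segment's payload to its flow file. The flow key is
 * src-sport--dst-dport--ack; a segment is kept only when its sequence number
 * exceeds the last one recorded in the .seq file (drops retransmissions).
 * A 32-bit sequence wrap-around within one flow is not handled.
 *
 * @param string      $dir output directory
 * @param pcap_record $pr  record whose ->ip and ->tcp are populated
 */
function _dump_pcap_store_tcp_data($dir, $pr)
{
    if ($pr->tcp->data === false || $pr->tcp->data === '') {
        return;
    }
    // NOTE(review): these fields become path components; assumed to be plain
    // numeric strings produced by parse_ip()/parse_tcp() — confirm.
    $fn = $pr->ip->src_ip . "-" . $pr->tcp->src_port
        . "--" . $pr->ip->dest_ip . "-" . $pr->tcp->dest_port
        . "--" . $pr->tcp->ack;
    $seq_file = $dir . '/' . $fn . ".seq";
    $seq = file_exists($seq_file) ? (int) file_get_contents($seq_file) : 0;
    if ($pr->tcp->seq > $seq) {
        file_put_contents($seq_file, $pr->tcp->seq);
        file_put_contents($dir . '/' . $fn . ".raw", $pr->tcp->data, FILE_APPEND);
    }
}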