aptdetector.network.parser package

aptdetector.network.parser.httpparser module

http_parser implementation

A couple of functions that were required to parse and reassemble HTTP requests and responses

class aptdetector.network.parser.httpparser.HttpParser[source]

Bases: object

Parse HTTP requests and responses.

finish()[source]

If there is still unprocessed data, process it.

read_chunked_body(reader, skip=False)[source]

Read a chunked body.

Args:
reader (DataReader): the reader to pull data from
skip (bool): if False, return as soon as an error happens; if True, keep going
Returns:
None if skip is False, otherwise the broken packet
read_headers(reader, lines)[source]

Read headers.

Args:
reader (DataReader): the reader to pull data from
lines (list): lines believed to belong to the header section
Returns:
dict of parsed headers
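The two steps above (read the header block, then decode a chunked body) are the part of an HTTP parser that a crafted capture is most likely to trip up. The following is an added example, not aptdetector code: it works on a plain bytes buffer instead of the project's DataReader, and the size limits, the HttpParseError class and the helper names are assumptions made for the example. It rejects non-hex chunk sizes, truncated chunks, and a message with two Content-Length headers rather than silently picking one.

```python
"""Added example, not aptdetector code: a small, defensive HTTP/1.1 message
parser covering the two steps above (header block, then chunked body).
It works on a bytes buffer rather than the project's DataReader, and the
size limits are assumptions chosen for the example."""
from __future__ import annotations

MAX_HEADER_BYTES = 64 * 1024       # assumed limit
MAX_BODY_BYTES = 8 * 1024 * 1024   # assumed limit
HEX_DIGITS = b"0123456789abcdefABCDEF"


class HttpParseError(ValueError):
    """Raised for any malformed or truncated message."""


def split_headers(raw: bytes) -> tuple[bytes, dict[str, str], bytes]:
    """Return (start line, header dict, bytes that follow the header block)."""
    end = raw.find(b"\r\n\r\n")
    if end < 0 or end > MAX_HEADER_BYTES:
        raise HttpParseError("header block missing or too large")
    lines = raw[:end].split(b"\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if b":" not in line:
            raise HttpParseError("malformed header line %r" % line)
        name, value = line.split(b":", 1)
        key = name.strip().lower().decode("latin-1")
        val = value.strip().decode("latin-1")
        # Join duplicates instead of overwriting, so a second Content-Length
        # (a request-smuggling tell) stays visible and is rejected below.
        headers[key] = val if key not in headers else headers[key] + ", " + val
    return lines[0], headers, raw[end + 4:]


def read_chunked_body(data: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes left after the last chunk)."""
    body = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise HttpParseError("truncated chunk-size line")
        size_field = data[pos:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field or not all(c in HEX_DIGITS for c in size_field):
            raise HttpParseError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:
            # Last chunk: skip any trailer header lines up to the empty line.
            end = data.find(b"\r\n", pos)
            while end >= 0 and end != pos:
                pos = end + 2
                end = data.find(b"\r\n", pos)
            if end < 0:
                raise HttpParseError("truncated trailer section")
            return bytes(body), data[pos + 2:]
        if len(body) + size > MAX_BODY_BYTES:
            raise HttpParseError("chunked body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + 2] != b"\r\n":
            raise HttpParseError("truncated or unterminated chunk")
        body += chunk
        pos += size + 2


def parse_message(raw: bytes) -> dict:
    """Parse one complete HTTP message (request or response) from bytes."""
    start_line, headers, rest = split_headers(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body, leftover = read_chunked_body(rest)
    elif "content-length" in headers:
        if not headers["content-length"].isdigit():   # also catches "3, 4" from duplicates
            raise HttpParseError("bad or duplicate Content-Length")
        n = int(headers["content-length"])
        if n > MAX_BODY_BYTES or len(rest) < n:
            raise HttpParseError("body length invalid or truncated")
        body, leftover = rest[:n], rest[n:]
    else:
        body, leftover = b"", rest
    return {"start_line": start_line.decode("latin-1"), "headers": headers,
            "body": body, "leftover": leftover}


def try_parse(raw: bytes) -> dict | None:
    """parse_message, but return None instead of raising (what a capture loop wants)."""
    try:
        return parse_message(raw)
    except HttpParseError:
        return None


# Constructed sample: a chunked response with a trailer, followed by the
# first bytes of the next message on the same connection.
SAMPLE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Trailer: done\r\n\r\n"
          b"GET /next HTTP/1.1\r\n")

if __name__ == "__main__":
    msg = parse_message(SAMPLE)
    print(msg["start_line"], msg["body"], msg["leftover"])
```

The leftover bytes returned from parse_message are exactly what a pipelined connection needs fed back into the parser for the next message; returning None on any malformed input (rather than a best-effort partial result) is the safer default when the output is later used to flag URLs.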
read_http_req_header(reader)[source]

Read and parse the HTTP request headers.

Args:
reader (DataReader): the reader to pull data from
Returns:
None if the data is not a request or any error happened, a dict of parsed headers otherwise
read_http_resp_header(reader)[source]

Read and parse the HTTP response headers.

Args:
reader (DataReader): the reader to pull data from
Returns:
None if the data is not a response or any error happened, a dict of parsed headers otherwise
read_request(reader, message)[source]

Read and output one HTTP request.

Args:
reader (DataReader): the reader to pull data from
message (RequestMessage): the message object the parsed request is written to
Returns:
None if an error happened, the content otherwise
read_response(reader, message)[source]

Read and output one HTTP response.

Args:
reader (DataReader): the reader to pull data from
message (RequestMessage): the message object the parsed response is written to
Returns:
None
send(http_type, data)[source]

Append an HTTP request or response.

If the connection has not been initiated yet, start it; if the packet still belongs to the current connection, append it.

Args:
http_type (HttpType): type of packet
data (str): raw, unparsed packet data
Returns:
None
class aptdetector.network.parser.httpparser.HttpRequestHeader[source]

Bases: object

Mimic the header of a request packet.

class aptdetector.network.parser.httpparser.HttpResponseHeader[source]

Bases: object

Mimic the header of a response packet.

class aptdetector.network.parser.httpparser.RequestMessage[source]

Bases: object

Used to pass data between requests.

aptdetector.network.parser.parse_pcap module

parse_pcap

Parse a pcap file so that the URLs found in it can later be checked for any harmful activity.

>>> from aptdetector.network.parser.parse_pcap import parse_pcap_file
>>> parse_pcap_file()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: parse_pcap_file() missing 1 required positional argument: 'file_path'
class aptdetector.network.parser.parse_pcap.Stream[source]

Bases: object

Stream handler.

Handle TCP windowing and packet reassembly by using the TCP sequence number and keeping track of the last acknowledged sequence number.

append_packet(packet)[source]

Packet appender.

If the packet lies after the last acknowledged sequence number it is new, so add it to the buffer; it is dealt with later.

Args:
packet (TcpPack): packet to append
retrieve_packet(ack_seq)[source]

Packet reassembler.

Read all packets received so far and reassemble one packet from them based on its ack sequence number.

Args:
ack_seq (int): acknowledgement sequence number
Returns:
the whole reassembled packet
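The Stream entries above describe buffering segments by sequence number and handing back what the peer has acknowledged. As an added example, not the project's Stream class, the following reassembler implements that idea for one direction of a TCP conversation and also covers what a capture parser actually meets: segments arriving out of order, retransmissions, and overlapping segments (where the first copy delivered wins, so a later overlap cannot rewrite bytes already inspected). Segment is an assumed stand-in for the project's TcpPack, and 32-bit sequence wraparound is deliberately not handled.

```python
"""Added example, not the aptdetector Stream class: sequence-number based
reassembly of one direction of a TCP conversation. Segment is an assumed
stand-in for the project's TcpPack; sequence wraparound is not handled."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes


class Reassembler:
    def __init__(self, isn: int) -> None:
        self.next_seq = isn + 1                  # the SYN consumes one sequence number
        self.pending: dict[int, bytes] = {}      # seq -> payload that arrived early
        self.out = bytearray()                   # contiguous data not yet retrieved

    def add(self, seg: Segment) -> int:
        """Buffer a segment; return how many new contiguous bytes it unlocked."""
        if not seg.payload:
            return 0
        if seg.seq + len(seg.payload) <= self.next_seq:
            return 0                             # pure retransmission, nothing new
        if seg.seq < self.next_seq:
            # Partly overlaps data already delivered: keep only the new tail.
            # First copy wins, so a later overlapping segment can never rewrite
            # bytes a detector has already inspected.
            seg = Segment(self.next_seq, seg.payload[self.next_seq - seg.seq:])
        if len(self.pending.get(seg.seq, b"")) < len(seg.payload):
            self.pending[seg.seq] = seg.payload
        return self._drain()

    def _drain(self) -> int:
        delivered = 0
        while True:
            for s in [s for s, p in self.pending.items() if s + len(p) <= self.next_seq]:
                del self.pending[s]              # fully covered by delivered data
            starts = [s for s in self.pending if s <= self.next_seq]
            if not starts:
                return delivered
            s = max(starts)
            data = self.pending.pop(s)[self.next_seq - s:]   # trim any overlap
            self.out += data
            self.next_seq += len(data)
            delivered += len(data)

    def retrieve(self, ack_seq: int) -> bytes:
        """Return and consume the reassembled bytes below ack_seq, i.e. the data
        the peer has acknowledged and that can safely be parsed as a message."""
        first_seq = self.next_seq - len(self.out)
        n = min(max(ack_seq - first_seq, 0), len(self.out))
        data = bytes(self.out[:n])
        del self.out[:n]
        return data


def reassemble(isn: int, segments: list[Segment]) -> bytes:
    """Feed segments in capture order and return everything reassembled so far."""
    r = Reassembler(isn)
    for seg in segments:
        r.add(seg)
    return r.retrieve(r.next_seq)


# Constructed sample: an HTTP request line split over three segments that
# arrive out of order, with the first one retransmitted.
SAMPLE_SEGMENTS = [Segment(1007, b"HTTP/1"), Segment(1001, b"GET / "),
                   Segment(1001, b"GET / "), Segment(1013, b".1\r\n")]

if __name__ == "__main__":
    print(reassemble(1000, SAMPLE_SEGMENTS))
```

retrieve(ack_seq) mirrors the role of retrieve_packet above: only data below the peer's acknowledgement is handed to the HTTP layer, so a segment that was captured but never acknowledged (for example one that an inline device dropped) does not end up in the reconstructed request.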
class aptdetector.network.parser.parse_pcap.TcpConnection(packet)[source]

Bases: object

pcap TCP parser.

Parse a pcap file and create TcpPacket objects from it with the help of the packetparse project.

closed()[source]

Check whether this is the end of a conversation.

Returns:
True if the connection is closed, False otherwise
finish()[source]

If closed() reports the connection as closed, mark it as finished.

on_packet(packet)[source]

Parse a TcpPack object.

Update the attributes (ack, syn, fin, ...) of a TcpPack object.

Args:
packet (TcpPack): packet to process
Returns:
a TCP request header
aptdetector.network.parser.parse_pcap.get_file_format(infile)[source]

Get the capture file format from its magic number.

Args:
infile (file): saved pcap file, opened and ready to be parsed
Returns:
the file format and the first bytes that were read
Raises:
:class:FileParsingException when the file is empty or too small
aptdetector.network.parser.parse_pcap.parse_pcap_file(file_path)[source]

pcap parser.

Parse a pcap file to get a list of TcpPacket objects.

Args:
file_path (str): path of the pcap file to parse
Returns:
list of :class:TcpPacket objects for the conversations found in the pcap file
Raises:
:class:FileParsingException if the file format is not recognized or the file is not found
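get_file_format and parse_pcap_file above cover format detection by magic number and the two failure cases (empty or too-small file, unrecognized format). The following is an added example, not the project's implementation: it detects the four classic pcap magic numbers plus the pcapng Section Header Block, then reads classic pcap records with the length checks that a crafted capture file would otherwise defeat (a record claiming more bytes than the snaplen, or more than remain in the file). FileParsingException is an assumed local class named after the one referenced above; the sample capture is constructed in memory and its payloads are placeholders rather than real frames.

```python
"""Added example, not aptdetector code: detect a capture file's format from
its magic number and read classic pcap records with bounds checks.
FileParsingException is an assumed local class; the magic numbers are the
published libpcap and pcapng values."""
from __future__ import annotations
import io
import struct

# magic bytes as they appear on disk -> (format, struct byte order, timestamp divisor)
PCAP_MAGIC = {
    b"\xa1\xb2\xc3\xd4": ("pcap", ">", 1_000_000),       # big-endian, microseconds
    b"\xd4\xc3\xb2\xa1": ("pcap", "<", 1_000_000),       # little-endian, microseconds
    b"\xa1\xb2\x3c\x4d": ("pcap", ">", 1_000_000_000),   # big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("pcap", "<", 1_000_000_000),   # little-endian, nanoseconds
    b"\x0a\x0d\x0d\x0a": ("pcapng", None, None),         # pcapng Section Header Block
}
MAX_SNAPLEN = 262144            # libpcap's own maximum; anything larger is treated as corrupt


class FileParsingException(Exception):
    pass


def get_file_format(infile) -> tuple[str, bytes]:
    """Return (format name, the magic bytes read); raise on empty or unknown input."""
    head = infile.read(4)
    if len(head) < 4:
        raise FileParsingException("file is empty or too small")
    if head not in PCAP_MAGIC:
        raise FileParsingException("unrecognised capture format %r" % head)
    return PCAP_MAGIC[head][0], head


def iter_pcap_records(infile):
    """Yield (timestamp in seconds, link type, packet bytes) from a classic pcap."""
    fmt, head = get_file_format(infile)
    if fmt != "pcap":
        raise FileParsingException("%s is not handled by this reader" % fmt)
    endian, ts_div = PCAP_MAGIC[head][1:]
    rest = infile.read(20)                      # global header is 24 bytes in total
    if len(rest) < 20:
        raise FileParsingException("truncated global header")
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", rest)
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        raise FileParsingException("implausible snaplen %d" % snaplen)
    while True:
        rec = infile.read(16)
        if not rec:
            return                              # clean end of file
        if len(rec) < 16:
            raise FileParsingException("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        # A record claiming more bytes than the snaplen, or than it originally had,
        # is how a crafted capture makes a naive reader over-allocate or misparse.
        if incl_len > snaplen or incl_len > orig_len:
            raise FileParsingException("bad record length %d" % incl_len)
        data = infile.read(incl_len)
        if len(data) < incl_len:
            raise FileParsingException("record runs past end of file")
        yield ts_sec + ts_frac / ts_div, linktype, data


def read_pcap_bytes(data: bytes) -> list[tuple[float, int, bytes]]:
    """Parse an in-memory capture into a list of records."""
    return list(iter_pcap_records(io.BytesIO(data)))


def safe_read(data: bytes) -> list[tuple[float, int, bytes]] | None:
    """Like read_pcap_bytes but returns None on any FileParsingException."""
    try:
        return read_pcap_bytes(data)
    except FileParsingException:
        return None


def safe_format(data: bytes) -> str | None:
    """Format name for the given bytes, or None if empty or unrecognised."""
    try:
        return get_file_format(io.BytesIO(data))[0]
    except FileParsingException:
        return None


def build_pcap(records, linktype: int = 1) -> bytes:
    """Build a little-endian classic pcap in memory (used for the constructed sample)."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, payload in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out


# Constructed sample: two records whose payloads are placeholders, not real frames.
SAMPLE_PCAP = build_pcap([(1_700_000_000, 250_000, b"frame-one"),
                          (1_700_000_001, 0, b"frame-two!")])
# Constructed hostile sample: a record header claiming 70000 bytes against a 65535 snaplen.
CRAFTED_PCAP = SAMPLE_PCAP[:24] + struct.pack("<IIII", 0, 0, 70000, 70000) + b"\0" * 64

if __name__ == "__main__":
    for ts, lt, pkt in read_pcap_bytes(SAMPLE_PCAP):
        print(ts, lt, pkt)
```

Raising on the first bad length, rather than skipping the record, is the right default for a detector: a capture that fails these checks was either truncated in transit or deliberately crafted, and either way the conversations after that point cannot be trusted.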

Module contents