From 27b1f485845413aabe8443e0ad3f08db2d6007c0 Mon Sep 17 00:00:00 2001 From: evilsocket Date: Wed, 10 Jan 2018 02:26:18 +0100 Subject: [PATCH] new: implemented dns packet parser --- caplets/local-sniffer.cap | 2 +- modules/net_sniff.go | 8 ++--- modules/net_sniff_dns.go | 36 +++++++++++++++++++ modules/net_sniff_parsers.go | 68 +++++++++++++++++++++--------------- modules/net_sniff_views.go | 2 +- 5 files changed, 79 insertions(+), 37 deletions(-) create mode 100644 modules/net_sniff_dns.go diff --git a/caplets/local-sniffer.cap b/caplets/local-sniffer.cap index e99d8ca6..99bf7860 100644 --- a/caplets/local-sniffer.cap +++ b/caplets/local-sniffer.cap @@ -3,7 +3,7 @@ events.clear set events.stream.filter net.sniff events.stream on -set net.sniffer.verbose true +set net.sniffer.verbose false set net.sniffer.local true net.sniffer on diff --git a/modules/net_sniff.go b/modules/net_sniff.go index 782091d0..0378b2ee 100644 --- a/modules/net_sniff.go +++ b/modules/net_sniff.go @@ -25,7 +25,7 @@ func NewSniffer(s *session.Session) *Sniffer { sniff.AddParam(session.NewBoolParameter("net.sniffer.verbose", "true", - "Print captured packets to screen.")) + "If true, will print every captured packet, otherwise only selected ones.")) sniff.AddParam(session.NewBoolParameter("net.sniffer.local", "false", @@ -117,11 +117,7 @@ func (s Sniffer) isLocalPacket(packet gopacket.Packet) bool { } func (s *Sniffer) onPacketMatched(pkt gopacket.Packet) { - if s.Ctx.Verbose == false { - return - } - - if mainParser(pkt) == true { + if mainParser(pkt, s.Ctx.Verbose) == true { s.Stats.NumDumped++ } } diff --git a/modules/net_sniff_dns.go b/modules/net_sniff_dns.go new file mode 100644 index 00000000..ab6028c0 --- /dev/null +++ b/modules/net_sniff_dns.go @@ -0,0 +1,36 @@ +package modules + +import ( + "fmt" + + "github.com/evilsocket/bettercap-ng/core" + + "github.com/google/gopacket" + "github.com/google/gopacket/layers" +) + +func dnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool { + dns, parsed := pkt.Layer(layers.LayerTypeDNS).(*layers.DNS) + if parsed == false { + return false + } + + if dns.OpCode != layers.DNSOpCodeQuery || len(dns.Answers) == 0 { + return false + } + + for _, a := range dns.Answers { + if a.IP == nil { + continue + } + fmt.Printf("[%s] %s %s > %s : %s is %s\n", + vTime(pkt.Metadata().Timestamp), + core.W(core.BG_DGRAY+core.FG_WHITE, "dns"), + vIP(ip.SrcIP), + vIP(ip.DstIP), + core.Yellow(string(a.Name)), + vIP(a.IP)) + } + + return true +} diff --git a/modules/net_sniff_parsers.go b/modules/net_sniff_parsers.go index c9fbc521..0ae51369 100644 --- a/modules/net_sniff_parsers.go +++ b/modules/net_sniff_parsers.go @@ -10,46 +10,56 @@ import ( "github.com/google/gopacket/layers" ) -func tcpParser(ip *layers.IPv4, pkt gopacket.Packet) { +func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) { tcp := pkt.Layer(layers.LayerTypeTCP).(*layers.TCP) if sniParser(ip, pkt, tcp) { return } - fmt.Printf("[%s] %s %s:%s > %s:%s %s\n", - vTime(pkt.Metadata().Timestamp), - core.W(core.BG_LBLUE+core.FG_BLACK, "tcp"), - vIP(ip.SrcIP), - vPort(tcp.SrcPort), - vIP(ip.DstIP), - vPort(tcp.DstPort), - core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload)))) + if verbose == true { + fmt.Printf("[%s] %s %s:%s > %s:%s %s\n", + vTime(pkt.Metadata().Timestamp), + core.W(core.BG_LBLUE+core.FG_BLACK, "tcp"), + vIP(ip.SrcIP), + vPort(tcp.SrcPort), + vIP(ip.DstIP), + vPort(tcp.DstPort), + core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload)))) + } } -func udpParser(ip *layers.IPv4, pkt gopacket.Packet) { +func udpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) { udp := pkt.Layer(layers.LayerTypeUDP).(*layers.UDP) - fmt.Printf("[%s] %s %s:%s > %s:%s %s\n", - vTime(pkt.Metadata().Timestamp), - core.W(core.BG_DGRAY+core.FG_WHITE, "udp"), - vIP(ip.SrcIP), - vPort(udp.SrcPort), - vIP(ip.DstIP), - vPort(udp.DstPort), - core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload)))) + if dnsParser(ip, pkt, udp) { + return + } + + if verbose == true { + fmt.Printf("[%s] %s %s:%s > %s:%s %s\n", + vTime(pkt.Metadata().Timestamp), + core.W(core.BG_DGRAY+core.FG_WHITE, "udp"), + vIP(ip.SrcIP), + vPort(udp.SrcPort), + vIP(ip.DstIP), + vPort(udp.DstPort), + core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload)))) + } } -func unkParser(ip *layers.IPv4, pkt gopacket.Packet) { - fmt.Printf("[%s] [%s] %s > %s (%d bytes)\n", - vTime(pkt.Metadata().Timestamp), - pkt.TransportLayer().LayerType(), - vIP(ip.SrcIP), - vIP(ip.DstIP), - len(ip.Payload)) +func unkParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) { + if verbose == true { + fmt.Printf("[%s] [%s] %s > %s (%d bytes)\n", + vTime(pkt.Metadata().Timestamp), + pkt.TransportLayer().LayerType(), + vIP(ip.SrcIP), + vIP(ip.DstIP), + len(ip.Payload)) + } } -func mainParser(pkt gopacket.Packet) bool { +func mainParser(pkt gopacket.Packet, verbose bool) bool { nlayer := pkt.NetworkLayer() if nlayer == nil { log.Warning("Missing network layer skipping packet.") @@ -70,11 +80,11 @@ func mainParser(pkt gopacket.Packet) bool { } if tlayer.LayerType() == layers.LayerTypeTCP { - tcpParser(ip, pkt) + tcpParser(ip, pkt, verbose) } else if tlayer.LayerType() == layers.LayerTypeUDP { - udpParser(ip, pkt) + udpParser(ip, pkt, verbose) } else { - unkParser(ip, pkt) + unkParser(ip, pkt, verbose) } return true diff --git a/modules/net_sniff_views.go b/modules/net_sniff_views.go index 27db0407..212d2df1 100644 --- a/modules/net_sniff_views.go +++ b/modules/net_sniff_views.go @@ -17,7 +17,7 @@ func vTime(t time.Time) string { func vIP(ip net.IP) string { if session.I.Interface.IP.Equal(ip) { - return core.Dim("-") + return core.Dim("local") } else if session.I.Gateway.IP.Equal(ip) { return "gateway" }