new: integrated net.sniff events into main events system ( with new.sniff.leak.* even type )

caplets/local-sniffer.cap

@@ -1,7 +1,7 @@
 events.stream off
 events.clear
-set events.stream.filter net.sniff
+# set events.stream.filter net.sniff
-events.stream on
+# events.stream on
 
 set net.sniff.verbose false
 set net.sniff.local true

modules/net_sniff_dns.go

@@ -34,14 +34,23 @@ func dnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
 	}
 
 	for hostname, ips := range m {
-		SniffPrinter("[%s] %s %s > %s : %s is %s\n",
+		NewSnifferEvent(
+			pkt.Metadata().Timestamp,
+			"dns",
+			ip.SrcIP.String(),
+			ip.DstIP.String(),
+			SniffData{
+				"Hostname":  hostname,
+				"Addresses": ips,
+			},
+			"[%s] %s %s > %s : %s is %s",
 			vTime(pkt.Metadata().Timestamp),
 			core.W(core.BG_DGRAY+core.FG_WHITE, "dns"),
 			vIP(ip.SrcIP),
 			vIP(ip.DstIP),
 			core.Yellow(hostname),
 			core.Dim(strings.Join(ips, ", ")),
-		)
+		).Push()
 	}
 
 	return true

modules/net_sniff_event.go

@@ -0,0 +1,36 @@
+package modules
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/evilsocket/bettercap-ng/session"
+)
+
+type SniffData map[string]interface{}
+
+type SnifferEvent struct {
+	PacketTime  time.Time
+	Protocol    string
+	Source      string
+	Destination string
+	Data        SniffData
+	Message     string
+}
+
+func NewSnifferEvent(t time.Time, proto string, src string, dst string, data SniffData, format string, args ...interface{}) SnifferEvent {
+	return SnifferEvent{
+		PacketTime:  t,
+		Protocol:    proto,
+		Source:      src,
+		Destination: dst,
+		Data:        data,
+		Message:     fmt.Sprintf(format, args...),
+	}
+}
+
+func (e SnifferEvent) Push() {
+	fmt.Printf("%s\n", e.Message)
+	session.I.Events.Add("net.sniff.leak."+e.Protocol, e.Data)
+	session.I.Input.Refresh()
+}

modules/net_sniff_http.go

@@ -26,25 +26,40 @@ func httpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
 		return false
 	}
 
+	method := string(m[1])
+	hostname := string(m[2])
+	path := string(m[3])
 	ua := ""
 	mu := uaRe.FindSubmatch(data)
 	if len(mu) == 2 {
 		ua = string(mu[1])
 	}
 
-	url := fmt.Sprintf("%s", core.Yellow(string(m[3])))
+	url := fmt.Sprintf("%s", core.Yellow(path))
 	if tcp.DstPort != 80 {
 		url += fmt.Sprintf(":%s", vPort(tcp.DstPort))
 	}
-	url += fmt.Sprintf("%s", string(m[2]))
+	url += fmt.Sprintf("%s", hostname)
 
-	SniffPrinter("[%s] %s %s %s %s %s\n",
+	NewSnifferEvent(
+		pkt.Metadata().Timestamp,
+		"http",
+		ip.SrcIP.String(),
+		hostname,
+		SniffData{
+			"Method":   method,
+			"Hostname": hostname,
+			"URL":      url,
+			"UA":       ua,
+		},
+		"[%s] %s %s %s %s %s",
 		vTime(pkt.Metadata().Timestamp),
 		core.W(core.BG_RED+core.FG_BLACK, "http"),
 		vIP(ip.SrcIP),
-		core.W(core.BG_LBLUE+core.FG_BLACK, vURL(string(m[1]))),
+		core.W(core.BG_LBLUE+core.FG_BLACK, method),
 		vURL(url),
-		core.Dim(ua))
+		core.Dim(ua),
+	).Push()
 
 	return true
 }

modules/net_sniff_parsers.go

@@ -5,20 +5,11 @@ import (
 
 	"github.com/evilsocket/bettercap-ng/core"
 	"github.com/evilsocket/bettercap-ng/log"
-	"github.com/evilsocket/bettercap-ng/session"
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 )
 
-type SniffPrinterType func(format string, args ...interface{}) (int, error)
-
-var SniffPrinter = SniffPrinterType(func(format string, args ...interface{}) (n int, e error) {
-	n, e = fmt.Printf(format, args...)
-	session.I.Input.Refresh()
-	return
-})
-
 func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 	tcp := pkt.Layer(layers.LayerTypeTCP).(*layers.TCP)
 
@@ -29,14 +20,23 @@ func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 	}
 
 	if verbose == true {
-		SniffPrinter("[%s] %s %s:%s > %s:%s %s\n",
+		NewSnifferEvent(
+			pkt.Metadata().Timestamp,
+			"tcp",
+			fmt.Sprintf("%s:%s", ip.SrcIP, vPort(tcp.SrcPort)),
+			fmt.Sprintf("%s:%s", ip.DstIP, vPort(tcp.DstPort)),
+			SniffData{
+				"Size": len(ip.Payload),
+			},
+			"[%s] %s %s:%s > %s:%s %s",
 			vTime(pkt.Metadata().Timestamp),
 			core.W(core.BG_LBLUE+core.FG_BLACK, "tcp"),
 			vIP(ip.SrcIP),
 			vPort(tcp.SrcPort),
 			vIP(ip.DstIP),
 			vPort(tcp.DstPort),
-			core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))))
+			core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))),
+		).Push()
 	}
 }
 
@@ -48,25 +48,43 @@ func udpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 	}
 
 	if verbose == true {
-		SniffPrinter("[%s] %s %s:%s > %s:%s %s\n",
+		NewSnifferEvent(
+			pkt.Metadata().Timestamp,
+			"udp",
+			fmt.Sprintf("%s:%s", ip.SrcIP, vPort(udp.SrcPort)),
+			fmt.Sprintf("%s:%s", ip.DstIP, vPort(udp.DstPort)),
+			SniffData{
+				"Size": len(ip.Payload),
+			},
+			"[%s] %s %s:%s > %s:%s %s",
 			vTime(pkt.Metadata().Timestamp),
 			core.W(core.BG_DGRAY+core.FG_WHITE, "udp"),
 			vIP(ip.SrcIP),
 			vPort(udp.SrcPort),
 			vIP(ip.DstIP),
 			vPort(udp.DstPort),
-			core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))))
+			core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))),
+		).Push()
 	}
 }
 
 func unkParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 	if verbose == true {
-		SniffPrinter("[%s] [%s] %s > %s (%d bytes)\n",
+		NewSnifferEvent(
-			vTime(pkt.Metadata().Timestamp),
+			pkt.Metadata().Timestamp,
-			pkt.TransportLayer().LayerType(),
+			pkt.TransportLayer().LayerType().String(),
 			vIP(ip.SrcIP),
 			vIP(ip.DstIP),
-			len(ip.Payload))
+			SniffData{
+				"Size": len(ip.Payload),
+			},
+			"[%s] %s %s > %s %s",
+			vTime(pkt.Metadata().Timestamp),
+			core.W(core.BG_DGRAY+core.FG_WHITE, pkt.TransportLayer().LayerType().String()),
+			vIP(ip.SrcIP),
+			vIP(ip.DstIP),
+			core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))),
+		).Push()
 	}
 }
 

modules/net_sniff_sni.go

@@ -31,11 +31,20 @@ func sniParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
 		domain = fmt.Sprintf("%s:%d", domain, tcp.DstPort)
 	}
 
-	SniffPrinter("[%s] %s %s > %s\n",
+	NewSnifferEvent(
+		pkt.Metadata().Timestamp,
+		"sni",
+		ip.SrcIP.String(),
+		domain,
+		SniffData{
+			"Domain": domain,
+		},
+		"[%s] %s %s > %s",
 		vTime(pkt.Metadata().Timestamp),
 		core.W(core.BG_YELLOW+core.FG_WHITE, "sni"),
 		vIP(ip.SrcIP),
-		core.Yellow("https://"+domain))
+		core.Yellow("https://"+domain),
+	).Push()
 
 	return true
 }