
Source Code for Module modules.auxiliary.sniffer

  1  # Copyright (C) 2010-2015 Cuckoo Foundation. 
  2  # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 
  3  # See the file 'docs/LICENSE' for copying permission. 
  4   
  5  import os 
  6  import stat 
  7  import getpass 
  8  import logging 
  9  import subprocess 
 10   
 11  from lib.cuckoo.common.abstracts import Auxiliary 
 12  from lib.cuckoo.common.config import Config 
 13  from lib.cuckoo.common.constants import CUCKOO_ROOT, CUCKOO_GUEST_PORT 
 14  from lib.cuckoo.core.resultserver import ResultServer 
 15   
 16  log = logging.getLogger(__name__) 
 17   
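class Sniffer(Auxiliary):
    """Capture the guest's network traffic with tcpdump for the lifetime of an analysis.

    ``start()`` spawns ``tcpdump`` on the machine's interface, filtered to the
    guest's IP and excluding the sandbox's own control channels (the agent port
    and the result server), writing ``storage/analyses/<task id>/dump.pcap``.
    ``stop()`` terminates the capture and reaps the child process.
    """

    # Handle to the running tcpdump process. Stays None when start() aborts
    # before spawning it, so stop() can always be called safely.
    proc = None

    def start(self):
        """Launch tcpdump for this task.

        Reads ``tcpdump``, ``bpf`` and ``interface`` from the auxiliary options,
        the guest IP / interface / result-server IP from ``self.machine`` and the
        result-server port from the live ``ResultServer`` instance. Aborts with
        an error logged (no exception raised) when the tcpdump binary is missing
        or not executable, when no interface is configured, or when the process
        cannot be spawned.
        """
        tcpdump = self.options.get("tcpdump", "/usr/sbin/tcpdump")
        bpf = self.options.get("bpf", "")
        file_path = os.path.join(CUCKOO_ROOT, "storage", "analyses",
                                 str(self.task.id), "dump.pcap")
        host = self.machine.ip

        # Per-machine settings take precedence over the global configuration.
        interface = self.machine.interface or self.options.get("interface")
        resultserver_ip = (self.machine.resultserver_ip or
                           str(Config().resultserver.ip))
        # Read the port from the live instance: it can be assigned dynamically.
        resultserver_port = str(ResultServer().port)

        if not os.path.exists(tcpdump):
            log.error("Tcpdump does not exist at path \"%s\", network "
                      "capture aborted", tcpdump)
            return

        # The binary must at least be runnable by this user. How it obtains
        # capture rights (setuid bit, file capabilities, group membership) is
        # the operator's choice, so only the execute bit is checked here.
        if not os.access(tcpdump, os.X_OK):
            log.error("Tcpdump at path \"%s\" is not executable by this user, "
                      "network capture aborted", tcpdump)
            return

        if not interface:
            log.error("Network interface not defined, network capture aborted")
            return

        pargs = [tcpdump, "-U", "-q", "-s", "0", "-i", interface, "-n"]

        # Ask tcpdump to drop privileges (-Z) to the user Cuckoo runs as once
        # the capture device is open: the pcap is then owned by that user and
        # the process can be signalled by stop() without extra rights.
        # getpass.getuser() consults $LOGNAME/$USER before the password
        # database, so this reflects the environment Cuckoo was started with.
        # Best effort: without a user name tcpdump simply keeps its privileges.
        try:
            user = getpass.getuser()
        except Exception:
            log.warning("Unable to determine the current user, tcpdump will "
                        "not drop privileges (-Z)")
        else:
            pargs.extend(["-Z", user])

        pargs.extend(["-w", file_path])

        # Capture filter: only this guest's traffic, minus the sandbox's own
        # control channels in both directions (agent port and result server).
        pargs.extend(["host", host])
        pargs.extend(self._exclude_endpoint(host, str(CUCKOO_GUEST_PORT)))
        pargs.extend(self._exclude_endpoint(resultserver_ip, resultserver_port))

        # The operator-supplied BPF expression is appended as a single argv
        # element; Popen is given a list (no shell), so the string is only
        # ever parsed by tcpdump's filter compiler.
        if bpf:
            pargs.extend(["and", bpf])

        try:
            self.proc = subprocess.Popen(pargs, stdout=subprocess.PIPE,
                                         stderr=subprocess.PIPE)
        except (OSError, ValueError):
            log.exception("Failed to start sniffer (interface=%s, host=%s, "
                          "dump path=%s)", interface, host, file_path)
            return

        log.info("Started sniffer with PID %d (interface=%s, host=%s, "
                 "dump path=%s)", self.proc.pid, interface, host, file_path)

    @staticmethod
    def _exclude_endpoint(ip, port):
        """Return the BPF tokens that exclude traffic to or from ``ip:port``.

        Produces ``and not (dst host IP and dst port PORT) and not (src host IP
        and src port PORT)``, one argv element per token, to be appended to a
        filter that already has a leading term.
        """
        return ["and", "not", "(", "dst", "host", ip,
                "and", "dst", "port", port, ")",
                "and", "not", "(", "src", "host", ip,
                "and", "src", "port", port, ")"]

    def stop(self):
        """Stop sniffing: terminate tcpdump, escalating to SIGKILL, then reap it.

        Safe to call when start() never ran or aborted early. Failures are
        logged, never raised, so analysis teardown continues.
        @return: None.
        """
        proc = getattr(self, "proc", None)
        # poll() is None only while the child is still running; an exit
        # status of 0 must not be mistaken for "still running".
        if proc is None or proc.poll() is not None:
            return

        signalled = False
        try:
            proc.terminate()
            signalled = True
        except Exception as e:
            log.debug("Error terminating sniffer: %s. Trying to kill", e)
            try:
                if proc.poll() is None:
                    log.debug("Killing sniffer")
                    proc.kill()
                signalled = True
            except OSError as e:
                log.debug("Error killing sniffer: %s. Continue", e)
            except Exception as e:
                log.exception("Unable to stop the sniffer with pid %d: %s",
                              proc.pid, e)

        # Only wait when a signal was delivered, so a child we could not
        # signal (e.g. still running as root) cannot hang the teardown.
        # communicate() drains the pipes and reaps the process, so the
        # capture file is completely written and no zombie is left behind.
        if signalled:
            try:
                proc.communicate()
            except Exception as e:
                log.exception("Error waiting for the sniffer with pid %d: %s",
                              proc.pid, e)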