1111from decimal import Decimal
1212from io import StringIO
1313from itertools import zip_longest
14+ from uuid import UUID
1415
1516import array
1617import argparse
@@ -1646,7 +1647,8 @@ class RawPcapNgReader(RawPcapReader):
16461647 PacketMetadata = collections .namedtuple ("PacketMetadataNg" , # type: ignore
16471648 ["linktype" , "tsresol" ,
16481649 "tshigh" , "tslow" , "wirelen" ,
1649- "comment" , "ifname" , "direction" ])
1650+ "comment" , "ifname" , "direction" ,
1651+ "process_information" ])
16501652
16511653 def __init__ (self , filename , fdesc = None , magic = None ): # type: ignore
16521654 # type: (str, IO[bytes], bytes) -> None
@@ -1668,8 +1670,10 @@ def __init__(self, filename, fdesc=None, magic=None): # type: ignore
16681670 3 : self ._read_block_spb ,
16691671 6 : self ._read_block_epb ,
16701672 10 : self ._read_block_dsb ,
1673+ 0x80000001 : self ._read_block_pib ,
16711674 }
16721675 self .endian = "!" # Will be overwritten by first SHB
1676+ self .process_information = [] # type: List[Dict[str, Any]]
16731677
16741678 if magic != b"\x0a \x0d \x0d \x0a " : # PcapNg:
16751679 raise Scapy_Exception (
@@ -1868,6 +1872,18 @@ def _read_block_epb(self, block, size):
18681872
18691873 # Parse options
18701874 options = self ._read_options (block [opt_offset :])
1875+
1876+ process_information = {}
1877+ for code , value in options .items ():
1878+ if code in [0x8001 , 0x8003 ]: # PCAPNG_EPB_PIB_INDEX, PCAPNG_EPB_E_PIB_INDEX
1879+ proc_index = struct .unpack (self .endian + "I" , value )[0 ]
1880+ if proc_index < len (self .process_information ):
1881+ key = "proc" if code == 0x8001 else "eproc"
1882+ process_information [key ] = self .process_information [proc_index ]
1883+ else :
1884+ warning ("PcapNg: EPB invalid process information index "
1885+ "(%d/%d) !" % (proc_index , len (self .process_information )))
1886+
18711887 comment = options .get (1 , None )
18721888 epb_flags_raw = options .get (2 , None )
18731889 if epb_flags_raw :
@@ -1884,6 +1900,7 @@ def _read_block_epb(self, block, size):
18841900
18851901 self ._check_interface_id (intid )
18861902 ifname = self .interfaces [intid ][2 ].get ('name' , None )
1903+
18871904 return (block [20 :20 + caplen ][:size ],
18881905 RawPcapNgReader .PacketMetadata (linktype = self .interfaces [intid ][0 ], # noqa: E501
18891906 tsresol = self .interfaces [intid ][2 ]['tsresol' ], # noqa: E501
@@ -1892,7 +1909,8 @@ def _read_block_epb(self, block, size):
18921909 wirelen = wirelen ,
18931910 comment = comment ,
18941911 ifname = ifname ,
1895- direction = direction ))
1912+ direction = direction ,
1913+ process_information = process_information ))
18961914
18971915 def _read_block_spb (self , block , size ):
18981916 # type: (bytes, int) -> Tuple[bytes, RawPcapNgReader.PacketMetadata]
@@ -1918,7 +1936,8 @@ def _read_block_spb(self, block, size):
19181936 wirelen = wirelen ,
19191937 comment = None ,
19201938 ifname = None ,
1921- direction = None ))
1939+ direction = None ,
1940+ process_information = {}))
19221941
19231942 def _read_block_pkt (self , block , size ):
19241943 # type: (bytes, int) -> Tuple[bytes, RawPcapNgReader.PacketMetadata]
@@ -1941,7 +1960,8 @@ def _read_block_pkt(self, block, size):
19411960 wirelen = wirelen ,
19421961 comment = None ,
19431962 ifname = None ,
1944- direction = None ))
1963+ direction = None ,
1964+ process_information = {}))
19451965
19461966 def _read_block_dsb (self , block , size ):
19471967 # type: (bytes, int) -> None
@@ -1995,6 +2015,35 @@ def _read_block_dsb(self, block, size):
19952015 else :
19962016 warning ("PcapNg: Unknown DSB secrets type (0x%x)!" , secrets_type )
19972017
2018+ def _read_block_pib (self , block , _ ):
2019+ # type: (bytes, int) -> None
2020+ """Apple Process Information Block"""
2021+
2022+ # Get the Process ID
2023+ try :
2024+ dpeb_pid = struct .unpack (self .endian + "I" , block [:4 ])[0 ]
2025+ process_information = {"id" : dpeb_pid }
2026+ block = block [4 :]
2027+ except struct .error :
2028+ warning ("PcapNg: DPEB is too small (%d). Cannot get PID!" ,
2029+ len (block ))
2030+ raise EOFError
2031+
2032+ # Get Options
2033+ options = self ._read_options (block )
2034+ for code , value in options .items ():
2035+ if code == 2 :
2036+ process_information ["name" ] = value .decode ("ascii" , "backslashreplace" )
2037+ elif code == 4 :
2038+ if len (value ) == 16 :
2039+ process_information ["uuid" ] = str (UUID (bytes = value ))
2040+ else :
2041+ warning ("PcapNg: DPEB UUID length is invalid (%d)!" ,
2042+ len (value ))
2043+
2044+ # Store process information
2045+ self .process_information .append (process_information )
2046+
19982047
19992048class PcapNgReader (RawPcapNgReader , PcapReader ):
20002049
@@ -2013,7 +2062,7 @@ def read_packet(self, size=MTU, **kwargs):
20132062 rp = super (PcapNgReader , self )._read_packet (size = size )
20142063 if rp is None :
20152064 raise EOFError
2016- s , (linktype , tsresol , tshigh , tslow , wirelen , comment , ifname , direction ) = rp
2065+ s , (linktype , tsresol , tshigh , tslow , wirelen , comment , ifname , direction , process_information ) = rp # noqa: E501
20172066 try :
20182067 cls = conf .l2types .num2layer [linktype ] # type: Type[Packet]
20192068 p = cls (s , ** kwargs ) # type: Packet
@@ -2031,6 +2080,7 @@ def read_packet(self, size=MTU, **kwargs):
20312080 p .wirelen = wirelen
20322081 p .comment = comment
20332082 p .direction = direction
2083+ p .process_information = process_information .copy ()
20342084 if ifname is not None :
20352085 p .sniffed_on = ifname .decode ('utf-8' , 'backslashreplace' )
20362086 return p
0 commit comments