
Source Code for Module modules.auxiliary.sniffer

 1  # Copyright (C) 2010-2014 Cuckoo Foundation. 
 2  # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 
 3  # See the file 'docs/LICENSE' for copying permission. 
 4   
 5  import os 
 6  import stat 
 7  import getpass 
 8  import logging 
 9  import subprocess 
10   
11  from lib.cuckoo.common.abstracts import Auxiliary 
12  from lib.cuckoo.common.config import Config 
13  from lib.cuckoo.common.constants import CUCKOO_ROOT, CUCKOO_GUEST_PORT 
14   
15  log = logging.getLogger(__name__) 
16   
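class Sniffer(Auxiliary):
    """Capture the analysis machine's network traffic with tcpdump.

    start() spawns tcpdump on the machine's interface with a BPF filter
    restricted to the guest's IP, minus the agent and ResultServer control
    channels, writing dump.pcap into the task's analysis directory.
    stop() terminates tcpdump and reaps it, surfacing its stderr in the log.
    """

    def start(self):
        """Start tcpdump for the current task.

        Reads the "tcpdump", "bpf" and "interface" auxiliary options and the
        machine's ip/interface. Any condition that prevents a capture is
        logged and the method simply returns; self.proc is then None so that
        stop() is a safe no-op.
        @return: None.
        """
        # Always defined, so stop() works even when we bail out early below.
        self.proc = None

        tcpdump = self.options.get("tcpdump", "/usr/sbin/tcpdump")
        bpf = self.options.get("bpf", "")
        file_path = os.path.join(CUCKOO_ROOT, "storage", "analyses",
                                 str(self.task.id), "dump.pcap")
        host = self.machine.ip

        # Selects per-machine interface if available, else the global option.
        interface = self.machine.interface or self.options.get("interface")

        if not os.path.exists(tcpdump):
            log.error("Tcpdump does not exist at path \"%s\", network "
                      "capture aborted", tcpdump)
            return

        if not os.access(tcpdump, os.X_OK):
            log.error("Tcpdump at path \"%s\" is not executable by this "
                      "user, network capture aborted", tcpdump)
            return

        # The previous check compared the S_ISUID constant with itself and
        # could never fire; test the bit on the real mode instead. A missing
        # setuid bit is only a warning: tcpdump is commonly granted
        # CAP_NET_RAW/CAP_NET_ADMIN via setcap, which os.stat cannot see, and
        # a genuine permission problem is reported by tcpdump on stderr
        # (collected in stop()).
        mode = os.stat(tcpdump)[stat.ST_MODE]
        if os.geteuid() != 0 and not mode & stat.S_ISUID:
            log.warning("Tcpdump at path \"%s\" is not setuid root and we "
                        "are not root; unless it carries the CAP_NET_RAW "
                        "capability the capture will fail", tcpdump)

        if not interface:
            log.error("Network interface not defined, network capture aborted")
            return

        pargs = [tcpdump, "-U", "-q", "-s", "0", "-i", interface, "-n"]

        # Drop root as early as possible: tcpdump parses attacker-controlled
        # packets, and -Z makes it switch to our user before opening the
        # savefile, so dump.pcap is also owned by the user running Cuckoo.
        try:
            user = getpass.getuser()
        except Exception:
            log.debug("Unable to determine the current user, tcpdump will "
                      "keep its privileges")
        else:
            pargs.extend(["-Z", user])

        pargs.extend(["-w", file_path])

        # Capture only the guest's traffic. tcpdump joins the remaining argv
        # with spaces into one filter expression.
        pargs.extend(["host", host])
        # Do not capture XMLRPC agent traffic.
        pargs.extend(["and", "not", "(", "dst", "host", host, "and",
                      "dst", "port", str(CUCKOO_GUEST_PORT), ")"])
        # Do not capture ResultServer traffic.
        cfg = Config()
        pargs.extend(["and", "not", "(", "host", str(cfg.resultserver.ip),
                      "and", "port", str(cfg.resultserver.port), ")"])

        # Parenthesize the user-supplied filter: "and" binds tighter than
        # "or" in BPF, so an unwrapped "port 80 or port 443" would silently
        # drop the host restriction for the right-hand alternative.
        if bpf:
            pargs.extend(["and", "(", bpf, ")"])

        try:
            self.proc = subprocess.Popen(pargs, stdout=subprocess.PIPE,
                                         stderr=subprocess.PIPE)
        except (OSError, ValueError):
            log.exception("Failed to start sniffer (interface=%s, host=%s, "
                          "dump path=%s)", interface, host, file_path)
            return

        log.info("Started sniffer with PID %d (interface=%s, host=%s, "
                 "dump path=%s)", self.proc.pid, interface, host, file_path)

    def stop(self):
        """Stop sniffing and reap the tcpdump process.

        Safe to call when start() never launched tcpdump. Failures to signal
        the process are logged, never raised. The child is always waited for
        afterwards so its pipes are drained and its stderr - the only place
        tcpdump reports "permission denied" and similar start-up failures -
        reaches the log instead of being lost in an unread pipe.
        @return: None.
        """
        proc = getattr(self, "proc", None)
        if proc is None:
            return

        # poll() is None while the child is running; a 0 exit status is
        # falsy, so a plain truthiness test would signal an exited process.
        if proc.poll() is None:
            try:
                proc.terminate()
            except Exception:
                try:
                    if proc.poll() is None:
                        log.debug("Killing sniffer")
                        proc.kill()
                except OSError as e:
                    log.debug("Error killing sniffer: %s. Continue", e)
                except Exception as e:
                    log.exception("Unable to stop the sniffer with pid %d: %s",
                                  proc.pid, e)

        # tcpdump only flushes and closes the pcap once it exits; waiting here
        # also avoids leaving a zombie and unread pipe buffers behind.
        try:
            _, err = proc.communicate()
        except Exception as e:
            log.debug("Error waiting for the sniffer: %s. Continue", e)
            return

        err = (err or b"").strip()
        # A positive status means tcpdump exited on its own with an error
        # (a negative one is the signal we just sent it).
        if proc.returncode > 0:
            log.error("Sniffer exited with status %d, the capture is likely "
                      "incomplete or missing; stderr: %s",
                      proc.returncode, err)
        elif err:
            log.debug("Sniffer stderr: %s", err)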