
Source Code for Module modules.auxiliary.sniffer

 1  # Copyright (C) 2010-2014 Cuckoo Sandbox Developers. 
 2  # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 
 3  # See the file 'docs/LICENSE' for copying permission. 
 4   
 5  import os 
 6  import stat 
 7  import getpass 
 8  import logging 
 9  import subprocess 
10   
11  from lib.cuckoo.common.abstracts import Auxiliary 
12  from lib.cuckoo.common.config import Config 
13  from lib.cuckoo.common.constants import CUCKOO_ROOT, CUCKOO_GUEST_PORT 
14   
15  log = logging.getLogger(__name__) 
16   
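class Sniffer(Auxiliary):
    """Capture the analysis VM's network traffic with tcpdump.

    The capture is written to ``storage/analyses/<task id>/dump.pcap``
    under CUCKOO_ROOT, filtered to the guest's IP and excluding the
    agent (CUCKOO_GUEST_PORT) and ResultServer connections.
    """

    # Popen handle of the running tcpdump; stays None until start()
    # launched it, so stop() can be called safely after an aborted start().
    proc = None

    def start(self):
        """Launch tcpdump for the current task.

        Module options used: ``tcpdump`` (binary path, default
        /usr/sbin/tcpdump), ``interface`` (required) and ``bpf`` (extra
        filter appended to the built-in one). Aborts with a logged error
        when the binary is missing or no interface is configured; on
        success ``self.proc`` holds the child process.
        """
        tcpdump = self.options.get("tcpdump", "/usr/sbin/tcpdump")
        interface = self.options.get("interface")
        bpf = self.options.get("bpf", "")
        file_path = os.path.join(CUCKOO_ROOT, "storage", "analyses",
                                 str(self.task.id), "dump.pcap")
        host = self.machine.ip

        if not os.path.exists(tcpdump):
            log.error("Tcpdump does not exist at path \"%s\", network "
                      "capture aborted", tcpdump)
            return

        # The previous test (`stat.S_ISUID != 2048`) compared the constant
        # with itself and could never fire; test the bit in the real mode.
        # Only a warning is raised: Linux file capabilities (cap_net_raw)
        # grant the same access without setuid and are not visible through
        # os.stat(), so aborting here would break such setups.
        mode = os.stat(tcpdump)[stat.ST_MODE]
        running_as_root = hasattr(os, "geteuid") and os.geteuid() == 0
        if not (mode & stat.S_ISUID) and not running_as_root:
            log.warning("Tcpdump at \"%s\" is not setuid and Cuckoo is not "
                        "running as root; the capture will fail unless the "
                        "binary has been granted capture capabilities",
                        tcpdump)

        if not interface:
            log.error("Network interface not defined, network capture aborted")
            return

        # -U: packet-buffered writes so the pcap is usable even if tcpdump
        # is killed; -s 0: full packets; -n: no name resolution (no DNS
        # traffic generated by the sniffer itself).
        pargs = [tcpdump, "-U", "-q", "-s", "0", "-i", interface, "-n"]

        # Drop tcpdump's privileges to the user Cuckoo runs as once the
        # interface is open, so the pcap is owned by (and readable to) it.
        # Best-effort: a missing login database must not abort the capture.
        try:
            user = getpass.getuser()
        except Exception as e:
            log.debug("Could not determine current user, not passing -Z "
                      "to tcpdump: %s", e)
        else:
            pargs.extend(["-Z", user])

        pargs.extend(["-w", file_path])

        # Filter expression: tcpdump joins the remaining argv tokens with
        # spaces, so the expression can be passed piecewise and no shell
        # is involved. Read the resultserver settings once.
        resultserver = Config().resultserver
        pargs.extend(["host", host])
        # Do not capture XMLRPC agent traffic.
        pargs.extend(["and", "not", "(", "host", host, "and", "port",
                      str(CUCKOO_GUEST_PORT), ")"])
        # Do not capture ResultServer traffic.
        pargs.extend(["and", "not", "(", "host", str(resultserver.ip),
                      "and", "port", str(resultserver.port), ")"])

        if bpf:
            pargs.extend(["and", bpf])

        # stdout/stderr are piped so tcpdump's own output does not end up
        # on Cuckoo's terminal; stop() drains them via communicate().
        try:
            self.proc = subprocess.Popen(pargs, stdout=subprocess.PIPE,
                                         stderr=subprocess.PIPE)
        except (OSError, ValueError):
            log.exception("Failed to start sniffer (interface=%s, host=%s, "
                          "dump path=%s)", interface, host, file_path)
            return

        log.info("Started sniffer with PID %d (interface=%s, host=%s, "
                 "dump path=%s)", self.proc.pid, interface, host, file_path)

    def stop(self):
        """Stop sniffing.

        Sends SIGTERM to tcpdump (SIGKILL only if SIGTERM cannot be
        delivered), then waits for it and drains its pipes so the pcap is
        fully written before the analysis results are processed. A tcpdump
        that already exited on its own is reported with its stderr.
        @return: None; failures are logged, never raised.
        """
        proc = self.proc
        if proc is None:
            # start() never launched tcpdump or aborted before Popen.
            return

        # poll() is None only while the child is alive. The previous
        # `not self.proc.poll()` also matched a clean exit (0) and then
        # signalled a dead process.
        if proc.poll() is not None:
            # An early exit usually means the interface could not be opened
            # (permissions); tcpdump's stderr says why.
            _, err = proc.communicate()
            log.error("Sniffer with PID %d exited prematurely with status %d, "
                      "the capture is likely incomplete (stderr: %r)",
                      proc.pid, proc.returncode, err)
            return

        try:
            proc.terminate()
        except OSError as e:
            log.debug("Error terminating sniffer: %s, trying to kill it", e)
            try:
                if proc.poll() is None:
                    log.debug("Killing sniffer")
                    proc.kill()
            except OSError as e:
                log.debug("Error killing sniffer: %s. Continue", e)
        except Exception as e:
            log.exception("Unable to stop the sniffer with pid %d: %s",
                          proc.pid, e)
            return

        # Reap the child and drain stdout/stderr; this blocks until tcpdump
        # has flushed the pcap and exited, which is what the consumer of
        # dump.pcap needs. tcpdump honours SIGTERM promptly in practice.
        proc.communicate()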
92