I am trying to parse multiple pcap files using the pynids library, but I can only get it to parse the first file. I saw that there is a function nids_unregister_tcp in libnids; will that help? I can't find that function in pynids, though.
import nids

def handle_tcp_stream(tcp):
    print("In handle_tcp_stream")

def extract(pcap_file):
    nids.param("tcp_workarounds", 1)
    nids.param("pcap_filter", "tcp")          # BPF filter: restrict to TCP only
    nids.param("scan_num_hosts", 0)           # disable portscan detection
    nids.chksum_ctl([('0.0.0.0/0', False)])   # disable checksumming
    nids.param("filename", pcap_file)
    nids.init()
    nids.register_tcp(handle_tcp_stream)
    try:
        nids.run()
    except Exception as e:
        print("Exception %s: %s" % (pcap_file, e))

def main():
    extract("a.pcap")
    print("Done")
    extract("a.pcap")

if __name__ == "__main__":
    main()
Here's the output:
In handle_tcp_stream
In handle_tcp_stream
In handle_tcp_stream
In handle_tcp_stream
Done
The binding seems to be written incorrectly.
The Perl counterpart also had this issue in the past: https://rt.cpan.org/Public/Bug/Display.html?id=51107
Basically it can be summed up by:
...libnids cleans up and removes its callback once run() is finished.
The error seems to be similar in here https://github.com/MITRECND/pynids/blob/master/nidsmodule.c#L533
I may be mistaken, but the else there makes it miss the actual registration when an FP was defined earlier. That else body should always be executed. So a quick fix is:
https://github.com/soulseekah/pynids/commit/8d420e88dbdc340f309db9db7c3b9c2508b1cb80
I'm a bit rusty on my Python API, but I think that PyObject_Del should be Py_DECREF instead. Although it works with deletion as well.
Watch https://github.com/MITRECND/pynids/pull/2 for more developments, I'm sure they'll figure out a more correct way to fix this. Meanwhile, what I did should work fine for the time being.
Too bad there aren't any unit tests to see if all is fine.
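The registration bug the answer describes, modelled in plain Python as an added example (this is not pynids' or libnids' code, and the class and method names are assumptions made for the illustration): a fake libnids that, like the real one, drops its callback once run() finishes; a binding whose register_tcp() only hands the callback down to the library when no callback was stored before (the `else` branch the answer points at); and the fixed binding that always re-registers. The two "pcap files" are constructed inline and each carry four streams, matching the four "In handle_tcp_stream" lines in the question's output.

```python
"""Model of the callback-registration bug discussed above.

Added illustration, not pynids' own code. All names here are assumptions:
FakeLibnids stands in for libnids, BuggyBinding for the binding with the
`else` problem, FixedBinding for the binding after the quick fix.
"""


class FakeLibnids(object):
    """Stand-in for libnids: holds one TCP callback and clears it after run()."""

    def __init__(self):
        self.tcp_callback = None

    def register_tcp(self, callback):
        self.tcp_callback = callback

    def run(self, streams):
        # Deliver every stream to the registered callback, if there is one ...
        delivered = 0
        if self.tcp_callback is not None:
            for stream in streams:
                self.tcp_callback(stream)
                delivered += 1
        # ... then clean up, as libnids does once run() is finished.
        self.tcp_callback = None
        return delivered


class BuggyBinding(object):
    """Binding with the bug: library registration is skipped when a callback was stored before."""

    def __init__(self, lib):
        self.lib = lib
        self.stored = None

    def register_tcp(self, callback):
        if self.stored is not None:
            # Only the Python-side reference is replaced; the library never hears about it.
            self.stored = callback
        else:
            self.stored = callback
            self.lib.register_tcp(self._dispatch)

    def _dispatch(self, stream):
        self.stored(stream)

    def run(self, streams):
        return self.lib.run(streams)


class FixedBinding(BuggyBinding):
    """Same binding with the fix: the library registration always happens."""

    def register_tcp(self, callback):
        self.stored = callback
        self.lib.register_tcp(self._dispatch)


def extract_all(binding_cls, pcaps):
    """Mimic the question's main(): register and run once per file, return streams seen per file."""
    binding = binding_cls(FakeLibnids())
    seen_per_file = []
    for streams in pcaps:
        seen = []
        binding.register_tcp(seen.append)
        binding.run(streams)
        seen_per_file.append(len(seen))
    return seen_per_file


# Constructed input: two "pcap files", each with four TCP streams.
SAMPLE_PCAPS = [["s1", "s2", "s3", "s4"], ["s1", "s2", "s3", "s4"]]

if __name__ == "__main__":
    print("buggy binding:", extract_all(BuggyBinding, SAMPLE_PCAPS))  # [4, 0]
    print("fixed binding:", extract_all(FixedBinding, SAMPLE_PCAPS))  # [4, 4]
```

With the buggy binding the second file yields no callbacks at all, which is exactly the behaviour in the question's output: four "In handle_tcp_stream" lines before "Done" and none after. Always re-registering with the library on every register_tcp() call restores the callback for each run.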