xnih / satori

Python rewrite of passive OS fingerprinting tool
GNU General Public License v2.0

Does not parse lcc packets (linux cooked code) #7

Closed xnih closed 3 years ago

xnih commented 4 years ago

Reported by 3rd party via email.

"I've run into some problems when I tried to use Satori on my data. It doesn't output anything. I'm guessing it might be due to the link layer used in my captures is "linux cooked", in which there is no Ethernet layer. Is there any way to get Satori to read it anyway?"

xnih commented 4 years ago

In satori.py I am definitely hard coding the assumption of an ethernet header in the packets: `eth = ethernet.Ethernet(buf)`

This also follows through into the modules such as TCP:

```python
def tcpProcess(eth, ts, sExactList, saExactList, sPartialList, saPartialList):
    # instead of pushing the fingerprint files in each time would it make sense to make them globals? Does it matter?
    ip4 = eth.upper_layer
    tcp1 = eth.upper_layer.upper_layer
    ...
    print("%s;%s;%s;TCP;%s;%s;%s" % (timeStamp, eth[ip.IP].src_s, eth[ethernet.Ethernet].src_s, tcpFlags, tcpSignature, tcpFingerprint))
```

pypacker does understand linuxcc, so initial modifications were made for reading in saved pcaps right now for testing this in: tcp, http and smb, but not dhcp (as dhcp didn't have some of the same hard-coded assumptions, though updates were made to it too).

Waiting on feedback from original notifier to understand if my quick changes appear to have fixed it for him and if this also needs to be added to live capture as well. I don't have enough background on lcc to know if I need it there too, but testing based on the one file for reading in a pcap appears to work fine on at least TCP and HTTP!
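The failure described above (no output at all) is what happens when a record whose link layer is Linux cooked capture (SLL, pcap link type 113, what `tcpdump -i any` writes) is decoded as if it started with a 14-byte Ethernet header: the "ethertype" is read from the wrong offset, nothing matches IPv4, and every packet is silently dropped. The following is an added example, not satori's code (satori uses pypacker): it dispatches on the pcap link type, strips either header by hand with `struct`, and returns the fields a passive TCP fingerprinter needs. Note that SLL carries no destination MAC and may carry no link address at all (loopback), so the "source MAC" column has to become optional. The sample frames at the bottom are constructed for this example, not taken from any capture.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# pcap link-layer header types (tcpdump/libpcap DLT registry values)
DLT_EN10MB = 1        # plain Ethernet
DLT_LINUX_SLL = 113   # Linux "cooked" capture v1 (tcpdump -i any)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class TcpSummary:
    link_src: Optional[str]   # link-layer source address; None when the capture has none
    src_ip: str
    dst_ip: str
    ttl: int
    window: int
    flags: int

    def signature(self) -> str:
        """Minimal passive-fingerprint style summary: ttl:window:flags."""
        return f"{self.ttl}:{self.window}:{self.flags:#04x}"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def strip_link_layer(linktype: int, buf: bytes) -> Tuple[Optional[str], int, bytes]:
    """Skip the link-layer header; return (link_src, ethertype, payload).

    Ethernet (DLT 1):       dst(6) src(6) type(2)                      = 14 bytes
    Linux cooked v1 (113):  pkttype(2) arphrd(2) addrlen(2) addr(8) proto(2) = 16 bytes
    The SLL address field is zero-padded to 8 bytes and may be empty (addrlen 0).
    """
    if linktype == DLT_EN10MB:
        if len(buf) < 14:
            raise ValueError("truncated Ethernet header")
        ethertype = struct.unpack("!H", buf[12:14])[0]
        return _mac(buf[6:12]), ethertype, buf[14:]
    if linktype == DLT_LINUX_SLL:
        if len(buf) < 16:
            raise ValueError("truncated SLL header")
        addrlen = struct.unpack("!H", buf[4:6])[0]
        addr = buf[6:6 + min(addrlen, 8)]
        ethertype = struct.unpack("!H", buf[14:16])[0]
        return (_mac(addr) if addr else None), ethertype, buf[16:]
    raise ValueError(f"unsupported link type {linktype}")


def parse_tcp_record(linktype: int, buf: bytes) -> Optional[TcpSummary]:
    """Parse one pcap record down to IPv4/TCP; None if it is anything else."""
    link_src, ethertype, payload = strip_link_layer(linktype, buf)
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None
    ver_ihl, ttl, proto = payload[0], payload[8], payload[9]
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # honour IP options when present
    src_ip = ".".join(str(b) for b in payload[12:16])
    dst_ip = ".".join(str(b) for b in payload[16:20])
    tcp = payload[ihl:]
    if len(tcp) < 20:
        return None
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return TcpSummary(link_src, src_ip, dst_ip, ttl, window, flags)


# --- constructed sample records (assumed values, not from a real capture) ---
def _ipv4_tcp_syn() -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


# Ethernet frame: dst 00:11:22:33:44:55, src 0a:0b:0c:0d:0e:0f, type IPv4
SAMPLE_ETH = bytes.fromhex("0011223344550a0b0c0d0e0f") + struct.pack("!H", ETHERTYPE_IPV4) + _ipv4_tcp_syn()
# SLL frame from an Ethernet interface: pkttype 0 (host), ARPHRD_ETHER 1, addrlen 6
SAMPLE_SLL = (struct.pack("!HHH", 0, 1, 6) + bytes.fromhex("0a0b0c0d0e0f") + b"\x00\x00"
              + struct.pack("!H", ETHERTYPE_IPV4) + _ipv4_tcp_syn())
# SLL frame from loopback: pkttype 4 (outgoing), ARPHRD_LOOPBACK 772, no link address
SAMPLE_SLL_NOADDR = (struct.pack("!HHH", 4, 772, 0) + b"\x00" * 8
                     + struct.pack("!H", ETHERTYPE_IPV4) + _ipv4_tcp_syn())

if __name__ == "__main__":
    for name, lt, pkt in [("ethernet", DLT_EN10MB, SAMPLE_ETH),
                          ("sll", DLT_LINUX_SLL, SAMPLE_SLL),
                          ("sll-loopback", DLT_LINUX_SLL, SAMPLE_SLL_NOADDR)]:
        s = parse_tcp_record(lt, pkt)
        print(f"{name}: link_src={s.link_src} {s.src_ip}->{s.dst_ip} sig={s.signature()}")
    # the bug from the report: an SLL record decoded as Ethernet yields nothing
    print("sll-as-ethernet:", parse_tcp_record(DLT_EN10MB, SAMPLE_SLL))
```

The link type comes from the pcap global header (or from the live capture handle), so the dispatch happens once per file or interface, not per packet; anything that prints a source MAC has to tolerate `None` for SLL records.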

xnih commented 4 years ago

lcc functionality added to directory, file read, and live reads, awaiting testing before officially releasing it.

xnih commented 3 years ago

3 months, no known issues with it, closing