From 244e353bb6a788e5f76ed999abf3149704dea754 Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Wed, 27 Jul 2016 19:33:47 -0700
Subject: Reassemble fragmented packets
---
 inform.py | 14 ++++-------
 parse_pcap.py | 74 +++++++++++++++++++++--------------------------------------
 2 files changed, 30 insertions(+), 58 deletions(-)
diff --git a/inform.py b/inform.py
index 6741415..9877f45 100644
--- a/inform.py
+++ b/inform.py
@@ -163,16 +163,10 @@ class InformSerializer(object):
             decrypted = Cryptor(key, packet.iv).decrypt(packet.raw_payload)
-            try:
-                json.loads(decrypted.decode("latin-1"))
-                packet.raw_payload = decrypted
-                packet._used_key = key
-                break
-            except ValueError as err:
-                if err.message == "No JSON object could be decoded":
-                    continue
-                else:
-                    raise
+            json.loads(decrypted.decode("latin-1"))
+            packet.raw_payload = decrypted
+            packet._used_key = key
+            break
     def parse(self, input):
         input_stream = BinaryDataStream(input)
diff --git a/parse_pcap.py b/parse_pcap.py
index 3214f15..bcc3e69 100644
--- a/parse_pcap.py
+++ b/parse_pcap.py
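Review bot: Dropping the try/except around `json.loads` means the first candidate key whose decryption does not parse as JSON now raises ValueError out of the key-trial loop instead of moving on to the next key, so later candidates are never tried; the enclosing loop starts outside the hunk, so this is inferred from `packet._used_key = key` and the `break`. The JSON parse is the only visible check that a decryption succeeded, so a non-JSON result is the expected outcome for a wrong key, not an error condition. Keep a narrow guard while still removing the message-string comparison: wrap the `json.loads(decrypted.decode("latin-1"))` line in a `try:` with `except ValueError:` followed by `continue`, and leave the assignments and `break` after it. The new caller in parse_pcap.py swallows the exception with a bare `except:`, which hides this regression rather than fixing it.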
@@ -1,61 +1,39 @@
 import dpkt
+import json
 import binascii
-from keystore import KEYSTORE
 from cStringIO import StringIO
 from inform import InformSerializer, Cryptor
+d = json.load(open("devices.json"))
+KEYSTORE = { i['mac']: i['x_authkey'] for i in d }
+
+
 def add_colons_to_mac(mac_addr):
     mac_addr = binascii.hexlify(mac_addr)
     return ":".join([mac_addr[i*2:i*2+2] for i in range(12/2)]).lower()
-for ts, buf in dpkt.pcap.Reader(open("/Users/mcrute/Desktop/http_fast.pcap")):
-    eth = dpkt.ethernet.Ethernet(buf)
-    data = eth.data.tcp.data.split("\r\n")
-    header, data = data[0], data[-1]
-
-    keys = [
-        KEYSTORE.get(add_colons_to_mac(eth.src)),
-        KEYSTORE.get(add_colons_to_mac(eth.dst)),
-        KEYSTORE.get("00:00:00:00:00:00")
-    ]
+records = []
+buffer = StringIO()
-    if not data.startswith("TNBU"):
+for ts, buf in dpkt.pcap.Reader(open("mfi.out")):
+    eth = dpkt.ethernet.Ethernet(buf)
+    data = eth.data.tcp.data.split("\r\n")[-1]
+
+    if data.startswith("TNBU") and buffer.tell() != 0:
+        records.append(buffer.getvalue())
+        buffer.seek(0)
+        buffer.write(data)
+    else:
+        buffer.write(data)
+
+
+ser = InformSerializer("", KEYSTORE)
+for data in records:
+    try:
+        packet = ser.parse(StringIO(data))
+        print packet.raw_payload
+    except:
+        print "BAD"
         continue
-
-    for key in keys:
-        if key is None:
-            continue
-
-        ser = InformSerializer(key)
-
-        try:
-            packet = ser.parse(StringIO(data))
-            ser._decrypt_payload(packet)
-
-            if not packet.raw_payload.startswith("{"):
-                continue
-            else:
-                break
-        except ValueError as err:
-            if '16' in err.message:
-                #to_add = 16 - (len(data[40:]) % 16)
-                #decrypted = Cryptor(KEY, packet.iv).decrypt(data[40:] + ("\x00" * to_add))
-                continue
-            else:
-                raise
-
-        packet = None
-
-
-    if not packet:
-        print "Bad Packet"
-        continue
-    else:
-        print packet.raw_payload
-
-    #type = packet.payload.get('_type', None)
-
-    #if type and (not type == 'noop'):
-    #    print packet.raw_payload
-- cgit v1.2.3
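Review bot: The last reassembled message is never emitted: a buffered record is only appended to `records` when the next `TNBU` header arrives, so whatever is in `buffer` when the capture ends is silently dropped; add `if buffer.tell() != 0: records.append(buffer.getvalue())` after the capture loop. The bare `except:` around `ser.parse` catches everything, including KeyboardInterrupt, and prints only `BAD`, so a wrong key, a truncated record and a genuine bug all look the same; `except ValueError as err:` with the exception printed keeps the failures diagnosable. `split("\r\n")[-1]` is now applied to continuation segments as well, and since those presumably carry only encrypted binary payload, any CRLF byte pair inside the ciphertext truncates the fragment; limiting the split to segments that begin with the HTTP headers would avoid that (the segment framing itself is not visible here). The key material is now read from `devices.json` via an `open()` that is never closed; a `with open("devices.json") as fh:` block fixes the leak, and since the file holds every device's auth key in the clear its permissions should be kept as tight as the old keystore module's.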