Merge pull request #7 from Arcopix/alpha4

Arcopix · web-flow · commit be860684dee1 · 2023-03-08T19:58:16.000+02:00
Alpha4
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .remoteShark.py.swp
 remoteShark.spec
 __pycache__
+ssh.debug
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # CHANGELOG
 
+## Alpha 4
+* Host validation no longer accepts hosts starting with '-'
+* Implemented experimental support for reading pcap file on the remote system
+  * Also supports packet captures compressed with gz (if extension is .gz)
+  * Also supports packet captures compressed with gz (if extension is .bz2)
+* Validation methods of AppConfig are now private
+* Implemented --port|-p argument which specifies the SSH port
+* Implemented compression on SSH level (enabled by -c|--compression)
+* Fixed support for ampersand symbol for packet capture filter 
+
 ## Alpha 3
 
 * Implemented a check if the remote host key is in _known_hosts_
diff --git a/README.md b/README.md
@@ -11,9 +11,13 @@ A set of utilities allowing the user to capture traffic in real-time from remote
 
 ## HOWTO
 
+### Listing interfaces
+
 Listing interfaces on remote system `10.20.30.40`:
 > `remoteShark.py 10.20.30.40 --list-interfaces`
 
+### Live packet captures
+
 Capture any traffic on remote system `10.20.30.40`:
 > `remoteShark.py 10.20.30.40`
 
@@ -29,6 +33,22 @@ Capture SIP traffic (`port 5060 or 5061`) for 100 packets on any interface on re
 Capture SMTP traffic (`port 25`) for 5 minutes (300 seconds) on eth0.44 interface on remote system `10.20.30.40`:
 > `remoteShark.py 10.20.30.40 -f "port 25" -t 300 -i eth0.44`
 
+### Processing remote PCAP files
+
+Load file `/tmp/capture.pcap` from the remote system into Wireshark
+> `remoteShark.py 10.20.30.40:/tmp/capture.pcap`
+
+Load file `/tmp/capture.pcap` and filter HTTP traffic from it:
+> `remoteShark.py 10.20.30.40:/tmp/capture.pcap -f "port 80"`
+
+Load the first 100 packets from file `/tmp/capture.pcap`:
+> `remoteShark.py 10.20.30.40:/tmp/capture.pcap -c 100`
+
+Load from file `/tmp/capture.pcap` for 5 seconds:
+> `remoteShark.py 10.20.30.40:/tmp/capture.pcap -t 5`
+
+**Note:** this means that the system will be loading it for 5 seconds, and not the first 5 seconds of the remote packet capture
+
 ## TODO
 
 Current TODO/DONE list is available in [TODO](TODO.md)
diff --git a/TODO.md b/TODO.md
@@ -2,8 +2,10 @@
 
 2. Fully test (and bugfix) for Mac
 5. Fully test and bugfix
-7. Work with remote pcap files
 8. Split remoteShark.py into a library and have basic scripts which execute the behavior _(?)_
+9. Support for display filter in local Wireshark
+11. Update project dir tree (remove win/linux dirs, move sources to src)
+12. Build system for compiling via pyinstaller
 
 ## DONE
 
@@ -14,4 +16,7 @@
 5. Implement -i|--interface options to select correct interface
 6. Check if the remote host key is in _known_hosts_  
 7. Detection of *HOST* between *FQDN* and *IP* address
-8. Detached Wireshark in Linux _(?)_
+8. Detached Wireshark in Linux _(?)_
+9. Work with remote pcap files
+10. Support for non-standard SSH port
+11. Implement compression of the data stream
diff --git a/linux/remote-pcap-compress b/linux/remote-pcap-compress
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+ssh root@$1 "tcpdump -ni $2 -s 0 -w - $3 2>/dev/null | gzip -9 -c -f" | gzip -d | wireshark -k -i -
+
+
diff --git a/ms-version.py b/ms-version.py
@@ -0,0 +1,43 @@
+# UTF-8
+#
+# For more details about fixed file info 'ffi' see:
+# http://msdn.microsoft.com/en-us/library/ms646997.aspx
+VSVersionInfo(
+  ffi=FixedFileInfo(
+# filevers and prodvers should be always a tuple with four items: (1, 2, 3, 4)
+# Set not needed items to zero 0.
+filevers=(1, 0, 0, 0),
+prodvers=(1, 0, 0, 0),
+# Contains a bitmask that specifies the valid bits 'flags'r
+mask=0x3f,
+# Contains a bitmask that specifies the Boolean attributes of the file.
+flags=0x0,
+# The operating system for which this file was designed.
+# 0x4 - NT and there is no need to change it.
+OS=0x4,
+# The general type of file.
+# 0x1 - the file is an application.
+fileType=0x1,
+# The function of the file.
+# 0x0 - the function is not defined for this fileType
+subtype=0x0,
+# Creation date and time stamp.
+date=(0, 0)
+),
+  kids=[
+StringFileInfo(
+  [
+  StringTable(
+    u'040904B0',
+    [StringStruct(u'CompanyName', u'Devhex Ltd'),
+    StringStruct(u'FileDescription', u'remoteShark utility'),
+    StringStruct(u'FileVersion', u'1.0.0.0'),
+    StringStruct(u'InternalName', u'remoteShark'),
+    StringStruct(u'LegalCopyright', u'GPLv3'),
+    StringStruct(u'OriginalFilename', u'remoteShark.exe'),
+    StringStruct(u'ProductName', u'remoteShark'),
+    StringStruct(u'ProductVersion', u'1.0.0 (alpha4)')])
+  ]),
+VarFileInfo([VarStruct(u'Translation', [1033, 1200])])
+  ]
+)
diff --git a/remoteShark.py b/remoteShark.py

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +#!/bin/bash
++
 +ssh root@$1 "tcpdump -ni $2 -s 0 -w - $3 2>/dev/null | gzip -9 -c -f" | gzip -d | wireshark -k -i -
++
++