Using pynids on multiple pcaps

I am trying to parse multiple pcap files using the pynids library, but can only parse the 1st file. I saw that libnids has a nids_unregister_tcp function, will this help? However, I cannot find this feature in pynids.

    import nids

    def handle_tcp_stream(tcp):
        print "In handle_tcp_stream"

    def extract(pcap_file):
        nids.param("tcp_workarounds", 1)
        nids.param("pcap_filter", "tcp")  # bpf restrict to TCP only, note
        nids.param("scan_num_hosts", 0)  # disable portscan detection
        nids.chksum_ctl([('0.0.0.0/0', False)])  # disable checksumming
        nids.param("filename", pcap_file)
        nids.init()
        nids.register_tcp(handle_tcp_stream)
        try:
            nids.run()
        except Exception, e:
            print "Exception ", pcap_file + " ", e

    def main():
        extract("a.pcap")
        print "Done"
        extract("a.pcap")

    if __name__ == "__main__":
        main()

Here's the output:

    In handle_tcp_stream
    In handle_tcp_stream
    In handle_tcp_stream
    In handle_tcp_stream
    Done
+7
python tcp libnids
1 answer

The binding is written incorrectly.

There was also a problem with Perl: https://rt.cpan.org/Public/Bug/Display.html?id=51107

Basically this can be summarized:

... libnids clears and removes the callback after run() finished.

It seems like the error here is similar to https://github.com/MITRECND/pynids/blob/master/nidsmodule.c#L533

I may be wrong, but the else there skips the actual registration when the FP was previously defined. This else body should always be executed. So, a quick fix:

https://github.com/soulseekah/pynids/commit/8d420e88dbdc340f309db9db7c3b9c2508b1cb80

I'm a little rusty on my Python API, but I think PyObject_Del should be Py_DECREF, although it also works with deletion.

See https://github.com/MITRECND/pynids/pull/2 for more information; I'm sure they will find a more correct way to fix this. Meanwhile, what I did should work fine at the moment.

Too bad there are no unit tests to check whether everything is in order.

+4
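To make the failure mode described in the answer concrete, here is an added C model of the two layers involved; it is not pynids's or libnids's code, and the single callback slot, the two-stream run and the function names are constructed assumptions. It reproduces the question's register/run/register/run sequence once with the buggy "skip registration if a callback is already stored" shape and once with the always-register fix.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the libnids side: one TCP callback slot that the
   library clears when its run() finishes (the behaviour the answer cites). */
typedef void (*tcp_cb)(const char *stream);
static tcp_cb lib_tcp_callback = NULL;
static int lib_calls = 0;

static void lib_register_tcp(tcp_cb cb) { lib_tcp_callback = cb; }

static void lib_run(void) {
    const char *streams[] = {"stream A", "stream B"}; /* constructed input */
    for (size_t i = 0; i < 2; i++)
        if (lib_tcp_callback) lib_tcp_callback(streams[i]);
    lib_tcp_callback = NULL; /* callback removed after run(), as described */
}

/* Constructed model of the binding layer: it caches the user's callback. */
static tcp_cb bound_tcp_callback = NULL;

static void on_stream(const char *stream) { (void)stream; lib_calls++; }

/* Buggy shape: when a callback is already cached, only swap the cached
   pointer and skip the lower-level registration (the "else" body). */
static void register_tcp_buggy(tcp_cb cb) {
    if (bound_tcp_callback != NULL) {
        bound_tcp_callback = cb;  /* library is never told again */
    } else {
        bound_tcp_callback = cb;
        lib_register_tcp(cb);
    }
}

/* Fixed shape: always re-register with the library, whatever was cached. */
static void register_tcp_fixed(tcp_cb cb) {
    bound_tcp_callback = cb;
    lib_register_tcp(cb);
}

/* Question's scenario (register, run, register, run); returns callback count. */
static int run_twice(void (*reg)(tcp_cb)) {
    lib_calls = 0;
    bound_tcp_callback = NULL;
    lib_tcp_callback = NULL;
    for (int pass = 0; pass < 2; pass++) { reg(on_stream); lib_run(); }
    return lib_calls;
}

int main(void) {
    printf("buggy: %d callbacks, fixed: %d callbacks\n",
           run_twice(register_tcp_buggy), run_twice(register_tcp_fixed));
    return 0;
}
```

With the buggy registration the second run delivers nothing, matching the missing callback lines after "Done" in the question; the fixed version delivers every stream from both runs.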
