8.2. steelscript.packets.core.inetpkt API¶

The inetpkt defines the basic set of steelscript.packets packet classes

8.2.1. `PKT` Class¶

PKT serves as the base class for all steelscript packet classes. In addition to the functions detailed below it also provides stub implementations of two class methods and an instance function required to support PcapQuery:

PKT.query_info():” Returns a two element tuple. The first element is the PKT protocol type ID. The second element is a tuple of field names supported by this PKT type’s get_field_val(field) function.
PKT.default_ports(): Returns a list of layer 4 ports and is used by PcapQuery to build a l7_ports argument when decoding packets. Returns an empty list if not implemented by a PKT subclass
Instance.get_field_val(field): Returns this packet’s value for the field name passed in. Returned as an object. PKT class instances return None.

In addition PKT supports pkt2net(**kwargs). Each PKT class subclass must implement this method. It provides a way for PKT classes to write themselves in network order either to sockets or PCAP files.

class steelscript.packets.core.inetpkt.PKT¶

__init__(*args, dict l7_ports={}, **kwargs)¶

Initialize a PKT object

Args:

l7_ports (dict):
args (list):	pass through to sub classes.
kwargs (dict):	pass through to sub classes excepting ‘l7_ports’.
	A dictionary of <port>: <class>. Used by sub classes like TCP and UDP to determine what class to use in decoding their payload.

get_layer(name, instance=1, found=0)¶

Used to get sub ‘layers’ of a PKT class based on the name of the desired layer.

Args:

name (bytes):	Class name of the desired layer (‘IP’, ‘UDP’, ...)
instance (int):	The Nth instance of the class you want. Useful for PKT types that can exist multiple times in a single packet. Examples include MPLS or Ethernet.
found (int):	Used in recursive calls to get_layer when instance is > 1

Returns:

PKT: The PKT instance OR an empty NullPkt instance if not found.

get_layer_by_type(pq_type, instance=1, found=0)¶

Used to get sub ‘layers’ of a PKT class based on the PKT type ID of the desired layer.

Args:

pq_type (uint16_t):
	Class type ID of the desired layer. For example PQTYPES.t_ip, PQTYPES.t_udp, ...
instance (int):	The Nth instance of the class you want. Useful for PKT types that can exist multiple times in a single packet. Examples include MPLS or Ethernet.
found (int):	Used in recursive calls to get_layer when instance is > 1

Returns:

PKT:	The PKT instance OR an empty NullPkt instance if not found.

from_buffer(*args, **kwargs)¶

Used to determine if the instance is being initialized from data or from keyword arguments. If args[0] is an array, bytes, or a string OR if a ‘data’ keyword argument is then the PKT instance is initialized from an array of Unsigned chars.

Args:

args (list):	array of initialization arguments
kwargs (dict):	dictionary of keyword arguments

Returns:

tuple:	First element contains 1 or 0 specifying if the instance is or is not initializing from data. The second element of the tuple contains the data as an array of unsigned chars if data is present. Otherwise an empty array.

8.2.2. `Ethernet` Class¶

class steelscript.packets.core.inetpkt.Ethernet¶

Bases: steelscript.packets.core.inetpkt.PKT

Implements Ethernet II frame without CRC.

__init__(*args, **kwargs)¶

Initialize a Ethernet II object.

Args:

src_mac (bytes):
args (list):	Optional one element list containing network order bytes of an Ethernet packet
data (bytes):	Optional keyword argument containing network order bytes of an Ethernet packet
	Layer 2 source address in colon notation. For example the layer 2 broadcast MAC would be ‘ff:ff:ff:ff:ff:ff’
dst_mac (bytes):
	Layer 2 destination address in colon notation.
type (uint16_t):
	EtherType of the payload. Common values are 0x0800 for IPv4 and 0x0806 for ARP.
payload (PKT or bytes):
	The payload of this packet. Payload can be a PKT sub class or a byte string.
l7_ports (dict):
	A dictionary where the keys are layer 4 port numbers and the values are PKT subclass packet classes. Used by app_layer to determine what class should be used to decode the payload string or byte array.

query_info()¶

Provides pcap_query with the query fields Ethernet supports and Ethernet’s PKT type ID.

Returns:

tuple:	PQTYPES.t_eth and a tuple of the supported field names.

get_field_val(field)¶

Returns the value of the Wireshark format field name. Implemented as an if, elif, else set because Cython documentation shows that this form is turned that into an efficient case switch.

Args:

field (bytes):	name of the desired field in Wireshark format. For example: arp.proto.type or tcp.flags.urg

Returns:

object:	the value of the field.

pkt2net(**kwargs)¶

Used to export a Ethernet packet class instance in network order for writing to a socket or into a pcap file.

Args:

kwargs (dict):	list of arguments defined by PKT sub classes. Passed along by Ethernet to payload classes. Ethernet has no options that it directly supports.

Returns:

bytes:	network order byte string representation of this Ethernet instance.

Ethernet PcapQuery supported fields:

eth.type: returns Ethernet.type
eth.src: returns Ethernet.src_mac
eth.dst: returns Ethernet.dst_mac

8.2.3. `IP` Class¶

RFC 791 Internet Protocol with flag bit zero implemented as x or ‘evil’ bit.:

+0                   1                   2                   3  +
+0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

class steelscript.packets.core.inetpkt.IP¶

Bases: steelscript.packets.core.inetpkt.PKT

__init__(*args, **kwargs)¶

Initialize a IP object.

Args:

version (unsigned char):
args (list):	Optional one element list containing network order bytes of an IP packet
data (bytes):	Optional keyword argument containing network order bytes of an IP packet
	IP version of this packet. Only 4 is supported. Default is 4.
iphl (unsigned char):
	Internet Protocol Header Length in 32-bit ‘words’. Minimum valid value is 5. Default is 5.
tos (unsigned char):
	IP type of service. Now primarily used to store DSCP values and ECN values. ECN is the low 2 bits.
total_len (uint16_t):
	The total lenght of the IP packet including the header and data.
ident (uint16_t):
	Primarily used for uniquely identifying the group of fragments of a single IP datagram. Used with frag_offset and flag_m.
flag_x (1 or 0):
	Flag bit zero implemented as x bit. See RFC 3514 for appropriate use ;-)
flag_d (1 or 0):
	Don’t fragment flag.
flag_m (1 or 0):
	More fragments flag.
frag_offset (uint16_t):
	This IP packet fragment offset from the beginning of the original un-fragmented IP datagram measured in units of eight-byte blocks.
ttl (unsigned char):
	The time to live for the IP datagram. Decremented by routers as a method to prevent endless circular routes. Default is 64.
checksum (uint16_t):
	The 16-bit checksum field.
src (bytes):	IPv4 src address in dot notation. Default is ‘0.0.0.0’.
dst (bytes):	IPv4 dst address in dot notation Default is ‘0.0.0.0’.
payload (bytes or PKT):
	The payload of this packet. Payload can be a PKT sub class or a byte string.
l7_ports (dict):
	A dictionary where the keys are layer 4 port numbers and the values are PKT subclass packet classes. Used by app_layer to determine what class should be used to decode the payload string or byte array.

query_info()¶

Provides pcap_query with the query fields IP supports and IP’s PKT type ID.

Returns:

tuple:	PQTYPES.t_ip and a tuple of the supported field names.

get_field_val(field)¶

Returns the value of the Wireshark format field name. Implemented as an if, elif, else set because Cython documentation shows that this form is turned that into an efficient case switch.

Args:

field (bytes):	name of the desired field in Wireshark format. For example: arp.proto.type or tcp.flags.urg

Returns:

object:	the value of the field.

pkt2net(csum=0, update=0, ipv4_pheader=None)¶

Used to export a IP packet class instance in network order for writing to a socket or into a pcap file.

Args:

update (0 or 1):
kwargs (dict):	list of arguments defined by PKT sub classes. Passed along by IP to payload classes. IP supports the following keyword arguments:
csum (0 or 1):	Determines if this IP instance should re-calculate its checksum.
	Determines if this IP instance and any sub layers should update size counters. For IP this means updating the total_len variable.
for_icmp (0 or 1):
	Return on the 64 bits of the header needed for ICMP packets.
ipv4_pheader (Ip4Ph):
	IPv4 pseudo header used in checksum calculation.

Returns:

bytes:	network order byte string representation of this IP instance.

IP PcapQuery supported fields:

ip.version: returns IP.version
ip.hdr_len: returns IP.iphl
ip.tos: returns IP.tos
ip.len: returns IP.total_len
ip.id: returns IP.ident
ip.flags: returns IP.flags
ip.flags.df: returns IP.flag_d
ip.flags.mf: returns IP.flag_m
ip.frag_offset: returns IP.frag_offset
ip.ttl: returns IP.ttl
ip.proto: returns IP.proto
ip.src: returns IP.src
ip.dst: returns IP.dst
ip.checksum: returns IP.checksum

8.2.4. `ARP` Class¶

Implements RFC 826 Address Resolution Protocol. See schematic to follow:

+0                   1                   2                   3  +
+0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Hardware Type        |         Protocol Type         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Hardware Len |    Proto Len  |           Operation           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Sender Hardware Addr (Hardware Len Bytes)           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Sender Protocol Addr (Proto Len Bytes)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Target Hardware Addr (Hardware Len Bytes)           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            Target Protocol Addr (Proto Len Bytes)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

class steelscript.packets.core.inetpkt.ARP¶

Bases: steelscript.packets.core.inetpkt.PKT

__init__(*args, **kwargs)¶

Initialize an ARP object.

Args:

data (bytes or array.arry):
args (list):	Optional one element list containing network order bytes of an ARP packet
	Optional keyword argument containing network order bytes of an ARP packet
hardware_type (uint16_t):
	Network Protocol Type. For example: Ethernet is hardware_type 1.
proto_type (uint16_t):
	Network protocol for this ARP request. For example this field would be set to 0x800 if this is a IPv4 ARP. Valid values for this field are shared with the IEEE 802.3 EtherType specification used by Ethernet.
hardware_len (unsigned char):
	Length in bytes (octets) for the hardware type specified in hardware_type above.
proto_len (unsigned char):
	Length in octets for the proto_type specified above. IPv4 has a length of 4 for example.
operation (unsigned char):
	1 for request and 2 for response.
sender_hw_addr (bytes):
	bytes representation of the senders hardware address. For example with hardware_type 1 this would be: ‘xx:xx:xx:xx:xx:xx’
sender_proto_addr (bytes):
	bytes representation of the senders hardware address. For example with proto_type 0x800 this would be ‘xxx.xxx.xxx.xxx’
target_hw_addr (bytes):
	bytes representation of the targets hardware address.
target_proto_addr (bytes):
	bytes representation of the targets hardware address.

query_info()¶

classmethod - provides pcap_query with the query fields ARP supports and ARP’s PKT type ID.

Returns:

tuple:	2 elements: PQTYPES.t_arp and a tuple of the supported field names.

get_field_val(field)¶

Returns the value of the Wireshark format field name. Implemented as an if, elif, else set because Cython documentation shows that this form is turned that into an efficient case switch.

Args:

field (bytes):	name of the desired field in Wireshark format. For example: arp.proto.type or tcp.flags.urg

Returns:

object:	the value of the field.

pkt2net(**kwargs)¶

Used to export a ARP packet class instance in network order for writing to a socket or into a pcap file. At present this function only works Ethernet/IPv4 ARP packets OR if buffer was set. If this is not a self.hardware_type == ARP_CONST.hwt_ether, self.proto_type == ETHERTYPES.ipv4 packet BUT buffer is set then the packet in will simply be repeated from the buffer. Any changes are lost.

Args:

kwargs (dict):	list of arguments defined by PKT sub classes. ARP does not support any key work arguments and does not have a payload so any args passed will be ignored.

Returns:

bytes:	network order byte string representation of the ARP instance.

ARP PcapQuery supported fields:

arp.hw.type: returns ARP.hardware_type
arp.proto.type: returns ARP.proto_type
arp.hw.size: returns ARP.hardware_len
arp.proto.size: returns ARP.proto_len
arp.opcode: returns ARP.operation
arp.src.hw_mac: returns ARP.sender_hw_addr
arp.src.proto_ipv4: returns ARP.sender_proto_addr
arp.dst.hw_mac: returns ARP.target_hw_addr
arp.dst.proto_ipv4: returns ARP.target_proto_addr

8.2.5. `UDP` Class¶

Implements RFC 768 User Datagram Protocol. See schematic to follow:

+0      7 8     15 16    23 24    31+
+--------+--------+--------+--------+
|     Source      |   Destination   |
|      Port       |      Port       |
+--------+--------+--------+--------+
|                 |                 |
|     Length      |    Checksum     |
+--------+--------+--------+--------+
|
|          data octets ...
+---------------- ...

class steelscript.packets.core.inetpkt.UDP¶

Bases: steelscript.packets.core.inetpkt.PKT

__init__(*args, **kwargs)¶

Initialize a UDP object.

Args:

sport (uint16_t):
args (list):	Optional one element list containing network order bytes of an UDP packet
data (bytes):	Optional keyword argument containing network order bytes of an UDP packet
	Layer 4 source port of this packet
dport (uint16_t):
	Layer 4 destination port of this packet
ulen (uint16_t):
	UDP Length - Total length of the UDP header plus data in bytes
checksum (uint16_t):
	The checksum value for this packet. Optional with IPv4 and must be 0 if not used.
payload (PKT or bytes):
	The payload of this packet.
l7_ports:	A dictionary where the keys are layer 4 port numbers and the values are PKT subclass packet classes. Used by UDP.app_layer() to determine what class should be used to decode the payload string or byte array.

query_info()¶

Provides pcap_query with the query fields UDP supports and UDP’s PKT type ID.

Returns:

tuple:	PQTYPES.t_udp and a tuple of the supported field names.

get_field_val(field)¶

Returns the value of the Wireshark format field name. Implemented as an if, elif, else set because Cython documentation shows that this form is turned that into an efficient case switch. Also handles udp.payload.offset[x:y] field.

Args:

field (bytes):	name of the desired field in Wireshark format. For example: arp.proto.type or tcp.flags.urg

Returns:

object:	value of the field.

pkt2net(**kwargs)¶

Used to export a UDP packet class instance in network order for writing to a socket or into a pcap file.

Args:

update (0 or 1):
kwargs (dict):	list of arguments defined by PKT sub classes. Passed along by UDP to payload classes. UDP supports the following keyword arguments:
csum (0 or 1):	Determines if this UDP instance should re-calculate its checksum.
	Determines if this UDP instance and any sub layers should update size counters. For UDP this means updating the ulen variable.
ipv4_pheader (Ip4Ph):
	IPv4 pseudo header used in checksum calculation.

Returns:

bytes:	network order byte string representation of this UDP instance.

UDP PcapQuery supported fields:

udp.srcport: returns UDP.sport
udp.dstport: returns UDP.dport
udp.length: returns UDP.ulen
udp.checksum: returns UDP.checksum
udp.payload: returns UDP.payload as bytes
udp.payload.offset[x:y]: returns UDP.payload bytes x to y as bytes

8.2.6. `TCP` Class¶

Implements RFC 793 Transmission Control Protocol with some additions and limited options support. See schematic to follow:

+0                   1                   2                   3  +
+0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |     |N|C|E|U|A|P|R|S|F|                               |
| Offset| Res |S|W|C|R|C|S|S|Y|I|            Window             |
|       |     | |R|E|G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

class steelscript.packets.core.inetpkt.TCP¶

Bases: steelscript.packets.core.inetpkt.PKT

__init__(*args, **kwargs)¶

Initialize a TCP object.

Args:

sport (uint16_t):
args (list):	Optional one element list containing network order bytes of an TCP packet
data (bytes):	Optional keyword argument containing network order bytes of an TCP packet
	Layer 4 source port of this packet
dport (uint16_t):
	Layer 4 destination port of this packet
sequence (uint32_t):
	TCP sequence number.
acknowledgment (uint32_t):
	Acknowledgment number.
data_offset (uint16_t):
	Size of the TCP header in 32-bit ‘words’. Min is 5.
flag_ns (0 or 1):
	ECN-nonce concealment protection (RFC 3540).
flag_cwr (0 or 1):
	Congestion Window Reduced flag (RFC 3168).
flag_ece (0 or 1):
	ECN-Echo flag (RFC 3168).
flag_urg (0 or 1):
	flag that the Urgent pointer field is significant.
flag_ack (0 or 1):
	flag that Acknowledgment field is significant.
flag_psh (0 or 1):
	flag requesting buffered data be pushed to the receiving application.
flag_rst (0 or 1):
	Reset the connection
flag_syn (0 or 1):
	Synchronize sequence numbers. Starts TCP handshake.
flag_fin (0 or 1):
	Flag as the last package from src of this packet.
window (uint16_t):
	Size of the receive window (default in bytes).
checksum (uint16_t):
	The 16-bit checksum field.
urg_ptr (uint16_t):
	Offset from the sequence number indicating the last urgent data byte. Use urg flag if set.
options (bytes):
	Array of bytes to use as the TCP options. The user must update data_offset and make these bytes align to 32bit words. This is not fully implemented in this PKT class.
payload (PKT or bytes):
	The payload of this packet.
l7_ports (dict):
	A dictionary where the keys are layer 4 port numbers and the values are PKT subclass packet classes. Used by TCP.app_layer() to determine what class should be used to decode the payload string or byte array.

query_info()¶

Provides pcap_query with the query fields UDP supports and TCP’s PKT type ID.

Returns:

tuple:	PQTYPES.t_tcp and a tuple of the supported field names.

get_field_val(field)¶

Returns the value of the Wireshark format field name. Implemented as an if, elif, else set because Cython documentation shows that this form is turned that into an efficient case switch. Also handles tcp.payload.offset[x:y] field.

Args:

field (bytes):	name of the desired field in Wireshark format. For example: arp.proto.type or tcp.flags.urg

Returns:

object:	value of the field.

pkt2net(**kwargs)¶

Used to export a TCP packet class instance in network order for writing to a socket or into a pcap file.

Args:

ipv4_pheader (Ip4Ps):
kwargs (dict):	list of arguments defined by PKT sub classes. TCP supports the following keyword arguments:
csum (0 or 1):	Determines if this TCP instance should re-calculate its checksum.
	IPv4 psuedo header used in checksum calculation.

Returns:

bytes:	network order byte string representation of this TCP instance.

TCP PcapQuery supported fields:

tcp.srcport: returns TCP.sport
tcp.dstcport: returns TCP.dport
tcp.seq: returns TCP.sequence
tcp.ack: returns TCP.acknowledgment
tcp.hdr_len: returns TCP.data_offset
tcp.len: returns TCP.ws_len
tcp.flags: returns TCP.flags
tcp.flags.urg: returns TCP.flag_urg
tcp.flags.ack: returns TCP.flag_ack
tcp.flags.push: returns TCP.flag_psh
tcp.flags.reset: returns TCP.flag_rst
tcp.flags.syn: returns TCP.flag_syn
tcp.flags.fin: returns TCP.flag_fin
tcp.window_size_va: returns TCP.window
tcp.checksum: returns TCP.checksum
tcp.urgent_pointer: returns TCP.urg_ptr
tcp.payload: returns TCP.payload as bytes
tcp.payload.offset[x:y: returns TCP.payload bytes x to y as bytes

8.2.7. `MPLS` Class¶

class steelscript.packets.core.inetpkt.MPLS¶

Bases: steelscript.packets.core.inetpkt.PKT

Very limited implementation of MPLS (RFC 3031). Supports only IPv4 and Ethernet payloads. And only detects the difference by looking at the first nibble of the payload bytes.

__init__(*args, **kwargs)¶

Initialize a MPLS object. Note on data types for Args. Only the stack bit and the TTL use the full size of the data types specified below. label used only 20 bits and the traffic class uses 3 bits.

Args:

label (uint32_t):
args (list):	Optional one element list containing network order bytes of an MPLS packet
data (bytes):	Optional keyword argument containing network order bytes of an MPLS packet
	20 bit MPLS label value.
tc (unsigned char):
	Traffic Class (QoS and ECN). 3 bits used
s (0 or 1):	Bottom of label stack bit.
ttl (unsigned char):
	Time to live for this label.
payload (PKT or bytes):
	The payload of this packet.
l7_ports (dict):
	Keys are layer 4 port numbers and the values are PKT subclass packet classes. Used by the app_layer() in layer 7 protocols to determine what class should be used to decode the payload string or byte array. MPLS only passes this option on to subsequent packet layers.

query_info()¶

Provides pcap_query with the query fields MPLS supports and MPLS’s PKT type ID.

Returns:

tuple:	PQTYPES.t_mpls and a tuple of the supported field names.

default_ports()¶

Used by pcap_query to automatically decode layer 7 protocols.

Returns:

list:	list of layer 4 ports for ‘this’ protocol.

get_field_val(field)¶

Returns the value of the Wireshark format field name. Implemented as an if, elif, else set because Cython documentation shows that this form is turned that into an efficient case switch. This function is different from other protocols in that it detects if this is or is not the botton of stack MPLS label.

Args:

field (bytes):	name of the desired field in Wireshark format. For example: arp.proto.type or tcp.flags.urg

Returns:

object:	value of the field.

pkt2net(**kwargs)¶

Used to export a MPLS packet class instance in network order for writing to a socket or into a pcap file.

Args:

kwargs (dict):	list of arguments defined by PKT sub classes. Passed along by MPLS to payload classes. MPLS has no options that it directly supports.

Returns:

bytes:	network order byte string representation of this MPLS instance.

MPLS PcapQuery supported fields:

mpls.top.label: returns first MPLS.label where MPLS.s is 0
mpls.top.tc: returns first MPLS.tc where MPLS.s is 0
mpls.top.stack_bit: returns first MPLS.s where MPLS.s is 0
mpls.top.ttl: returns first MPLS.ttl where MPLS.s is 0
mpls.bottom.label: returns MPLS.label where MPLS.s is 1
mpls.bottom.tc: returns MPLS.tc where MPLS.s is 1
mpls.bottom.stack_bit: returns MPLS.s where MPLS.s is 1
mpls.bottom.ttl: returns MPLS.ttl where MPLS.s is 1

NOTE: There should only ever be a single MPLS layer in a packet with the s bit set to 1. There can be a number with bottom of stack bit set to 0

8.2.8. `NullPkt` Class¶

class steelscript.packets.core.inetpkt.NullPkt¶

Bases: steelscript.packets.core.inetpkt.PKT

NullPkt is a catch all packet type that can be used to simply store packet bytes without any decode.

__init__(*args, data=b'')¶

Initialize an NullPkt object.

Args: :args (list): Optional one element list containing network order bytes

of an ARP packet

Data (bytes):	Optional keyword argument containing network order bytes of an ARP packet

query_info()¶

pseudo pcap_query support for query_info.

Returns:

tuple:	PQTYPES.t_nullpkt and an empty field list

get_field_val(field)¶: pseudo pcap_query support for get_field_val.

pkt2net(**kwargs)¶

Used to export a NullPkt object for writing to a socket or into a pcap file. Data is exactly as it came in.

Args:

kwargs (dict):	Ignored

Returns:

bytes:	The NullPkt data exactly as it came into __init__

8.2.9. `Ip4Ph` Class¶

class steelscript.packets.core.inetpkt.Ip4Ph¶

Class to encapsulate an IPv4 pseudo header. Used in pkt2net functions for TCP and UDP. Part of checksum calculation. Automatically passed in to pkt2net by IP if its payload is TCP or UDP

__init__(src, dst, reserved, proto, payload_len)¶

Initialize a new Ip4Ph object. Actual initialization is done by the classes Cython __cinit__ function. __init__ exists to support documentation generation.

Args:

reserved (unsigned char):
src (bytes):	IPv4 src address for parent IP Object
dst (bytes ):	IPv4 dst address for parent IP Object
	unused 8 bits in pseudo header. Should be 0
proto (unsigned char):
	Proto of parent IP object.
payload_len (uint16_t):
	Total length of IP payload in octets.

8.2.10. `NetflowSimple` Class¶

class steelscript.packets.core.inetpkt.NetflowSimple¶

Bases: steelscript.packets.core.inetpkt.PKT

A Netflow decoder used by Riverbed’s QA group to replay captured netflow data. This packet type only decodes enough of a Netflow version 1-9 packet to allow the timestamps to be altered. Useful to make previously captured flows appear to a Netflow analyzer to have happened ‘now’. Be aware that the field unix_nano_seconds in this packet type is not accurately defined if the version is 9.

__init__(*args, **kwargs)¶

Initialize a NetflowSimple object.

Args:

version (uint16_t):
args (list):	Optional one element list containing network order bytes of an ARP packet
data (bytes):	Optional keyword argument containing network order bytes of an ARP packet
	Netflow version (1-9)
count (uint16_t):
	Count of records if version is 1-8 or count of flow sets if version is 9
sys_uptime (uint32_t):
	Current time in milliseconds since the export device started at the moment the netflow packet was sent.
unix_secs (uint32_t):
	Seconds since the start of the epoch
unix_nano_seconds (uint32_t):
	nanoseconds remaining from unix_secs. This field will not be correct IF the version is 9
payload (bytes):
	The rest of the netflow packet as bytes.

query_info()¶

classmethod - provides pcap_query with the query fields NetflowSimple supports and NetflowSimple’s PKT type ID.

Returns:

tuple:	PQTYPES.t_netflow_simple and a tuple of the supported

field names.

default_ports()¶

Used by pcap_query to automatically decode layer 7 protocols. The default Layer 4 ports for netflow are 2005 and 2055.

Returns:

list:	layer 4 ports for NetflowSimple.

get_field_val(field)¶

Returns the value of the Wireshark format field name. Implemented as an if, elif, else set because Cython documentation shows that this form is turned that into an efficient case switch.

Args:

field (bytes):	name of the desired field in Wireshark format. For example: arp.proto.type or tcp.flags.urg

Returns:

object:	the value of the field.

pkt2net(**kwargs)¶

Used to export a NetflowSimple packet class instance in network order for writing to a socket or into a pcap file.

Args:

kwargs (dict):	list of arguments defined by PKT sub classes. NetflowSimple does not support any key work arguments and does not have a PKT class payload so any args passed will be ignored.

Returns:

bytes:	network order byte string representation of the NetflowSimple instance.

NetflowSimple PcapQuery supported fields:

netflow.version: returns NetflowSimple.version
netflow.count: returns NetflowSimple.count
netflow.sys_uptime: returns NetflowSimple.sys_uptime
netflow.unix_secs: returns NetflowSimple.unix_secs
netflow.unix_nano_seconds: returns NetflowSimple.unix_nano_seconds

8.2. steelscript.packets.core.inetpkt API¶

8.2.1. PKT Class¶

8.2.2. Ethernet Class¶

8.2.3. IP Class¶

8.2.4. ARP Class¶

8.2.5. UDP Class¶

8.2.6. TCP Class¶

8.2.7. MPLS Class¶

8.2.8. NullPkt Class¶

8.2.9. Ip4Ph Class¶

8.2.10. NetflowSimple Class¶

8.2.1. `PKT` Class¶

8.2.2. `Ethernet` Class¶

8.2.3. `IP` Class¶

8.2.4. `ARP` Class¶

8.2.5. `UDP` Class¶

8.2.6. `TCP` Class¶

8.2.7. `MPLS` Class¶

8.2.8. `NullPkt` Class¶

8.2.9. `Ip4Ph` Class¶

8.2.10. `NetflowSimple` Class¶