Using pynids on multiple pcaps


I am trying to parse multiple pcap files using the pynids library, but I can get it to parse only the first file. I saw that there is a function nids_unregister_tcp in libnids; will that help? I can't find that function in pynids, though.

import nids


def handle_tcp_stream(tcp):
    # Called by libnids for every TCP stream event in the capture.
    print("In handle_tcp_stream")


def extract(pcap_file):
    nids.param("tcp_workarounds", 1)
    nids.param("pcap_filter", "tcp")         # BPF filter: restrict to TCP only
    nids.param("scan_num_hosts", 0)          # disable portscan detection
    nids.chksum_ctl([('0.0.0.0/0', False)])  # disable checksumming for all hosts

    nids.param("filename", pcap_file)        # read from a file instead of a live interface
    nids.init()
    nids.register_tcp(handle_tcp_stream)     # register the stream callback for this run

    try:
        nids.run()
    except Exception as e:                   # 'except Exception, e' is Python 2 only
        print("Exception", pcap_file, e)


def main():
    # Same file twice: only the first run produces callbacks (see output below).
    extract("a.pcap")
    print("Done")
    extract("a.pcap")


if __name__ == "__main__":
    main()

Here's the output:

In handle_tcp_stream
In handle_tcp_stream
In handle_tcp_stream
In handle_tcp_stream
Done

1 answer

soulseekah (accepted answer)

The binding is written incorrectly, it seems.

The Perl counterpart also had this issue in the past: https://rt.cpan.org/Public/Bug/Display.html?id=51107

Basically it can be summed up by:

...libnids cleans up and removes its callback once run() is finished.

The error seems to be similar in here https://github.com/MITRECND/pynids/blob/master/nidsmodule.c#L533

I may be mistaken, but the else there makes it miss the actual registration when an FP was defined earlier. That else body should always be executed. So a quick fix is:

https://github.com/soulseekah/pynids/commit/8d420e88dbdc340f309db9db7c3b9c2508b1cb80

I'm a bit rusty on my Python API, but I think that PyObject_Del should be Py_DECREF instead, although it works with deletion as well.

Watch https://github.com/MITRECND/pynids/pull/2 for more developments; I'm sure they'll figure out a more correct way to fix this. Meanwhile, what I did should work fine for the time being.

Too bad there aren't any unit tests to see if all is fine.
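A workaround that does not depend on the binding being patched, added here as an example (it is not from the question, the answer, or the pynids project): run each capture in its own child process. A fresh process has never registered a callback, which is exactly the state in which the answer says registration works, so every capture gets a clean libnids. The extract() worker mirrors the question's script and assumes pynids is installed; tcp.nids_state and nids.NIDS_JUST_EST are assumed from the pynids stream-state API. run_isolated() takes any worker callable, so the orchestration can be exercised without libnids; a worker that raises is reported as "error" and a child that dies without reporting (for example a crash inside the C extension) as "crashed", costing one capture rather than the whole batch.

```python
import multiprocessing
import os
import sys


def extract(pcap_file):
    """Worker: run pynids over one capture and return the number of TCP streams.

    Mirrors the question's script. Assumes pynids is installed; `nids` is
    imported inside the worker so the parent process never loads libnids.
    tcp.nids_state / nids.NIDS_JUST_EST are assumed from the pynids API.
    """
    import nids

    seen = {"streams": 0}

    def handle_tcp_stream(tcp):
        # Count each stream once, when libnids reports it as established.
        if tcp.nids_state == nids.NIDS_JUST_EST:
            seen["streams"] += 1

    nids.param("tcp_workarounds", 1)
    nids.param("pcap_filter", "tcp")
    nids.param("scan_num_hosts", 0)
    nids.chksum_ctl([("0.0.0.0/0", False)])
    nids.param("filename", pcap_file)
    nids.init()
    nids.register_tcp(handle_tcp_stream)
    nids.run()
    return seen["streams"]


def _child(conn, worker, path):
    # Runs in the child: report the worker's result or its exception, then close the pipe.
    try:
        conn.send(("ok", worker(path), os.getpid()))
    except Exception as exc:
        conn.send(("error", repr(exc), os.getpid()))
    finally:
        conn.close()


def run_isolated(paths, worker=extract, start_method="fork"):
    """Run worker(path) for each path in a fresh child process.

    Returns [(path, status, payload, child_pid)] in input order, where status is
    "ok" (payload = worker's return value), "error" (payload = repr of the
    exception) or "crashed" (child exited without reporting; payload = exit code).
    The fork start method lets any callable, including a lambda, be passed as
    worker without pickling; on Windows only "spawn" exists.
    """
    ctx = multiprocessing.get_context(start_method)
    results = []
    for path in paths:
        recv_end, send_end = ctx.Pipe(duplex=False)
        proc = ctx.Process(target=_child, args=(send_end, worker, path))
        proc.start()
        send_end.close()  # parent keeps only the read end, so EOF means the child is gone
        try:
            status, payload, pid = recv_end.recv()
        except EOFError:
            proc.join()
            status, payload, pid = "crashed", proc.exitcode, proc.pid
        proc.join()
        recv_end.close()
        results.append((path, status, payload, pid))
    return results


if __name__ == "__main__":
    # Usage: python isolate_pynids.py a.pcap b.pcap ...
    for path, status, payload, _ in run_isolated(sys.argv[1:]):
        print(path, status, payload)
```

Each capture pays the cost of a process start, which is negligible next to reading a pcap, and the parent never touches libnids at all, so its own state cannot be left half-initialised by a failed run.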