I am trying to parse multiple pcap files using the pynids library, but I can only get it to parse the 1st file. I saw that there was a function nids_unregister_tcp in libnids, will that help? I can't find that function in pynids though.
```python
# Python 2 (pynids targets Python 2)
import nids


def handle_tcp_stream(tcp):
    print "In handle_tcp_stream"


def extract(pcap_file):
    nids.param("tcp_workarounds", 1)
    nids.param("pcap_filter", "tcp")  # bpf restrict to TCP only, note
    nids.param("scan_num_hosts", 0)   # disable portscan detection
    nids.chksum_ctl([('0.0.0.0/0', False)])  # disable checksumming
    nids.param("filename", pcap_file)
    nids.init()
    nids.register_tcp(handle_tcp_stream)
    try:
        nids.run()
    except Exception, e:
        print "Exception ", pcap_file + " ", e


def main():
    extract("a.pcap")
    print "Done"
    extract("a.pcap")  # same file again: the handler is never called this time


if __name__ == "__main__":
    main()
```
Here's the output:
```text
In handle_tcp_stream
In handle_tcp_stream
In handle_tcp_stream
In handle_tcp_stream
Done
```
The binding is written incorrectly it seems.
The Perl counterpart had also had this issue in the past: https://rt.cpan.org/Public/Bug/Display.html?id=51107
Basically it can be summed up by:
The error seems to be similar in here https://github.com/MITRECND/pynids/blob/master/nidsmodule.c#L533
I may be mistaken, but the `else` there makes it miss the actual registration when an `FP` was defined earlier. That `else` body should always be executed. So a quick fix is: https://github.com/soulseekah/pynids/commit/8d420e88dbdc340f309db9db7c3b9c2508b1cb80

I'm a bit rusty on my Python API, but I think that `PyObject_Del` should be `Py_DECREF` instead. Although it works with deletion as well. Watch https://github.com/MITRECND/pynids/pull/2 for more developments, I'm sure they'll figure out a more correct way to fix this. Meanwhile, what I did should work fine for the time being.
Too bad there aren't any unit tests to see if all is fine.
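To make the failure mode described in the answer concrete, here is an added C model (my own code, not pynids' nidsmodule.c, which is only linked above): a register function whose library registration sits in an `else` that is skipped once a callable is already held, next to the form where the registration always runs. It assumes that init() resets the library's handler list so the binding must re-register each time, and every name in it is invented.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a binding's register_tcp(): one slot for the callable
 * the binding holds, plus what the underlying library would actually call.
 * Not pynids' nidsmodule.c; names and shape are assumptions. */
typedef void (*tcp_cb_t)(const char *stream);

static tcp_cb_t held_cb = NULL;  /* callable kept by the binding (the "FP") */
static tcp_cb_t lib_cb = NULL;   /* handler the library would invoke on run() */

/* stand-in for nids_register_tcp(): the library remembers the handler */
static void fake_nids_register_tcp(tcp_cb_t fn) { lib_cb = fn; }

/* stand-in for nids.init(): assumed to reset library state, handlers included */
static void fake_nids_init(void) { lib_cb = NULL; }

/* Buggy shape described in the answer: once a callback is already held, the
 * branch that actually registers with the library is skipped. */
static void register_tcp_buggy(tcp_cb_t fn) {
    if (held_cb != NULL) {
        held_cb = fn;                 /* drop old reference, keep new one */
    } else {
        held_cb = fn;
        fake_nids_register_tcp(fn);   /* only reached on first registration */
    }
}

/* Fixed shape: releasing the old reference and registering are separate, so
 * the registration runs every time. */
static void register_tcp_fixed(tcp_cb_t fn) {
    held_cb = fn;                     /* old reference released, new one kept */
    fake_nids_register_tcp(fn);       /* always executed */
}

static void handler(const char *stream) { printf("In handle_tcp_stream: %s\n", stream); }

/* Replays the question's sequence (init, register, run, twice) and reports
 * whether the second run would still reach the handler. */
static bool second_run_has_handler(void (*reg)(tcp_cb_t)) {
    held_cb = NULL; lib_cb = NULL;
    fake_nids_init(); reg(handler); if (lib_cb) lib_cb("a.pcap, pass 1");
    fake_nids_init(); reg(handler); if (lib_cb) lib_cb("a.pcap, pass 2");
    return lib_cb != NULL;
}

int main(void) {
    printf("buggy: second run has handler = %d\n", second_run_has_handler(register_tcp_buggy));
    printf("fixed: second run has handler = %d\n", second_run_has_handler(register_tcp_fixed));
    return 0;
}
```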