Store IP addresses (v4 + v6) as strings rather than ints
As mentioned by @pR0Ps in 6b9d20c8a6/analyze_json.py (L83)
IP addresses, especially in IPv6, should better be stored as parsed
strings instead of their raw integer values. Implemented.
This commit is contained in:
parent
6b9d20c8a6
commit
1646a52f17
|
@ -80,14 +80,9 @@ class Connection:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_ips(flow):
|
def get_ips(flow):
|
||||||
# TODO: These values should be parsed into strings in the collection phase.
|
|
||||||
# The floating point representation of an IPv6 address in JSON
|
|
||||||
# could lose precision.
|
|
||||||
|
|
||||||
# IPv4
|
# IPv4
|
||||||
if flow.get('IP_PROTOCOL_VERSION') == 4 \
|
if flow.get('IP_PROTOCOL_VERSION') == 4 or \
|
||||||
or 'IPV4_SRC_ADDR' in flow \
|
'IPV4_SRC_ADDR' in flow or 'IPV4_DST_ADDR' in flow:
|
||||||
or 'IPV4_DST_ADDR' in flow:
|
|
||||||
return Pair(
|
return Pair(
|
||||||
ipaddress.ip_address(flow['IPV4_SRC_ADDR']),
|
ipaddress.ip_address(flow['IPV4_SRC_ADDR']),
|
||||||
ipaddress.ip_address(flow['IPV4_DST_ADDR'])
|
ipaddress.ip_address(flow['IPV4_DST_ADDR'])
|
||||||
|
|
|
@ -13,6 +13,7 @@ Copyright 2017, 2018 Dominik Pataky <dev@bitkeks.eu>
|
||||||
Licensed under MIT License. See LICENSE.
|
Licensed under MIT License. See LICENSE.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
import ipaddress
|
||||||
import struct
|
import struct
|
||||||
|
|
||||||
|
|
||||||
|
@ -200,7 +201,6 @@ class DataFlowSet:
|
||||||
for field in template.fields:
|
for field in template.fields:
|
||||||
flen = field.field_length
|
flen = field.field_length
|
||||||
fkey = FIELD_TYPES[field.field_type]
|
fkey = FIELD_TYPES[field.field_type]
|
||||||
fdata = None
|
|
||||||
|
|
||||||
# The length of the value byte slice is defined in the template
|
# The length of the value byte slice is defined in the template
|
||||||
dataslice = data[offset:offset+flen]
|
dataslice = data[offset:offset+flen]
|
||||||
|
@ -210,7 +210,16 @@ class DataFlowSet:
|
||||||
for idx, byte in enumerate(reversed(bytearray(dataslice))):
|
for idx, byte in enumerate(reversed(bytearray(dataslice))):
|
||||||
fdata += byte << (idx * 8)
|
fdata += byte << (idx * 8)
|
||||||
|
|
||||||
new_record.data[fkey] = fdata
|
# Special handling of IP addresses to convert integers to strings to not lose precision in dump
|
||||||
|
if fkey in ["IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV6_SRC_ADDR", "IPV6_DST_ADDR"]:
|
||||||
|
try:
|
||||||
|
ip = ipaddress.ip_address(fdata)
|
||||||
|
except ValueError:
|
||||||
|
print("IP address could not be parsed: {}".format(fdata))
|
||||||
|
continue
|
||||||
|
new_record.data[fkey] = ip.compressed
|
||||||
|
else:
|
||||||
|
new_record.data[fkey] = fdata
|
||||||
|
|
||||||
offset += flen
|
offset += flen
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue