From eae9efdaf95b227ad988324eb3c8442bbd1ab46b Mon Sep 17 00:00:00 2001
From: Jon Erickson
Date: Thu, 27 Feb 2020 16:24:21 -0500
Subject: [PATCH 1/2] Changed pcap format to pcapng and added PID as a comment to each packet
---
 fakenet/diverters/diverterbase.py | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index dbfb334..e46e0e9 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -1022,7 +1022,7 @@ def parse_diverter_config(self):
 'dumppacketsfileprefix', 'packets'),
 time.strftime('%Y%m%d_%H%M%S'))
 self.logger.info('Capturing traffic to %s', self.pcap_filename)
- self.pcap = dpkt.pcap.Writer(open(self.pcap_filename, 'wb'),
+ self.pcap = dpkt.pcapng.Writer(open(self.pcap_filename, 'wb'),
 linktype=dpkt.pcap.DLT_RAW)
 self.pcap_lock = threading.Lock()
@@ -1104,7 +1104,7 @@ def parse_diverter_config(self):
 self.logger.debug('Blacklisted UDP ports: %s', ', '.join(
 [str(p) for p in self.getconfigval('BlackListPortsUDP')]))
- def write_pcap(self, pkt):
+ def write_pcap(self, pkt, pid=None):
 """Writes a packet to the pcap.
 Args:
@@ -1121,7 +1121,24 @@ def write_pcap(self, pkt):
 mangled = 'mangled' if pkt.mangled else 'initial'
 self.pdebug(DPCAP, 'Writing %s packet %s' %
 (mangled, pkt.hdrToStr2()))
- self.pcap.writepkt(pkt.octets)
+ comment = ''
+ opts = []
+ if pid is not None:
+ comment = 'PID: %d' % pid
+ opts = [
+ dpkt.pcapng.PcapngOptionLE(code = dpkt.pcapng.PCAPNG_OPT_COMMENT, text=comment ),
+ dpkt.pcapng.PcapngOptionLE(code = dpkt.pcapng.PCAPNG_OPT_ENDOFOPT, len=0 ),
+ ]
+
+ ebp = dpkt.pcapng.EnhancedPacketBlockLE(
+ ts_high=0,
+ ts_low=0,
+ caplen = len(pkt.octets),
+ pktlen= len(pkt.octets),
+ pkt_data=pkt.octets,
+ opts=opts
+ )
+ self.pcap.writepkt(ebp)
 def handle_pkt(self, pkt, callbacks3, callbacks4):
 """Generic packet hook.
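Review bot: The new `dpkt.pcapng.Writer(...)` line carries no hint of why the capture format changed, and the capture file name assembled just above this hunk (outside it) presumably still ends in `.pcap`; if so, consider renaming it to `.pcapng` so analysts and tooling that key on the extension are not misled. A one-line comment on the changed line would make the intent durable: `# pcapng rather than pcap so every packet can carry an opt_comment naming the originating PID/process`. Whether the default snaplen the pcapng writer advertises in its interface block matches DLT_RAW packets larger than that value is not visible here and worth confirming once in Wireshark.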
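Review bot: Every packet is now written with `ts_high=0, ts_low=0`, so the capture loses its timestamps entirely; the old `self.pcap.writepkt(pkt.octets)` let dpkt stamp the current time, whereas here the writer receives a finished block and, as far as I can tell, has nothing left to fill in. Compute the time before building the block, in the unit the interface block declares (dpkt's default is microseconds, worth confirming): `ts = int(time.time() * 1e6)`, then `ts_high=ts >> 32,` and `ts_low=ts & 0xffffffff,` in the `EnhancedPacketBlockLE(...)` call (`time` is already in scope, see the `time.strftime` call in the first hunk). Inter-packet timing is frequently the only thing that distinguishes a beacon interval from a one-off connection in a malware capture, so the zeroed stamps are a functional regression, not cosmetic. write_pcap's body starts above this hunk, so I cannot see whether `self.pcap_lock` is held around the write.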
@@ -1159,7 +1176,8 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 """
 # 1: Unconditionally write unmangled packet to pcap
- self.write_pcap(pkt)
+ pid, comm = self.get_pid_comm(pkt)
+ self.write_pcap(pkt, pid)
 no_further_processing = False
@@ -1171,7 +1189,6 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 crit = DivertParms(self, pkt)
 # fnpacket has parsed all that can be parsed, so
- pid, comm = self.get_pid_comm(pkt)
 if self.pdebug_level & DGENPKTV:
 logline = self.formatPkt(pkt, pid, comm)
 self.pdebug(DGENPKTV, logline)
From f1fc78c472928ba9478493fd28ab8f89499e5931 Mon Sep 17 00:00:00 2001
From: Jon Erickson
Date: Fri, 28 Feb 2020 11:07:05 -0500
Subject: [PATCH 2/2] added process name to packet comment.
---
 fakenet/diverters/diverterbase.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/fakenet/diverters/diverterbase.py b/fakenet/diverters/diverterbase.py
index e46e0e9..03cc132 100644
--- a/fakenet/diverters/diverterbase.py
+++ b/fakenet/diverters/diverterbase.py
@@ -1104,7 +1104,7 @@ def parse_diverter_config(self):
 self.logger.debug('Blacklisted UDP ports: %s', ', '.join(
 [str(p) for p in self.getconfigval('BlackListPortsUDP')]))
- def write_pcap(self, pkt, pid=None):
+ def write_pcap(self, pkt, pid=None, comm=None):
 """Writes a packet to the pcap.
 Args:
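Review bot: Hoisting `pid, comm = self.get_pid_comm(pkt)` ahead of the write makes the capture depend on the process lookup completing, which contradicts the `# 1: Unconditionally write unmangled packet to pcap` comment directly above it; before this change the packet reached the file before any lookup was attempted. I cannot see the platform-specific lookup from here, but if it can raise (a process that exits between the packet and the lookup, a parse failure in the OS helper), the packet is silently lost from the evidence file. Wrap the call in a `try`/`except` that degrades to `pid, comm = None, None` and lets the write proceed, so the comment stays true and an attribution failure costs only the annotation.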
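Review bot: The `Args:` section of write_pcap's docstring, which continues below this hunk, is not updated for the two new keyword parameters, so a caller has no statement of what `pid` and `comm` mean or that both are optional. Add two entries in the file's existing style: `pid: PID the packet was attributed to, or None if unknown` and `comm: Name of that process, or None if unknown; both are used only to build the per-packet comment`. Since `comm` is reported for the process under analysis, the docstring is also the right place to note that it is untrusted text copied into the capture file.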
@@ -1123,12 +1123,17 @@ def write_pcap(self, pkt, pid=None):
 (mangled, pkt.hdrToStr2()))
 comment = ''
 opts = []
- if pid is not None:
+ if pid is not None and comm is not None:
+ comment = 'Process: %s, PID: %d' % (comm, pid)
+ elif pid is not None:
 comment = 'PID: %d' % pid
- opts = [
- dpkt.pcapng.PcapngOptionLE(code = dpkt.pcapng.PCAPNG_OPT_COMMENT, text=comment ),
- dpkt.pcapng.PcapngOptionLE(code = dpkt.pcapng.PCAPNG_OPT_ENDOFOPT, len=0 ),
- ]
+ elif comm is not None:
+ comment = 'Process: %s' % comm
+
+ opts = [
+ dpkt.pcapng.PcapngOptionLE(code = dpkt.pcapng.PCAPNG_OPT_COMMENT, text=comment ),
+ dpkt.pcapng.PcapngOptionLE(code = dpkt.pcapng.PCAPNG_OPT_ENDOFOPT, len=0 ),
+ ]
 ebp = dpkt.pcapng.EnhancedPacketBlockLE(
 ts_high=0,
@@ -1177,7 +1182,7 @@ def handle_pkt(self, pkt, callbacks3, callbacks4):
 # 1: Unconditionally write unmangled packet to pcap
 pid, comm = self.get_pid_comm(pkt)
- self.write_pcap(pkt, pid)
+ self.write_pcap(pkt, pid, comm)
 no_further_processing = False
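Review bot: The `opts = [` list is now built unconditionally, so a packet with neither a PID nor a process name gets an `opt_comment` whose text is the empty string; in the previous patch the option list was only emitted inside the `if pid is not None:` branch. Guard it the same way, `if comment:` before `opts = [`, so unattributed packets carry no option at all and the block stays as the writer produced it before. Separately, `comm` is a process name chosen by the sample being analysed and is copied into the comment verbatim; pcapng defines opt_comment as UTF-8, so confirm that `text=comment` encodes a non-ASCII name rather than raising inside the capture path, and consider bounding its length, since a hostile name is an easy way to push arbitrary text into the evidence file. write_pcap's remaining lines, including the `EnhancedPacketBlockLE(...)` call this feeds, continue below the hunk.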