fatt.py

#!/usr/bin/env python3
# Copyright (c) 2019, Adel "0x4d31" Karimi.
# All rights reserved.
# Licensed under the BSD 3-Clause license.
# For full license text, see the LICENSE file in the repo root
# or https://opensource.org/licenses/BSD-3-Clause

# fatt. Fingerprint All The Things
# Supported protocols: SSL/TLS, SSH, RDP, HTTP, gQUIC

import argparse
import pyshark
import os
import json
import logging
import struct
from hashlib import md5
from collections import defaultdict

__author__ = "Adel '0x4D31' Karimi"
__version__ = "1.0"


CAP_BPF_FILTER = (
    'tcp port 22 or tcp port 2222 or tcp port 3389 or '
    'tcp port 443 or tcp port 993 or tcp port 995 or '
    'tcp port 636 or tcp port 990 or tcp port 992 or '
    'tcp port 989 or tcp port 563 or tcp port 614 or '
    'tcp port 3306 or tcp port 80 or udp port 80 or '
    'udp port 443')
DISPLAY_FILTER = (
    'tls.handshake.type == 1 || tls.handshake.type == 2 ||'
    'ssh.message_code == 20 || ssh.protocol || rdp ||'
    '(quic && tls.handshake.type == 1) || gquic.tag == "CHLO" ||'
    'http.request.method || data-text-lines'
)
DECODE_AS = {
    'tcp.port==2222': 'ssh', 'tcp.port==3389': 'tpkt',
     'tcp.port==993': 'tls', 'tcp.port==995': 'tls',
     'tcp.port==990': 'tls', 'tcp.port==992': 'tls',
     'tcp.port==989': 'tls', 'tcp.port==563': 'tls',
     'tcp.port==614': 'tls', 'tcp.port==636': 'tls'}
HASSH_VERSION = '1.0'
RDFP_VERSION = '0.3'


class ProcessPackets:

    def __init__(self, fingerprint, jlog, pout):
        self.logger = logging.getLogger()
        self.fingerprint = fingerprint
        self.jlog = jlog
        self.pout = pout
        self.protocol_dict = {}
        self.rdp_dict = defaultdict(dict)

    def process(self, packet):
        record = None
        proto = packet.highest_layer
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst

        # Clear the dictionary used for extracting ssh protocol strings
        # and rdp cookies/negotiateRequests
        if len(self.protocol_dict) > 100 and proto != 'SSH':
            self.protocol_dict.clear()
        if len(self.rdp_dict) > 100 and proto != 'RDP':
            self.rdp_dict.clear()

        # [ SSH ]
        if proto == 'SSH' and ('ssh' in self.fingerprint or
                               self.fingerprint == 'all'):
            # Extract SSH identification string and correlate with KEXINIT msg
            if 'protocol' in packet.ssh.field_names:
                key = '{}:{}_{}:{}'.format(
                    sourceIp,
                    packet.tcp.srcport,
                    destinationIp,
                    packet.tcp.dstport)
                self.protocol_dict[key] = packet.ssh.protocol
            if 'message_code' not in packet.ssh.field_names:
                return
            if packet.ssh.message_code != '20':
                return
            # log the anomalous / retransmission packets
            if ("analysis_retransmission" in packet.tcp.field_names or
                    "analysis_spurious_retransmission" in packet.tcp.field_names):
                event = event_log(packet, event="retransmission")
                if record and self.jlog:
                    self.logger.info(json.dumps(event))
                return
            # Client HASSH
            if int(packet.tcp.srcport) > int(packet.tcp.dstport):
                record = self.client_hassh(packet)
                # Print the result
                if self.pout:
                    tmp = ('{sip}:{sp} -> {dip}:{dp} [SSH] hassh={hassh} client={client}')
                    tmp = tmp.format(
                        sip=record['sourceIp'],
                        sp=record['sourcePort'],
                        dip=record['destinationIp'],
                        dp=record['destinationPort'],
                        client=record['ssh']['client'],
                        hassh=record['ssh']['hassh'],
                    )
                    print(tmp)
            # Server HASSH
            elif int(packet.tcp.srcport) < int(packet.tcp.dstport):
                record = self.server_hassh(packet)
                # Print the result
                if self.pout:
                    tmp = ('{sip}:{sp} -> {dip}:{dp} [SSH] hasshS={hasshs} server={server}')
                    tmp = tmp.format(
                        sip=record['sourceIp'],
                        sp=record['sourcePort'],
                        dip=record['destinationIp'],
                        dp=record['destinationPort'],
                        server=record['ssh']['server'],
                        hasshs=record['ssh']['hasshServer'],
                    )
                    print(tmp)
            if record and self.jlog:
                self.logger.info(json.dumps(record))
            return

        # [ TLS ]
        # TODO: extract tls certificates
        elif proto == 'TLS' and ('tls' in self.fingerprint or
                                 self.fingerprint == 'all'):
            if 'record_content_type' not in packet.tls.field_names:
                return
            # Content Type: Handshake (22)
            if packet.tls.record_content_type != '22':
                return
            # Handshake Type: Client Hello (1) / Server Hello (2)
            if 'handshake_type' not in packet.tls.field_names:
                return
            htype = packet.tls.handshake_type
            if not (htype == '1' or htype == '2'):
                return
            # log the anomalous / retransmission packets
            if ("analysis_retransmission" in packet.tcp.field_names or
                    "analysis_spurious_retransmission" in packet.tcp.field_names):
                event = event_log(packet, event="retransmission")
            # JA3
            if htype == '1':
                record = self.client_ja3(packet)
                # Print the result
                if self.pout:
                    tmp = ('{sip}:{sp} -> {dip}:{dp} [TLS] ja3={ja3} serverName={sname}')
                    tmp = tmp.format(
                        sip=record['sourceIp'],
                        sp=record['sourcePort'],
                        dip=record['destinationIp'],
                        dp=record['destinationPort'],
                        sname=record['tls']['serverName'],
                        ja3=record['tls']['ja3'],
                    )
                    print(tmp)
            elif htype == '2':
                record = self.server_ja3(packet)
                # Print the result
                if self.pout:
                    tmp = (
                        '{sip}:{sp} -> {dip}:{dp} [TLS] ja3s={ja3s}')
                    tmp = tmp.format(
                        sip=record['sourceIp'],
                        sp=record['sourcePort'],
                        dip=record['destinationIp'],
                        dp=record['destinationPort'],
                        ja3s=record['tls']['ja3s'],
                    )
                    print(tmp)
            if record and self.jlog:
                self.logger.info(json.dumps(record))
            return

        # [ RDP ]
        elif proto == 'RDP' and ('rdp' in self.fingerprint or
                                 self.fingerprint == 'all'):
            # Extract RDP cookie & negotiate request and correlate with ClientData msg
            key = None
            if 'rt_cookie' or 'negreq_requestedprotocols':
                key = '{}:{}_{}:{}'.format(
                    sourceIp,
                    packet.tcp.srcport,
                    destinationIp,
                    packet.tcp.dstport)
                if 'rt_cookie' in packet.rdp.field_names:
                    cookie = packet.rdp.rt_cookie.replace('Cookie: ', '')
                    self.rdp_dict[key]["cookie"] = cookie
                if 'negreq_requestedprotocols' in packet.rdp.field_names:
                    req_protos = packet.rdp.negreq_requestedprotocols
                    self.rdp_dict[key]["req_protos"] = req_protos
                    # TLS/CredSSP (not standard RDP security protocols)
                    if req_protos != "0x00000000":
                        record = {
                            "timestamp": packet.sniff_time.isoformat(),
                            "sourceIp": sourceIp,
                            "destinationIp": destinationIp,
                            "sourcePort": packet.tcp.srcport,
                            "destinationPort": packet.tcp.dstport,
                            "protocol": "rdp",
                            "rdp": {
                                "requestedProtocols": req_protos
                            }
                        }
                        if self.pout:
                            tmp = (
                                '{sip}:{sp} -> {dip}:{dp} [RDP] req_protocols={proto}')
                            tmp = tmp.format(
                                sip=record['sourceIp'],
                                sp=record['sourcePort'],
                                dip=record['destinationIp'],
                                dp=record['destinationPort'],
                                proto=record['rdp']['requestedProtocols']
                            )
                            print(tmp)
                        if self.jlog:
                            self.logger.info(json.dumps(record))
            if 'clientdata' not in packet.rdp.field_names:
                return
            if ("analysis_retransmission" in packet.tcp.field_names or
                    "analysis_spurious_retransmission" in packet.tcp.field_names):
                event = event_log(packet, event="retransmission")
                if self.jlog:
                    self.logger.info(json.dumps(event))
                return
            # Client RDFP
            record = self.client_rdfp(packet)
            # Print the result
            if self.pout:
                tmp = ('{sip}:{sp} -> {dip}:{dp} [RDP] rdfp={rdfp} cookie="{cookie}" req_protocols={proto}')
                tmp = tmp.format(
                    sip=record['sourceIp'],
                    sp=record['sourcePort'],
                    dip=record['destinationIp'],
                    dp=record['destinationPort'],
                    rdfp=record['rdp']['rdfp'],
                    cookie=record['rdp']['cookie'],
                    proto=record['rdp']['requestedProtocols']
                )
                print(tmp)
            if record and self.jlog:
                self.logger.info(json.dumps(record))
            return

        # [ HTTP ]
        elif (proto == 'HTTP' or proto == 'DATA-TEXT-LINES') and \
                ('http' in self.fingerprint or self.fingerprint == 'all'):
            if 'request' in packet.http.field_names:
                record = self.client_http(packet)
                # Print the result
                if self.pout:
                    tmp = ('{sip}:{sp} -> {dip}:{dp} [HTTP] hash={hash} userAgent="{ua}"')
                    tmp = tmp.format(
                        sip=record['sourceIp'],
                        sp=record['sourcePort'],
                        dip=record['destinationIp'],
                        dp=record['destinationPort'],
                        hash=record['http']['clientHeaderHash'],
                        ua=record['http']['userAgent'],
                    )
                    print(tmp)
            elif 'response' in packet.http.field_names:
                record = self.server_http(packet)
                # Print the result
                if self.pout:
                    tmp = ('{sip}:{sp} -> {dip}:{dp} [HTTP] hash={hash} server={server}')
                    tmp = tmp.format(
                        sip=record['sourceIp'],
                        sp=record['sourcePort'],
                        dip=record['destinationIp'],
                        dp=record['destinationPort'],
                        hash=record['http']['serverHeaderHash'],
                        server=record['http']['server'],
                    )
                    print(tmp)
            if record and self.jlog:
                self.logger.info(json.dumps(record))
            return

        # [ GQUIC ]
        elif proto == 'GQUIC' and ('gquic' in self.fingerprint or 
                                    self.fingerprint == 'all'):
            if 'tag' in packet.gquic.field_names:
                if packet.gquic.tag == 'CHLO':
                    record = self.client_gquic(packet)
                    # Print the result
                    if self.pout:
                        tmp = ('{sip}:{sp} -> {dip}:{dp} [GQUIC] UAID="{ua}" SNI={sn} AEAD={ea} KEXS={kex}')
                        tmp = tmp.format(
                            sip=record['sourceIp'],
                            sp=record['sourcePort'],
                            dip=record['destinationIp'],
                            dp=record['destinationPort'],
                            ua=record['gquic']['uaid'],
                            sn=record['gquic']['sni'],
                            ea=record['gquic']['aead'],
                            kex=record['gquic']['kexs']
                        )
                        print(tmp)
                if record and self.jlog:
                    self.logger.info(json.dumps(record))
                return
            
        # [ QUIC ]
        elif proto == 'QUIC' and ('quic' in self.fingerprint or 
                                  self.fingerprint == 'all'):

            if packet.quic.tls_handshake_type == '1':
                record = self.client_quic(packet)

                if self.pout:
                    tmp = ('{sip}:{sp} -> {dip}:{dp} [QUIC] serverName="{sn}" VER={ver}')
                    tmp = tmp.format(
                        sip=record['sourceIp'], 
                        sp=record['sourcePort'],    
                        dip=record['destinationIp'],
                        dp=record['destinationPort'],
                        ver=record['quic']['ver'],
                        sn=record['quic']['sni']
                    )
                    print(tmp)
                if record and self.jlog:
                    self.logger.info(json.dumps(record))
                return
 
        return

    def client_hassh(self, packet):
        """returns HASSH (i.e. SSH Client Fingerprint)
        HASSH = md5(KEX;EACTS;MACTS;CACTS)
        """
        protocol = None
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        key = '{}:{}_{}:{}'.format(
            sourceIp,
            packet.tcp.srcport,
            destinationIp,
            packet.tcp.dstport)
        if key in self.protocol_dict:
            protocol = self.protocol_dict[key]
        # hassh fields
        ckex = ceacts = cmacts = ccacts = ""
        if 'kex_algorithms' in packet.ssh.field_names:
            ckex = packet.ssh.kex_algorithms
        if 'encryption_algorithms_client_to_server' in packet.ssh.field_names:
            ceacts = packet.ssh.encryption_algorithms_client_to_server
        if 'mac_algorithms_client_to_server' in packet.ssh.field_names:
            cmacts = packet.ssh.mac_algorithms_client_to_server
        if 'compression_algorithms_client_to_server' in packet.ssh.field_names:
            ccacts = packet.ssh.compression_algorithms_client_to_server
        # Log other kexinit fields (only in JSON)
        clcts = clstc = ceastc = cmastc = ccastc = cshka = ""
        if 'languages_client_to_server' in packet.ssh.field_names:
            clcts = packet.ssh.languages_client_to_server
        if 'languages_server_to_client' in packet.ssh.field_names:
            clstc = packet.ssh.languages_server_to_client
        if 'encryption_algorithms_server_to_client' in packet.ssh.field_names:
            ceastc = packet.ssh.encryption_algorithms_server_to_client
        if 'mac_algorithms_server_to_client' in packet.ssh.field_names:
            cmastc = packet.ssh.mac_algorithms_server_to_client
        if 'compression_algorithms_server_to_client' in packet.ssh.field_names:
            ccastc = packet.ssh.compression_algorithms_server_to_client
        if 'server_host_key_algorithms' in packet.ssh.field_names:
            cshka = packet.ssh.server_host_key_algorithms
        # Create hassh
        hassh_str = ';'.join([ckex, ceacts, cmacts, ccacts])
        hassh = md5(hassh_str.encode()).hexdigest()
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.tcp.srcport,
            "destinationPort": packet.tcp.dstport,
            "protocol": 'ssh',
            "ssh": {
                "client": protocol,
                "hassh": hassh,
                "hasshAlgorithms": hassh_str,
                "hasshVersion": HASSH_VERSION,
                "ckex": ckex,
                "ceacts": ceacts,
                "cmacts": cmacts,
                "ccacts": ccacts,
                "clcts": clcts,
                "clstc": clstc,
                "ceastc": ceastc,
                "cmastc": cmastc,
                "ccastc": ccastc,
                "cshka": cshka
            }
        }
        return record

    def server_hassh(self, packet):
        """returns HASSHServer (i.e. SSH Server Fingerprint)
        HASSHServer = md5(KEX;EASTC;MASTC;CASTC)
        """
        protocol = None
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        key = '{}:{}_{}:{}'.format(
            sourceIp,
            packet.tcp.srcport,
            destinationIp,
            packet.tcp.dstport)
        if key in self.protocol_dict:
            protocol = self.protocol_dict[key]
        # hasshServer fields
        skex = seastc = smastc = scastc = ""
        if 'kex_algorithms' in packet.ssh.field_names:
            skex = packet.ssh.kex_algorithms
        if 'encryption_algorithms_server_to_client' in packet.ssh.field_names:
            seastc = packet.ssh.encryption_algorithms_server_to_client
        if 'mac_algorithms_server_to_client' in packet.ssh.field_names:
            smastc = packet.ssh.mac_algorithms_server_to_client
        if 'compression_algorithms_server_to_client' in packet.ssh.field_names:
            scastc = packet.ssh.compression_algorithms_server_to_client
        # Log other kexinit fields (only in JSON)
        slcts = slstc = seacts = smacts = scacts = sshka = ""
        if 'languages_client_to_server' in packet.ssh.field_names:
            slcts = packet.ssh.languages_client_to_server
        if 'languages_server_to_client' in packet.ssh.field_names:
            slstc = packet.ssh.languages_server_to_client
        if 'encryption_algorithms_client_to_server' in packet.ssh.field_names:
            seacts = packet.ssh.encryption_algorithms_client_to_server
        if 'mac_algorithms_client_to_server' in packet.ssh.field_names:
            smacts = packet.ssh.mac_algorithms_client_to_server
        if 'compression_algorithms_client_to_server' in packet.ssh.field_names:
            scacts = packet.ssh.compression_algorithms_client_to_server
        if 'server_host_key_algorithms' in packet.ssh.field_names:
            sshka = packet.ssh.server_host_key_algorithms
        # Create hasshServer
        hasshs_str = ';'.join([skex, seastc, smastc, scastc])
        hasshs = md5(hasshs_str.encode()).hexdigest()
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.tcp.srcport,
            "destinationPort": packet.tcp.dstport,
            "protocol": 'ssh',
            "ssh": {
                "server": protocol,
                "hasshServer": hasshs,
                "hasshServerAlgorithms": hasshs_str,
                "hasshVersion": HASSH_VERSION,
                "skex": skex,
                "seastc": seastc,
                "smastc": smastc,
                "scastc": scastc,
                "slcts": slcts,
                "slstc": slstc,
                "seacts": seacts,
                "smacts": smacts,
                "scacts": scacts,
                "sshka": sshka
            }
        }
        return record

    def client_ja3(self, packet):
        # GREASE_TABLE Ref: https://tools.ietf.org/html/draft-davidben-tls-grease-00
        GREASE_TABLE = ['2570', '6682', '10794', '14906', '19018', '23130',
                        '27242', '31354', '35466', '39578', '43690', '47802',
                        '51914', '56026', '60138', '64250']
        # ja3 fields
        tls_version = ciphers = extensions = elliptic_curve = ec_pointformat = ""
        if 'handshake_version' in packet.tls.field_names:
            tls_version = int(packet.tls.handshake_version, 16)
            tls_version = str(tls_version)
        if 'handshake_ciphersuite' in packet.tls.field_names:
            cipher_list = [
                c.show for c in packet.tls.handshake_ciphersuite.fields
                if c.show not in GREASE_TABLE]
            ciphers = '-'.join(cipher_list)
        if 'handshake_extension_type' in packet.tls.field_names:
            extension_list = [
                e.show for e in packet.tls.handshake_extension_type.fields
                if e.show not in GREASE_TABLE]
            extensions = '-'.join(extension_list)
        if 'handshake_extensions_supported_group' in packet.tls.field_names:
            ec_list = [str(int(ec.show, 16)) for ec in
                       packet.tls.handshake_extensions_supported_group.fields
                       if str(int(ec.show, 16)) not in GREASE_TABLE]
            elliptic_curve = '-'.join(ec_list)
        if 'handshake_extensions_ec_point_format' in packet.tls.field_names:
            ecpf_list = [ecpf.show for ecpf in
                         packet.tls.handshake_extensions_ec_point_format.fields
                         if ecpf.show not in GREASE_TABLE]
            ec_pointformat = '-'.join(ecpf_list)
        # TODO: log other non-ja3 fields
        server_name = ""
        if 'handshake_extensions_server_name' in packet.tls.field_names:
            server_name = packet.tls.handshake_extensions_server_name
        # Create ja3
        ja3_string = ','.join([
            tls_version, ciphers, extensions, elliptic_curve, ec_pointformat])
        ja3 = md5(ja3_string.encode()).hexdigest()
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.tcp.srcport,
            "destinationPort": packet.tcp.dstport,
            "protocol": "tls",
            "tls": {
                "serverName": server_name,
                "ja3": ja3,
                "ja3Algorithms": ja3_string,
                "ja3Version": tls_version,
                "ja3Ciphers": ciphers,
                "ja3Extensions": extensions,
                "ja3Ec": elliptic_curve,
                "ja3EcFmt": ec_pointformat
            }
        }
        return record

    def server_ja3(self, packet):
        # GREASE_TABLE Ref: https://tools.ietf.org/html/draft-davidben-tls-grease-00
        GREASE_TABLE = ['2570', '6682', '10794', '14906', '19018', '23130',
                        '27242', '31354', '35466', '39578', '43690', '47802',
                        '51914', '56026', '60138', '64250']
        # ja3s fields
        tls_version = ciphers = extensions = ""
        if 'handshake_version' in packet.tls.field_names:
            tls_version = int(packet.tls.handshake_version, 16)
            tls_version = str(tls_version)
        if 'handshake_ciphersuite' in packet.tls.field_names:
            cipher_list = [
                c.show for c in packet.tls.handshake_ciphersuite.fields
                if c.show not in GREASE_TABLE]
            ciphers = '-'.join(cipher_list)
        if 'handshake_extension_type' in packet.tls.field_names:
            extension_list = [
                e.show for e in packet.tls.handshake_extension_type.fields
                if e.show not in GREASE_TABLE]
            extensions = '-'.join(extension_list)
        # TODO: log other non-ja3s fields
        # Create ja3s
        ja3s_string = ','.join([
            tls_version, ciphers, extensions])
        ja3s = md5(ja3s_string.encode()).hexdigest()
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.tcp.srcport,
            "destinationPort": packet.tcp.dstport,
            "protocol": "tls",
            "tls": {
                "ja3s": ja3s,
                "ja3sAlgorithms": ja3s_string,
                "ja3sVersion": tls_version,
                "ja3sCiphers": ciphers,
                "ja3sExtensions": extensions
            }
        }
        return record

    def client_rdfp(self, packet):
        """returns ClientData message fields and RDFP (experimental fingerprint)
        RDFP = md5(verMajor,verMinor,clusterFlags,encryptionMethods,extEncMethods,channelDef)
        """
        # RDP fields
        verMajor = verMinor = desktopWidth = desktopHeight = colorDepth = \
            sasSequence = keyboardLayout = clientBuild = clientName = \
            keyboardSubtype = keyboardType = keyboardFuncKey = postbeta2ColorDepth \
            = clientProductId = serialNumber = highColorDepth = \
            supportedColorDepths = earlyCapabilityFlags = clientDigProductId = \
            connectionType = pad1Octet = clusterFlags = encryptionMethods = \
            extEncMethods = channelCount = channelDef = cookie = req_protos = ""

        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        key = '{}:{}_{}:{}'.format(
            sourceIp,
            packet.tcp.srcport,
            destinationIp,
            packet.tcp.dstport)
        if key in self.rdp_dict and "cookie" in self.rdp_dict[key]:
            cookie = self.rdp_dict[key]["cookie"]
        if key in self.rdp_dict and "req_protos" in self.rdp_dict[key]:
            req_protos = self.rdp_dict[key]["req_protos"]

        # Client Core Data
        # https://msdn.microsoft.com/en-us/library/cc240510.aspx
        if 'version_major' in packet.rdp.field_names:
            verMajor = packet.rdp.version_major
        if 'version_minor' in packet.rdp.field_names:
            verMinor = packet.rdp.version_minor
        if 'desktop_width' in packet.rdp.field_names:
            desktopWidth = packet.rdp.desktop_width
        if 'desktop_height' in packet.rdp.field_names:
            desktopHeight = packet.rdp.desktop_height
        if 'colordepth' in packet.rdp.field_names:
            colorDepth = packet.rdp.colordepth
        if 'sassequence' in packet.rdp.field_names:
            sasSequence = packet.rdp.sassequence
        if 'keyboardlayout' in packet.rdp.field_names:
            keyboardLayout = packet.rdp.keyboardlayout
        if 'client_build' in packet.rdp.field_names:
            clientBuild = packet.rdp.client_build
        if 'client_name' in packet.rdp.field_names:
            clientName = packet.rdp.client_name
        if 'keyboard_subtype' in packet.rdp.field_names:
            keyboardSubtype = packet.rdp.keyboard_subtype
        if 'keyboard_type' in packet.rdp.field_names:
            keyboardType = packet.rdp.keyboard_type
        if 'keyboard_functionkey' in packet.rdp.field_names:
            keyboardFuncKey = packet.rdp.keyboard_functionkey
        if 'postbeta2colordepth' in packet.rdp.field_names:
            postbeta2ColorDepth = packet.rdp.postbeta2colordepth
        if 'client_productid' in packet.rdp.field_names:
            clientProductId = packet.rdp.client_productid
        if 'serialnumber' in packet.rdp.field_names:
            serialNumber = packet.rdp.serialnumber
        if 'highcolordepth' in packet.rdp.field_names:
            highColorDepth = packet.rdp.highcolordepth
        if 'supportedcolordepths' in packet.rdp.field_names:
            supportedColorDepths = packet.rdp.supportedcolordepths
        if 'earlycapabilityflags' in packet.rdp.field_names:
            earlyCapabilityFlags = packet.rdp.earlycapabilityflags
        if 'client_digproductid' in packet.rdp.field_names:
            clientDigProductId = packet.rdp.client_digproductid
        if 'connectiontype' in packet.rdp.field_names:
            connectionType = packet.rdp.connectiontype
        if 'pad1octet' in packet.rdp.field_names:
            pad1Octet = packet.rdp.pad1octet.raw_value

        # Client Cluster Data
        # https://msdn.microsoft.com/en-us/library/cc240514.aspx
        if 'clusterflags' in packet.rdp.field_names:
            clusterFlags_raw = packet.rdp.clusterflags.raw_value
            # convert to little-endian
            clusterFlags = struct.pack('<L', int(clusterFlags_raw, base=16))
            clusterFlags = clusterFlags.hex()

        # Client Security Data
        # Only for "Standard RDP Security mechanisms"
        # https://msdn.microsoft.com/en-us/library/cc240511.aspx
        if 'encryptionmethods' in packet.rdp.field_names:
            encryptionMethods_raw = packet.rdp.encryptionmethods.raw_value
            # convert to little-endian
            encryptionMethods = struct.pack('<L', int(encryptionMethods_raw, base=16))
            encryptionMethods = encryptionMethods.hex()
        # In French locale clients, encryptionMethods MUST be set to zero and
        # extEncryptionMethods MUST be set to the value to which encryptionMethods
        # would have been set.
        if 'extencryptionmethods' in packet.rdp.field_names:
            extEncMethods_raw = packet.rdp.extencryptionmethods.raw_value
            # convert to little-endian
            extEncMethods = struct.pack('<L', int(extEncMethods_raw, base=16))
            extEncMethods = extEncMethods.hex()

        # Client Network Data
        # https://msdn.microsoft.com/en-us/library/cc240512.aspx
        channelDefArray = {}
        if 'channelcount' in packet.rdp.field_names:
            channelCount = packet.rdp.channelcount
            channelDef_temp = []
            for i in range(int(channelCount)):
                name = packet.rdp.name.all_fields[i].show
                options_raw = packet.rdp.options.all_fields[i].raw_value
                # convert to little-endian
                options = struct.pack('<L', int(options_raw, base=16))
                options = options.hex()

                channelDefArray[i] = {
                    "name": name,
                    "options": options
                }
                channelDef_temp.append("{}:{}".format(name, options))
            channelDef = '-'.join(channelDef_temp)

        # Create RDFP
        rdfp_str = ','.join(str(x) for x in [
            verMajor, verMinor, clusterFlags, encryptionMethods, extEncMethods,
            channelDef])

        rdfp = md5(rdfp_str.encode()).hexdigest()
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.tcp.srcport,
            "destinationPort": packet.tcp.dstport,
            "protocol": "rdp",
            "rdp": {
                "cookie": cookie,
                "requestedProtocols": req_protos,
                "rdfp": rdfp,
                "rdfpAlgorithms": rdfp_str,
                "rdfpVersion": RDFP_VERSION,
                "verMajor": verMajor,
                "verMinor": verMinor,
                "desktopWidth": desktopWidth,
                "desktopHeight": desktopHeight,
                "colorDepth": colorDepth,
                "sasSequence": sasSequence,
                "keyboardLayout": keyboardLayout,
                "clientBuild": clientBuild,
                "clientName": clientName,
                "keyboardSubtype": keyboardSubtype,
                "keyboardType": keyboardType,
                "keyboardFuncKey": keyboardFuncKey,
                "postbeta2ColorDepth": postbeta2ColorDepth,
                "clientProductId": clientProductId,
                "serialNumber": serialNumber,
                "highColorDepth": highColorDepth,
                "supportedColorDepths": supportedColorDepths,
                "earlyCapabilityFlags": earlyCapabilityFlags,
                "clientDigProductId": clientDigProductId,
                "connectionType": connectionType,
                "pad1Octet": pad1Octet,
                "clusterFlags": clusterFlags,
                "encryptionMethods": encryptionMethods,
                "extEncMethods": extEncMethods,
                "channelDefArray": channelDefArray
            }
        }
        return record

    def client_http(self, packet):
        # TODO: log full http req header
        REQ_WL = ['', '_ws_expert', 'chat', '_ws_expert_message',
                  '_ws_expert_severity', '_ws_expert_group', 'request_method',
                  'request_uri', 'request_version', 'request_line',
                  'request_full_uri',
                  'request', 'request_number', 'prev_request_in']
        req_headers = [i for i in packet.http.field_names if i not in REQ_WL]
        ua = requestURI = requestFullURI = requestVersion = requestMethod = ""
        if 'user_agent' in packet.http.field_names:
            ua = packet.http.user_agent
        if 'request_uri' in packet.http.field_names:
            requestURI = packet.http.request_uri
        if 'request_full_uri' in packet.http.field_names:
            requestFullURI = packet.http.request_full_uri
        if 'request_version' in packet.http.field_names:
            requestVersion = packet.http.request_version
        if 'request_method' in packet.http.field_names:
            requestMethod = packet.http.request_method
        client_header_ordering = ','.join(req_headers)
        client_header_hash = md5(client_header_ordering.encode('utf-8')).hexdigest()
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.tcp.srcport,
            "destinationPort": packet.tcp.dstport,
            "protocol": "http",
            "http": {
                "requestURI": requestURI,
                "requestFullURI": requestFullURI,
                "requestVersion": requestVersion,
                "requestMethod": requestMethod,
                "userAgent": ua,
                "clientHeaderOrder": client_header_ordering,
                "clientHeaderHash": client_header_hash
            }
        }
        return record

    def server_http(self, packet):
        # TODO: log full http resp header
        RESP_WL = ['', '_ws_expert', 'chat', '_ws_expert_message',
                   '_ws_expert_severity', '_ws_expert_group',
                   'response_version',
                   'response_code', 'response_code_desc', 'response_phrase',
                   'response_line', 'content_length_header', 'response',
                   'response_number', 'time', 'request_in', 'response_for_uri',
                   'file_data', 'prev_request_in', 'prev_response_in']
        resp_headers = [i for i in packet.http.field_names if i not in RESP_WL]
        server_header_ordering = ','.join(resp_headers)
        server_header_hash = md5(
            server_header_ordering.encode('utf-8')).hexdigest()
        server = responseVersion = responseCode = contentLength = ""
        if 'server' in packet.http.field_names:
            server = packet.http.server
        if 'response_version' in packet.http.field_names:
            responseVersion = packet.http.response_version
        if 'response_code' in packet.http.field_names:
            responseCode = packet.http.response_code
        if 'content_length' in packet.http.field_names:
            contentLength = packet.http.content_length
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.tcp.srcport,
            "destinationPort": packet.tcp.dstport,
            "protocol": "http",
            "http": {
                "server": server,
                "responseVersion": responseVersion,
                "responseCode": responseCode,
                "contentLength": contentLength,
                "serverHeaderOrder": server_header_ordering,
                "serverHeaderHash": server_header_hash
            }
        }
        return record

    def client_quic(self, packet):

        ver = sni = None
        print(packet.quic.pretty_print())

        if 'version' in packet.quic.field_names:
            ver = packet.quic.version
        if 'tls_handshake_extensions_server_name' in packet.quic.field_names:
            sni = packet.quic.tls_handshake_extensions_server_name

        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.udp.srcport,
            "destinationPort": packet.udp.dstport,
            "protocol": "quic",
            "quic": {
                "ver": ver,
                "sni": sni
            }
        }
        return record


    def client_gquic(self, packet):
        # https://tools.ietf.org/html/draft-ietf-quic-transport-20
        sni = uaid = ver = stk = pdmd = ccs = ccrt = aead = scid = smhl = mids \
            = kexs = xlct = copt = ccrt = None
        if 'tag_sni' in packet.gquic.field_names:
            sni = packet.gquic.tag_sni
        if 'tag_uaid' in packet.gquic.field_names:
            uaid = packet.gquic.tag_uaid
        if 'tag_version' in packet.gquic.field_names:
            ver = packet.gquic.tag_version
        if 'tag_stk' in packet.gquic.field_names:
            stk = packet.gquic.tag_stk.raw_value
        if 'tag_pdmd' in packet.gquic.field_names:
            pdmd = packet.gquic.tag_pdmd
        if 'tag_ccs' in packet.gquic.field_names:
            ccs = packet.gquic.tag_ccs.raw_value
        if 'tag_ccrt' in packet.gquic.field_names:
            ccrt = packet.gquic.tag_ccrt.raw_value
        if 'tag_aead' in packet.gquic.field_names:
            aead = packet.gquic.tag_aead
        if 'tag_scid' in packet.gquic.field_names:
            scid = packet.gquic.tag_scid.raw_value
        if 'tag_smhl' in packet.gquic.field_names:
            smhl = packet.gquic.tag_smhl
        if 'tag_mids' in packet.gquic.field_names:
            mids = packet.gquic.tag_mids
        if 'tag_kexs' in packet.gquic.field_names:
            kexs = packet.gquic.tag_kexs
        if 'tag_xlct' in packet.gquic.field_names:
            xlct = packet.gquic.tag_xlct.raw_value
        if 'tag_copt' in packet.gquic.field_names:
            copt = packet.gquic.tag_copt
        if 'tag_ccrt' in packet.gquic.field_names:
            ccrt = packet.gquic.tag_ccrt.raw_value
        sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
        destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
        record = {
            "timestamp": packet.sniff_time.isoformat(),
            "sourceIp": sourceIp,
            "destinationIp": destinationIp,
            "sourcePort": packet.udp.srcport,
            "destinationPort": packet.udp.dstport,
            "protocol": "gquic",
            "gquic": {
                "tagNumber": packet.gquic.tag_number,
                "sni": sni,
                "uaid": uaid,
                "ver": ver,
                "aead": aead,
                "smhl": smhl,
                "mids": mids,
                "kexs": kexs,
                "xlct": xlct,
                "copt": copt,
                "ccrt": ccrt,
                # you can uncomment the following fields
                # TODO: cfcw, sfcw, irtt, csct, sclc, pubs, icsl, smhl, tcid, scid?!
                "stk": stk,
                "pdmd": pdmd,
                "ccs": ccs,
                "ccrt": ccrt,
                "scid": scid
            }
        }
        return record


def event_log(packet, event):
    """log the anomalous packets"""
    if event == "retransmission":
        event_message = "This packet is a (suspected) retransmission"
    # Report the event (only for JSON output)
    sourceIp = packet.ipv6.src if 'ipv6' in packet else packet.ip.src
    destinationIp = packet.ipv6.dst if 'ipv6' in packet else packet.ip.dst
    msg = {"timestamp": packet.sniff_time.isoformat(),
           "eventType": event,
           "eventMessage": event_message,
           "sourceIp": sourceIp,
           "destinationIp": destinationIp,
           "sourcePort": packet.tcp.srcport,
           "destinationPort": packet.tcp.dstport}
    return msg


def parse_cmd_args():
    """parse command line arguments"""
    desc = """A python script for extracting network fingerprints"""
    parser = argparse.ArgumentParser(description=(desc))
    helptxt = "pcap file to process"
    parser.add_argument('-r', '--read_file', type=str, help=helptxt)
    helptxt = "directory of pcap files to process"
    parser.add_argument('-d', '--read_directory', type=str, help=helptxt)
    helptxt = "listen on interface"
    parser.add_argument('-i', '--interface', type=str, help=helptxt)
    helptxt = "protocols to fingerprint. Default: all"
    parser.add_argument(
        '-fp',
        '--fingerprint',
        nargs='*',
        default='all',
        choices=['tls', 'ssh', 'rdp', 'http', 'gquic', 'quic'],
        help=helptxt)
    helptxt = "a dictionary of {decode_criterion_string: decode_as_protocol} \
        that is used to tell tshark to decode protocols in situations it \
        wouldn't usually."
    parser.add_argument(
        '-da', '--decode_as', type=json.loads, default=DECODE_AS, help=helptxt)
    helptxt = "BPF capture filter to use (for live capture only).'"
    parser.add_argument(
        '-f', '--bpf_filter', type=str, default=CAP_BPF_FILTER, help=helptxt)
    helptxt = "log the output in json format"
    parser.add_argument(
        '-j', '--json_logging', action="store_true", help=helptxt)
    helptxt = "specify the output log file. Default: fatt.log"
    parser.add_argument(
        '-o', '--output_file', default='fatt.log', type=str, help=helptxt)
    helptxt = "save the live captured packets to this file"
    parser.add_argument(
        '-w', '--write_pcap', default=None, type=str, help=helptxt)
    helptxt = "print the output"
    parser.add_argument(
        '-p', '--print_output', action="store_true", help=helptxt)
    return parser.parse_args()


def setup_logging(logfile):
    """setup logging"""
    logger = logging.getLogger()
    handler = logging.FileHandler(logfile)
    formatter = logging.Formatter('%(message)s')
    handler.setFormatter(formatter)
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def main():
    """intake arguments from the user and extract RDP client fingerprints."""
    global DISPLAY_FILTER
    args = parse_cmd_args()
    setup_logging(args.output_file)
    fingerprint = args.fingerprint
    jlog = args.json_logging
    pout = args.print_output

    pp = ProcessPackets(fingerprint, jlog, pout)

    # Process PCAP file
    if args.read_file:
        cap = pyshark.FileCapture(
            args.read_file,
            display_filter=DISPLAY_FILTER,
            keep_packets=False,
            decode_as=args.decode_as)
        try:
            for packet in cap:
                pp.process(packet)
            cap.close()
            cap.eventloop.stop()
        except Exception as e:
            print('Error: {}'.format(e))
            pass
    # Process directory of PCAP files
    elif args.read_directory:
        files = [f.path for f in os.scandir(args.read_directory)
                 if not f.name.startswith('.') and not f.is_dir() and
                 (f.name.endswith(".pcap") or f.name.endswith(".pcapng") or
                 f.name.endswith(".cap"))]
        for file in files:
            cap = pyshark.FileCapture(
                file,
                display_filter=DISPLAY_FILTER,
                keep_packets=False,
                decode_as=args.decode_as)
            try:
                for packet in cap:
                    pp.process(packet)
                cap.close()
                cap.eventloop.stop()
            except Exception as e:
                print('Error: {}'.format(e))
                pass

    # Capture live network traffic
    elif args.interface:
        if args.write_pcap:
            DISPLAY_FILTER = None
        # TODO: Use a Ring Buffer (LiveRingCapture), when the issue is fixed:
        # https://github.com/KimiNewt/pyshark/issues/299
        cap = pyshark.LiveCapture(
            interface=args.interface,
            decode_as=args.decode_as,
            display_filter=DISPLAY_FILTER,
            bpf_filter=args.bpf_filter,
            output_file=args.write_pcap)
        try:
            cap.apply_on_packets(pp.process)
        except (KeyboardInterrupt, SystemExit):
            print("Exiting..\nBYE o/\n")


if __name__ == '__main__':
    main()