
Re: Passive Network Sensor External Application

Posted: Wed Aug 14, 2013 10:31 am
by tubosunedward
Can anyone help make the attached code return a 0 or 2 so I can integrate it with Nagios? The code listens passively to broadcast traffic (either ARP or UDP) and displays the IP addresses seen and the time intervals.

=========================


import sys
import string
import datetime
import socket
from datetime import datetime
from scapy.all import *
# Capture settings. m_iface and default_gw are assigned here but nothing in
# the visible code reads them (sniff() below is called without iface=).
m_iface = "eth0"
default_gw = "192.168.26.2"
COUNTER_SLOTS = 5
TIMEOUT = 20          # minutes of silence after which a host's next packet opens a new session
SCREEN_REFRESH = 15   # seconds between redraws of the host table
circular_counter = [0] * COUNTER_SLOTS   # allocated but not used by the visible code

# Per-host session bookkeeping, keyed by dotted-quad source address and
# holding epoch seconds: first packet of the current session / most recent packet.
session_start = {}
session_stop = {}
last_printed = 0      # epoch second of the last table redraw; 0 forces the first one

# Friendly labels shown next to an address in the table.
# NOTE(review): "196.168.26.254" and "192.167.26.237" lie outside the
# 192.168.26 prefix that arp_counter() accepts, so those two labels can never
# be printed -- presumably typos, confirm with the author before relying on them.
host_names = {
    "196.168.26.254": u'macbook',
    "192.167.26.237": u'testlocal',
    "192.168.26.238": u'xp1',
    "192.168.26.239": u'xp2',
    "192.168.26.2": u'default gateway',
}


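def arp_monitor_callback(pkt):
    """sniff() callback: hand the source address of ARP and UDP/IP packets to arp_counter().

    Args:
        pkt: the scapy packet delivered by sniff(). ARP who-has (op 1) and
            is-at (op 2) packets contribute their sender protocol address;
            UDP-over-IP packets contribute the IP source. Other packets are
            ignored. Either value is whatever the sender wrote on the wire,
            so arp_counter() filters it before tracking it.
    """
    # The posted version had this first `return` over-indented, which is a
    # syntax error; the two branches are otherwise unchanged.
    if ARP in pkt and pkt[ARP].op in (1, 2):
        arp_counter(pkt[ARP].psrc)
        return
    if UDP in pkt and IP in pkt:
        arp_counter(pkt[IP].src)
        return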

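def arp_counter(src, prefix="192.168.26."):
    """Record a sighting of *src* and redraw the host table at most every SCREEN_REFRESH seconds.

    Only addresses under *prefix* are tracked; anything else is dropped.
    A host silent for more than TIMEOUT minutes starts a new session on its
    next packet; otherwise the current session's stop time is advanced.

    Args:
        src: dotted-quad source address taken from a sniffed packet. It comes
            straight off the wire and is unauthenticated, so it is matched
            against *prefix* before it is allowed into the session tables.
        prefix: address prefix (with trailing dot) of the monitored subnet.
            Defaults to the value the posted code hard-coded.

    Side effects: updates the module-level session_start / session_stop /
    last_printed and writes the table to stdout.
    """
    global last_printed
    import time  # the posted code relied on scapy's star-import to supply time

    # startswith() instead of find(): the old substring test also accepted
    # addresses such as "10.192.168.26" where the prefix appears mid-string.
    if not src.startswith(prefix):
        return

    tm = int(time.time())
    _update_session(src, tm)

    # The posted code printed the table on every packet and raised
    # UnboundLocalError on `i` between refreshes; the redraw now lives
    # entirely under the refresh check.
    if tm - last_printed > SCREEN_REFRESH:
        last_printed = tm
        _print_sessions(tm)


def _update_session(src, tm):
    """Open a new session for src, or extend the current one, as of epoch second tm."""
    last_seen = session_stop.get(src)
    # '//' keeps the minute arithmetic integral on Python 3 as well as 2.
    if last_seen is None or (tm - last_seen) // 60 > TIMEOUT:
        session_start[src] = tm
    session_stop[src] = tm


def _print_sessions(tm):
    """Write one line per tracked host, ordered by numeric address, to stdout.

    Columns: index, address, label, idle time (h : m), session start/stop
    as dd/mm HH:MM, and session length in minutes.
    """
    sys.stdout.write("-----------------------------------\n")
    # inet_aton() returns the four network-order bytes, so sorting on it
    # orders addresses numerically; key= works on both Python 2 and 3,
    # unlike the cmp= keyword the posted code used.
    for i, k in enumerate(sorted(session_start, key=socket.inet_aton), 1):
        hn = host_names.get(k, u'local_host_machine_ip').ljust(40)
        idle = tm - session_stop[k]
        last_hours = idle // 3600
        last_mins = (idle // 60) % 60
        s_start = datetime.fromtimestamp(session_start[k]).strftime('%d/%m %H:%M')
        s_stop = datetime.fromtimestamp(session_stop[k]).strftime('%d/%m %H:%M')
        length_mins = (session_stop[k] - session_start[k]) // 60
        sys.stdout.write("%d %s\t%s\t%d : %d\t( %s == %s ) %d\n"
                         % (i, k, hn, last_hours, last_mins, s_start, s_stop, length_mins))
    # Flush so the table is visible immediately when stdout is a pipe
    # (e.g. when another program reads this output).
    sys.stdout.flush()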


# Capture until interrupted. store=0 tells scapy not to keep packets after
# the callback has seen them, so memory use stays flat over a long run.
# Raw capture typically requires root / CAP_NET_RAW.
# NOTE(review): m_iface is never passed as iface=, so scapy's default
# interface is used -- confirm that is intended.
p = sniff(store=0, prn=arp_monitor_callback)
Hi, can anyone try to edit this code so it returns a 0 when a packet is seen and a 3 when there are no more packets? You can try running the code as well.


import sys
import string
import datetime
import socket
from datetime import datetime
from scapy.all import *
# Capture settings. m_iface and default_gw are assigned here but nothing in
# the visible code reads them (sniff() below is called without iface=).
m_iface = "eth0"
default_gw = "192.168.26.2"
COUNTER_SLOTS = 5
TIMEOUT = 20          # minutes of silence after which a host's next packet opens a new session
SCREEN_REFRESH = 15   # seconds between redraws of the host table
circular_counter = [0] * COUNTER_SLOTS   # allocated but not used by the visible code

# Per-host session bookkeeping, keyed by dotted-quad source address and
# holding epoch seconds: first packet of the current session / most recent packet.
session_start = {}
session_stop = {}
last_printed = 0      # epoch second of the last table redraw; 0 forces the first one

# Friendly labels shown next to an address in the table.
# NOTE(review): "196.168.26.254" and "192.167.26.237" lie outside the
# 192.168.26 prefix that arp_counter() accepts, so those two labels can never
# be printed -- presumably typos, confirm with the author before relying on them.
host_names = {
    "196.168.26.254": u'macbook',
    "192.167.26.237": u'testlocal',
    "192.168.26.238": u'xp1',
    "192.168.26.239": u'xp2',
    "192.168.26.2": u'default gateway',
}


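def arp_monitor_callback(pkt):
    """sniff() callback: hand the source address of ARP and UDP/IP packets to arp_counter().

    Args:
        pkt: the scapy packet delivered by sniff(). ARP who-has (op 1) and
            is-at (op 2) packets contribute their sender protocol address;
            UDP-over-IP packets contribute the IP source. Other packets are
            ignored. Either value is whatever the sender wrote on the wire,
            so arp_counter() filters it before tracking it.
    """
    # The posted version had this first `return` over-indented, which is a
    # syntax error; the two branches are otherwise unchanged.
    if ARP in pkt and pkt[ARP].op in (1, 2):
        arp_counter(pkt[ARP].psrc)
        return
    if UDP in pkt and IP in pkt:
        arp_counter(pkt[IP].src)
        return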

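def arp_counter(src, prefix="192.168.26."):
    """Record a sighting of *src* and redraw the host table at most every SCREEN_REFRESH seconds.

    Only addresses under *prefix* are tracked; anything else is dropped.
    A host silent for more than TIMEOUT minutes starts a new session on its
    next packet; otherwise the current session's stop time is advanced.

    Args:
        src: dotted-quad source address taken from a sniffed packet. It comes
            straight off the wire and is unauthenticated, so it is matched
            against *prefix* before it is allowed into the session tables.
        prefix: address prefix (with trailing dot) of the monitored subnet.
            Defaults to the value the posted code hard-coded.

    Side effects: updates the module-level session_start / session_stop /
    last_printed and writes the table to stdout.
    """
    global last_printed
    import time  # the posted code relied on scapy's star-import to supply time

    # startswith() instead of find(): the old substring test also accepted
    # addresses such as "10.192.168.26" where the prefix appears mid-string.
    if not src.startswith(prefix):
        return

    tm = int(time.time())
    _update_session(src, tm)

    # The posted code printed the table on every packet and raised
    # UnboundLocalError on `i` between refreshes; the redraw now lives
    # entirely under the refresh check.
    if tm - last_printed > SCREEN_REFRESH:
        last_printed = tm
        _print_sessions(tm)


def _update_session(src, tm):
    """Open a new session for src, or extend the current one, as of epoch second tm."""
    last_seen = session_stop.get(src)
    # '//' keeps the minute arithmetic integral on Python 3 as well as 2.
    if last_seen is None or (tm - last_seen) // 60 > TIMEOUT:
        session_start[src] = tm
    session_stop[src] = tm


def _print_sessions(tm):
    """Write one line per tracked host, ordered by numeric address, to stdout.

    Columns: index, address, label, idle time (h : m), session start/stop
    as dd/mm HH:MM, and session length in minutes.
    """
    sys.stdout.write("-----------------------------------\n")
    # inet_aton() returns the four network-order bytes, so sorting on it
    # orders addresses numerically; key= works on both Python 2 and 3,
    # unlike the cmp= keyword the posted code used.
    for i, k in enumerate(sorted(session_start, key=socket.inet_aton), 1):
        hn = host_names.get(k, u'local_host_machine_ip').ljust(40)
        idle = tm - session_stop[k]
        last_hours = idle // 3600
        last_mins = (idle // 60) % 60
        s_start = datetime.fromtimestamp(session_start[k]).strftime('%d/%m %H:%M')
        s_stop = datetime.fromtimestamp(session_stop[k]).strftime('%d/%m %H:%M')
        length_mins = (session_stop[k] - session_start[k]) // 60
        sys.stdout.write("%d %s\t%s\t%d : %d\t( %s == %s ) %d\n"
                         % (i, k, hn, last_hours, last_mins, s_start, s_stop, length_mins))
    # Flush so the table is visible immediately when stdout is a pipe
    # (e.g. when another program reads this output).
    sys.stdout.flush()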


# Capture until interrupted. store=0 tells scapy not to keep packets after
# the callback has seen them, so memory use stays flat over a long run.
# Raw capture typically requires root / CAP_NET_RAW.
# NOTE(review): m_iface is never passed as iface=, so scapy's default
# interface is used -- confirm that is intended.
p = sniff(store=0, prn=arp_monitor_callback)

Re: Passive Network Sensor External Application

Posted: Thu Aug 15, 2013 9:52 am
by sreinhardt
If you want, you can certainly contact [email protected] for custom development; however, development work is outside the scope of normal forum activities. You might find someone here who is willing to help, but the nagios-plugins mailing list would more likely be a better alternative. In the end, you are going to have to come up with a fair chunk of logic to handle exit codes, modify your current output to suit Nagios, and deal with a few other minor issues.