diff --git a/caputre/ADFA-LD+Syscall+List.txt b/caputre/ADFA-LD+Syscall+List.txt
new file mode 100644
index 0000000000000000000000000000000000000000..b969770196c2194ae5f259228b2edce69418b3dd
--- /dev/null
+++ b/caputre/ADFA-LD+Syscall+List.txt
@@ -0,0 +1,886 @@ +#if !defined(_ASM_GENERIC_UNISTD_H) || defined(__SYSCALL) +#define _ASM_GENERIC_UNISTD_H + +#include <asm/bitsperlong.h> + +/* + * This file contains the system call numbers, based on the + * layout of the x86-64 architecture, which embeds the + * pointer to the syscall in the table. + * + * As a basic principle, no duplication of functionality + * should be added, e.g. we don't use lseek when llseek + * is present. New architectures should use this file + * and implement the less feature-full calls in user space. + */ + +#ifndef __SYSCALL +#define __SYSCALL(x, y) +#endif + +#if __BITS_PER_LONG == 32 || defined(__SYSCALL_COMPAT) +#define __SC_3264(_nr, _32, _64) __SYSCALL(_nr, _32) +#else +#define __SC_3264(_nr, _32, _64) __SYSCALL(_nr, _64) +#endif + +#define __NR_io_setup 0 +__SYSCALL(__NR_io_setup, sys_io_setup) +#define __NR_io_destroy 1 +__SYSCALL(__NR_io_destroy, sys_io_destroy) +#define __NR_io_submit 2 +__SYSCALL(__NR_io_submit, sys_io_submit) +#define __NR_io_cancel 3 +__SYSCALL(__NR_io_cancel, sys_io_cancel) +#define __NR_io_getevents 4 +__SYSCALL(__NR_io_getevents, sys_io_getevents) + +/* fs/xattr.c */ +#define __NR_setxattr 5 +__SYSCALL(__NR_setxattr, sys_setxattr) +#define __NR_lsetxattr 6 +__SYSCALL(__NR_lsetxattr, sys_lsetxattr) +#define __NR_fsetxattr 7 +__SYSCALL(__NR_fsetxattr, sys_fsetxattr) +#define __NR_getxattr 8 +__SYSCALL(__NR_getxattr, sys_getxattr) +#define __NR_lgetxattr 9 +__SYSCALL(__NR_lgetxattr, sys_lgetxattr) +#define __NR_fgetxattr 10 +__SYSCALL(__NR_fgetxattr, sys_fgetxattr) +#define __NR_listxattr 11 +__SYSCALL(__NR_listxattr, sys_listxattr) +#define __NR_llistxattr 12 +__SYSCALL(__NR_llistxattr, sys_llistxattr) +#define __NR_flistxattr 13 +__SYSCALL(__NR_flistxattr, sys_flistxattr) +#define __NR_removexattr 14 +__SYSCALL(__NR_removexattr, sys_removexattr) +#define __NR_lremovexattr 15 +__SYSCALL(__NR_lremovexattr, sys_lremovexattr) +#define __NR_fremovexattr 16 +__SYSCALL(__NR_fremovexattr, sys_fremovexattr) + 
+/* fs/dcache.c */ +#define __NR_getcwd 17 +__SYSCALL(__NR_getcwd, sys_getcwd) + +/* fs/cookies.c */ +#define __NR_lookup_dcookie 18 +__SYSCALL(__NR_lookup_dcookie, sys_lookup_dcookie) + +/* fs/eventfd.c */ +#define __NR_eventfd2 19 +__SYSCALL(__NR_eventfd2, sys_eventfd2) + +/* fs/eventpoll.c */ +#define __NR_epoll_create1 20 +__SYSCALL(__NR_epoll_create1, sys_epoll_create1) +#define __NR_epoll_ctl 21 +__SYSCALL(__NR_epoll_ctl, sys_epoll_ctl) +#define __NR_epoll_pwait 22 +__SYSCALL(__NR_epoll_pwait, sys_epoll_pwait) + +/* fs/fcntl.c */ +#define __NR_dup 23 +__SYSCALL(__NR_dup, sys_dup) +#define __NR_dup3 24 +__SYSCALL(__NR_dup3, sys_dup3) +#define __NR3264_fcntl 25 +__SC_3264(__NR3264_fcntl, sys_fcntl64, sys_fcntl) + +/* fs/inotify_user.c */ +#define __NR_inotify_init1 26 +__SYSCALL(__NR_inotify_init1, sys_inotify_init1) +#define __NR_inotify_add_watch 27 +__SYSCALL(__NR_inotify_add_watch, sys_inotify_add_watch) +#define __NR_inotify_rm_watch 28 +__SYSCALL(__NR_inotify_rm_watch, sys_inotify_rm_watch) + +/* fs/ioctl.c */ +#define __NR_ioctl 29 +__SYSCALL(__NR_ioctl, sys_ioctl) + +/* fs/ioprio.c */ +#define __NR_ioprio_set 30 +__SYSCALL(__NR_ioprio_set, sys_ioprio_set) +#define __NR_ioprio_get 31 +__SYSCALL(__NR_ioprio_get, sys_ioprio_get) + +/* fs/locks.c */ +#define __NR_flock 32 +__SYSCALL(__NR_flock, sys_flock) + +/* fs/namei.c */ +#define __NR_mknodat 33 +__SYSCALL(__NR_mknodat, sys_mknodat) +#define __NR_mkdirat 34 +__SYSCALL(__NR_mkdirat, sys_mkdirat) +#define __NR_unlinkat 35 +__SYSCALL(__NR_unlinkat, sys_unlinkat) +#define __NR_symlinkat 36 +__SYSCALL(__NR_symlinkat, sys_symlinkat) +#define __NR_linkat 37 +__SYSCALL(__NR_linkat, sys_linkat) +#define __NR_renameat 38 +__SYSCALL(__NR_renameat, sys_renameat) + +/* fs/namespace.c */ +#define __NR_umount2 39 +__SYSCALL(__NR_umount2, sys_umount) +#define __NR_mount 40 +__SYSCALL(__NR_mount, sys_mount) +#define __NR_pivot_root 41 +__SYSCALL(__NR_pivot_root, sys_pivot_root) + +/* fs/nfsctl.c */ +#define 
__NR_nfsservctl 42 +__SYSCALL(__NR_nfsservctl, sys_nfsservctl) + +/* fs/open.c */ +#define __NR3264_statfs 43 +__SC_3264(__NR3264_statfs, sys_statfs64, sys_statfs) +#define __NR3264_fstatfs 44 +__SC_3264(__NR3264_fstatfs, sys_fstatfs64, sys_fstatfs) +#define __NR3264_truncate 45 +__SC_3264(__NR3264_truncate, sys_truncate64, sys_truncate) +#define __NR3264_ftruncate 46 +__SC_3264(__NR3264_ftruncate, sys_ftruncate64, sys_ftruncate) + +#define __NR_fallocate 47 +__SYSCALL(__NR_fallocate, sys_fallocate) +#define __NR_faccessat 48 +__SYSCALL(__NR_faccessat, sys_faccessat) +#define __NR_chdir 49 +__SYSCALL(__NR_chdir, sys_chdir) +#define __NR_fchdir 50 +__SYSCALL(__NR_fchdir, sys_fchdir) +#define __NR_chroot 51 +__SYSCALL(__NR_chroot, sys_chroot) +#define __NR_fchmod 52 +__SYSCALL(__NR_fchmod, sys_fchmod) +#define __NR_fchmodat 53 +__SYSCALL(__NR_fchmodat, sys_fchmodat) +#define __NR_fchownat 54 +__SYSCALL(__NR_fchownat, sys_fchownat) +#define __NR_fchown 55 +__SYSCALL(__NR_fchown, sys_fchown) +#define __NR_openat 56 +__SYSCALL(__NR_openat, sys_openat) +#define __NR_close 57 +__SYSCALL(__NR_close, sys_close) +#define __NR_vhangup 58 +__SYSCALL(__NR_vhangup, sys_vhangup) + +/* fs/pipe.c */ +#define __NR_pipe2 59 +__SYSCALL(__NR_pipe2, sys_pipe2) + +/* fs/quota.c */ +#define __NR_quotactl 60 +__SYSCALL(__NR_quotactl, sys_quotactl) + +/* fs/readdir.c */ +#define __NR_getdents64 61 +__SYSCALL(__NR_getdents64, sys_getdents64) + +/* fs/read_write.c */ +#define __NR3264_lseek 62 +__SC_3264(__NR3264_lseek, sys_llseek, sys_lseek) +#define __NR_read 63 +__SYSCALL(__NR_read, sys_read) +#define __NR_write 64 +__SYSCALL(__NR_write, sys_write) +#define __NR_readv 65 +__SYSCALL(__NR_readv, sys_readv) +#define __NR_writev 66 +__SYSCALL(__NR_writev, sys_writev) +#define __NR_pread64 67 +__SYSCALL(__NR_pread64, sys_pread64) +#define __NR_pwrite64 68 +__SYSCALL(__NR_pwrite64, sys_pwrite64) +#define __NR_preadv 69 +__SYSCALL(__NR_preadv, sys_preadv) +#define __NR_pwritev 70 
+__SYSCALL(__NR_pwritev, sys_pwritev) + +/* fs/sendfile.c */ +#define __NR3264_sendfile 71 +__SC_3264(__NR3264_sendfile, sys_sendfile64, sys_sendfile) + +/* fs/select.c */ +#define __NR_pselect6 72 +__SYSCALL(__NR_pselect6, sys_pselect6) +#define __NR_ppoll 73 +__SYSCALL(__NR_ppoll, sys_ppoll) + +/* fs/signalfd.c */ +#define __NR_signalfd4 74 +__SYSCALL(__NR_signalfd4, sys_signalfd4) + +/* fs/splice.c */ +#define __NR_vmsplice 75 +__SYSCALL(__NR_vmsplice, sys_vmsplice) +#define __NR_splice 76 +__SYSCALL(__NR_splice, sys_splice) +#define __NR_tee 77 +__SYSCALL(__NR_tee, sys_tee) + +/* fs/stat.c */ +#define __NR_readlinkat 78 +__SYSCALL(__NR_readlinkat, sys_readlinkat) +#define __NR3264_fstatat 79 +__SC_3264(__NR3264_fstatat, sys_fstatat64, sys_newfstatat) +#define __NR3264_fstat 80 +__SC_3264(__NR3264_fstat, sys_fstat64, sys_newfstat) + +/* fs/sync.c */ +#define __NR_sync 81 +__SYSCALL(__NR_sync, sys_sync) +#define __NR_fsync 82 +__SYSCALL(__NR_fsync, sys_fsync) +#define __NR_fdatasync 83 +__SYSCALL(__NR_fdatasync, sys_fdatasync) +#ifdef __ARCH_WANT_SYNC_FILE_RANGE2 +#define __NR_sync_file_range2 84 +__SYSCALL(__NR_sync_file_range2, sys_sync_file_range2) +#else +#define __NR_sync_file_range 84 +__SYSCALL(__NR_sync_file_range, sys_sync_file_range) +#endif + +/* fs/timerfd.c */ +#define __NR_timerfd_create 85 +__SYSCALL(__NR_timerfd_create, sys_timerfd_create) +#define __NR_timerfd_settime 86 +__SYSCALL(__NR_timerfd_settime, sys_timerfd_settime) +#define __NR_timerfd_gettime 87 +__SYSCALL(__NR_timerfd_gettime, sys_timerfd_gettime) + +/* fs/utimes.c */ +#define __NR_utimensat 88 +__SYSCALL(__NR_utimensat, sys_utimensat) + +/* kernel/acct.c */ +#define __NR_acct 89 +__SYSCALL(__NR_acct, sys_acct) + +/* kernel/capability.c */ +#define __NR_capget 90 +__SYSCALL(__NR_capget, sys_capget) +#define __NR_capset 91 +__SYSCALL(__NR_capset, sys_capset) + +/* kernel/exec_domain.c */ +#define __NR_personality 92 +__SYSCALL(__NR_personality, sys_personality) + +/* kernel/exit.c */ 
+#define __NR_exit 93 +__SYSCALL(__NR_exit, sys_exit) +#define __NR_exit_group 94 +__SYSCALL(__NR_exit_group, sys_exit_group) +#define __NR_waitid 95 +__SYSCALL(__NR_waitid, sys_waitid) + +/* kernel/fork.c */ +#define __NR_set_tid_address 96 +__SYSCALL(__NR_set_tid_address, sys_set_tid_address) +#define __NR_unshare 97 +__SYSCALL(__NR_unshare, sys_unshare) + +/* kernel/futex.c */ +#define __NR_futex 98 +__SYSCALL(__NR_futex, sys_futex) +#define __NR_set_robust_list 99 +__SYSCALL(__NR_set_robust_list, sys_set_robust_list) +#define __NR_get_robust_list 100 +__SYSCALL(__NR_get_robust_list, sys_get_robust_list) + +/* kernel/hrtimer.c */ +#define __NR_nanosleep 101 +__SYSCALL(__NR_nanosleep, sys_nanosleep) + +/* kernel/itimer.c */ +#define __NR_getitimer 102 +__SYSCALL(__NR_getitimer, sys_getitimer) +#define __NR_setitimer 103 +__SYSCALL(__NR_setitimer, sys_setitimer) + +/* kernel/kexec.c */ +#define __NR_kexec_load 104 +__SYSCALL(__NR_kexec_load, sys_kexec_load) + +/* kernel/module.c */ +#define __NR_init_module 105 +__SYSCALL(__NR_init_module, sys_init_module) +#define __NR_delete_module 106 +__SYSCALL(__NR_delete_module, sys_delete_module) + +/* kernel/posix-timers.c */ +#define __NR_timer_create 107 +__SYSCALL(__NR_timer_create, sys_timer_create) +#define __NR_timer_gettime 108 +__SYSCALL(__NR_timer_gettime, sys_timer_gettime) +#define __NR_timer_getoverrun 109 +__SYSCALL(__NR_timer_getoverrun, sys_timer_getoverrun) +#define __NR_timer_settime 110 +__SYSCALL(__NR_timer_settime, sys_timer_settime) +#define __NR_timer_delete 111 +__SYSCALL(__NR_timer_delete, sys_timer_delete) +#define __NR_clock_settime 112 +__SYSCALL(__NR_clock_settime, sys_clock_settime) +#define __NR_clock_gettime 113 +__SYSCALL(__NR_clock_gettime, sys_clock_gettime) +#define __NR_clock_getres 114 +__SYSCALL(__NR_clock_getres, sys_clock_getres) +#define __NR_clock_nanosleep 115 +__SYSCALL(__NR_clock_nanosleep, sys_clock_nanosleep) + +/* kernel/printk.c */ +#define __NR_syslog 116 
+__SYSCALL(__NR_syslog, sys_syslog) + +/* kernel/ptrace.c */ +#define __NR_ptrace 117 +__SYSCALL(__NR_ptrace, sys_ptrace) + +/* kernel/sched.c */ +#define __NR_sched_setparam 118 +__SYSCALL(__NR_sched_setparam, sys_sched_setparam) +#define __NR_sched_setscheduler 119 +__SYSCALL(__NR_sched_setscheduler, sys_sched_setscheduler) +#define __NR_sched_getscheduler 120 +__SYSCALL(__NR_sched_getscheduler, sys_sched_getscheduler) +#define __NR_sched_getparam 121 +__SYSCALL(__NR_sched_getparam, sys_sched_getparam) +#define __NR_sched_setaffinity 122 +__SYSCALL(__NR_sched_setaffinity, sys_sched_setaffinity) +#define __NR_sched_getaffinity 123 +__SYSCALL(__NR_sched_getaffinity, sys_sched_getaffinity) +#define __NR_sched_yield 124 +__SYSCALL(__NR_sched_yield, sys_sched_yield) +#define __NR_sched_get_priority_max 125 +__SYSCALL(__NR_sched_get_priority_max, sys_sched_get_priority_max) +#define __NR_sched_get_priority_min 126 +__SYSCALL(__NR_sched_get_priority_min, sys_sched_get_priority_min) +#define __NR_sched_rr_get_interval 127 +__SYSCALL(__NR_sched_rr_get_interval, sys_sched_rr_get_interval) + +/* kernel/signal.c */ +#define __NR_restart_syscall 128 +__SYSCALL(__NR_restart_syscall, sys_restart_syscall) +#define __NR_kill 129 +__SYSCALL(__NR_kill, sys_kill) +#define __NR_tkill 130 +__SYSCALL(__NR_tkill, sys_tkill) +#define __NR_tgkill 131 +__SYSCALL(__NR_tgkill, sys_tgkill) +#define __NR_sigaltstack 132 +__SYSCALL(__NR_sigaltstack, sys_sigaltstack) +#define __NR_rt_sigsuspend 133 +__SYSCALL(__NR_rt_sigsuspend, sys_rt_sigsuspend) /* __ARCH_WANT_SYS_RT_SIGSUSPEND */ +#define __NR_rt_sigaction 134 +__SYSCALL(__NR_rt_sigaction, sys_rt_sigaction) /* __ARCH_WANT_SYS_RT_SIGACTION */ +#define __NR_rt_sigprocmask 135 +__SYSCALL(__NR_rt_sigprocmask, sys_rt_sigprocmask) +#define __NR_rt_sigpending 136 +__SYSCALL(__NR_rt_sigpending, sys_rt_sigpending) +#define __NR_rt_sigtimedwait 137 +__SYSCALL(__NR_rt_sigtimedwait, sys_rt_sigtimedwait) +#define __NR_rt_sigqueueinfo 138 
+__SYSCALL(__NR_rt_sigqueueinfo, sys_rt_sigqueueinfo) +#define __NR_rt_sigreturn 139 +__SYSCALL(__NR_rt_sigreturn, sys_rt_sigreturn) /* sys_rt_sigreturn_wrapper, */ + +/* kernel/sys.c */ +#define __NR_setpriority 140 +__SYSCALL(__NR_setpriority, sys_setpriority) +#define __NR_getpriority 141 +__SYSCALL(__NR_getpriority, sys_getpriority) +#define __NR_reboot 142 +__SYSCALL(__NR_reboot, sys_reboot) +#define __NR_setregid 143 +__SYSCALL(__NR_setregid, sys_setregid) +#define __NR_setgid 144 +__SYSCALL(__NR_setgid, sys_setgid) +#define __NR_setreuid 145 +__SYSCALL(__NR_setreuid, sys_setreuid) +#define __NR_setuid 146 +__SYSCALL(__NR_setuid, sys_setuid) +#define __NR_setresuid 147 +__SYSCALL(__NR_setresuid, sys_setresuid) +#define __NR_getresuid 148 +__SYSCALL(__NR_getresuid, sys_getresuid) +#define __NR_setresgid 149 +__SYSCALL(__NR_setresgid, sys_setresgid) +#define __NR_getresgid 150 +__SYSCALL(__NR_getresgid, sys_getresgid) +#define __NR_setfsuid 151 +__SYSCALL(__NR_setfsuid, sys_setfsuid) +#define __NR_setfsgid 152 +__SYSCALL(__NR_setfsgid, sys_setfsgid) +#define __NR_times 153 +__SYSCALL(__NR_times, sys_times) +#define __NR_setpgid 154 +__SYSCALL(__NR_setpgid, sys_setpgid) +#define __NR_getpgid 155 +__SYSCALL(__NR_getpgid, sys_getpgid) +#define __NR_getsid 156 +__SYSCALL(__NR_getsid, sys_getsid) +#define __NR_setsid 157 +__SYSCALL(__NR_setsid, sys_setsid) +#define __NR_getgroups 158 +__SYSCALL(__NR_getgroups, sys_getgroups) +#define __NR_setgroups 159 +__SYSCALL(__NR_setgroups, sys_setgroups) +#define __NR_uname 160 +__SYSCALL(__NR_uname, sys_newuname) +#define __NR_sethostname 161 +__SYSCALL(__NR_sethostname, sys_sethostname) +#define __NR_setdomainname 162 +__SYSCALL(__NR_setdomainname, sys_setdomainname) +#define __NR_getrlimit 163 +__SYSCALL(__NR_getrlimit, sys_getrlimit) +#define __NR_setrlimit 164 +__SYSCALL(__NR_setrlimit, sys_setrlimit) +#define __NR_getrusage 165 +__SYSCALL(__NR_getrusage, sys_getrusage) +#define __NR_umask 166 +__SYSCALL(__NR_umask, 
sys_umask) +#define __NR_prctl 167 +__SYSCALL(__NR_prctl, sys_prctl) +#define __NR_getcpu 168 +__SYSCALL(__NR_getcpu, sys_getcpu) + +/* kernel/time.c */ +#define __NR_gettimeofday 169 +__SYSCALL(__NR_gettimeofday, sys_gettimeofday) +#define __NR_settimeofday 170 +__SYSCALL(__NR_settimeofday, sys_settimeofday) +#define __NR_adjtimex 171 +__SYSCALL(__NR_adjtimex, sys_adjtimex) + +/* kernel/timer.c */ +#define __NR_getpid 172 +__SYSCALL(__NR_getpid, sys_getpid) +#define __NR_getppid 173 +__SYSCALL(__NR_getppid, sys_getppid) +#define __NR_getuid 174 +__SYSCALL(__NR_getuid, sys_getuid) +#define __NR_geteuid 175 +__SYSCALL(__NR_geteuid, sys_geteuid) +#define __NR_getgid 176 +__SYSCALL(__NR_getgid, sys_getgid) +#define __NR_getegid 177 +__SYSCALL(__NR_getegid, sys_getegid) +#define __NR_gettid 178 +__SYSCALL(__NR_gettid, sys_gettid) +#define __NR_sysinfo 179 +__SYSCALL(__NR_sysinfo, sys_sysinfo) + +/* ipc/mqueue.c */ +#define __NR_mq_open 180 +__SYSCALL(__NR_mq_open, sys_mq_open) +#define __NR_mq_unlink 181 +__SYSCALL(__NR_mq_unlink, sys_mq_unlink) +#define __NR_mq_timedsend 182 +__SYSCALL(__NR_mq_timedsend, sys_mq_timedsend) +#define __NR_mq_timedreceive 183 +__SYSCALL(__NR_mq_timedreceive, sys_mq_timedreceive) +#define __NR_mq_notify 184 +__SYSCALL(__NR_mq_notify, sys_mq_notify) +#define __NR_mq_getsetattr 185 +__SYSCALL(__NR_mq_getsetattr, sys_mq_getsetattr) + +/* ipc/msg.c */ +#define __NR_msgget 186 +__SYSCALL(__NR_msgget, sys_msgget) +#define __NR_msgctl 187 +__SYSCALL(__NR_msgctl, sys_msgctl) +#define __NR_msgrcv 188 +__SYSCALL(__NR_msgrcv, sys_msgrcv) +#define __NR_msgsnd 189 +__SYSCALL(__NR_msgsnd, sys_msgsnd) + +/* ipc/sem.c */ +#define __NR_semget 190 +__SYSCALL(__NR_semget, sys_semget) +#define __NR_semctl 191 +__SYSCALL(__NR_semctl, sys_semctl) +#define __NR_semtimedop 192 +__SYSCALL(__NR_semtimedop, sys_semtimedop) +#define __NR_semop 193 +__SYSCALL(__NR_semop, sys_semop) + +/* ipc/shm.c */ +#define __NR_shmget 194 +__SYSCALL(__NR_shmget, sys_shmget) 
+#define __NR_shmctl 195 +__SYSCALL(__NR_shmctl, sys_shmctl) +#define __NR_shmat 196 +__SYSCALL(__NR_shmat, sys_shmat) +#define __NR_shmdt 197 +__SYSCALL(__NR_shmdt, sys_shmdt) + +/* net/socket.c */ +#define __NR_socket 198 +__SYSCALL(__NR_socket, sys_socket) +#define __NR_socketpair 199 +__SYSCALL(__NR_socketpair, sys_socketpair) +#define __NR_bind 200 +__SYSCALL(__NR_bind, sys_bind) +#define __NR_listen 201 +__SYSCALL(__NR_listen, sys_listen) +#define __NR_accept 202 +__SYSCALL(__NR_accept, sys_accept) +#define __NR_connect 203 +__SYSCALL(__NR_connect, sys_connect) +#define __NR_getsockname 204 +__SYSCALL(__NR_getsockname, sys_getsockname) +#define __NR_getpeername 205 +__SYSCALL(__NR_getpeername, sys_getpeername) +#define __NR_sendto 206 +__SYSCALL(__NR_sendto, sys_sendto) +#define __NR_recvfrom 207 +__SYSCALL(__NR_recvfrom, sys_recvfrom) +#define __NR_setsockopt 208 +__SYSCALL(__NR_setsockopt, sys_setsockopt) +#define __NR_getsockopt 209 +__SYSCALL(__NR_getsockopt, sys_getsockopt) +#define __NR_shutdown 210 +__SYSCALL(__NR_shutdown, sys_shutdown) +#define __NR_sendmsg 211 +__SYSCALL(__NR_sendmsg, sys_sendmsg) +#define __NR_recvmsg 212 +__SYSCALL(__NR_recvmsg, sys_recvmsg) + +/* mm/filemap.c */ +#define __NR_readahead 213 +__SYSCALL(__NR_readahead, sys_readahead) + +/* mm/nommu.c, also with MMU */ +#define __NR_brk 214 +__SYSCALL(__NR_brk, sys_brk) +#define __NR_munmap 215 +__SYSCALL(__NR_munmap, sys_munmap) +#define __NR_mremap 216 +__SYSCALL(__NR_mremap, sys_mremap) + +/* security/keys/keyctl.c */ +#define __NR_add_key 217 +__SYSCALL(__NR_add_key, sys_add_key) +#define __NR_request_key 218 +__SYSCALL(__NR_request_key, sys_request_key) +#define __NR_keyctl 219 +__SYSCALL(__NR_keyctl, sys_keyctl) + +/* arch/example/kernel/sys_example.c */ +#define __NR_clone 220 +__SYSCALL(__NR_clone, sys_clone) /* .long sys_clone_wrapper */ +#define __NR_execve 221 +__SYSCALL(__NR_execve, sys_execve) /* .long sys_execve_wrapper */ + +#define __NR3264_mmap 222 
+__SC_3264(__NR3264_mmap, sys_mmap2, sys_mmap) +/* mm/fadvise.c */ +#define __NR3264_fadvise64 223 +__SYSCALL(__NR3264_fadvise64, sys_fadvise64_64) + +/* mm/, CONFIG_MMU only */ +#ifndef __ARCH_NOMMU +#define __NR_swapon 224 +__SYSCALL(__NR_swapon, sys_swapon) +#define __NR_swapoff 225 +__SYSCALL(__NR_swapoff, sys_swapoff) +#define __NR_mprotect 226 +__SYSCALL(__NR_mprotect, sys_mprotect) +#define __NR_msync 227 +__SYSCALL(__NR_msync, sys_msync) +#define __NR_mlock 228 +__SYSCALL(__NR_mlock, sys_mlock) +#define __NR_munlock 229 +__SYSCALL(__NR_munlock, sys_munlock) +#define __NR_mlockall 230 +__SYSCALL(__NR_mlockall, sys_mlockall) +#define __NR_munlockall 231 +__SYSCALL(__NR_munlockall, sys_munlockall) +#define __NR_mincore 232 +__SYSCALL(__NR_mincore, sys_mincore) +#define __NR_madvise 233 +__SYSCALL(__NR_madvise, sys_madvise) +#define __NR_remap_file_pages 234 +__SYSCALL(__NR_remap_file_pages, sys_remap_file_pages) +#define __NR_mbind 235 +__SYSCALL(__NR_mbind, sys_mbind) +#define __NR_get_mempolicy 236 +__SYSCALL(__NR_get_mempolicy, sys_get_mempolicy) +#define __NR_set_mempolicy 237 +__SYSCALL(__NR_set_mempolicy, sys_set_mempolicy) +#define __NR_migrate_pages 238 +__SYSCALL(__NR_migrate_pages, sys_migrate_pages) +#define __NR_move_pages 239 +__SYSCALL(__NR_move_pages, sys_move_pages) +#endif + +#define __NR_rt_tgsigqueueinfo 240 +__SYSCALL(__NR_rt_tgsigqueueinfo, sys_rt_tgsigqueueinfo) +#define __NR_perf_event_open 241 +__SYSCALL(__NR_perf_event_open, sys_perf_event_open) +#define __NR_accept4 242 +__SYSCALL(__NR_accept4, sys_accept4) +#define __NR_recvmmsg 243 +__SYSCALL(__NR_recvmmsg, sys_recvmmsg) + +/* + * Architectures may provide up to 16 syscalls of their own + * starting with this value. 
+ */ +#define __NR_arch_specific_syscall 244 + +#define __NR_wait4 260 +__SYSCALL(__NR_wait4, sys_wait4) +#define __NR_prlimit64 261 +__SYSCALL(__NR_prlimit64, sys_prlimit64) +#define __NR_fanotify_init 262 +__SYSCALL(__NR_fanotify_init, sys_fanotify_init) +#define __NR_fanotify_mark 263 +__SYSCALL(__NR_fanotify_mark, sys_fanotify_mark) + +#undef __NR_syscalls +#define __NR_syscalls 264 + +/* + * All syscalls below here should go away really, + * these are provided for both review and as a porting + * help for the C library version. +* + * Last chance: are any of these important enough to + * enable by default? + */ +#ifdef __ARCH_WANT_SYSCALL_NO_AT +#define __NR_open 1024 +__SYSCALL(__NR_open, sys_open) +#define __NR_link 1025 +__SYSCALL(__NR_link, sys_link) +#define __NR_unlink 1026 +__SYSCALL(__NR_unlink, sys_unlink) +#define __NR_mknod 1027 +__SYSCALL(__NR_mknod, sys_mknod) +#define __NR_chmod 1028 +__SYSCALL(__NR_chmod, sys_chmod) +#define __NR_chown 1029 +__SYSCALL(__NR_chown, sys_chown) +#define __NR_mkdir 1030 +__SYSCALL(__NR_mkdir, sys_mkdir) +#define __NR_rmdir 1031 +__SYSCALL(__NR_rmdir, sys_rmdir) +#define __NR_lchown 1032 +__SYSCALL(__NR_lchown, sys_lchown) +#define __NR_access 1033 +__SYSCALL(__NR_access, sys_access) +#define __NR_rename 1034 +__SYSCALL(__NR_rename, sys_rename) +#define __NR_readlink 1035 +__SYSCALL(__NR_readlink, sys_readlink) +#define __NR_symlink 1036 +__SYSCALL(__NR_symlink, sys_symlink) +#define __NR_utimes 1037 +__SYSCALL(__NR_utimes, sys_utimes) +#define __NR3264_stat 1038 +__SC_3264(__NR3264_stat, sys_stat64, sys_newstat) +#define __NR3264_lstat 1039 +__SC_3264(__NR3264_lstat, sys_lstat64, sys_newlstat) + +#undef __NR_syscalls +#define __NR_syscalls (__NR3264_lstat+1) +#endif /* __ARCH_WANT_SYSCALL_NO_AT */ + +#ifdef __ARCH_WANT_SYSCALL_NO_FLAGS +#define __NR_pipe 1040 +__SYSCALL(__NR_pipe, sys_pipe) +#define __NR_dup2 1041 +__SYSCALL(__NR_dup2, sys_dup2) +#define __NR_epoll_create 1042 +__SYSCALL(__NR_epoll_create, 
sys_epoll_create) +#define __NR_inotify_init 1043 +__SYSCALL(__NR_inotify_init, sys_inotify_init) +#define __NR_eventfd 1044 +__SYSCALL(__NR_eventfd, sys_eventfd) +#define __NR_signalfd 1045 +__SYSCALL(__NR_signalfd, sys_signalfd) + +#undef __NR_syscalls +#define __NR_syscalls (__NR_signalfd+1) +#endif /* __ARCH_WANT_SYSCALL_NO_FLAGS */ + +#if (__BITS_PER_LONG == 32 || defined(__SYSCALL_COMPAT)) && \ + defined(__ARCH_WANT_SYSCALL_OFF_T) +#define __NR_sendfile 1046 +__SYSCALL(__NR_sendfile, sys_sendfile) +#define __NR_ftruncate 1047 +__SYSCALL(__NR_ftruncate, sys_ftruncate) +#define __NR_truncate 1048 +__SYSCALL(__NR_truncate, sys_truncate) +#define __NR_stat 1049 +__SYSCALL(__NR_stat, sys_newstat) +#define __NR_lstat 1050 +__SYSCALL(__NR_lstat, sys_newlstat) +#define __NR_fstat 1051 +__SYSCALL(__NR_fstat, sys_newfstat) +#define __NR_fcntl 1052 +__SYSCALL(__NR_fcntl, sys_fcntl) +#define __NR_fadvise64 1053 +#define __ARCH_WANT_SYS_FADVISE64 +__SYSCALL(__NR_fadvise64, sys_fadvise64) +#define __NR_newfstatat 1054 +#define __ARCH_WANT_SYS_NEWFSTATAT +__SYSCALL(__NR_newfstatat, sys_newfstatat) +#define __NR_fstatfs 1055 +__SYSCALL(__NR_fstatfs, sys_fstatfs) +#define __NR_statfs 1056 +__SYSCALL(__NR_statfs, sys_statfs) +#define __NR_lseek 1057 +__SYSCALL(__NR_lseek, sys_lseek) +#define __NR_mmap 1058 +__SYSCALL(__NR_mmap, sys_mmap) + +#undef __NR_syscalls +#define __NR_syscalls (__NR_mmap+1) +#endif /* 32 bit off_t syscalls */ + +#ifdef __ARCH_WANT_SYSCALL_DEPRECATED +#define __NR_alarm 1059 +#define __ARCH_WANT_SYS_ALARM +__SYSCALL(__NR_alarm, sys_alarm) +#define __NR_getpgrp 1060 +#define __ARCH_WANT_SYS_GETPGRP +__SYSCALL(__NR_getpgrp, sys_getpgrp) +#define __NR_pause 1061 +#define __ARCH_WANT_SYS_PAUSE +__SYSCALL(__NR_pause, sys_pause) +#define __NR_time 1062 +#define __ARCH_WANT_SYS_TIME +#define __ARCH_WANT_COMPAT_SYS_TIME +__SYSCALL(__NR_time, sys_time) +#define __NR_utime 1063 +#define __ARCH_WANT_SYS_UTIME +__SYSCALL(__NR_utime, sys_utime) + +#define __NR_creat 
1064 +__SYSCALL(__NR_creat, sys_creat) +#define __NR_getdents 1065 +#define __ARCH_WANT_SYS_GETDENTS +__SYSCALL(__NR_getdents, sys_getdents) +#define __NR_futimesat 1066 +__SYSCALL(__NR_futimesat, sys_futimesat) +#define __NR_select 1067 +#define __ARCH_WANT_SYS_SELECT +__SYSCALL(__NR_select, sys_select) +#define __NR_poll 1068 +__SYSCALL(__NR_poll, sys_poll) +#define __NR_epoll_wait 1069 +__SYSCALL(__NR_epoll_wait, sys_epoll_wait) +#define __NR_ustat 1070 +__SYSCALL(__NR_ustat, sys_ustat) +#define __NR_vfork 1071 +__SYSCALL(__NR_vfork, sys_vfork) +#define __NR_oldwait4 1072 +__SYSCALL(__NR_oldwait4, sys_wait4) +#define __NR_recv 1073 +__SYSCALL(__NR_recv, sys_recv) +#define __NR_send 1074 +__SYSCALL(__NR_send, sys_send) +#define __NR_bdflush 1075 +__SYSCALL(__NR_bdflush, sys_bdflush) +#define __NR_umount 1076 +__SYSCALL(__NR_umount, sys_oldumount) +#define __ARCH_WANT_SYS_OLDUMOUNT +#define __NR_uselib 1077 +__SYSCALL(__NR_uselib, sys_uselib) +#define __NR__sysctl 1078 +__SYSCALL(__NR__sysctl, sys_sysctl) + +#define __NR_fork 1079 +#ifdef CONFIG_MMU +__SYSCALL(__NR_fork, sys_fork) +#else +__SYSCALL(__NR_fork, sys_ni_syscall) +#endif /* CONFIG_MMU */ + +#undef __NR_syscalls +#define __NR_syscalls (__NR_fork+1) + +#endif /* __ARCH_WANT_SYSCALL_DEPRECATED */ + +/* + * 32 bit systems traditionally used different + * syscalls for off_t and loff_t arguments, while + * 64 bit systems only need the off_t version. + * For new 32 bit platforms, there is no need to + * implement the old 32 bit off_t syscalls, so + * they take different names. + * Here we map the numbers so that both versions + * use the same syscall table layout. 
+ */ +#if __BITS_PER_LONG == 64 && !defined(__SYSCALL_COMPAT) +#define __NR_fcntl __NR3264_fcntl +#define __NR_statfs __NR3264_statfs +#define __NR_fstatfs __NR3264_fstatfs +#define __NR_truncate __NR3264_truncate +#define __NR_ftruncate __NR3264_ftruncate +#define __NR_lseek __NR3264_lseek +#define __NR_sendfile __NR3264_sendfile +#define __NR_newfstatat __NR3264_fstatat +#define __NR_fstat __NR3264_fstat +#define __NR_mmap __NR3264_mmap +#define __NR_fadvise64 __NR3264_fadvise64 +#ifdef __NR3264_stat +#define __NR_stat __NR3264_stat +#define __NR_lstat __NR3264_lstat +#endif +#else +#define __NR_fcntl64 __NR3264_fcntl +#define __NR_statfs64 __NR3264_statfs +#define __NR_fstatfs64 __NR3264_fstatfs +#define __NR_truncate64 __NR3264_truncate +#define __NR_ftruncate64 __NR3264_ftruncate +#define __NR_llseek __NR3264_lseek +#define __NR_sendfile64 __NR3264_sendfile +#define __NR_fstatat64 __NR3264_fstatat +#define __NR_fstat64 __NR3264_fstat +#define __NR_mmap2 __NR3264_mmap +#define __NR_fadvise64_64 __NR3264_fadvise64 +#ifdef __NR3264_stat +#define __NR_stat64 __NR3264_stat +#define __NR_lstat64 __NR3264_lstat +#endif +#endif + +#ifdef __KERNEL__ + +/* + * These are required system calls, we should + * invert the logic eventually and let them + * be selected by default. + */ +#if __BITS_PER_LONG == 32 +#define __ARCH_WANT_STAT64 +#define __ARCH_WANT_SYS_LLSEEK +#endif +#define __ARCH_WANT_SYS_RT_SIGACTION +#define __ARCH_WANT_SYS_RT_SIGSUSPEND +#define __ARCH_WANT_COMPAT_SYS_RT_SIGSUSPEND + +/* + * "Conditional" syscalls + * + * What we want is __attribute__((weak,alias("sys_ni_syscall"))), + * but it doesn't work on all toolchains, so we just do it by hand + */ +#ifndef cond_syscall +#define cond_syscall(x) asm(".weak\t" #x "\n\t.set\t" #x ",sys_ni_syscall") +#endif + +#endif /* __KERNEL__ */ +#endif /* _ASM_GENERIC_UNISTD_H */ 
diff --git a/caputre/__pycache__/capturetask.cpython-311.pyc b/caputre/__pycache__/capturetask.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..798deef3751d9768ee40140dbc6315739e931acb
Binary files /dev/null and b/caputre/__pycache__/capturetask.cpython-311.pyc differ
diff --git a/caputre/__pycache__/demoscapture.cpython-311.pyc b/caputre/__pycache__/demoscapture.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..32c4b1491070317d35957b9f7930721e12b43cd9
Binary files /dev/null and b/caputre/__pycache__/demoscapture.cpython-311.pyc differ
diff --git a/caputre/__pycache__/messagejobs.cpython-311.pyc b/caputre/__pycache__/messagejobs.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..f28f5d769c83b2ccfd186e19fda63282f809793c
Binary files /dev/null and b/caputre/__pycache__/messagejobs.cpython-311.pyc differ
diff --git a/caputre/__pycache__/safemap.cpython-311.pyc b/caputre/__pycache__/safemap.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..308a8241445f9b4d6a69bff86fc059d08149d139
Binary files /dev/null and b/caputre/__pycache__/safemap.cpython-311.pyc differ
diff --git a/caputre/capturetask.py b/caputre/capturetask.py
new file mode 100644
index 0000000000000000000000000000000000000000..e12bdfb8dca9ffcde25dde0c9a2ed2c7276345b8
--- /dev/null
+++ b/caputre/capturetask.py
@@ -0,0 +1,375 @@ +# -*- coding: utf-8 -*- +import ctypes as ct +import libpcap as pcap +from concurrent.futures import ThreadPoolExecutor +from scapy.all import * +import threading +import socket +import json +import msgpack # 使用 msgpack 替代 JSON +from safemap import * +from demoscapture import * +local_ip = socket.gethostbyname(socket.gethostname()) + +# 初始化错误缓冲区 +errbuf = ct.create_string_buffer(pcap.PCAP_ERRBUF_SIZE + 1) +running = True +selected_device = None +clients = [] +packet_queue = Queue() # 全局队列,用于存储捕获的数据包 +# 获取所有网络设备 +def list_devices(): + alldevs = ct.POINTER(pcap.pcap_if_t)() + if pcap.findalldevs(ct.byref(alldevs), errbuf) == -1: + print("Error finding devices: ", errbuf.value.decode()) + return [] + + devices = [] + dev = alldevs + while dev: + devices.append(dev.contents.name.decode()) + dev = dev.contents.next + + pcap.freealldevs(alldevs) + return devices + +# 打印并返回 Payload +def print_payload(packet): + try: + if packet.haslayer(Raw): + payload = packet[Raw].load.decode(errors='ignore') + return payload + except Exception as e: + print(f"Error printing payload: {e}") + return "nodata" + +def compute_statistics(srcIp,destIp): + pass +# 判断是否为 HTTP 报文 +def is_http_packet(packet): + try: + if packet.haslayer(Raw): + payload = packet[Raw].load.decode(errors='ignore') + if payload.startswith(('GET', 'POST', 'HEAD', 'PUT', 'DELETE', 'OPTIONS', 'PATCH')) or 'HTTP/' in payload: + return True, payload + except Exception: + pass + return False, None +# 判断是否为 FTP 报文 +def is_ftp_packet(packet): + try: + if packet.haslayer(Raw): + payload = packet[Raw].load.decode(errors='ignore') + if payload.startswith(('USER', 'PASS', 'RETR', 'STOR', 'LIST', 'QUIT')): + return True, payload + except Exception: + pass + return False, None +# 判断是否为 SSH 报文 +def is_ssh_packet(packet): + try: + if packet.haslayer(TCP): + # SSH 默认端口为 22 + if packet[TCP].sport == 22 or packet[TCP].dport == 22: + return True + if packet.haslayer(Raw): + payload = 
packet[Raw].load.decode(errors='ignore') + if payload.startswith('SSH-'): + return True + except Exception: + pass + return False +# 判断是否为 Telnet 报文 +def is_telnet_packet(packet): + try: + if packet.haslayer(TCP): + # Telnet 默认端口为 23 + if packet[TCP].sport == 23 or packet[TCP].dport == 23: + return True + except Exception: + pass + return False +# 判断是否为 ARP 报文 +def is_arp_packet(packet): + try: + if packet.haslayer(ARP): + return True + except Exception: + pass + return False + +# 检查报文类型 +def check_packet_type(packet): + """检测报文类型,并返回主要类型和协议详情""" + # HTTP 检测 + is_http, http_payload = is_http_packet(packet) + if is_http: + return "HTTP", {"http_payload": http_payload} + + # FTP 检测 + is_ftp, ftp_payload = is_ftp_packet(packet) + if is_ftp: + return "FTP", {"ftp_payload": ftp_payload} + + # SSH 检测 + if is_ssh_packet(packet): + return "SSH", {} + + # Telnet 检测 + if is_telnet_packet(packet): + return "Telnet", {} + + # ARP 检测 + if packet.haslayer(ARP): + return "ARP", { + "hw_src": packet[ARP].hwsrc, + "hw_dst": packet[ARP].hwdst, + "p_src": packet[ARP].psrc, + "p_dst": packet[ARP].pdst, + } + + # ICMP 检测 + if packet.haslayer(ICMP): + return "ICMP", { + "icmp_type": packet[ICMP].type, + "icmp_code": packet[ICMP].code, + } + + # DNS 检测 + if packet.haslayer(DNS): + if packet[DNS].qd: + return "DNS", { + "query_name": packet[DNS].qd.qname.decode(), + "query_type": packet[DNS].qd.qtype, + } + + # 普通 TCP 检测 + if packet.haslayer(TCP): + return "TCP", {} + + # 普通 UDP 检测 + if packet.haslayer(UDP): + return "UDP", {} + + return "Unknown", {} +def packet_handler(packet): + global clients + try: + # 获取当前主机的 IP 地址 + packet_data = { + "host_ip": local_ip, # 添加主机 IP 地址 + "ip_src": None, + "ip_dst": None, + "chioce":"dataPacket", + "type": "Unknown", + "payload": None, + "protocol_details": {}, + "Fwd_Header_Length": "N/A", + "Packet_length":"N/A", + "timestamp": packet.time, + "window_size":"N/A" + } + # 获取 IP 层信息 + if packet.haslayer(IP): + packet_data["ip_src"] = packet[IP].src + 
packet_data["ip_dst"] = packet[IP].dst + + # 获取 TCP 信息 + if packet.haslayer(TCP): + packet_data["type"] = "TCP" + packet_data["src_port"] = packet[TCP].sport + packet_data["dst_port"] = packet[TCP].dport + ip_header_length = packet[IP].ihl * 4 # IP 头部长度(字节) + tcp_header_length = packet[TCP].dataofs * 4 # TCP 头部长度(字节) + packet_data["Fwd_Header_Length"] = ip_header_length + tcp_header_length + packet_data["window_size"] = packet[TCP].window # 提取 TCP 窗口大小字段 + # 获取 UDP 信息 + elif packet.haslayer(UDP): + packet_data["type"] = "UDP" + packet_data["src_port"] = packet[UDP].sport + packet_data["dst_port"] = packet[UDP].dport + ip_header_length = packet[IP].ihl * 4 # IP 头部长度(字节) + udp_header_length = 8 # UDP 头部长度固定为 8 字节 + packet_data["Fwd_Header_Length"] = ip_header_length + udp_header_length + # 获取 ARP 信息 + elif packet.haslayer(ARP): + packet_data["type"] = "ARP" + packet_data["protocol_details"] = { + "hw_src": packet[ARP].hwsrc, + "hw_dst": packet[ARP].hwdst, + "p_src": packet[ARP].psrc, + "p_dst": packet[ARP].pdst, + } + # 获取 ICMP 信息 + elif packet.haslayer(ICMP): + packet_data["type"] = "ICMP" + packet_data["protocol_details"] = { + "icmp_type": packet[ICMP].type, + "icmp_code": packet[ICMP].code + } + ip_header_length = packet[IP].ihl * 4 # IP 头部长度(字节) + icmp_header_length = 8 # ICMP 通常固定为 8 字节(视 ICMP 类型而定) + packet_data["Fwd_Header_Length"] = ip_header_length + icmp_header_length + # 获取 DNS 信息 + elif packet.haslayer(DNS): + packet_data["type"] = "DNS" + if packet[DNS].qd: + packet_data["protocol_details"] = { + "query_name": packet[DNS].qd.qname.decode(), + "query_type": packet[DNS].qd.qtype + } + # 检查其他协议类型 + packet_type, protocol_details = check_packet_type(packet) + packet_data["type"] = packet_type + packet_data["protocol_details"].update(protocol_details) + packet_data["Packet_length"] = len(packet) + packs= print_payload(packet) + if packs!="nodata": + # 获取 Raw Payload + packet_data["payload"] = '{}'.format(packs) + else: + packet_data["payload"]="" + # 
将数据发送给所有连接的客户端 + if packet_data.get("ip_src")!=local_ip: + packet_queue.put(packet_data) + # 在控制台打印信息 + if packet_data["type"]=="TCP": + print(f"Regular TCP Packet: From {packet_data['ip_src']}:{packet_data.get('src_port')} To {packet_data['ip_dst']}:{packet_data.get('dst_port')} (Host: {local_ip})") + if packet_data["type"]=="UDP": + print(f"Regular UDP Packet: From {packet_data['ip_src']}:{packet_data.get('src_port')} To {packet_data['ip_dst']}:{packet_data.get('dst_port')} (Host: {local_ip})") + if packet_data["type"] == "ICMP": + print(f"ICMP Packet: Type={packet_data['protocol_details']['icmp_type']} Code={packet_data['protocol_details']['icmp_code']} (Host: {local_ip})") + if packet_data["type"] == "DNS": + print(f"DNS Query: {packet_data['protocol_details']['query_name']} Type={packet_data['protocol_details']['query_type']} (Host: {local_ip})") + if packet_data["type"] == "ARP": + print(f"ARP Packet: Who has {packet_data['protocol_details']['p_dst']}? Tell {packet_data['protocol_details']['p_src']} (Host: {local_ip})") + if not packet_data["ip_src"] or not packet_data["ip_dst"]: + pass + else: + putPackect('{}:{}'.format(packet_data["ip_src"],packet_data.get('src_port')), + '{}:{}'.format( packet_data["ip_dst"],packet_data.get('dst_port')), packet_data) + except Exception as e: + print(f"Error parsing packet: {e}") +# 捕获网络流量 +def capture_packets(interface): + global running + print(f"Starting capture on interface: {interface}") + try: + running = True # 启动捕获 + sniff(iface=interface, prn=packet_handler, store=False, stop_filter=lambda x: not running) + except Exception as e: + print(f"Error capturing packets on {interface}: {e}") +# 切换设备时停止捕获 +# 处理客户端连接 +def handle_client(client_socket): + global running, selected_device + try: + buffer = "" # 初始化一个空字符串缓冲区 + while True: + data = client_socket.recv(4096) # 接收数据 + if not data: + break # 如果数据为空,退出 + buffer = data.decode("utf-8").strip() # 解码并去掉多余的空白字符 + print(buffer) + command = json.loads(buffer, strict=False) 
+ # 处理客户端的命令 + if command.get("action") == "fetch_next": + # 从队列中取出一条数据并发送 + if not packet_queue.empty(): + next_packet = packet_queue.get() # 从队列中获取数据包 + client_socket.sendall(json.dumps(next_packet).encode("utf-8")) # 发送数据包 + else: + # 队列为空时通知客户端 + client_socket.sendall(json.dumps({"chioce": "dataPacketNone", "status": "empty","message": "No packets available"}).encode("utf-8")) + elif command.get("action") == "stop": + print("Stopping packet capture...") + running = False + client_socket.sendall(json.dumps({"chioce": "stops", "ip": local_ip}).encode("utf-8")) + break + elif command.get("action") == "status": + client_socket.sendall(json.dumps( + {"chioce": "controlstatus", "status": "running", "ip": local_ip, + "device": selected_device}).encode("utf-8")) + elif command.get("action") == "list_devices": + # 返回可用设备列表 + devices = list_devices() + client_socket.sendall( + json.dumps({"chioce": "controldevice", "ip": local_ip, "devices": devices}).encode("utf-8")) + elif command.get("action") == "switch_device": + # 切换捕获设备 + new_device = command.get("device") + if new_device in list_devices(): + print(f"Switching to device: {new_device}") + running = False + threading.Event().wait(1) # 简单延迟,确保当前线程完全停止 + selected_device = new_device + running = True + threading.Thread(target=capture_packets, args=(selected_device,), daemon=True).start() + client_socket.sendall(json.dumps( + {"chioce": "controlswitch", "status": "switched", "ip": local_ip, + "device": new_device}).encode("utf-8")) + else: + client_socket.sendall( + json.dumps({"chioce": "controlerror", "error": "Invalid device"}).encode("utf-8")) + else: + # 如果命令未知,则返回错误信息 + client_socket.sendall( + json.dumps({"chioce": "controlerror", "error": "Unknown command"}).encode("utf-8")) + + except Exception as e: + print(f"Error handling client: {e}") + finally: + pass + + +def tcp_server(): + import socket + global clients + server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + server.bind(("0.0.0.0", 9999)) + 
server.listen(5) + print("TCP server listening on port 9999...") + while True: + client_socket, addr = server.accept() + print(f"Accepted connection from {addr}") + clients.append(client_socket) + threading.Thread(target=handle_client, args=(client_socket,), daemon=True).start() +def main(): + global running, selected_device + # 启动 TCP 服务器线程 + threading.Thread(target=tcp_server, daemon=True).start() + + # 列出所有网络设备 + devices = list_devices() + if not devices: + print("No devices found.") + return + + print("Available devices:") + for i, dev in enumerate(devices): + print(f"{i}: {dev}") + + # 选择初始设备 + try: + choice = int(input("Select a device by index: ")) + if choice < 0 or choice >= len(devices): + print("Invalid choice.") + return + except ValueError: + print("Invalid input.") + return + + selected_device = devices[choice] + print(f"Selected device: {selected_device}") + + # 开始捕获流量 + threading.Thread(target=capture_packets, args=(selected_device,), daemon=True).start() + threading.Thread(target=monitor, args=(selected_device,), daemon=True).start() + try: + while True: + threading.Event().wait(1) # 每秒钟等待,避免高 CPU 占用 + except KeyboardInterrupt: + print("\nStopping...") + running = False +# if __name__ == "__main__": +# main() diff --git a/caputre/demoscapture.py b/caputre/demoscapture.py new file mode 100644 index 0000000000000000000000000000000000000000..73d1ab38d6b8cbc51caf01675625c5c07391ac26 --- /dev/null +++ b/caputre/demoscapture.py 
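Review bot: `handle_client` executes whatever JSON `action` arrives on the socket that `tcp_server` binds to `0.0.0.0:9999`, so any host that can reach the port can stop the capture, switch the interface, and drain captured records through `fetch_next` — records whose `payload` and `ftp_payload` fields carry the raw application data that `is_ftp_packet` classifies from `USER`/`PASS` lines — with no authentication or peer check anywhere in the hunk; at minimum bind the listener to `127.0.0.1` or require a shared secret before the `action` dispatch. `print_payload` falls off the end and returns `None` when the packet has no `Raw` layer, so the `packs!="nodata"` branch stores the literal string `'None'` as the payload; move `return "nodata"` out of the `except` so it is the function's final statement. `handle_client` also treats each `recv(4096)` as exactly one JSON document, which breaks on a split or coalesced message, and its `finally: pass` neither closes the socket nor removes it from `clients`, so the list only ever grows.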
@@ -0,0 +1,162 @@ +# -*- coding: utf-8 -*- + + +# 配置网络接口 + # 请根据您的系统更换网卡接口 +# Destination Port Flow Duration Total Fwd Packets +# Total Backward Packets Total Length of Fwd Packets Total Length of Bwd Packets +# Fwd Packet Length Max Fwd Packet Length Min Fwd Packet Length Mean Fwd Packet Length Std +# Bwd Packet Length Max Bwd Packet Length Min Bwd Packet Length Mean Bwd Packet Length Std +# Flow Bytes/s Flow Packets/s Flow IAT Mean Flow IAT Std Flow IAT Max Flow IAT Min Fwd IAT Total +# Fwd IAT Mean Fwd IAT Std Fwd IAT Max Fwd IAT Min Bwd IAT Total Bwd IAT Mean Bwd IAT Std +# Bwd IAT Max Bwd IAT Min Fwd PSH Flags Bwd PSH Flags Fwd URG Flags Bwd URG Flags Fwd Header Length +# Bwd Header Length Fwd Packets/s Bwd Packets/s Min Packet Length Max Packet Length +# Packet Length Mean Packet Length Std Packet Length Variance FIN Flag Count SYN Flag Count +# RST Flag Count PSH Flag Count ACK Flag Count URG Flag Count CWE Flag Count ECE Flag Count +# Down/Up Ratio Average Packet Size Avg Fwd Segment Size Avg Bwd Segment Size +# Fwd Header Length Fwd Avg Bytes/Bulk Fwd Avg Packets/Bulk Fwd Avg Bulk Rate +# Bwd Avg Bytes/Bulk Bwd Avg Packets/Bulk Bwd Avg Bulk Rate Subflow Fwd Packets +# Subflow Fwd Bytes Subflow Bwd Packets Subflow Bwd Bytes Init_Win_bytes_forward +# Init_Win_bytes_backward act_data_pkt_fwd min_seg_size_forward +# Active Mean Active Std Active Max Active Min Idle Mean Idle Std Idle Max Idle Min + + +from nfstream import NFStreamer +from safemap import * +# 配置网络接口 +INTERFACE = r"eth0" # 请根据您的系统更换网卡接口 +def format_nflow(flow): + """ + 从 NFlow 对象提取特性并返回格式化的数据字典。 + """ + try: + total_fwd_packets = flow.src2dst_packets + total_bwd_packets = flow.dst2src_packets + total_fwd_bytes = flow.src2dst_bytes + total_bwd_bytes = flow.dst2src_bytes + total_packets = total_fwd_packets + total_bwd_packets + total_bytes = total_fwd_bytes + total_bwd_bytes + + # 假设有计算 forward bulk 的辅助属性 + # num_forward_bulks = flow.src2dst_bulk_count # 前向块数量 + # total_bulk_duration = 
flow.src2dst_bulk_duration_ms / 1000.0 + + # 计算字段 + down_up_ratio = round(total_bwd_bytes / total_fwd_bytes) if total_fwd_bytes > 0 else 0 + average_packet_size = (total_bytes / total_packets) if total_packets > 0 else 0 + avg_fwd_segment_size = (total_fwd_bytes / total_fwd_packets) if total_fwd_packets > 0 else 0 + avg_bwd_segment_size = (total_bwd_bytes / total_bwd_packets) if total_bwd_packets > 0 else 0 + + subflow_fwd_packets = flow.src2dst_packets + subflow_fwd_bytes = flow.src2dst_bytes + subflow_bwd_packets = flow.dst2src_packets + subflow_bwd_bytes = flow.dst2src_bytes + + # TCP 初始化窗口大小 + init_win_bytes_forward = getattr(flow, "src2dst_init_window_size", "N/A") + init_win_bytes_backward = getattr(flow, "dst2src_init_window_size", "N/A") + + formatted_data = { + "Destination Port": flow.dst_port, + "Source Port":flow.src_port, + "Flow Duration (ms)": flow.bidirectional_duration_ms, + "Total Fwd Packets": flow.src2dst_packets, + "Total Backward Packets": flow.dst2src_packets, + "Total Length of Fwd Packets": flow.src2dst_bytes, + "Total Length of Bwd Packets": flow.dst2src_bytes, + "Fwd Packet Length Max": getattr(flow, "src2dst_max_ps", "N/A"), + "Fwd Packet Length Min": getattr(flow, "src2dst_min_ps", "N/A"), + "Fwd Packet Length Mean": getattr(flow, "src2dst_mean_ps", "N/A"), + "Fwd Packet Length Stddev": getattr(flow, "src2dst_stddev_ps", "N/A"), + "Bwd Packet Length Max": getattr(flow, "dst2src_max_ps", "N/A"), + "Bwd Packet Length Min": getattr(flow, "dst2src_min_ps", "N/A"), + "Bwd Packet Length Mean": getattr(flow, "dst2src_mean_ps", "N/A"), + "Bwd Packet Length Stddev": getattr(flow, "dst2src_stddev_ps", "N/A"), + "Flow Bytes/s": flow.bidirectional_bytes / flow.bidirectional_duration_ms * 1000 if flow.bidirectional_duration_ms > 0 else 0, + "Flow Packets/s": flow.bidirectional_packets / flow.bidirectional_duration_ms * 1000 if flow.bidirectional_duration_ms > 0 else 0, + "Flow IAT Mean (ms)": getattr(flow, "bidirectional_mean_piat_ms", "N/A"), + 
"Flow IAT Stddev (ms)": getattr(flow, "bidirectional_stddev_piat_ms", "N/A"), + "Flow IAT Max (ms)": getattr(flow, "bidirectional_max_piat_ms", "N/A"), + "Flow IAT Min (ms)": getattr(flow, "bidirectional_min_piat_ms", "N/A"), + "Fwd IAT Mean (ms)": getattr(flow, "src2dst_mean_piat_ms", "N/A"), + "Fwd IAT Stddev (ms)": getattr(flow, "src2dst_stddev_piat_ms", "N/A"), + "Fwd IAT Max (ms)": getattr(flow, "src2dst_max_piat_ms", "N/A"), + "Fwd IAT Min (ms)": getattr(flow, "src2dst_min_piat_ms", "N/A"), + "Bwd IAT Mean (ms)": getattr(flow, "dst2src_mean_piat_ms", "N/A"), + "Bwd IAT Stddev (ms)": getattr(flow, "dst2src_stddev_piat_ms", "N/A"), + "Bwd IAT Max (ms)": getattr(flow, "dst2src_max_piat_ms", "N/A"), + "Bwd IAT Min (ms)": getattr(flow, "dst2src_min_piat_ms", "N/A"), + "Fwd PSH Flags": getattr(flow, "src2dst_psh_packets", "N/A"), + "Bwd PSH Flags": getattr(flow, "dst2src_psh_packets", "N/A"), + "Fwd URG Flags": getattr(flow, "src2dst_urg_packets", "N/A"), + "Bwd URG Flags": getattr(flow, "dst2src_urg_packets", "N/A"), + + "Fwd Packets/s": flow.src2dst_packets / ( + flow.bidirectional_duration_ms / 1000) if flow.bidirectional_duration_ms > 0 else 0, + "Bwd Packets/s": flow.dst2src_packets / ( + flow.bidirectional_duration_ms / 1000) if flow.bidirectional_duration_ms > 0 else 0, + 'down_up_ratio':down_up_ratio, + 'average_packet_size':average_packet_size, + 'avg_fwd_segment_size':avg_fwd_segment_size, + 'avg_bwd_segment_size':avg_bwd_segment_size, + "Packet Length Mean": getattr(flow, "bidirectional_mean_ps", "N/A"), + "Packet Length Std": getattr(flow, "bidirectional_stddev_ps", "N/A"), + "FIN Flag Count": getattr(flow, "bidirectional_fin_packets", "N/A"), + "SYN Flag Count": getattr(flow, "bidirectional_syn_packets", "N/A"), + "RST Flag Count": getattr(flow, "bidirectional_rst_packets", "N/A"), + "PSH Flag Count": getattr(flow, "bidirectional_psh_packets", "N/A"), + "ACK Flag Count": getattr(flow, "bidirectional_ack_packets", "N/A"), + "URG Flag Count": 
getattr(flow, "bidirectional_urg_packets", "N/A"), + "CWE Flag Count": getattr(flow, "bidirectional_cwr_packets", "N/A"), + "ECE Flag Count": getattr(flow, "bidirectional_ece_packets", "N/A"), + "Subflow Fwd Packets": subflow_fwd_packets, + "Subflow Fwd Bytes": subflow_fwd_bytes, + "Subflow Bwd Packets": subflow_bwd_packets, + "Subflow Bwd Bytes": subflow_bwd_bytes, + "Application Name": flow.application_name, + "Application Category": flow.application_category_name, + "Protocol": flow.protocol, + "IP Version": flow.ip_version, + "Source IP": flow.src_ip, + "Destination IP": flow.dst_ip, + } + putPacketAnaylsy(formatted_data,"{}:{}".format(flow.src_ip,flow.src_port), + "{}:{}".format( + flow.dst_ip,flow.dst_port),flow.src_ip,flow.dst_ip) + + return formatted_data + except AttributeError as e: + print(f"Error processing flow: {e}") + return None +def print_nflow(flow): + """ + 打印格式化的 NFlow 数据。 + """ + formatted_data = format_nflow(flow) + if formatted_data: + for key, value in formatted_data.items(): + print(f"{key}: {value}") + print("\n" + "=" * 50 + "\n") + +# 使用 NFStreamer 实时监控 +def monitor(interface): + print(f"Starting real-time flow monitoring on interface: {interface}") + streamer = NFStreamer( + source=interface, + decode_tunnels=True, + promiscuous_mode=True, + snapshot_length=65535, + idle_timeout=10, # 等待 10 秒无新数据时输出流 + active_timeout=30, # 最长 30 秒就强制输出流 + statistical_analysis=True # 启用统计分析以生成额外字段 + ) + for flow in streamer: + print_nflow(flow) + +# +# if __name__ == "__main__": +# monitor(interface=INTERFACE) # 替换为您的网卡接口 + + + + diff --git a/caputre/ebpfdemos.py b/caputre/ebpfdemos.py new file mode 100644 index 0000000000000000000000000000000000000000..847c3ecef974d416ce803fd2a94d730ec41d7db4 --- /dev/null +++ b/caputre/ebpfdemos.py 
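Review bot: `format_nflow` publishes as a side effect — it calls `putPacketAnaylsy(formatted_data, ...)` just before `return formatted_data` — so `print_nflow`, which reads as a console helper, is what actually pushes every flow toward Kafka, and no caller can obtain the dict without triggering a send. Keeping `format_nflow` pure and calling the publish step explicitly from `monitor` would make the data path visible in one place. The `getattr(flow, ..., "N/A")` fallbacks put the string `"N/A"` into otherwise numeric fields; if the consumer of these records is numeric (not visible here), `None` serialises to null and is the safer sentinel. `except AttributeError` drops the whole flow with only a print, so a single missing NFStreamer attribute silently empties the stream; logging the flow's `src_ip`/`dst_ip` alongside the error would make that diagnosable.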
@@ -0,0 +1,224 @@ +import re +import subprocess +import time +from collections import defaultdict +from concurrent.futures import ThreadPoolExecutor +from messagejobs import * +def parse_adfa_ld_file(file_path): + """ + 解析 ADFA-LD 的 syscall 列表文件,并提取 syscall 定义。 + :param file_path: 包含 ADFA-LD syscall 定义的文件路径 + :return: 一个字典,key 是 syscall 名称,value 是对应的序号 + """ + syscall_mapping = {} + + # 打开并读取文件内容 + with open(file_path, "r") as file: + lines = file.readlines() + + # 匹配 `#define __NR_` 和 `__SYSCALL` 的正则表达式 + define_pattern = re.compile(r"#define\s+(__NR_\w+)\s+(\d+)") + syscall_pattern = re.compile(r"__SYSCALL\s*\(\s*(\S+)\s*,\s*(\w+)\s*\)") + + # 遍历文件行,查找匹配 + for line in lines: + define_match = define_pattern.match(line) + syscall_match = syscall_pattern.match(line) + + # 如果匹配到 `#define` 定义 + if define_match: + syscall_name = define_match.group(1) # `__NR_xxx` + syscall_num = int(define_match.group(2)) # syscall 序号 + syscall_mapping[syscall_name] = syscall_num + + # 如果匹配到 `__SYSCALL` 定义 + elif syscall_match: + syscall_nr = syscall_match.group(1) # `__NR_xxx` + syscall_func = syscall_match.group(2) # `sys_xxx` + # 创建 syscall -> label 映射 + if syscall_nr in syscall_mapping: + syscall_mapping[syscall_func] = syscall_mapping[syscall_nr] + + return syscall_mapping + + +def map_bpftrace_syscalls_to_adfa(bpf_syscalls, adfa_mapping): + """ + 将 bpftrace 抓取到的 syscall 名称映射到 ADFA-LD 的 syscall 序号,基于后缀匹配。 + :param bpf_syscalls: 从 bpftrace 抓取到的 syscall 名称列表 + :param adfa_mapping: ADFA-LD 中的 syscall -> 序号映射表 + :return: 一个列表,包含 bpftrace 的 syscall 对应的序号(未匹配的不添加到结果中) + """ + syscall_to_sequence = [] + + for syscall in bpf_syscalls: + # 提取 syscall 名称中的后缀部分 + # 例如 'sys_enter_epoll_wait' -> 'epoll_wait' + match = re.search(r"sys_enter_(\w+)$", syscall) + if match: + syscall_suffix = match.group(1) + else: + syscall_suffix = syscall # 如果提取失败,使用原始名称 + + # Debug: 检查提取后的后缀 + # print(f"Original: {syscall}, Suffix: {syscall_suffix}") + + # 直接匹配 adfa_mapping 中的 key 的后缀部分 + matched = False + for 
key in adfa_mapping.keys(): + if key.endswith(syscall_suffix): # 如果 key 的后缀匹配 + syscall_to_sequence.append(adfa_mapping[key]) + matched = True + break + + # 如果匹配到了编号大于 1000 的 syscall,进行拆分匹配 + if matched and syscall_to_sequence and syscall_to_sequence[-1] > 1000: + # 弹出之前错误的匹配 + syscall_to_sequence.pop() + # 将后缀拆分为多个部分,例如 'epoll_wait' -> ['epoll', 'wait'] + syscall_parts = syscall_suffix.split("_") + + # 遍历 adfa_mapping 的所有 key,尝试匹配所有部分 + for key in adfa_mapping.keys(): + # 如果所有拆分的部分都在 key 中,认为匹配成功 + if all(part in key for part in syscall_parts): + if adfa_mapping[key]<1000: + syscall_to_sequence.append(adfa_mapping[key]) + matched = True + break + # 如果没有匹配,则跳过这个 syscall,不添加到结果中 + if not matched: + continue + + return syscall_to_sequence + + +def process_syscall_sequences(syscall_data, adfa_mapping): + """ + 处理抓取到的所有进程的 syscall 数据,将 syscall 名称映射为 ADFA-LD 的 label。 + :param syscall_data: 包含每个进程 syscall 数据的字典 + :param adfa_mapping: ADFA-LD 中的 syscall -> 序号映射表 + :return: 映射后的进程 syscall 序列 + """ + labeled_sequences = {} + + for pid, data in syscall_data.items(): + comm = data["comm"] + syscalls = data["syscalls"] + + # 将 syscalls 映射为 label + labeled_syscalls = map_bpftrace_syscalls_to_adfa(syscalls, adfa_mapping) + + labeled_sequences[pid] = { + "comm": comm, + "labeled_syscalls": labeled_syscalls + } + + return labeled_sequences + +# bpftrace 命令 +BPFTRACE_CMD = [ + "sudo", "bpftrace", "-e", + 'tracepoint:syscalls:sys_enter_* /comm != "bpftrace" && comm != "sudo"/ { printf("Syscall: %s PID: %d COMM: %s\\n", probe, pid, comm); }' +] + +# 滑动窗口参数 +WINDOW_SIZE = 10 # 窗口大小(秒) +STEP_SIZE = 5 # 滑动步长(秒) + + +def monitor_syscalls(adfa_mapping): + # 启动 bpftrace 进程 + with subprocess.Popen(BPFTRACE_CMD, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True) as proc: + syscall_data = defaultdict( + lambda: {"comm": "", "syscalls": []}) # 数据结构: {pid: {"comm": process_name, "syscalls": [syscall1, ...]}} + window_start_time = time.time() # 当前窗口的起始时间 + + # 使用线程池进行非阻塞解析 + with 
ThreadPoolExecutor(max_workers=4) as executor: + try: + while True: + # 读取 bpftrace 输出 + line = proc.stdout.readline() + if not line: + break + + # 示例输出: Syscall: tracepoint:syscalls:sys_enter_write PID: 1234 COMM: bash + if line.startswith("Syscall:"): + parts = line.split() + if len(parts) >= 6: + syscall_name = parts[1].replace("tracepoint:syscalls:", "") # 提取系统调用名称 + pid = int(parts[3]) # 提取进程号 + comm = parts[5] # 提取进程名 + + # 更新对应进程的调用序列和名称 + syscall_data[pid]["comm"] = comm + syscall_data[pid]["syscalls"].append(syscall_name) + + # 判断是否需要滑动窗口 + current_time = time.time() + if current_time - window_start_time >= STEP_SIZE: + print(f"\n--- Syscall Sequences ({time.strftime('%Y-%m-%d %H:%M:%S')}) ---") + # 深拷贝当前 syscall 数据 + syscall_data_snapshot = syscall_data.copy() + + # 提交解析任务到线程池 + future = executor.submit(process_syscall_sequences, syscall_data_snapshot, adfa_mapping) + + # 打印原始 syscall 数据 + for pid, data in syscall_data.items(): + comm = data["comm"] + syscalls = data["syscalls"] + print(f"PID: {pid}, COMM: {comm}") + + # 处理解析结果 + labeled_sequences = future.result() + for pid, data in labeled_sequences.items(): + message = { + "pid": int(pid), + "comm": data["comm"], + "syscall": data["labeled_syscalls"] + } + try: + produce_messages_ordered(producer, "syscall_topic", message, thread_pool) + print(f"✅ [Kafka Sent] {message}") # 发送成功日志 + except Exception as e: + print(f"❌ [Kafka Error] 发送失败: {e}, 消息: {message}") + # 滑动窗口 + syscall_data.clear() # 清空当前窗口数据 + window_start_time = current_time # 更新窗口起始时间 + + except KeyboardInterrupt: + print("\nMonitoring stopped by user.") + finally: + # 终止 bpftrace 进程 + proc.terminate() + + +if __name__ == "__main__": + + adfa_ld_file_path = "ADFA-LD+Syscall+List.txt" + + # 解析 ADFA-LD 文件,生成 syscall -> label 映射 + adfa_mapping = parse_adfa_ld_file(adfa_ld_file_path) + # print("ADFA-LD Syscall Mapping:", adfa_mapping) + # + # # 示例 bpftrace 抓取的 syscall 数据 + # syscall_data = { + # 1234: {"comm": "python3", "syscalls": [ + # 
'sys_enter_epoll_wait', 'sys_enter_clock_nanosleep', 'sys_enter_clock_nanosleep',
+ # 'sys_enter_epoll_wait', 'sys_enter_close'
+ # ]},
+ # 5678: {"comm": "bash", "syscalls": [
+ # 'sys_enter_read', 'sys_enter_futex', 'sys_enter_futex', 'sys_enter_read'
+ # ]}
+ # }
+ # # 映射 bpftrace 的 syscall 到 ADFA-LD 的 label
+ # labeled_sequences = process_syscall_sequences(syscall_data, adfa_mapping)
+ # # 打印映射结果
+ # for pid, data in labeled_sequences.items():
+ # comm = data["comm"]
+ # labeled_syscalls = data["labeled_syscalls"]
+ # print(f"PID: {pid}, COMM: {comm}, Labeled Syscalls: {labeled_syscalls}")
+
+ monitor_syscalls(adfa_mapping)
diff --git a/caputre/jobentrance.py b/caputre/jobentrance.py
new file mode 100644
index 0000000000000000000000000000000000000000..fadbab1e0548aa70007401adf9a3e6a03b4e0277
--- /dev/null
+++ b/caputre/jobentrance.py
@@ -0,0 +1,4 @@
+from capturetask import *
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/caputre/messagejobs.py b/caputre/messagejobs.py
new file mode 100644
index 0000000000000000000000000000000000000000..1ef9d2a1caf83ab8c51aeb9304a21b853f56cebb
--- /dev/null
+++ b/caputre/messagejobs.py
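Review bot: `map_bpftrace_syscalls_to_adfa` takes the first `adfa_mapping` key for which `key.endswith(syscall_suffix)` holds, in dict insertion order, so a short name is claimed by whichever longer entry the header lists first — for instance `open` would resolve to `__NR_mq_open` and `chown` to `__NR_fchown` if those precede any exact match — and the label sequence sent to `syscall_topic` is then wrong for exactly the calls a host-intrusion model keys on. Try the exact keys first, `for key in (f"__NR_{syscall_suffix}", f"sys_{syscall_suffix}"): if key in adfa_mapping: ...`, and fall back to the suffix and split-parts heuristics only when neither exists; note too that legacy names such as `open`, `stat` or `access` have no entry at all in an asm-generic table and are silently dropped, which is worth a comment. In `monitor_syscalls`, `stderr=subprocess.PIPE` is never read, so a chatty bpftrace eventually blocks on the full pipe and the `readline()` loop stalls with it; either drain it in a thread or pass `stderr=subprocess.DEVNULL`. The `syscall_data.copy()` that the comment calls a deep copy is shallow (the inner lists stay shared) and `future.result()` is awaited right after `submit`, so the executor adds no concurrency; both are harmless only because `clear()` runs after the result has been consumed.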
@@ -0,0 +1,92 @@ +import socket + +from kafka import KafkaProducer +from concurrent.futures import ThreadPoolExecutor +import json +import time +import threading +from queue import Queue + +# 配置 Kafka 参数 +BOOTSTRAP_SERVERS = "121.43.104.95:9092" # 替换为你的 Kafka Broker 地址 +def get_local_ip(): + """ + 自动获取当前主机的 IP 地址 + """ + try: + # 创建一个 UDP socket 并连接到公共地址,获取主机的本地 IP + with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s: + s.connect(("8.8.8.8", 80)) # 使用 Google 公共 DNS 地址 + local_ip = s.getsockname()[0] + return local_ip + except Exception as e: + print(f"Error fetching local IP address: {e}") + return "Unknown" + +# 当前主机 IP +LOCAL_IP = get_local_ip() + +# 配置 Kafka Producer +def configure_producer(): + """ + 配置 Kafka 生产者 + """ + try: + producer = KafkaProducer( + bootstrap_servers=BOOTSTRAP_SERVERS, + value_serializer=lambda v: json.dumps(v).encode('utf-8'), # 将数据序列化为 JSON 格式 + ) + return producer + except Exception as e: + print(f"Error configuring Kafka producer: {e}") + raise + + +# 线程池单例 +class ThreadPoolSingleton: + """ + 全局线程池单例 + """ + _instance = None + _lock = threading.Lock() + + def __new__(cls, max_workers=5): + if not cls._instance: + with cls._lock: + if not cls._instance: + cls._instance = ThreadPoolExecutor(max_workers=max_workers) + return cls._instance + + +# 异步发送数据到 Kafka +def send_to_kafka(producer, topic, data): + """ + 异步发送数据到 Kafka + """ + try: + future = producer.send(topic, value=data) + future.add_callback(lambda metadata: print( + f"Sent to Kafka ({topic}) -> Partition: {metadata.partition}, Offset: {metadata.offset}")) + future.add_errback(lambda error: print( + f"Failed to send to Kafka ({topic}): {error}")) + except Exception as e: + print(f"Failed to send data to {topic}: {e}") + +# 顺序发送器:将消息加入线程池并按时间顺序发送 +def produce_messages_ordered(producer, topic, json_data, thread_pool): + """ + 将单条 JSON 数据按时间顺序提交到 Kafka + :param producer: Kafka Producer 实例 + :param topic: 目标 Kafka 主题 + :param json_data: 要发送的 JSON 数据 + :param thread_pool: 
全局线程池 + """ + # 动态生成一个时间戳作为排序的 key + timestamp = int(time.time() * 1000) + json_data["timestamp"] = timestamp # 添加时间戳到消息中 + json_data["cloudip"]=LOCAL_IP + # print(f"Producing data to {topic}: {json_data}") + # 将发送任务提交到线程池 + thread_pool.submit(send_to_kafka, producer, topic, json_data) +producer = configure_producer() +thread_pool = ThreadPoolSingleton() # 创建线程池单例 \ No newline at end of file diff --git a/caputre/safemap.py b/caputre/safemap.py new file mode 100644 index 0000000000000000000000000000000000000000..fac841e55577f276c7d49ecb60fdac3df3577d96 --- /dev/null +++ b/caputre/safemap.py 
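Review bot: `produce_messages_ordered` overwrites `json_data["timestamp"]` with the send time, so packet records that `capturetask.packet_handler` stamps with `packet.time` arrive on `http_topic` carrying the enqueue time instead of the capture time, and because the dict is mutated in place the caller's object changes as well; write the send time under its own key, `json_data["sent_at"] = timestamp`, or use `json_data.setdefault("timestamp", timestamp)` so an existing capture time survives. The name promises ordering, but `thread_pool.submit(send_to_kafka, ...)` onto the 5-worker `ThreadPoolSingleton` gives none — concurrent `send_to_kafka` calls can interleave — so either document that ordering is only by the embedded timestamp or size the executor to one worker. `producer = configure_producer()` runs at import time on the last line and the `except Exception` re-raises, so merely importing `safemap` or `ebpfdemos` fails when the broker is unreachable; creating the producer lazily on first send would keep the import side-effect free. The `KafkaProducer` is built with no `security_protocol`, so the captured payloads travel to the remote broker in plaintext without client authentication, and the literal `BOOTSTRAP_SERVERS` address belongs in configuration or an environment variable rather than source.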
@@ -0,0 +1,201 @@
+import re
+import threading
+from messagejobs import *
+
+def string_words_spliting(str_input):
+ """
+ 将字符串中的特殊字符替换为空格,并去除多余空格
+ """
+ str_cleaned = re.sub(r'[?&=(){}<>/\\."\'@;~,:*]', ' ', str_input)
+ return ' '.join(str_cleaned.split()) # 去除多余空格
+
+
+def parse_http_packet(packet):
+ """
+ 解析 HTTP 数据,并转换成格式化字符串
+ """
+ http_data = []
+ # 提取 `protocol_details["http_payload"]`
+ if "protocol_details" in packet and "http_payload" in packet["protocol_details"]:
+ http_data.extend(packet["protocol_details"]["http_payload"].split("\r\n")) # 按 HTTP 换行符拆分
+
+ # 移除空行,并对每一行进行字符串清理
+ http_data = [string_words_spliting(line) for line in http_data if line.strip()]
+
+
+
+ return http_data
+class ThreadSafeMap:
+ def __init__(self):
+ self.map = {}
+ self.lock = threading.Lock()
+
+ def put(self, key, value):
+ with self.lock:
+ self.map[key] = value
+
+ def get(self, key):
+ with self.lock:
+ return self.map.get(key,[])
+
+ def remove(self, key):
+ with self.lock:
+ del self.map[key]
+datasmaps = ThreadSafeMap()
+
+
+
+
+def putPackect(srcIp, destIp, packet):
+ global datasmaps
+ key = "{},{}".format(srcIp, destIp)
+ reverse_key = "{},{}".format(destIp, srcIp)
+
+ # 尝试获取正向或反向的 key 对应的列表
+ result = datasmaps.get(key)
+ if not result:
+ result = datasmaps.get(reverse_key)
+
+ # 如果列表为空,初始化新的 key 和列表,并保存 Min 和 Max Packet Length
+ if not result:
+ # 初始化 Min 和 Max Packet Length
+ datasmaps.put(key, {
+ "packets": [packet],
+ "min_length": packet["Packet_length"], # 当前数据包长度作为初始最小长度
+ "max_length": packet["Packet_length"] # 当前数据包长度作为初始最大长度
+ })
+ else:
+ # 更新 Min 和 Max Packet Length
+ packet_list = result["packets"]
+ packet_list.append(packet)
+ current_length = packet["Packet_length"]
+ result["min_length"] = min(result["min_length"], current_length)
+ result["max_length"] = max(result["max_length"], current_length)
+ result["packets"]=packet_list
+ datasmaps.put(key, result) # 更新数据
+
+
+def putPacketAnaylsy(object,srcIp, destIp,src,dest):
+ global datasmaps
+ key = "{},{}".format(srcIp, destIp)
+ reverse_key = "{},{}".format(destIp, srcIp)
+
+ # 尝试获取正向或反向的 key 对应的数据
+ result = datasmaps.get(key)
+ if not result:
+ result = datasmaps.get(reverse_key)
+ if not result:
+ return # 没有找到对应的流
+
+ # 初始化前向和后向头部长度
+ fwd_header_length = 0
+ bwd_header_length = 0
+
+ # 获取 Min 和 Max Packet Length
+ min_packet_length = result["min_length"]
+ max_packet_length = result["max_length"]
+
+ # 计算所有数据包长度的均值和方差
+ packet_lengths = [packet["Packet_length"] for packet in result["packets"]]
+ mean_packet_length = sum(packet_lengths) / len(packet_lengths)
+ variance_packet_length = sum(
+ (length - mean_packet_length) ** 2 for length in packet_lengths
+ ) / len(packet_lengths)
+
+ # 遍历所有数据包,计算头部长度
+ for packet in result["packets"]:
+ total_header_length = packet["Fwd_Header_Length"]
+ # 判断方向
+ if packet["ip_src"] == src and packet["ip_dst"] == dest:
+ fwd_header_length += total_header_length
+ elif packet["ip_src"] == dest and packet["ip_dst"] == src:
+ bwd_header_length += total_header_length
+ object["Fwd Header Length"]=fwd_header_length
+ object["Bwd Header Length"]=bwd_header_length
+ object["Min Packet Length"]=min_packet_length
+ object["Max Packet Length"]=max_packet_length
+ object["Mean Packet Length"]=mean_packet_length
+ object["Packet Length Variance"]=variance_packet_length
+ # 从 map 中移除对应的键
+ produce_messages_ordered(producer,"stream_topic",object,thread_pool)
+ for packet in result["packets"]:
+ if packet["type"]=="HTTP":
+ print(f"enter this the http packet {packet}")
+ newpacket=parse_http_packet(packet)
+ print(f"after clean {newpacket}")
+ packet["payload"]=newpacket
+ packet["protocol_details"]["http_payload"]=newpacket
+ produce_messages_ordered(producer,"http_topic",packet,thread_pool)
+ try:
+ datasmaps.remove(key)
+ datasmaps.remove(reverse_key)
+ except KeyError as e:
+ pass
+def extract_initial_window_size(src_ip, dest_ip, objects, src, dest):
+ global datasmaps
+ key = "{},{}".format(src_ip, dest_ip)
+ reverse_key = "{},{}".format(dest_ip, src_ip)
+
+ # 尝试获取正向或反向的 key 对应的数据
+ result = datasmaps.get(key)
+ if not result:
+ result = datasmaps.get(reverse_key)
+ if not result:
+ return # 没有找到对应的流
+
+ # 确保 result["packets"] 有数据
+ packet_list = result.get("packets", [])
+ if not packet_list:
+ return # 没有数据包
+
+ # 提取第一个数据包
+ first_packet = packet_list[0]
+
+ # 初始化窗口大小
+ init_win_forward = 0
+ init_win_backward = 0
+
+ # 确保第一个包包含 TCP 信息
+ if first_packet.get("type") == "TCP":
+ if first_packet["ip_src"] == src and first_packet["ip_dst"] == dest:
+ # 前向窗口大小
+ init_win_forward = first_packet.get("window_size", 0)
+ elif first_packet["ip_src"] == dest and first_packet["ip_dst"] == src:
+ # 后向窗口大小
+ init_win_backward = first_packet.get("window_size", 0)
+
+ # 更新对象
+ objects["Init_Win_bytes_forward"] = init_win_forward
+ objects["Init_Win_bytes_backward"] = init_win_backward
+
+
+def extract_initial_window_size(src_ip, dest_ip, objects, src, dest):
+ global datasmaps
+ key = "{},{}".format(src_ip, dest_ip)
+ reverse_key = "{},{}".format(dest_ip, src_ip)
+ # 尝试获取正向或反向的 key 对应的数据
+ result = datasmaps.get(key)
+ if not result:
+ result = datasmaps.get(reverse_key)
+ if not result:
+ return # 没有找到对应的流
+ # 确保 result["packets"] 有数据
+ packet_list = result.get("packets", [])
+ if not packet_list:
+ return # 没有数据包
+ # 提取第一个数据包
+ first_packet = packet_list[0]
+ # 初始化窗口大小
+ init_win_forward = 0
+ init_win_backward = 0
+ # 确保第一个包包含 TCP 信息
+ if first_packet.get("type") == "TCP":
+ if first_packet["ip_src"] == src and first_packet["ip_dst"] == dest:
+ # 前向窗口大小
+ init_win_forward = first_packet.get("window_size", 0)
+ elif first_packet["ip_src"] == dest and first_packet["ip_dst"] == src:
+ # 后向窗口大小
+ init_win_backward = first_packet.get("window_size", 0)
+ # 更新对象
+ objects["Init_Win_bytes_forward"] = init_win_forward
+ objects["Init_Win_bytes_backward"] = init_win_backward
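Review bot: In `putPacketAnaylsy` the cleanup `try: datasmaps.remove(key); datasmaps.remove(reverse_key); except KeyError` abandons the second removal as soon as the first one raises, and because `putPackect` only ever stores under its caller's forward key, a flow analysed from the direction no packet was stored under stays in `datasmaps` after it has been published — its packets then merge into the next flow between the same pair and the map grows without bound. Changing `ThreadSafeMap.remove` to `self.map.pop(key, None)` makes both removals unconditional and lets the `except KeyError: pass` go. `extract_initial_window_size` is defined twice with identical bodies; the second definition silently replaces the first, so one copy should be deleted. `putPackect` also performs its get-then-put as two separately locked calls, so if several capture threads feed it, two racing on a new flow can each see an empty result and the later `put` overwrites the earlier packet; a `ThreadSafeMap.update(key, fn)` that holds the lock across the read-modify-write would close that window. Minor: the `object` parameter shadows the builtin and would read better as `flow_record`.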