devbox
小蓝xlanll
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

【Python】测试dpkt解析pcap

作者:小蓝xlanll | 2024-03-06 18:40:09

dpkt

1、前言

本想借助dpkt解析mail、dns、http来辅助分析pcap包进行分析,查阅资料学习却发现并不如使用scapy那么方便。

dpkt是一个python模块,可以对简单的数据包创建/解析,以及基本TCP / IP协议的解析,速度很快。

dpkt 手册

https://dpkt.readthedocs.io/en/latest/
dpkt 下载

https://pypi.org/project/dpkt/

看官方手册发现DPKT是读取每个pcap包里的内容,用isinstance判断是不是有IP的包,再判断是属于哪个协议,对应的协议已经封装好API如果发现可以匹配某个协议API就输出来相关值。

想要扩展这个源码还需要去学习一下协议相关的字段含义。

API调用:

https://dpkt.readthedocs.io/en/latest/api/api_auto.html#module-dpkt.qq

在手册中找到了在Github中部分API的示例代码,具备参考价值。

https://github.com/jeffsilverm/dpkt_doc

2、手册例子

以下代码是手册中的例子,通过查询发现inet_pton无法直接使用,按照网络上的解决方法修改了一下。

打印数据包

使用DPKT读取pcap文件并打印出数据包的内容。打印出以太网帧和IP数据包中的字段。

python2测试代码:

  1. #!/usr/bin/env python
  2. """
  3. Use DPKT to read in a pcap file and print out the contents of the packets
  4. This example is focused on the fields in the Ethernet Frame and IP packet
  5. """
  6. import dpkt
  7. import datetime
  8. import socket
  9. from dpkt.compat import compat_ord
  10. import ctypes
  11. import os
  12.  
  13.  
  14. def mac_addr(address):
  15.     """Convert a MAC address to a readable/printable string
  17.        Args:
  18.            address (str): a MAC address in hex form (e.g. '\x01\x02\x03\x04\x05\x06')
  19.        Returns:
  20.            str: Printable/readable MAC address
  21.     """
  22.     return ':'.join('%02x' % compat_ord(b) for b in address)
  23.  
  24.  
  25. class sockaddr(ctypes.Structure):
  26.     _fields_ = [("sa_family", ctypes.c_short),
  27.                 ("__pad1", ctypes.c_ushort),
  28.                 ("ipv4_addr", ctypes.c_byte * 4),
  29.                 ("ipv6_addr", ctypes.c_byte * 16),
  30.                 ("__pad2", ctypes.c_ulong)]
  31.  
  32. if hasattr(ctypes, 'windll'):
  33.     WSAStringToAddressA = ctypes.windll.ws2_32.WSAStringToAddressA
  34.     WSAAddressToStringA = ctypes.windll.ws2_32.WSAAddressToStringA
  35. else:
  36.     def not_windows():
  37.         raise SystemError(
  38.             "Invalid platform. ctypes.windll must be available."
  39.         )
  40.     WSAStringToAddressA = not_windows
  41.     WSAAddressToStringA = not_windows
  42.  
  43.  
  44. def inet_pton(address_family, ip_string):
  45.     addr = sockaddr()
  46.     addr.sa_family = address_family
  47.     addr_size = ctypes.c_int(ctypes.sizeof(addr))
  48.  
  49.     if WSAStringToAddressA(
  50.             ip_string,
  51.             address_family,
  52.             None,
  53.             ctypes.byref(addr),
  54.             ctypes.byref(addr_size)
  55.     ) != 0:
  56.         raise socket.error(ctypes.FormatError())
  57.  
  58.     if address_family == socket.AF_INET:
  59.         return ctypes.string_at(addr.ipv4_addr, 4)
  60.     if address_family == socket.AF_INET6:
  61.         return ctypes.string_at(addr.ipv6_addr, 16)
  62.  
  63.     raise socket.error('unknown address family')
  64.  
  65.  
  66. def inet_ntop(address_family, packed_ip):
  67.     addr = sockaddr()
  68.     addr.sa_family = address_family
  69.     addr_size = ctypes.c_int(ctypes.sizeof(addr))
  70.     ip_string = ctypes.create_string_buffer(128)
  71.     ip_string_size = ctypes.c_int(ctypes.sizeof(ip_string))
  72.  
  73.     if address_family == socket.AF_INET:
  74.         if len(packed_ip) != ctypes.sizeof(addr.ipv4_addr):
  75.             raise socket.error('packed IP wrong length for inet_ntoa')
  76.         ctypes.memmove(addr.ipv4_addr, packed_ip, 4)
  77.     elif address_family == socket.AF_INET6:
  78.         if len(packed_ip) != ctypes.sizeof(addr.ipv6_addr):
  79.             raise socket.error('packed IP wrong length for inet_ntoa')
  80.         ctypes.memmove(addr.ipv6_addr, packed_ip, 16)
  81.     else:
  82.         raise socket.error('unknown address family')
  83.  
  84.     if WSAAddressToStringA(
  85.             ctypes.byref(addr),
  86.             addr_size,
  87.             None,
  88.             ip_string,
  89.             ctypes.byref(ip_string_size)
  90.     ) != 0:
  91.         raise socket.error(ctypes.FormatError())
  92.  
  93.     return ip_string[:ip_string_size.value - 1]
  94.  
  95. # Adding our two functions to the socket library
  96. if os.name == 'nt':
  97.     socket.inet_pton = inet_pton
  98.     socket.inet_ntop = inet_ntop
  99.  
  100. def inet_to_str(inet):
  101.     return socket.inet_ntop(socket.AF_INET, inet)
  102.  
  103. def print_packets(pcap):
  104.     """Print out information about each packet in a pcap
  106.        Args:
  107.            pcap: dpkt pcap reader object (dpkt.pcap.Reader)
  108.     """
  109.     # packet num count
  110.     r_num = 0
  111.     # For each packet in the pcap process the contents
  112.     for timestamp, buf in pcap:
  113.         r_num=r_num+1
  114.         print ('packet num count :' , r_num )
  115.         # Print out the timestamp in UTC
  116.         print('Timestamp: ', str(datetime.datetime.utcfromtimestamp(timestamp)))
  117.  
  118.         # Unpack the Ethernet frame (mac src/dst, ethertype)
  119.         eth = dpkt.ethernet.Ethernet(buf)
  120.         print('Ethernet Frame: ', mac_addr(eth.src), mac_addr(eth.dst), eth.type)
  121.  
  122.         # Ma
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小蓝xlanll/article/detail/200831
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号