如何读取比 Scapy 的 rdpcap() 更快的 Pyshark 以外的 .cap 文件? [英] How to read .cap files other than Pyshark that is faster than Scapy's rdpcap ()?
问题描述
我一直在寻找一种将 .cap 文件中的 802.11 数据包转换为数组的方法.到目前为止,我发现:
I have been looking for a way to get 802.11 Packets from a .cap file into an Array. So far I have found:
斯皮:这很好,文档可用,但太慢了,当我尝试打开大小 > 40 Mb 的文件时,我一直挂着直到它消耗掉我所有的 Ram(所有 16 个演出),此时我的电脑只是块,我必须重新启动它
Scapy: which is kind of nice, documentation available, but too slow, when I try to open a file with size > 40 Mb, I just keeps hanging on until it consumes all my Ram (all 16 gigs of it) at which point my pc just blocks and I have to reboot it
Pyshark:没有任何 Scapy 的问题,但是文档太少,我找不到处理和获取 802.11 数据包属性的方法
Pyshark: doesn't have any of Scapy's problems, but documentation is too scarce, I can't find a way to handle and get attributes for 802.11 Packets
所以我在想也许有更好的解决方案,或者也许有人对 pyshark 有一些经验?
So I was thinking maybe there are better solutions out there, or maybe someone does have some experience with pyshark?
from scapy.all import *
import pyshark
from collections import defaultdict
import sys
import math
import numpy as np
counter=0
Stats = np.zeros((14))
filename='cap.cap'
a = rdpcap(filename)
print len(a)
for p in a:
pkt = p.payload
#Management packets
if p.haslayer(Dot11) and p.type == 0:
ipcounter = ipcounter +1
Stats[p.subtype] = Stats[p.subtype] + 1
print Stats
注意:当我以 10 兆字节的输入(例如)启动程序时,它需要大约 20 秒左右,但它确实有效,我想知道为什么会这样,为什么它与 pyshark 如此不同以及什么样的它在做计算吗?
Note: when I launch the program with a 10 Mega bytes input (for instance) it takes about 20 seconds or so, but it does work, I wonder why is that, why is it so different from pyshark and what kind of computations is it doing?
推荐答案
您可以修补名为 utils.py 的 scapy 文件,使其不会将所有内容加载到内存中
You can patch scapy file named utils.py so that it won't load everything into memory
改变:
def read_all(self,count=-1):
"""return a list of all packets in the pcap file
"""
res=[]
while count != 0:
count -= 1
p = self.read_packet()
if p is None:
break
res.append(p)
return res
到
def read_all(self,count=-1):
"""return an iterable of all packets in the pcap file
"""
while count != 0:
count -= 1
p = self.read_packet()
if p is None:
break
yield p
return
功劳归于:http://comments.gmane.org/gmane.comp.security.scapy.general/4462
但是链接已经失效
这篇关于如何读取比 Scapy 的 rdpcap() 更快的 Pyshark 以外的 .cap 文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!