How to read .cap files, other than with Pyshark, faster than Scapy's rdpcap()?


Question

I have been looking for a way to get 802.11 packets from a .cap file into an array. So far I have found:

  • Scapy: which is kind of nice, documentation available, but too slow; when I try to open a file with size > 40 MB, it just keeps hanging until it consumes all my RAM (all 16 gigs of it), at which point my PC just blocks and I have to reboot it.

  • Pyshark: doesn't have any of Scapy's problems, but the documentation is too scarce; I can't find a way to handle and get attributes for 802.11 packets.

So I was thinking maybe there are better solutions out there, or maybe someone does have some experience with pyshark?

from scapy.all import rdpcap, Dot11
import numpy as np

ipcounter = 0           # number of management frames seen
Stats = np.zeros(16)    # one bucket per subtype: the subtype field is 4 bits wide (0..15)
filename = 'cap.cap'

a = rdpcap(filename)    # reads and decodes the whole capture into a list in memory
print(len(a))
for p in a:
    # Frame Control type 0 = management frames (beacons, probes, auth, ...)
    if p.haslayer(Dot11) and p.type == 0:
        ipcounter = ipcounter + 1
        Stats[p.subtype] = Stats[p.subtype] + 1

print(Stats)

Note: when I launch the program with a 10 megabyte input (for instance) it takes about 20 seconds or so, but it does work. I wonder why that is, why it is so different from pyshark, and what kind of computations it is doing?

Answer

You can patch the scapy file named utils.py so that it won't load everything into memory.

Change:

def read_all(self,count=-1):
    """return a list of all packets in the pcap file
    """
    res=[]
    while count != 0:
        count -= 1
        p = self.read_packet()
        if p is None:
            break
        res.append(p)
    return res

to:

def read_all(self,count=-1):
    """return an iterable of all packets in the pcap file
    """
    while count != 0:
        count -= 1
        p = self.read_packet()
        if p is None:
            break
        yield p
    return

Credit goes to: http://comments.gmane.org/gmane.comp.security.scapy.general/4462

But the link is dead now.
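The point of the patch above is to stop materialising the whole capture as a list: a 40 MB .cap turns into hundreds of thousands of fully decoded Scapy packet objects, which is where the 16 GB goes. The same idea, as an added example that is not part of the answer or of Scapy's code base, can be done with only the standard library: read one pcap record at a time, peel off the radiotap header when the capture's link type is 127, and tally management frames by subtype from the Frame Control octet. It handles classic pcap files only (both byte orders, microsecond and nanosecond timestamps), not pcapng, and stops cleanly on a truncated final record rather than raising. The sample capture is constructed in code, not real traffic, and the function and constant names are this example's own.

```python
import io
import struct
from typing import BinaryIO, Iterator, List, Optional, Tuple

# Link-layer header types from the pcap global header
LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127  # 802.11 frames behind a radiotap header (common for monitor-mode captures)

MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",   # microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",   # nanosecond timestamps
}


def iter_pcap(stream: BinaryIO) -> Iterator[Tuple[int, bytes]]:
    """Yield (linktype, frame_bytes) one record at a time from a classic pcap stream.

    Only the current record is held in memory, so a multi-gigabyte capture costs
    the same RAM as a tiny one. pcapng is a different format and is rejected.
    """
    hdr = stream.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    endian = MAGICS.get(hdr[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break                                   # clean end of file
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        if snaplen and incl_len > snaplen:
            raise ValueError(f"record length {incl_len} exceeds snaplen {snaplen}: corrupt file")
        data = stream.read(incl_len)
        if len(data) < incl_len:
            break                                   # truncated final record: stop, keep what was read
        yield linktype, data


def dot11_type_subtype(linktype: int, frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (type, subtype) from the 802.11 Frame Control field, or None if undecodable."""
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        if len(frame) < 4:
            return None
        rt_len = struct.unpack_from("<H", frame, 2)[0]  # radiotap length is always little-endian
        frame = frame[rt_len:]
    elif linktype != LINKTYPE_IEEE802_11:
        return None
    if not frame:
        return None
    fc0 = frame[0]      # first Frame Control octet: version (2 bits) | type (2 bits) | subtype (4 bits)
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def count_management_frames(stream: BinaryIO) -> Tuple[int, List[int]]:
    """Stream a capture and tally management frames (type 0) per subtype.

    Returns (total_frames, counts); counts has 16 buckets because subtype is a
    4-bit field (0..15), so a 14-element array would raise on subtypes 14 and 15.
    """
    counts = [0] * 16
    total = 0
    for linktype, frame in iter_pcap(stream):
        total += 1
        ts = dot11_type_subtype(linktype, frame)
        if ts is not None and ts[0] == 0:
            counts[ts[1]] += 1
    return total, counts


def count_management_frames_from_bytes(data: bytes) -> Tuple[int, List[int]]:
    """Convenience wrapper for in-memory captures (tests, sockets, decompressed chunks)."""
    return count_management_frames(io.BytesIO(data))


def build_sample_pcap(linktype: int = LINKTYPE_IEEE802_11_RADIOTAP) -> bytes:
    """Constructed sample capture (not real traffic): beacon, probe request, data frame, beacon."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, (typ, subtype) in enumerate(((0, 8), (0, 4), (2, 0), (0, 8))):
        fc0 = (subtype << 4) | (typ << 2)
        frame = bytes([fc0, 0x00]) + b"\x00" * 22       # FC, duration, 3 addresses, sequence control
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            frame = struct.pack("<BBHI", 0, 0, 8, 0) + frame  # minimal radiotap: version, pad, len=8, present=0
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    # For a real file: with open("cap.cap", "rb") as f: print(count_management_frames(f))
    print(count_management_frames_from_bytes(build_sample_pcap()))
```

Two practical notes. First, this only decodes the Frame Control octet; if you need addresses, SSIDs or information elements you still want a real dissector, and current Scapy already ships the streaming form the patch hand-rolls: `for pkt in PcapReader("cap.cap")` decodes one packet at a time, so the 40 MB file no longer needs to fit in RAM as a list. Second, treat the capture as untrusted input: the length checks against `snaplen` and the short-read handling are there because a malformed or truncated .cap from a hostile source should end the loop, not crash or spin the tool.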
