如何将Wireshark处理的数据转发到python?用什么样的方法? [英] How to forward Wireshark processed data to python? in what kind of method?
问题描述
Wireshark 是一款强大的网络流量分析工具.但从我的实践来看,它只能将处理后的数据(这意味着,告诉你哪个部分是什么,例如数据":123456 等)到 .pcap 文件,但我想在每个文件中输出数据"段TCP 数据包实时(或 90% 实时)到其他应用程序,例如我的 python 脚本以供进一步使用(可能通过 TCP 转发?管道?)
我不知道如何准确地完成它.有人愿意帮助我吗?谢谢~
ps:没有得到一些快照,因为我什么也没有显示,甚至是代码......
tldr;管道
pdml2flow 实现了所有构建块,让您快速开始在 Python 中处理帧.我希望这有帮助,我非常感谢任何反馈.谢谢.
The Wireshark is a powerful tool for network traffic analysis. But from my practice, it can only export the processed data(which means, tell you which part is what, e.g. "data":123456 and so on) to .pcap file, but I would like to output 'data' segment in every TCP packet in real-time(or 90% real-time) to other application such as my python script for further use(may be via TCP forward?pipe?)
I don't know how to get it done exactly. Is anyone feel willing to help me with this? Thank you~
ps: did not get some snapshot cause I get nothing to show, even a code...
tldr; Pipe tshark output in any format (-T
) into your python program and parse it there.
I am currently working on a project called pdml2flow which might be of help for you as well. For the project I rely on the pdml output (XML) from tshark. Which is piped into pdml2flow:
$ tshark -i interface -Tpdml | pdml2flow +json
I chose pdml because it was the most complete and stable when I started. But these days many output formats such as json or postscript are also possible. From tshark(1):
-T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
Set the format of the output when viewing decoded packet data. The options are one of:
ek
: Newline delimited JSON format for bulk import into Elasticsearch. It can be used with-j
or-J
including the JSON filter or with-x
to include raw hex-encoded packet data. If-P
is specified it will print the packet summary only, with both-P
and-V
it will print the packet summary and packet details. If neither-P
or-V
are used it will print the packet details only. Example of usage to import data into Elasticsearch:$ tshark -T ek -j "http tcp ip" -P -V -x -r file.pcap > file.json $ curl -H "Content-Type: application/x-ndjson" -XPOST http://elasticsearch:9200/_bulk --data-binary "@file.json"
Elastic requires a mapping file to be loaded as template for packets-* index in order to convert wireshark types to elastic types. This file can be auto-generated with the command
tshark -G elastic-mapping
. Since the mapping file can be huge, protocols can be selected by using the option--elastic-mapping-filter
:tshark -G elastic-mapping --elastic-mapping-filter ip,udp,dns
fields
: The values of fields specified with the-e
option, in a form specified by the-E
option. For example,tshark -T fields -E separator=, -E quote=d
would generate comma-separated values (CSV) output suitable for importing into your favorite spreadsheet program.
json
: JSON file format. It can be used with-j
or-J
including the JSON filter or with-x
option to include raw hex-encoded packet data. Example of usage:$ tshark -T json -r file.pcap $ tshark -T json -j "http tcp ip" -x -r file.pcap
jsonraw
: JSON file format including only raw hex-encoded packet data. It can be used with-j
including or-J
the JSON filter option. Example of usage:$ tshark -T jsonraw -r file.pcap $ tshark -T jsonraw -j "http tcp ip" -x -r file.pcap
pdml
: Packet Details Markup Language, an XML-based format for the details of a decoded packet. This information is equivalent to the packet details printed with the-V
option. Using the--color
option will add color attributes to pdml output. These attributes are nonstandard.
ps
: PostScript for a human-readable one-line summary of each of the packets, or a multi-line view of the details of each of the packets, depending on whether the-V
option was specified.
psml
: Packet Summary Markup Language, an XML-based format for the summary information of a decoded packet. This information is equivalent to the information shown in the one-line summary printed by default. Using the--color
option will add color attributes to pdml output. These attributes are nonstandard.
tabs
: Similar to the default text report except the human-readable one-line summary of each packet will include an ASCII horizontal tab (0x09) character as a delimiter between each column.
text
: Text of a human-readable one-line summary of each of the packets, or a multi-line view of the details of each of the packets, depending on whether the -V option was specified. This is the default.
This means nothing stops you from writing your own parser for any of those output formats:
$ tshark -i interface -Tjson | python your_program.py
For convenience, pdml2flow already parses pdml to a python nested dict
and provides this to your code implemented as a plugin. In such a plugin you then have full access to each frame and flow and are free to do whatever you wish.
Example plugins:
The following screencast demonstrates how to create and run a new plugin in seconds:
pdml2flow implements all the building blocks to get you quickly started processing frames in python. I hope this helped and I do appreciate any feedback. Thank you.
这篇关于如何将Wireshark处理的数据转发到python?用什么样的方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!