如何使用python通过特定协议过滤pcap文件? [英] How can I filter a pcap file by specific protocol using python?

问题描述

我有一些 pcap 文件，我想按协议过滤，即如果我想按 HTTP 协议过滤，除了 HTTP 数据包之外的任何内容都将保留在 pcap 文件中.

I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file.

有一个名为 openDPI 的工具，它非常适合我的需要，但没有包装python语言.

There is a tool called openDPI, and it's perfect for what I need, but there is no wrapper for python language.

有谁知道可以做我需要的任何 python 模块吗?

Does anyone knows any python modules that can do what I need?

谢谢

编辑 1:

HTTP 过滤只是一个例子，我想过滤很多协议.

HTTP filtering was just an example, there is a lot of protocols that I want to filter.

编辑 2:

我尝试过 Scapy，但我不知道如何正确过滤.过滤器只接受 Berkeley Packet Filter 表达式，即我不能从上层应用 msn、HTTP 或其他特定过滤器.有人可以帮我吗?

I tried Scapy, but I don't figure how to filter correctly. The filter only accepts Berkeley Packet Filter expression, i.e., I can't apply a msn, or HTTP, or another specific filter from upper layer. Can anyone help me?

推荐答案

一个使用 Scapy 的快速示例，因为我刚刚写了一个:

A quick example using Scapy, since I just wrote one:

pkts = rdpcap('packets.pcap')
ports = [80, 25]
filtered = (pkt for pkt in pkts if
    TCP in pkt and
    (pkt[TCP].sport in ports or pkt[TCP].dport in ports))
wrpcap('filtered.pcap', filtered)

这将过滤掉既不是 HTTP 也不是 SMTP 的数据包.如果你想要所有的数据包但 HTTP 和 SMTP，第三行应该是:

That will filter out packets that are neither HTTP nor SMTP. If you want all the packets but HTTP and SMTP, the third line should be:

filtered = (pkt for pkt in pkts if
    not (TCP in pkt and
    (pkt[TCP].sport in ports or pkt[TCP].dport in ports)))
wrpcap('filtered.pcap', filtered)

这篇关于如何使用python通过特定协议过滤pcap文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！