捕获来自特定客户端UDP(Python)的数据包 [英] capturing packets from a specific client UDP (Python)

问题描述

我有一个关于从特定客户端嗅探数据包的问题.我正在运行一个非常简单的UDP服务器，如下所示:

I have a question regarding sniffing packets from a specific client. I am running a very simple UDP server as follows:

from socket import *

IPv4 = ""
Port = 54345

ServerSock = socket(AF_INET, SOCK_DGRAM) # UDP
ServerSock.bind((IPv4, Port))
print "Socket is ready to receive data.."

while True:
    data, addr = ServerSock.recvfrom(1024) # buffer size is 1024 bytes
    print data

，我打算捕获端口号(54345)上的每个数据包，并解析其标头值.我认为将数据包保存到.pcap文件并使用scapy进行处理是可行的，但是一旦使用"socket.recvfrom"到达每个数据包，是否有可能进行处理?谢谢

and I intend to capture every packet that comes to the port number(54345) and parse its header values. I think it is doable if the packets are saved to .pcap file and probably use scapy to process them but is it possible to process every packet once it arrives using "socket.recvfrom"?. Thanks

推荐答案

您已经获得了数据.但是，您得到的是UDP数据包和源地址.如果您想要带有IPv4和UDP标头的完整原始数据包，那就不一样了.

You've already got the data. However, what you've got is UDP packets and source addresses; if you want the complete raw packet, with the IPv4 and UDP headers, that's different.

在某些平台上，您可以将普通的UDP套接字设置为IP_HDRINCL，或者有其他等效项.如果这样做，每个recvfrom都将在数据中包含标题，因此您已经拥有了想要的一切.

On some platforms, you can set a normal UDP socket to IP_HDRINCL, or there are other equivalents. If you do this, each recvfrom will include the headers in the data, so you've already got everything you want.

在其他平台上，可以使用SOCK_RAW代替SOCK_DGRAM.原始套接字可以做的事情千差万别.在许多Unix平台上，可以将IPPROTO_UDP与SOCK_RAW结合使用，然后将bind用作正常的UDP地址和端口，尽管可能会有限制，并且在每个平台上它们都有所不同.例如，在OS X上，您必须是root用户才能创建原始套接字，并且只能将原始套接字绑定到单接口地址(表示没有''/INADDR_ANY/'0.0.0.0').如果您通过Google搜索"SOCK_RAW Python"和"SOCK_RAW"，则应该能够找到所需的内容. (套接字模块文档中的最后一个示例显示了如何在Windows上使用原始套接字)

On other platforms, you can use SOCK_RAW instead of SOCK_DGRAM. What you can do with raw sockets varies dramatically. On many Unix platforms, you can use IPPROTO_UDP with SOCK_RAW, and then bind to a normal UDP address and port, although there may be restrictions, and they're different on each platform. For example, on OS X, you have to be root to create a raw socket, and you can only bind a raw socket to a single-interface address (meaning no ''/INADDR_ANY/'0.0.0.0'). If you Google for "SOCK_RAW Python" and "SOCK_RAW " you should be able to find out what you need. (The last example in the sockets module docs shows how to use raw sockets on Windows.)

一旦获得数据，将其保存到pcap文件并不难. Wireshark Wiki上的 LibpcapFileFormat 中记录了该格式.如果您熟悉stdlib struct模块，应该很容易弄清楚如何编写这种格式.这是一个简短的示例:

Once you've got the data, saving it to a pcap file isn't hard. The format is documented at LibpcapFileFormat at The Wireshark Wiki. If you have any familiarity with the stdlib struct module, it should be easy to figure out how to write this format. Here's a brief sample:

pcap_hdr = struct.pack('=IHHiIII',
                       0xa1b2c3d4, # magic number
                       2, 4,       # pcap 2.4 format
                       0,          # UTC timezone for timestamps
                       0,          # "in practice, all tools set it to 0"
                       65535,      # max packet length
                       228)        # LINKTYPE_IPV4, or maybe you want LINKTYPE_RAW
pcapfile.write(pcap_hdr)

如果您不想自己做，我对使用库编写pcap文件没有任何经验，但是scapy将是我首先想到的地方，然后的http://sourceforge.net/projects/pylibpcap/"rel =" nofollow> python-libpcap 绑定libpcap / WinPcap .如果这些都不起作用，请检查PyPI.

If you don't want to do that yourself, I don't have any experience with using libraries to write pcap files, but scapy would be the first place I'd look, then the python-libpcap bindings for libpcap/WinPcap. If none of those work, check around PyPI.

如果这一切听起来超出您的范围，则您可能不想这样做.只需运行您的UDP服务器，然后使用Wireshark捕获发送给它的所有数据包即可.

If all of this sounds beyond you, you probably don't want to do things this way. Just run your UDP server, and use Wireshark to capture all of the packets sent to it.

这篇关于捕获来自特定客户端UDP(Python)的数据包的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！