Parsing pcap files with dpkt (Python)
Problem description
I'm trying to parse a previously-captured trace for HTTP headers using the dpkt module:
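import sys

import dpkt

# Read the capture file named on the command line
with open(sys.argv[1], "rb") as f:
    pcap = dpkt.pcap.Reader(f)
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        # Skip frames that are not IP/TCP so .dport below cannot fail
        if not isinstance(eth.data, dpkt.ip.IP):
            continue
        ip = eth.data
        if not isinstance(ip.data, dpkt.tcp.TCP):
            continue
        tcp = ip.data
        # Only non-empty segments sent to port 80
        if tcp.dport == 80 and len(tcp.data) > 0:
            try:
                # Parses this single segment as a whole HTTP request
                http = dpkt.http.Request(tcp.data)
                print(http.uri)
            except Exception:
                # dpkt raised while parsing this segment (e.g. NeedData)
                print('issue')
                continue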
While it seems to effectively parse most of the packets, I'm receiving a NeedData("premature end of headers") exception on some. They appear to be valid packets within Wireshark, so I'm a bit confused as to why the exceptions are being thrown.
Some output:
/ec/fd/ls/GlinkPing.aspx?IG=4a06eefebcc1495f8f4de7cb41f0ce5c&CID=2265e1228f3451ff8011dcbe5e0cdff7&ID=API.YAds%2C5037.1&1307036510547
issue
issue #misses one packet here, two exceptions
/?ld=4vyO5h1FkjCNjBpThUTGnzF50sB7QUGL0Ok8YefDTWNmO6RXghgDqHXtcp1OqeXATbCAHliIkglLj95-VEwG6ZJN3fblgd3Lh5NvTp4mZPcBGXUyKqXn9FViBAsmt1T96oumpCL5gm7gZ3qlZqSdLNUWjpML_9I8FvB2TLKPSYcJmb_VwwvJhiHpiUIvrjRdzqdVVnuQZVjQmZIIlfaMq0LOmgew_plopjt7hYvOSzBi3VJl4bqOBVk3zdhIvgZK0SfJp3kEWTXAr2_UU_q9KHBpSTnvuhY2W1xo3K2BOHKGk1VAlMiWtWC_nUaJdZmhzzWfb6yRAmY3M9YkUzFGs9z10-70OszkkNpVMSS3-p7xsNXQnC3Zpaxks
Help is appreciated; perhaps an alternative library recommendation is needed.
Recommended answer
I have encountered the same problem while working with HTTP Requests and dpkt.
The problem is that dpkt's HTTP headers parser uses wrong logic. This exception is raised when the HTTP doesn't end with \r\n\r\n. (And as you say, there are a lot of good packets with no \r\n\r\n at the end.)
Here is the bug report that addresses your problem.
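An added example, not part of the original answer or of dpkt: when a request's headers span several TCP segments, the first tcp.data does not yet contain \r\n\r\n, so one way to avoid the exception is to buffer payload per connection, in sequence order, until the terminator appears. The sketch below uses only the standard library; in the question's loop the tuples would be built from (ip.src, tcp.sport, ip.dst, tcp.dport), tcp.seq and tcp.data. The names Flow and request_lines, the tuple layout and the sample segments are constructed for illustration, and it assumes requests without bodies and a capture that starts at the first byte of each request.

```python
HEADER_END = b"\r\n\r\n"


class Flow:
    def __init__(self, first_seq):
        self.next_seq = first_seq  # next in-order sequence number expected
        self.held = {}             # seq -> payload that arrived early
        self.buf = b""             # in-order bytes not yet parsed


def request_lines(segments):
    """Yield (key, method, uri) once a flow's bytes hold a full header block."""
    flows = {}
    for key, seq, payload in segments:
        if not payload:
            continue
        flow = flows.setdefault(key, Flow(seq))
        if (seq - flow.next_seq) & 0xFFFFFFFF >= 0x80000000:
            continue  # behind next_seq: retransmission, already consumed
        flow.held.setdefault(seq, payload)
        while flow.next_seq in flow.held:  # drain what is now contiguous
            data = flow.held.pop(flow.next_seq)
            flow.buf += data
            flow.next_seq = (flow.next_seq + len(data)) & 0xFFFFFFFF
        while HEADER_END in flow.buf:      # one or more complete header blocks
            head, flow.buf = flow.buf.split(HEADER_END, 1)
            parts = head.split(b"\r\n", 1)[0].split(b" ")
            if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
                yield key, parts[0].decode("latin-1"), parts[1].decode("latin-1")


# Constructed sample: one request split over three segments (out of order,
# with one retransmission) and a second flow with a single-segment request.
FLOW_A = ("10.0.0.5", 49152, "192.0.2.10", 80)
FLOW_B = ("10.0.0.5", 49153, "192.0.2.10", 80)
SAMPLE = [
    (FLOW_A, 1000, b"GET /search?q=" + b"x" * 20),
    (FLOW_B, 5000, b"GET /ping HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (FLOW_A, 1046, b"ost: example.test\r\n\r\n"),
    (FLOW_A, 1000, b"GET /search?q=" + b"x" * 20),  # retransmission
    (FLOW_A, 1034, b" HTTP/1.1\r\nH"),
]

if __name__ == "__main__":
    for key, method, uri in request_lines(SAMPLE):
        print(key[1], method, uri)
```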