使用dpkt解析pcap文件(Python) [英] Parsing pcap files with dpkt (Python)
问题描述
我正在尝试使用dpkt模块解析先前捕获的HTTP标头跟踪:
I'm trying to parse a previously-captured trace for HTTP headers using the dpkt module:
import dpkt
import sys
f=file(sys.argv[1],"rb")
pcap=dpkt.pcap.Reader(f)
for ts, buf in pcap:
eth=dpkt.ethernet.Ethernet(buf)
ip=eth.data
tcp=ip.data
if tcp.dport==80 and len(tcp.data)>0:
try:
http=dpkt.http.Request(tcp.data)
print http.uri
except:
print 'issue'
continue
f.close()
虽然似乎可以有效地解析大多数数据包,但我还是收到了NeedData("Header of end of headers")的异常.它们似乎是WireShark中的有效数据包,所以对于为什么抛出异常,我有些困惑.
While it seems to effectively parse most of the packets, I'm receiving a NeedData("premature end of headers") exception on some. They appear to be valid packets within WireShark, so I'm a bit confused as to why the exceptions are being thrown.
一些输出:
/ec/fd/ls/GlinkPing.aspx?IG=4a06eefebcc1495f8f4de7cb41f0ce5c&CID=2265e1228f3451ff8011dcbe5e0cdff7&ID=API.YAds%2C5037.1&1307036510547
issue
issue #misses one packet here, two exceptions
/?ld=4vyO5h1FkjCNjBpThUTGnzF50sB7QUGL0Ok8YefDTWNmO6RXghgDqHXtcp1OqeXATbCAHliIkglLj95-VEwG6ZJN3fblgd3Lh5NvTp4mZPcBGXUyKqXn9FViBAsmt1T96oumpCL5gm7gZ3qlZqSdLNUWjpML_9I8FvB2TLKPSYcJmb_VwwvJhiHpiUIvrjRdzqdVVnuQZVjQmZIIlfaMq0LOmgew_plopjt7hYvOSzBi3VJl4bqOBVk3zdhIvgZK0SfJp3kEWTXAr2_UU_q9KHBpSTnvuhY2W1xo3K2BOHKGk1VAlMiWtWC_nUaJdZmhzzWfb6yRAmY3M9YkUzFGs9z10-70OszkkNpVMSS3-p7xsNXQnC3Zpaxks
感谢您的帮助;也许需要替代的库建议.
Help is appreciated; perhaps an alternative library recommendation is needed.
推荐答案
在使用HTTP请求和dpkt时遇到了相同的问题.
I have encountered the same problem while working with HTTP Requests and dpkt.
问题在于dpkt的HTTP标头解析器使用了错误的逻辑.当HTTP不以\r\n\r\n结尾时,将引发此异常. (正如您所说,有很多很好的数据包,但最后没有\r\n\r\n.)
The problem is that the dpkt's HTTP headers parser uses wrong logic. This exception is raised when the HTTP doesn't end with \r\n\r\n. (And as you say, there are a lot of good packets with no \r\n\r\n at the end.)
这是错误报告解决您的问题.
这篇关于使用dpkt解析pcap文件(Python)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
