用 Python 修改 PCAP [英] PCAP modification with Python

问题描述

我需要读取一个 PCAP 文件，修改一些字段(实际上是 IPv4 源和目标以及以太网源和目标).PCAP 经过预过滤，仅包含 IPv4 over Ethernet 数据包.

I need to read a PCAP file, modify some fields (actually IPv4 source and destination and Ethernet source and destination). The PCAP is pre-filtered to only include IPv4 over Ethernet packets.

到目前为止，我试图用 scapy 来做到这一点，但是它有一个严重的内存问题.读取 ~350MB PCAP 文件时，我的 16GB RAM 已完全填满.其实就是读书.我还没有对这个文件做任何其他事情.我也 找到了这个答案，随着这些变化，阅读速度非常快.一开始修改数据包，内存又膨胀了.Scapy 实际上在这种情况下不可用

Up to now I tried to do this with scapy, which however has a severe memory problem. My 16GB RAM are completely filled when reading a ~350MB PCAP file. Actually, just reading. I did nothing else with this file yet. I have also found this answer, and with these changes reading is very fast. As soon as I start to modify the packet, memory is bloated again. Scapy is in fact not usable in this context

我也考虑过使用其他工具，例如 tcprewrite，但它不能满足我的目的.每个数据包的源 MAC 总是相同的，这也可以通过 tcprewrite 来完成.源 IP 在给定的子网范围内应该是随机的，例如均匀分布在 10.0.0.0/16.不太容易.更复杂的是目标 IP，它需要从给定的流量矩阵中计算出来.

I also thought about using other tools such as tcprewrite, but it cannot serve my purposes. The Source MAC is always the same for each packet, this can also be done with tcprewrite. Source IP should be random in a given subnet range, for example uniformly distributed in 10.0.0.0/16. Not too easy. Even more complicated is destination IP, which needs to be calculated out of a given traffic matrix.

所以问题是:如何读入 PCAP 文件，使用自定义函数修改四个基本字段(Ethernet src+dst、IP src+dst)，然后将其写回(另一个)PCAP 文件?

So the question is: how can I read in a PCAP file, modify four basic fields (Ethernet src+dst, IP src+dst) with a custom function, and write it back to (another) PCAP file?

实际上，我框架的其余部分是用 Python 编写的，所以我更喜欢基于 Python 的解决方案.但是，因为我可以简单地调用其他脚本，所以这不是强制性的.谢谢！

Actually, the rest of my framework is written in Python, so I would prefer a python based solution. However, as I could simply call other scripts, this is not mandatory. Thank you!

推荐答案

我不知道 scapy 是否有办法做到这一点，但您也可以使用非常简单的 PcapFile.py 库，可让您逐包读取/写入 pcap 文件(免责声明:我是其中之一作者).如果您的需求不太复杂(例如您不需要重新生成校验和)，您可以使用 Python 切片和 Python 的 struct 模块简单地修改框架的字节串.

I don't know if there is a way to do that with scapy, but you could also use the very simple PcapFile.py library that lets you read/write pcap files packet by packet (disclaimer: I'm one of the authors). If your needs aren't too complicated (e.g. you don't need to re-generate checksums) you could simply modify the frame's bytestring using Python slicing and Python's struct module.

但我认为也应该可以使用 p = Ether(packet_bytes) 分析帧并使用 str(p) 转换回 PcapFile.py 的字节流.这样你就可以让 scapy 为你重新计算一个有效的校验和.

But I think it should also be possible to get scapy to analyze the frame using p = Ether(packet_bytes) and convert back to a bytestream for PcapFile.py using str(p). This way you can let scapy re-calculate a valid checksum for you.

这篇关于用 Python 修改 PCAP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！