Code to analyze pcap file


Problem description


I am trying to analyse a file containing packets captured using tcpdump. I first want to categorize the packets into flows using 5-tuple. Then I need to get the size and inter-arrival time of each packet in each flow. I tried Conversation list in wireshark but it gives only the number of packets in the flow not information about each packet in the flow. A suggestion for any code (c++ or shell script) that can do the job? Thank you

Recommended answer

UmNyobe,


If you haven't heard of Scapy yet I believe what you are trying to do would be a near perfect fit. For example I wrote this little snippet to parse a pcap field and give me something like what you are talking about using Scapy.

#!/usr/bin/python -tt

from scapy.all import *    # Scapy's public API lives in scapy.all, not the bare package
import sys
from datetime import datetime

'''Parse PCAP files into easy to read NETFLOW like output\n
   Usage:\n
   python cap2netflow.py <[ pcap filename or -l ]>\n
   -l is live capture switch\n
   ICMP packets print as source ip, type --> dest ip, code'''


def parse_netflow(pkt):
    # grabs 'netflow-esque' fields from packets in a PCAP file
    ip = pkt.getlayer(IP)
    if ip is None:
        return                      # ARP, IPv6 etc. carry no IPv4 5-tuple; skip them
    proto = ip.proto                # named 'proto' so it does not shadow the builtin type()

    # pkt.time may be a Decimal-like value in newer Scapy; float() keeps fromtimestamp happy
    snifftime = datetime.fromtimestamp(float(pkt.time)).strftime('%H:%M:%S')

    if proto in (6, 17):
        name, layer = ('TCP', TCP) if proto == 6 else ('UDP', UDP)
        l4 = pkt.getlayer(layer)
        if l4 is None:
            return                  # e.g. a non-first IP fragment: no transport header present
        print(' '.join([snifftime, name.rjust(4, ' '), str(ip.src).rjust(15, ' '),
                        str(l4.sport).rjust(5, ' '), '-->', str(ip.dst).rjust(15, ' '),
                        str(l4.dport).rjust(5, ' ')]))

    elif proto == 1:
        icmp = pkt.getlayer(ICMP)
        if icmp is None:
            return
        print(' '.join([snifftime, 'ICMP'.rjust(4, ' '), str(ip.src).rjust(15, ' '),
                        ('t: ' + str(icmp.type)).rjust(5, ' '), '-->', str(ip.dst).rjust(15, ' '),
                        ('c: ' + str(icmp.code)).rjust(5, ' ')]))


if '-l' in sys.argv:
    sniff(prn=parse_netflow)        # live capture needs root / CAP_NET_RAW
else:
    pkts = rdpcap(sys.argv[1])
    print(' '.join(['Date: ', datetime.fromtimestamp(float(pkts[0].time)).strftime('%Y-%m-%d')]))
    for pkt in pkts:
        parse_netflow(pkt)




Install Python and Scapy then use this to get you started. Let me know if you need any assistance figuring it all out, if you know C++ chances are this will already make a lot of sense to you.


Get Scapy here

http://www.secdev.org/projects/scapy/


There are tons of links on this page to helpful tutorials, keep in mind Scapy does a lot more but hone in on the areas that talk about pcap parsing..

I hope this helps!

dc
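The answer's snippet prints one line per packet but does not do what the question actually asks for: grouping packets into 5-tuple flows and reporting each packet's size and inter-arrival time within its flow. The following is an added example (not part of the answer above, and not Scapy code) that does exactly that with only the Python standard library, reading the classic libpcap file format directly so it runs without any third-party module. The sample capture at the bottom is constructed in code (IP checksums left at zero), not taken from a real trace; pcapng and nanosecond-resolution pcap files are deliberately rejected rather than silently misparsed.

```python
#!/usr/bin/env python3
"""Group packets of a classic libpcap file into unidirectional 5-tuple flows and
report each packet's wire size and inter-arrival time (microseconds) in its flow."""
import struct
import sys
from collections import defaultdict

PCAP_MAGIC_LE = 0xa1b2c3d4   # magic as read little-endian from a LE-written file
PCAP_MAGIC_BE = 0xd4c3b2a1   # the same four bytes read from a BE-written file
DLT_EN10MB = 1               # Ethernet link type


def parse_pcap(data):
    """Yield (timestamp_us, wire_len, frame_bytes) for every record in a classic pcap blob."""
    if len(data) < 24:
        raise ValueError('too short for a pcap global header')
    magic, = struct.unpack_from('<I', data, 0)
    if magic == PCAP_MAGIC_LE:
        end = '<'
    elif magic == PCAP_MAGIC_BE:
        end = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng / nanosecond pcap not handled)')
    # global header: magic, version major/minor, tz offset, sigfigs, snaplen, link type
    _, _, _, _, _, _, linktype = struct.unpack_from(end + 'IHHiIII', data, 0)
    if linktype != DLT_EN10MB:
        raise ValueError('only Ethernet captures are handled, got link type %d' % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + 'IIII', data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError('truncated packet record at offset %d' % off)
        off += incl_len
        # integer microseconds avoid float rounding in the inter-arrival differences
        yield ts_sec * 1_000_000 + ts_usec, orig_len, frame


def five_tuple(frame):
    """(proto, src, sport, dst, dport) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # not plain IPv4 (ARP, IPv6, VLAN tag)
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0f) * 4
    proto = ip[9]
    frag_off = struct.unpack_from('!H', ip, 6)[0] & 0x1fff
    if proto not in (6, 17) or frag_off != 0 or ihl < 20 or len(ip) < ihl + 4:
        return None   # no transport ports to key on (other protocol, later fragment, malformed)
    sport, dport = struct.unpack_from('!HH', ip, ihl)
    src = '.'.join(map(str, ip[12:16]))
    dst = '.'.join(map(str, ip[16:20]))
    return (proto, src, sport, dst, dport)


def flows_from_pcap(data):
    """Map each 5-tuple to a list of (wire_len, inter_arrival_us); a flow's first packet gets 0."""
    flows = defaultdict(list)
    last_seen = {}
    for ts_us, wire_len, frame in parse_pcap(data):
        key = five_tuple(frame)
        if key is None:
            continue
        iat = ts_us - last_seen[key] if key in last_seen else 0
        last_seen[key] = ts_us
        flows[key].append((wire_len, iat))   # wire_len is the on-the-wire size, even if snapped
    return dict(flows)


def build_frame(proto, src, sport, dst, dport, payload_len):
    """Constructed test frame: Ethernet + IPv4 (checksum zero) + minimal TCP/UDP header + payload."""
    l4 = struct.pack('!HH', sport, dport) + b'\x00' * ((20 if proto == 6 else 8) - 4)
    payload = b'A' * payload_len
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return b'\x00' * 12 + b'\x08\x00' + ip + l4 + payload


def build_pcap(records):
    """Constructed little-endian classic pcap from (sec, usec, frame) tuples."""
    hdr = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return hdr + b''.join(struct.pack('<IIII', s, us, len(f), len(f)) + f for s, us, f in records)


# Constructed sample: one TCP flow of three packets, one UDP packet, one ARP frame.
SAMPLE_PCAP = build_pcap([
    (1, 0,     build_frame(6, '10.0.0.1', 40000, '10.0.0.2', 80, 0)),      # TCP flow, 54 bytes
    (1, 10000, build_frame(6, '10.0.0.1', 40000, '10.0.0.2', 80, 100)),    # +10 ms, 154 bytes
    (1, 15000, build_frame(17, '10.0.0.3', 5353, '10.0.0.4', 53, 30)),     # UDP flow, 72 bytes
    (1, 35000, build_frame(6, '10.0.0.1', 40000, '10.0.0.2', 80, 1446)),   # +25 ms, 1500 bytes
    (2, 0,     b'\x00' * 12 + b'\x08\x06' + b'\x00' * 28),                 # ARP: skipped
])

if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (proto, src, sport, dst, dport), pkts in flows_from_pcap(data).items():
        print('%s %s:%d -> %s:%d (%d packets)' % ('TCP' if proto == 6 else 'UDP',
                                                   src, sport, dst, dport, len(pkts)))
        for size, iat in pkts:
            print('    %5d bytes  +%d us' % (size, iat))
```

Run it with a tcpdump file as the only argument, or with no argument to see the constructed sample. Flows are keyed unidirectionally, as the question asks; to merge both directions of a conversation, sort the (address, port) endpoints before using them as the key. Frames that carry no IPv4 transport ports (ARP, IPv6, later IP fragments) are skipped rather than mis-keyed, and a capture whose snaplen cut packets short still reports the true wire length.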
