pcap文件常用于储存一些以太网数据,内部数据使用16进制数进行储存,要想解析一份pcap文件,可以使用工具wireshark,例如下图。
图中右下区域即文件内储存的16进制数,要想得到这样的数组,也可以使用python中的库dpkt等,例如以下代码即可读出数据。
import dpkt
dbc_file = open('data_packet.txt', "w", encoding="gb18030")
def read_pcap(file_path):
# 打开pcap文件
with open(file_path, 'rb') as f:
pcap = dpkt.pcap.Reader(f)
for timestamp, packet in pcap:
dbc_file.write(' Timestamp: ' + str(timestamp) + ' packet: ' + str(packet) + '\n')
file_path = r"test.pcap"
read_pcap(file_path)运行上述代码后发现得到的结果如下:
输出结果与期望的还是有些区别,进一步修改代码后:
import dpkt
import time
dbc_file = open('data_packet.txt', "w", encoding="gb18030")
def read_pcap(file_path):
# 打开pcap文件
with open(file_path, 'rb') as f:
pcap = dpkt.pcap.Reader(f)
for timestamp, packet in pcap:
time_local = time.localtime(timestamp)
dt = time.strftime("%Y-%m-%d %H:%M:%S", time_local)
hex_str = ' '.join(f'{c:02x}' for c in packet)
dbc_file.write(' Timestamp: ' + str(dt) + ' packet: ' + str(hex_str) + '\n')
# 使用示例
file_path = r"test.pcap" # 替换为你的pcap文件路径
read_pcap(file_path)得到以下结果:
这次的结果已经和wireshark看到的原始数据一致了,拿到原始数据后,就可以做任何形式的解析了,以下一段代码是我跟据时间戳,来解析这一帧报文的头部,payload部分的解析需要结合arxml文件才能进行。
import dpkt
from datetime import datetime
destination_lan = ''
protocol = ''
checksum = ''
list_stamp = []
list_packet = []
# 打开pcap文件
with open(r"test.pcap", 'rb') as f: # 需要解析的pcap文件
pcap = dpkt.pcap.Reader(f)
for timestamp, packet in pcap:
timestamp2 = datetime.fromtimestamp(timestamp)
dt = timestamp2.strftime("%Y-%m-%d %H:%M:%S.%f")
hex_str = ' '.join(f'{c:02x}' for c in packet)
list_stamp.append(str(dt))
list_packet.append(str(hex_str))
input_chosen_timestamp = '2024-08-07 09:01:19.918663' # 输入的时间戳
index_timestamp = list_stamp.index(input_chosen_timestamp)
chosen_packet = list_packet[index_timestamp]
list_every_value = chosen_packet.split(' ')
list_source_mac = list_every_value[0:6]
source_mac = ':'.join(list_source_mac) # IP头部字段源地址
list_destination_mac = list_every_value[6:12]
destination_mac = ':'.join(list_destination_mac) # IP头部字段目标地址
list_virtual_lan = list_every_value[16:18]
destination_lan_original = ''.join(list_virtual_lan) # 判断ipv6还是ipv4
if destination_lan_original == '86dd':
destination_lan = 'ipv6'
elif destination_lan_original == '0800':
destination_lan = 'ipv4'
protocol_original = list_every_value[24] # 判断tcp还是udp协议
if protocol_original == '11':
protocol = 'UDP'
elif protocol_original == '06':
protocol = 'TCP'
list_source_address = list_every_value[26:42]
source_address = ':'.join(list_source_address) # IP层源地址
list_destination_address = list_every_value[42:58]
destination_address = ':'.join(list_destination_address) # IP层目标地址
list_source_port = list_every_value[58:60]
source_port_original = ''.join(list_source_port) # 源端口
source_port = int(source_port_original, 16)
list_destination_port = list_every_value[60:62]
destination_port_original = ''.join(list_destination_port)
destination_port = int(destination_port_original, 16) # 目标端口
if protocol == 'TCP':
list_checksum = list_every_value[74:76]
checksum = ''.join(list_checksum) # TCP协议下的校验和
elif protocol == 'UDP':
list_checksum = list_every_value[64:66]
checksum = ''.join(list_checksum) # UDP协议下的校验和
print('选中的时间戳: ' + str(input_chosen_timestamp))
print('source_mac: ' + str(source_mac))
print('destination_mac: ' + str(destination_mac))
print('destination_lan: ' + str(destination_lan))
print('protocol: ' + str(protocol))
print('source_address: ' + str(source_address))
print('destination_address: ' + str(destination_address))
print('source_port: ' + str(source_port))
print('destination_port: ' + str(destination_port))
print('checksum: ' + str(checksum))选中的时间戳: 2024-08-07 09:01:19.918663
source_mac: 33:33:00:00:00:3a
destination_mac: 02:7d:fa:00:10:01
destination_lan: ipv6
protocol: UDP
source_address: fd:53:7c:b8:03:83:00:05:00:00:00:00:00:00:00:0e
destination_address: ff:14:00:00:00:00:00:00:00:00:00:00:00:00:00:3a
source_port: 42994
destination_port: 42557
checksum: ad13当然以上例子仅仅是我针对读出的pcap原始数据来进行分析,dpkt库中本身也有函数可以解析头部字段,网上资料也比较多,在此就不过多赘述了。
294
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
