Packet Processing

title: 数据包处理
categories: 逆向与协议分析
toc: true
mathjax: true
tags: 
- 抓包
- 协议分析
widgets:
-
    type: toc
    position: left
-
    type: profile
    position: left
    author: Runope
    # Author title
    author_title: 不知不论,不做不论
    # Author's current location
    location: Nanjin,jiangsu
    # URL or path to the avatar image
    avatar: https://en.gravatar.com/userimage/194935117/7129e2095de79a9dd97e5cc344acaba2?size=200
    # Whether show the rounded avatar image
    avatar_rounded: false
    # Email address for the Gravatar
    gravatar: 275358499@qq.com
    # URL or path for the follow button
    follow_link: 'https://github.com/runope'
-
    type: recent_posts
    position: left

Removing the STUN protocol header

When working on voice and video calls, a STUN header in front of the payload prevents Wireshark from parsing the encapsulated protocol. For example, when DTLS is wrapped inside a STUN message, Wireshark cannot dissect the DTLS handshake, which in turn makes it hard to judge the corresponding call flow.

Below is the STUN header-stripping script used for Xuexi Qiangguo (学习强国); it is implemented with the Python kamene library.

# -*- encoding: utf-8 -*-
# @File           : clip_stun.py
# @Description    : The STUN header affects Wireshark parsing, so this script removes STUN headers
# @Time           : 2020/09/29 08:00:27
# @Author         : runope
# @version        : v1.0


# Needs the kamene library: pip3 install kamene
import struct

from kamene.all import PcapReader, PcapWriter


def shrink_length_fields(pkt, sub_len):
    # The packet was read from a capture, so its UDP and IP length fields are
    # already set and kamene will not recompute them on write; patch the raw
    # header bytes with 16-bit arithmetic (adjusting only the low byte would
    # underflow whenever that byte is smaller than sub_len).
    udp = bytearray(bytes(pkt['UDP']))
    udp[4:6] = struct.pack('!H', struct.unpack('!H', udp[4:6])[0] - sub_len)
    pkt['UDP'] = bytes(udp)

    ip = bytearray(bytes(pkt['IP']))
    ip[2:4] = struct.pack('!H', struct.unpack('!H', ip[2:4])[0] - sub_len)
    pkt['IP'] = bytes(ip)


# Only clip the STUN header when the message carries a DATA attribute
# (attribute type 0x0013); the attribute length is verified against the
# 4-byte padded remainder before the payload is replaced.
with PcapReader("audio.pcap") as pcap_reader:
    writer = PcapWriter("audio_clip_stun_header.pcap")

    for pkt in pcap_reader:
        if 'UDP' in pkt:
            # read the application-layer data
            if pkt.haslayer('Raw'):
                raw = bytes(pkt['Raw'])
                raw_hex = raw.hex().upper()      # two hex digits per byte
                raw_len = len(raw_hex)
                # Determine whether another protocol is multiplexed on the port:
                # a STUN message starts with two zero bits, so a first byte of
                # 0x40 or more is not a STUN header
                if raw and raw[0] >= 0x40:
                    # Throw out the 4-byte header in front of the data
                    pkt['Raw'] = raw[4:]
                    shrink_length_fields(pkt, 4)
                    writer.write(pkt)
                else:
                    # Determine whether there is a DATA attribute (0x0013).
                    # This is a plain search in the hex string, so the match is
                    # confirmed below by checking the attribute length.
                    start_index = raw_hex.find("0013")
                    if start_index != -1:
                        remaining = raw_hex[start_index:]
                        remaining_length = int(remaining[4:8], 16)  # value length in bytes
                        remaining = remaining[8:]                    # attribute value
                        # STUN attributes are padded to 4 bytes: accept the match
                        # only if the remaining data is exactly the padded length
                        if len(remaining) // 8 == (remaining_length + 3) // 4:
                            pkt['Raw'] = bytes.fromhex(remaining[0:remaining_length * 2])
                            sub_len = (raw_len - remaining_length * 2) // 2  # bytes removed
                            shrink_length_fields(pkt, sub_len)
                            writer.write(pkt)
        else:
            writer.write(pkt)
    writer.flush()
    writer.close()

The result is shown in the figures below:

Before header removal

After header removal
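As an added example (not the post's script or kamene code), here is a byte-aligned unwrapper for the two encapsulations the script strips: it reads the STUN message length and walks the TLV attributes to the DATA attribute instead of searching the hex string for 0013, and it treats the 4-byte header on non-STUN packets as TURN ChannelData framing (channel number plus length), which is an assumption the post does not state. Only the standard library is used; the Data Indication below is constructed sample data.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389 fixed value in every STUN header
ATTR_DATA = 0x0013               # TURN DATA attribute that carries the inner packet


def unwrap_stun_payload(payload: bytes):
    """Return the application data wrapped inside a UDP payload, or None.

    STUN message (first byte 0x00..0x03): 20-byte header (type, length, magic
    cookie, transaction id) then TLV attributes padded to 4 bytes; the DATA
    attribute holds the inner packet. TURN ChannelData (first byte 0x40..0x7F,
    assumed framing): 2-byte channel number, 2-byte length, then the data.
    Plain DTLS/RTP/RTCP: None, nothing to strip.
    """
    if len(payload) < 4:
        return None
    first = payload[0]
    if 0x40 <= first <= 0x7F:
        _channel, length = struct.unpack('!HH', payload[:4])
        return payload[4:4 + length] if len(payload) >= 4 + length else None
    if first > 0x03 or len(payload) < 20:
        return None
    _msg_type, msg_len, cookie = struct.unpack('!HHI', payload[:8])
    if cookie != STUN_MAGIC_COOKIE or len(payload) < 20 + msg_len:
        return None
    off, end = 20, 20 + msg_len
    while off + 4 <= end:                  # walk attributes byte-aligned
        attr_type, attr_len = struct.unpack('!HH', payload[off:off + 4])
        value = payload[off + 4:off + 4 + attr_len]
        if attr_type == ATTR_DATA and len(value) == attr_len:
            return value
        off += 4 + (attr_len + 3) // 4 * 4   # skip value plus its padding
    return None


def build_stun_message(msg_type: int, attrs) -> bytes:
    """Build a STUN message from (attr_type, value) pairs; constructed test data."""
    body = b''
    for attr_type, value in attrs:
        body += struct.pack('!HH', attr_type, len(value)) + value
        body += b'\x00' * (-len(value) % 4)   # pad the attribute to 4 bytes
    txn_id = b'\x11' * 12                      # constructed, normally random
    return struct.pack('!HHI', msg_type, len(body), STUN_MAGIC_COOKIE) + txn_id + body


# Constructed sample: a TURN Data Indication (0x0017) with an XOR-PEER-ADDRESS
# (0x0012) attribute followed by a DATA attribute holding a DTLS-looking record
SAMPLE_INNER = bytes([0x16, 0xFE, 0xFD]) + b'\x00' * 10 + b'\x00\x13'
SAMPLE_DATA_INDICATION = build_stun_message(
    0x0017, [(0x0012, b'\x00\x01\x12\x34\x00\x00\x00\x00'), (ATTR_DATA, SAMPLE_INNER)])
```

The inner record deliberately contains the bytes 00 13, which a plain hex search would mistake for an attribute header; the attribute walk is not fooled because it uses the declared lengths.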
