Environment setup
On Windows, pyshark looks for tshark on PATH and under "C:\Program Files\Wireshark", so either install Wireshark in its default location on the C: drive or pass the path explicitly with the tshark_path argument, as the examples below do.
Once Wireshark is installed, install the pyshark module (from PyCharm's terminal or any shell): pip install pyshark
After that the pyshark module is ready to use.
import pyshark
cap = pyshark.FileCapture('pcapng.pcapng', tshark_path='c:/Program Files/Wireshark/tshark.exe', display_filter='http')
print(cap[0])
# The three arguments are the input file, the path to tshark, and the display filter
# (Wireshark display-filter syntax) selecting the protocol you want to keep
# The output looks like this:
Packet (Length: 464)
Layer SLL
: Packet type: Sent by us (4)
Link-layer address type: Ethernet (1)
Link-layer address length: 6
Source: a0:a4:c5:94:1f:7e
Unused: 0000
Protocol: IPv4 (0x0800)
Layer IP
: 0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 448
Identification: 0x5ca7 (23719)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x1cdc [validation disabled]
Header checksum status: Unverified
Source Address: 192.168.31.25
Destination Address: 192.168.31.75
Layer TCP
: Source Port: 57124
Destination Port: 80
Stream index: 7
Conversation completeness: Incomplete, ESTABLISHED (7)
..0. .... = RST: Absent
...0 .... = FIN: Absent
.... 0... = Data: Absent
.... .1.. = ACK: Present
.... ..1. = SYN-ACK: Present
.... ...1 = SYN: Present
Completeness Flags: ···ASS
TCP Segment Len: 396
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 1499439008
Next Sequence Number: 397 (relative sequence number)
Acknowledgment Number: 1 (relative ack number)
Acknowledgment number (raw): 2062611008
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
TCP Flags: ·······AP···
Window: 502
Calculated window size: 64256
Window size scaling factor: 128
Checksum: 0xd99f [unverified]
Checksum Status: Unverified
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 208884719, TSecr 904220019
Length: 10
Timestamp value: 208884719
Timestamp echo reply: 904220019
Timestamps
Time since first frame in this TCP stream: 0.000521527 seconds
Time since previous frame in this TCP stream: 0.000204703 seconds
SEQ/ACK analysis
iRTT: 0.000316824 seconds
Bytes in flight: 396
Bytes sent since last PSH flag: 396
TCP payload (396 bytes)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
Kind: Time Stamp Option (8)
Layer HTTP
: GET /shell.php?pass=187 HTTP/1.1\r\n
Expert Info (Chat/Sequence): GET /shell.php?pass=187 HTTP/1.1\r\n
GET /shell.php?pass=187 HTTP/1.1\r\n
Severity level: Chat
Group: Sequence
Request Method: GET
Request URI: /shell.php?pass=187
Request URI Path: /shell.php
Request URI Query: pass=187
Request URI Query Parameter: pass=187
Request Version: HTTP/1.1
Content-type: application/x-www-form-urlencoded\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)\r\n
Host: 192.168.31.75\r\n
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n
Connection: keep-alive\r\n
Full request URI: http://192.168.31.75/shell.php?pass=187
HTTP request 1/1
\r\n
You can also iterate over every packet in the capture:
import pyshark
cap = pyshark.FileCapture('./pcapng.pcapng', tshark_path='c:/Program Files/Wireshark/tshark.exe', display_filter='http')
for p in cap:
    print(p)
Looking at a single layer
print(cap[0].ip)   # print just the IP layer of the first packet
print(dir(cap[0])) # list the attributes available on the packet (layers such as ip, tcp, http, plus helper methods)
Note that dir() also lists the object's methods; to see only the fields of a layer use its field_names attribute, e.g. cap[0].http.field_names.
Getting the value of the data-text-lines field with pyshark
The text Wireshark shows as "Line-based text data" (data-text-lines) is the HTTP body, which pyshark exposes on the HTTP layer as the field http.file_data. Here is how to find it:
import pyshark
cap = pyshark.FileCapture('./swt1.pcapng', tshark_path='c:/Program Files/Wireshark/tshark.exe', display_filter='http')
print(dir(cap[0].http))
In the dir() output you will see the attribute 'file_data' (a field, not a function), which holds the body:
cap[0].http.file_data
It only exists on packets that actually carry a body, such as the server's response; on a bodiless request like the GET above, accessing it raises AttributeError, so check with hasattr() or getattr(layer, 'file_data', None) first.
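Putting the three snippets above together (opening a capture, iterating over it, and reading http.file_data), the following added example pairs each HTTP request with its response by TCP stream and decodes the query parameters, so a webshell exchange like the GET /shell.php?pass=187 on this page comes out as one record. It is not code from the original post. The pairing function relies only on the attribute access pyshark layers provide (pkt.ip.src, pkt.tcp.stream, pkt.http.request_method, pkt.http.file_data), so it is exercised here with hand-built stand-in packets and runs without tshark; load_http_packets() is the pyshark-backed loader you would swap in for a real pcap. The sample packets, including the response body, are constructed for the demo and are not taken from the page's capture.

```python
"""Pair HTTP requests with their responses from a pyshark capture.

Added example, not code from the original post.  pair_http_streams() only
uses the attribute access pyshark layers expose, so it is exercised below
with constructed stand-in packets and needs no tshark installation;
load_http_packets() is the pyshark-backed loader for real capture files.
"""
from types import SimpleNamespace
from urllib.parse import parse_qs, urlsplit


def load_http_packets(path, tshark_path=None):
    """Yield HTTP packets from a capture file with pyshark (needs tshark).

    keep_packets=False stops pyshark from caching every packet in memory,
    which matters on large captures; close() terminates the tshark process.
    """
    import pyshark  # imported here so the rest of the module works without it

    cap = pyshark.FileCapture(path, display_filter="http",
                              tshark_path=tshark_path, keep_packets=False)
    try:
        yield from cap
    finally:
        cap.close()


def _field(layer, name):
    """Return a layer field or None; pyshark raises AttributeError for absent fields."""
    return getattr(layer, name, None)


def pair_http_streams(packets):
    """Group HTTP packets by TCP stream into request/response summaries.

    Returns one dict per stream with client/server addresses, request method
    and URI, decoded query parameters, response status and the response body
    (http.file_data, shown by Wireshark as "Line-based text data").  Fields
    absent from the capture stay None instead of raising.
    """
    streams = {}
    for pkt in packets:
        if not hasattr(pkt, "http"):      # skip non-HTTP packets
            continue
        entry = streams.setdefault(pkt.tcp.stream, {
            "stream": pkt.tcp.stream, "client": None, "server": None,
            "method": None, "uri": None, "params": {}, "status": None, "body": None,
        })
        http = pkt.http
        method = _field(http, "request_method")
        if method:                                   # request side
            uri = _field(http, "request_full_uri") or _field(http, "request_uri") or ""
            query = parse_qs(urlsplit(uri).query)
            entry.update(client=pkt.ip.src, server=pkt.ip.dst, method=method, uri=uri,
                         params={k: v[0] if len(v) == 1 else v for k, v in query.items()})
        elif _field(http, "response_code"):          # response side
            entry["status"] = int(http.response_code)
            entry["body"] = _field(http, "file_data")  # None when there is no body
    return list(streams.values())


def fake_packet(src, dst, stream, **http_fields):
    """Constructed stand-in with the attribute shape of a pyshark packet."""
    return SimpleNamespace(ip=SimpleNamespace(src=src, dst=dst),
                           tcp=SimpleNamespace(stream=stream),
                           http=SimpleNamespace(**http_fields))


# Constructed sample mirroring the GET /shell.php?pass=187 request shown on
# this page; the 200 response and its body are made up for the demo.
SAMPLE_PACKETS = [
    fake_packet("192.168.31.25", "192.168.31.75", "7",
                request_method="GET", request_version="HTTP/1.1",
                request_uri="/shell.php?pass=187",
                request_full_uri="http://192.168.31.75/shell.php?pass=187"),
    fake_packet("192.168.31.75", "192.168.31.25", "7",
                response_code="200", response_phrase="OK",
                file_data="uid=33(www-data) gid=33(www-data)\n"),
]


if __name__ == "__main__":
    # Replace SAMPLE_PACKETS with
    # load_http_packets("pcapng.pcapng", "c:/Program Files/Wireshark/tshark.exe")
    # to run against a real capture.
    for s in pair_http_streams(SAMPLE_PACKETS):
        print(f"stream {s['stream']}: {s['client']} -> {s['server']} "
              f"{s['method']} {s['uri']} params={s['params']} status={s['status']}")
        print("  body:", (s["body"] or "").strip())
```

Because pyshark returns field values as strings, the response code is converted with int() and the query string is decoded with urllib.parse rather than read from the http.request_uri_query_parameter field, which repeats once per parameter and is awkward to access through attribute lookup.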
Just a beginner here, please go easy on me and leave a like; I post new solving tricks every day on web security, traffic analysis and cryptography.