流量包往往大而繁杂,所以编写了该Python脚本辅助。
需用Linux环境,因为调用了Tcpdump。将该脚本放入pcap数据包的目录中运行,可以输入1-4。
1可以批量改名,3批量过滤,4将包合成,2可以在过滤后自动将过滤出的包合成。
在过滤选项中也有几个选择:1只过滤http流量,2只过滤ftp流量,3同时过滤http和ftp流量,4自定义过滤(输入tcpdump的过滤表达式)。
代码如下:
#! /usr/bin/python
# -*- coding: utf-8 -*-
#author:Blus
from __future__ import print_function

import os
import re
import shlex
import subprocess
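def rename(path):
    """Rename every ``*.pcap`` file in *path* to ``NN_<suffix>.pcap``.

    Files are processed in lexical order of their stem (the name without
    ``.pcap``); ``NN`` is the 1-based, zero-padded position in that order
    and ``<suffix>`` is the last six characters of the original stem.
    *path* is expected to end with a path separator because names are
    built by plain concatenation, as elsewhere in this script.

    A target name that already exists and is not the file itself is
    skipped and reported instead of being overwritten, so a capture is
    never silently lost by ``os.rename``.
    """
    print("Rename ........")
    # splitext guarantees the suffix is exactly ".pcap", so [0] is the stem.
    stems = sorted(
        os.path.splitext(name)[0]
        for name in os.listdir(path)
        if os.path.splitext(name)[1] == '.pcap'
    )
    for stem in stems:
        print(stem)
    for index, stem in enumerate(stems, 1):
        oldname = path + stem + ".pcap"
        # Two-digit zero padding keeps lexical order equal to index order
        # for up to 99 files; larger indexes simply use more digits.
        newname = path + "%02d_%s.pcap" % (index, stem[-6:])
        print(oldname)
        print(newname)
        print("")
        if newname != oldname and os.path.exists(newname):
            print("Skip: " + newname + " already exists")
            continue
        os.rename(oldname, newname)
    print("Rename done.")
    print("")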
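def tcpdump_filter(path, cmd, path_name):
    """Run ``tcpdump -r <in> -w <out> <cmd>`` over every ``*.pcap`` in *path*.

    Filtered captures are written to a fresh sub-directory
    ``<path><path_name>/`` (or ``<path_name>1/``, ``<path_name>2/``, ...
    when that name is already taken).  The directory is also published
    through the module global ``h_path`` so that ``merge`` can pick it up.
    *path* is expected to end with ``/`` because paths are built by
    concatenation, as elsewhere in this script.

    Args:
        path: directory holding the source captures.
        cmd: tcpdump filter expression, e.g. ``'tcp port http'``.  It is
            tokenised with ``shlex.split`` and passed to tcpdump as separate
            arguments; no shell is involved, so capture file names taken
            from the directory listing cannot be interpreted as shell syntax.
        path_name: base name of the output sub-directory and suffix added
            to each output file name.

    Returns:
        The output directory that was created (also stored in ``h_path``).
    """
    global h_path
    base = path + path_name + "/"
    out_dir = base
    suffix = 1
    # Never reuse an output directory: bump the numeric suffix until free.
    while os.path.exists(out_dir):
        out_dir = base[0:-1] + str(suffix) + "/"
        suffix += 1
    os.makedirs(out_dir)
    print("New path: " + out_dir)
    print("")
    h_path = out_dir

    stems = sorted(
        os.path.splitext(name)[0]
        for name in os.listdir(path)
        if os.path.splitext(name)[1] == '.pcap'
    )
    # shlex.split preserves the operator's quoting; tcpdump joins the
    # remaining argv tokens back into one expression, so this matches the
    # old shell string minus the shell.
    filter_args = shlex.split(cmd)
    commands = [
        ["tcpdump", "-r", path + stem + ".pcap",
         "-w", out_dir + stem + "_" + path_name + ".pcap"] + filter_args
        for stem in stems
    ]
    print("--------begin filter-------")
    for argv in commands:
        print(" ".join(argv))
        try:
            proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                                    stderr=subprocess.STDOUT,
                                    universal_newlines=True)
        except OSError as err:
            # Keep the old best-effort behaviour: report and carry on with
            # the next file instead of aborting the whole batch.
            print("tcpdump could not be started: %s" % err)
            continue
        for line in proc.stdout:
            print(line, end="")
        retval = proc.wait()
        if retval != 0:
            print("tcpdump exited with status %d" % retval)
    print("--------filter done-------")
    print("")
    return out_dir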
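def merge(h_path):
    """Merge every ``*.pcap`` directly inside *h_path* into one file with mergecap.

    An empty *h_path* means the current working directory.  The result is
    written as ``he.pcap`` into a fresh ``merge/`` (``merge1/``, ...)
    sub-directory of *h_path*.  When there is no capture to merge, the
    directory is still created but mergecap is not run.  *h_path* is
    expected to end with ``/`` (paths are built by concatenation, as
    elsewhere in this script).

    Returns:
        Path of the merged file on success, ``None`` when nothing was
        merged or mergecap could not be run / exited non-zero.
    """
    if h_path == "":
        h_path = os.getcwd() + "/"
    print("--------begin merge-------")
    print("-----" + h_path)
    print("")
    base = h_path + "merge/"
    out_dir = base
    suffix = 1
    # Never reuse an output directory: bump the numeric suffix until free.
    while os.path.exists(out_dir):
        out_dir = base[0:-1] + str(suffix) + "/"
        suffix += 1
    print("new path: " + out_dir)
    os.makedirs(out_dir)
    # The output lives in the new sub-directory, so listing h_path cannot
    # pick up the merged file itself.  Sorted for a reproducible command line.
    inputs = sorted(
        h_path + name
        for name in os.listdir(h_path)
        if os.path.splitext(name)[1] == '.pcap'
    )
    print("")
    for name in inputs:
        print("111: " + name)
    if not inputs:
        print("no .pcap files in " + h_path + ", nothing to merge")
        return None
    out = out_dir + "he.pcap"
    # A hard-coded Windows mergecap.exe path was tried earlier and failed;
    # rely on mergecap being on PATH.  Arguments are passed as a list so
    # that capture names from the directory listing never reach a shell.
    argv = ["mergecap", "-w", out] + inputs
    print("")
    print("-----------------------------------------")
    print(" ".join(argv))
    print("-----------------------------------------")
    print("")
    try:
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT,
                                universal_newlines=True)
    except OSError as err:
        # Keep the old best-effort behaviour: report instead of crashing.
        print("mergecap could not be started: %s" % err)
        return None
    for line in proc.stdout:
        print(line, end="")
    retval = proc.wait()
    if retval != 0:
        print("mergecap exited with status %d" % retval)
    print("--merge done--")
    return out if retval == 0 else None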
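def _choose_filter(ask):
    """Prompt for a filter choice and return the tcpdump expression, or ``None``.

    1-3 map to the built-in http / ftp / http+ftp expressions; 4 asks for a
    custom tcpdump expression on a second prompt; anything else yields
    ``None``.  *ask* is the input function (``raw_input`` / ``input``).
    """
    choice = ask("please input \n1: http \n2: ftp \n3: http ftp \n4: other command \n:")
    if choice == "1":
        return 'tcp port http'
    if choice == "2":
        return 'tcp port ftp or ftp-data'
    if choice == "3":
        return '(port http) or (port ftp or ftp-data)'
    if choice == "4":
        # The custom expression needs its own prompt; previously the menu
        # digit "4" itself was used as the filter.
        return ask("tcpdump filter expression: ")
    return None


if __name__ == '__main__':
    try:
        _ask = raw_input  # Python 2
    except NameError:     # Python 3
        _ask = input
    path = os.getcwd() + "/"
    path_name = "filter"
    h_path = ""
    while True:
        print("1: rename ")
        print("2: auto-filter-merge")
        print("3: filter")
        print("4: merge")
        input1 = _ask(":")
        if input1 == "1":
            rename(path)
        elif input1 == "2":
            cmd2 = _choose_filter(_ask)
            if cmd2 is None:
                print("break")
                break
            print(cmd2)
            tcpdump_filter(path, cmd2, path_name)
            # tcpdump_filter publishes its output directory in the global
            # h_path, which is what merge reads here.
            merge(h_path)
        elif input1 == "3":
            cmd2 = _choose_filter(_ask)
            if cmd2 is None:
                print("unknown choice")
                continue
            tcpdump_filter(path, cmd2, path_name)
        elif input1 == "4":
            merge(h_path)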