Traffic preprocessing, part 2: filtering
- When training models on captured traffic, you usually need to filter out irrelevant packets first.
- The common practice in the literature is to delete DNS, ICMP, ARP and TCP handshake packets.
- The code below is mine; comparing the pcap before and after in Wireshark confirms that it does what it should.
```python
from scapy.all import rdpcap, wrpcap
from scapy.layers.dns import DNS
from scapy.layers.inet import ICMP, TCP
from scapy.layers.l2 import ARP


def remove_pcap_errors(file_path, new_path):
    """Drop DNS, ICMP, ARP and TCP handshake packets from file_path, write the rest to new_path.

    new_path must differ from file_path so the source capture is not overwritten.
    """
    packets = rdpcap(file_path)
    dns_cnt = 0
    icmp_cnt = 0
    arp_cnt = 0
    tcp_flags = 0
    new_packets = []
    for packet in packets:
        if packet.haslayer(DNS):
            dns_cnt += 1
        elif packet.haslayer(ICMP):
            icmp_cnt += 1
        # 0x02 = SYN, 0x12 = SYN/ACK, 0x11 = FIN/ACK; a bare ACK (0x10) is not dropped
        elif packet.haslayer(TCP) and packet[TCP].flags.value in (0x12, 0x02, 0x11):
            tcp_flags += 1
        elif packet.haslayer(ARP):
            arp_cnt += 1
        else:
            new_packets.append(packet)
    wrpcap(new_path, new_packets)
    print("dns:{}个".format(dns_cnt))
    print("icmp:{}个".format(icmp_cnt))
    print("tcp握手:{}个".format(tcp_flags))
    print("arp包:{}个".format(arp_cnt))
```
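The following is an added example and not code from the post: a dependency-free version of the same filter that reads the classic pcap format directly with `struct`, so the classification rules are visible byte by byte instead of hidden behind scapy's layer bindings. It assumes an Ethernet link type, treats UDP or TCP port 53 as DNS (the same heuristic scapy's DNS binding uses), and keeps the post's flag set 0x02/0x12/0x11, so like the post's script it drops SYN, SYN/ACK and FIN/ACK while leaving the bare-ACK third packet of the handshake in place. The sample capture is constructed in memory; the helper names (`classify`, `filter_pcap`, `build_sample_pcap`) are this example's own.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
# Same three flag values the post's scapy script drops: SYN, SYN/ACK, FIN/ACK.
DROP_FLAGS = {SYN, SYN | ACK, FIN | ACK}


def classify(frame):
    """Bucket a raw Ethernet frame as arp, dns, icmp, tcp_handshake or keep."""
    if len(frame) < 14:
        return "keep"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return "arp"
    if ethertype != ETH_IPV4:
        return "keep"
    ip = frame[14:]
    if len(ip) < 20:
        return "keep"
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = ip[9]
    l4 = ip[ihl:]
    if proto == PROTO_ICMP:
        return "icmp"
    if proto in (PROTO_UDP, PROTO_TCP) and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if 53 in (sport, dport):        # assumption: port 53 on either side means DNS
            return "dns"
    if proto == PROTO_TCP and len(l4) >= 20:
        if l4[13] in DROP_FLAGS:        # byte 13 of the TCP header holds the flags
            return "tcp_handshake"
    return "keep"


def filter_pcap(data):
    """Return (filtered pcap bytes, Counter of buckets) for a classic pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    out = bytearray(data[:24])          # 24-byte global header is copied unchanged
    counts = Counter()
    off = 24
    while off + 16 <= len(data):        # 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        record = data[off:off + 16 + incl_len]
        bucket = classify(record[16:])
        counts[bucket] += 1
        if bucket == "keep":
            out += record
        off += 16 + incl_len
    return bytes(out), counts


# Minimal frame builders for the constructed sample (checksums left at zero).
def eth(ethertype, payload):
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ethertype) + payload


def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_sample_pcap():
    """Constructed capture: the four noise types plus two frames that must survive."""
    frames = [
        eth(ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),                 # ARP who-has
        eth(ETH_IPV4, ipv4(PROTO_UDP, udp(51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),  # DNS query
        eth(ETH_IPV4, ipv4(PROTO_ICMP, b"\x08\x00\xf7\xff\x00\x00\x00\x00")),             # ICMP echo
        eth(ETH_IPV4, ipv4(PROTO_TCP, tcp(40000, 443, SYN))),                             # handshake 1/3
        eth(ETH_IPV4, ipv4(PROTO_TCP, tcp(443, 40000, SYN | ACK))),                       # handshake 2/3
        eth(ETH_IPV4, ipv4(PROTO_TCP, tcp(40000, 443, ACK))),                             # handshake 3/3: kept
        eth(ETH_IPV4, ipv4(PROTO_TCP, tcp(40000, 443, PSH | ACK, b"\x16\x03\x01"))),      # data: kept
        eth(ETH_IPV4, ipv4(PROTO_TCP, tcp(40000, 443, FIN | ACK))),                       # teardown: dropped
    ]
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    filtered, counts = filter_pcap(build_sample_pcap())
    for bucket, n in sorted(counts.items()):
        print("{}: {}".format(bucket, n))
    with open("filtered_sample.pcap", "wb") as fh:   # open this in Wireshark to compare
        fh.write(filtered)
```

Running it on the constructed capture reports arp 1, dns 1, icmp 1, tcp_handshake 3 and keep 2, and the output file contains only the bare ACK and the PSH/ACK data segment. Because the flag set is a whitelist of exact values, any segment carrying extra bits (ECE, CWR, URG) passes through, which is the same behaviour the scapy version has; extend `DROP_FLAGS` or mask the byte if that matters for your dataset.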
- Before filtering:
![insert image description here](https://img-blog.csdnimg.cn/f7be7333e3c94fe1beadb714418a9f5b.png#pic_center)
- After filtering:
![insert image description here](https://img-blog.csdnimg.cn/d236deed8bff4036a7414f461789035e.png#pic_center)