如题所述，分享一个使用 Python 的 scapy 包提取 pcap 文件中 TCP 包标志位的代码。
from scapy.all import *
# TCP flag bit masks in header order, low bit first: FIN, SYN, RST, PSH,
# ACK, URG, ECE, CWR (0x01 .. 0x80).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << bit for bit in range(8))

# Input trace (pcap path) and the run-time state shared by func()/parse():
# `limit` is the number of counted packets after which sniffing stops
# (a non-positive limit means "no limit"); `count` is how many packets
# with a full IP + TCP/UDP 5-tuple have been seen so far.
caida = "/home/zongyi/traces/CAIDA.equinix-nyc.dirA.20180315-125910.UTC.anon.pcap"
limit = 5000
count = 0
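def func(pkt):
    """Per-packet callback used as scapy's ``sniff(stop_filter=...)``.

    For a packet that carries an IP layer and a TCP layer, print which of the
    FIN / RST / SYN flags are set; the three checks are independent, so a
    packet with several of them set prints several lines.  Any packet with an
    IP layer plus a TCP or UDP layer (i.e. a complete 5-tuple) bumps the
    module-level ``count``.

    Args:
        pkt: a scapy packet as delivered by ``sniff``.

    Returns:
        True once ``count`` has reached the module-level ``limit`` (only when
        ``limit`` is positive), which tells ``sniff`` to stop; False otherwise.

    The number printed in front of each flag line is the packet's index
    before the increment, i.e. it is 0-based.
    """
    global count
    srcip = dstip = proto = sport = dport = None
    if pkt.haslayer(IP):
        ip = pkt[IP]
        srcip, dstip, proto = ip.src, ip.dst, ip.proto
        if pkt.haslayer(TCP):
            tcp = pkt[TCP]
            sport, dport = tcp.sport, tcp.dport
            flags = tcp.flags
            # print() with a single pre-formatted string keeps the output
            # identical under both Python 2 and Python 3.
            if flags & FIN:
                print("%d FIN flag is activated" % count)
            if flags & RST:
                print("%d RST flag is activated" % count)
            if flags & SYN:
                print("%d SYN flag is activated" % count)
        elif pkt.haslayer(UDP):
            udp = pkt[UDP]
            sport, dport = udp.sport, udp.dport
    # Test for None explicitly rather than by truthiness: port 0 (and
    # protocol 0) are legal on the wire and must not be treated as "missing".
    if None not in (srcip, dstip, proto, sport, dport):
        count += 1
    return limit > 0 and count >= limit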
def parse(trace, n_pkts=-1):
    """Replay the pcap at *trace* through ``func`` and count its packets.

    Args:
        trace: path of an offline capture handed to ``sniff(offline=...)``.
        n_pkts: stop after this many counted packets; the default of -1
            (any non-positive value) lets ``sniff`` run through the whole file.

    Resets the module-level ``count`` to 0 and sets ``limit`` before
    sniffing; packets are not stored (``store=False``).
    """
    global limit, count
    count = 0
    limit = n_pkts
    sniff(offline=trace, stop_filter=func, store=False)
# Script entry point: walk the CAIDA trace and stop after 5000 counted packets.
parse(trace=caida, n_pkts=5000)