#coding=utf-8
import os
import socket
import struct
import os,time,threading
import subprocess
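class get_app():
    """Parse a saved ``netstat -anb`` listing into a {local port: remote IP} table.

    Only connections attributed to the applications in ``apps`` are kept.
    ``netstat -anb`` prints each TCP/UDP line followed by a ``[name.exe]`` line
    naming the owning process, so the parser buffers connection lines until it
    sees the process line and then decides whether to keep them.
    """

    def __init__(self, file, apps=('[bee.exe]', '[TangChat.exe]')):
        """
        Args:
            file: path of a text file holding ``netstat -anb`` output.
            apps: process names, in the bracketed form netstat prints them,
                  whose connections should be collected.
        """
        self.len1 = 4          # index of the first listing line; lines 0-3 are the netstat banner/header
        self.len2 = 0          # unused, kept for compatibility
        self.dic1 = {}         # local port (str) -> remote IP (str)
        self.file = file
        self.apps = tuple(apps)

    def get_connect(self):
        """Read ``self.file`` and fill/return ``self.dic1``.

        Returns:
            dict mapping local port (as a string) to the remote address,
            for every TCP/UDP line attributed to one of ``self.apps``.
        """
        # netstat output is in the console code page; a stray non-ASCII byte in a
        # process name we do not care about must not abort the whole parse.
        with open(self.file, 'r', errors='replace') as f:
            lines = f.readlines()

        pending = []   # connection lines seen since the last process/other line
        for line in lines[self.len1:]:
            fields = line.split()
            if not fields:
                # blank lines do not end a connection group
                continue
            if fields[0] in ('TCP', 'UDP'):
                pending.append(fields)
                continue
            if fields[0] in self.apps:
                for conn in pending:
                    if len(conn) < 3:
                        continue
                    # rpartition splits on the LAST colon so IPv6 literals such as
                    # "[::1]:5002" still yield the port and the bracketed address.
                    srcport = conn[1].rpartition(':')[2]
                    dstip = conn[2].rpartition(':')[0]
                    self.dic1[srcport] = dstip
            # any non-connection line (our app, another app, service name, notice)
            # closes the current group
            pending = []
        return self.dic1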
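class pcap():
    """Copy the records of one pcap file whose TCP/UDP port matches a port
    table into a single combined output capture.

    Records are appended to ``out_file``; the 24-byte pcap file header is
    written only when ``db_log`` is told this is the first input file, so the
    combined file stays a valid capture.
    """

    # pcap magic number -> struct byte-order prefix (microsecond and
    # nanosecond variants, both endiannesses).
    _MAGIC = {
        b'\xd4\xc3\xb2\xa1': '<', b'\x4d\x3c\xb2\xa1': '<',
        b'\xa1\xb2\xc3\xd4': '>', b'\xa1\xb2\x3c\x4d': '>',
    }
    _FILE_HDR = 24   # size of the pcap global header
    _REC_HDR = 16    # ts_sec, ts_usec, incl_len, orig_len

    def __init__(self, file, out_file='D:/python/pcap1/target.pcap'):
        """
        Args:
            file: path of the input pcap file.
            out_file: path of the combined output capture (opened for append).
        """
        self.file = file
        # bare file name without extension; kept for compatibility, not used here
        self.i = os.path.basename(file).split('.')[0]
        self.file_pcap = open(out_file, 'ab+')

    def close(self):
        """Close the output capture so buffered records reach disk."""
        self.file_pcap.close()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()
        return False

    def db_log(self, ports=None, write_header=None):
        """Append the matching records of ``self.file`` to the output capture.

        Args:
            ports: mapping (or set) whose keys are port numbers as strings; a
                   record is kept when its source or destination port is a key.
                   Defaults to the module-level ``dic2`` built in ``__main__``.
            write_header: write the input file's 24-byte header first.
                          Defaults to ``count == 0`` using the module-level
                          ``count`` from ``__main__``.

        Raises:
            ValueError: the input is too short or has no pcap magic number
                        (e.g. a pcapng file).

        NOTE: the header of the first input is reused for every later input,
        so all inputs are expected to share endianness/link type (true for
        files produced by one dumpcap run). A truncated final record is
        dropped rather than raising.
        """
        if ports is None:
            ports = dic2
        if write_header is None:
            write_header = (count == 0)

        with open(self.file, 'rb') as f:
            data = f.read()
        if len(data) < self._FILE_HDR:
            raise ValueError('%s: too short to be a pcap file' % self.file)
        order = self._MAGIC.get(data[:4])
        if order is None:
            raise ValueError('%s: not a pcap file (magic %s)' % (self.file, data[:4].hex()))

        if write_header:
            self.file_pcap.write(data[:self._FILE_HDR])

        rec_hdr = struct.Struct(order + 'IIII')
        pos = self._FILE_HDR
        while pos + self._REC_HDR <= len(data):
            # incl_len (offset 8) is the number of bytes actually stored for the
            # record; orig_len (offset 12) may be larger when a snaplen was used.
            _, _, incl_len, _ = rec_hdr.unpack_from(data, pos)
            end = pos + self._REC_HDR + incl_len
            if end > len(data):
                break   # truncated final record
            pkt = data[pos + self._REC_HDR:end]
            if self._has_port(pkt, ports):
                # record header + packet, written once even if both ports match
                self.file_pcap.write(data[pos:end])
            pos = end

    @staticmethod
    def _has_port(pkt, ports):
        """True if ``pkt`` is an Ethernet/IPv4 TCP or UDP frame whose source or
        destination port is a key of ``ports``.

        NOTE: offsets assume LINKTYPE_ETHERNET (14-byte frame header), which
        is what the original fixed offsets implied; other link types are not
        handled.
        """
        if len(pkt) < 34 or pkt[12:14] != b'\x08\x00':
            return False                      # not IPv4
        ihl = (pkt[14] & 0x0F) * 4            # IP header length, honours options
        if ihl < 20 or pkt[23] not in (6, 17):
            return False                      # malformed, or neither TCP nor UDP
        if len(pkt) < 14 + ihl + 4:
            return False                      # ports not present
        sport, dport = struct.unpack_from('>HH', pkt, 14 + ihl)
        return str(sport) in ports or str(dport) in ports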
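if __name__ == '__main__':
    # Part 1: collect the application's connection table and all of its packets.
    # Keep appending the PC's full connection list to c:/2.txt.
    def netstat():
        """Append a ``netstat -anb`` snapshot to c:/2.txt every 0.1 s, forever.

        Note: ``-b`` needs administrator rights, and the file grows without
        bound while this runs.
        """
        while True:
            time.sleep(0.1)   # seconds
            # argument list, no shell: the former os.system() call went through cmd.exe
            with open('c:/2.txt', 'ab') as out:
                subprocess.run(['netstat', '-anb'], stdout=out)
    threading.Thread(target=netstat).start()

    # Keep capturing every packet with dumpcap.
    def my():
        """Start dumpcap; ``-P`` keeps classic pcap format, which pcap.db_log parses."""
        # Passing a list lets Popen quote the executable path itself; as a bare
        # string, the unquoted "Program Files (x86)" path is ambiguous to CreateProcess.
        subprocess.Popen([
            'C:/Program Files (x86)/Wireshark/dumpcap.exe',
            '-i', '4', '-P', '-s', '0',
            '-b', 'filesize:100000',
            '-w', 'D:/python/packet/out.pcap',
        ])
    threading.Thread(target=my).start()

    # Part 2: using the connection table, pull the application's own packets out
    # of the captures so they can be studied without unrelated traffic.
    file = 'c:/1.txt'
    app = get_app(file)
    dic2 = app.get_connect()   # read by pcap.db_log() as a module-level name
    count = 0                  # read by pcap.db_log(): 0 means "write the pcap header"
    for fpathe, dirs, fs in os.walk('D:/python/pcap/'):   # path can be changed
        for fl in fs:
            print(fl)
            # rebinding `cap` drops the previous instance, which releases its output handle
            cap = pcap(os.path.join(fpathe, fl))
            cap.db_log()
            count = count + 1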