How do I filter a pcap file by a specific protocol using Python?

Posted 2024-08-21 18:39:07


I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file.

There is a tool called openDPI, and it's perfect for what I need, but there is no wrapper for python language.

Does anyone know of any Python modules that can do what I need?

Thanks

Edit 1:

HTTP filtering was just an example; there are a lot of protocols that I want to filter.

Edit 2:

I tried Scapy, but I can't figure out how to filter correctly. The filter only accepts Berkeley Packet Filter expressions, i.e., I can't apply an MSN, HTTP, or other protocol-specific filter from an upper layer. Can anyone help me?


Comments (8)

深海夜未眠 2024-08-28 18:39:08


I have tried the same using @nmichaels method, but it becomes cumbersome when I want to iterate it over multiple protocols. I tried finding ways to read the .pcap file and then filter it but found no help.
Basically, when one reads a .pcap file there is no function in Scapy which allows filtering these packets; on the other hand, using a command like

a=sniff(filter="tcp and ( port 25 or port 110 )",prn=lambda x: x.sprintf("%IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport%  %2s,TCP.flags% : %TCP.payload%"))

helps to filter but only while sniffing.

Does anyone know of any other method where we can use BPF syntax instead of the for statement?

握住你手 2024-08-28 18:39:08


Here is my example of pcap parsing using scapy. It also has some relevant code for performance testing and some other stuff.

丢了幸福的猪 2024-08-28 18:39:07


A quick example using Scapy, since I just wrote one:

from scapy.all import rdpcap, wrpcap, TCP

pkts = rdpcap('packets.pcap')
ports = [80, 25]  # HTTP and SMTP
# keep only TCP packets where either endpoint uses one of the listed ports
filtered = (pkt for pkt in pkts if
    TCP in pkt and
    (pkt[TCP].sport in ports or pkt[TCP].dport in ports))
wrpcap('filtered.pcap', filtered)

That will filter out packets that are neither HTTP nor SMTP. If you want all the packets but HTTP and SMTP, the third line should be:

# keep everything except TCP packets on the listed ports
filtered = (pkt for pkt in pkts if
    not (TCP in pkt and
    (pkt[TCP].sport in ports or pkt[TCP].dport in ports)))
wrpcap('filtered.pcap', filtered)

旧话新听 2024-08-28 18:39:07


I know this is a super-old question, but I just ran across it and thought I'd provide my answer. This is a problem I've encountered several times over the years, and I keep finding myself falling back to dpkt. Originally from the very capable dugsong, dpkt is primarily a packet creation/parsing library. I get the sense the pcap parsing was an afterthought, but it turns out to be a very useful one, because parsing pcaps, IP and TCP headers is straightforward. It's parsing all the higher-level protocols that becomes the time sink! (I wrote my own python pcap parsing library before finding dpkt)

The documentation on using the pcap parsing functionality is a little thin. Here's an example from my files:

import socket
import sys

import dpkt

# dpkt.pcap.Reader takes a binary file object (file() was Python 2 only)
with open(sys.argv[1], "rb") as f:
    pcapReader = dpkt.pcap.Reader(f)
    for ts, data in pcapReader:
        ether = dpkt.ethernet.Ethernet(data)
        if ether.type != dpkt.ethernet.ETH_TYPE_IP:
            continue  # skip non-IPv4 frames (a bare raise here would just abort the loop)
        ip = ether.data
        src = socket.inet_ntoa(ip.src)
        dst = socket.inet_ntoa(ip.dst)
        print("%s -> %s" % (src, dst))

Hope this helps the next guy to run across this post!

栩栩如生 2024-08-28 18:39:07


sniff supports an offline option wherein you can provide the pcap file as input. This way you can use the filtering advantages of the sniff command on a pcap file.

>>> packets = sniff(offline='mypackets.pcap')
>>>
>>> packets
<Sniffed: TCP:17 UDP:0 ICMP:0 Other:0>

Hope that helps!

水中月 2024-08-28 18:39:07


Something along the lines of

from pcapy import open_offline
from impacket.ImpactDecoder import EthDecoder
from impacket.ImpactPacket import IP, TCP, UDP, ICMP

decoder = EthDecoder()

def callback(hdr, data):
    packet = decoder.decode(data)   # Ethernet frame
    child = packet.child()          # network layer
    if isinstance(child, IP):
        child = child.child()       # transport layer (packet.child() here would re-read the IP layer)
        if isinstance(child, TCP):
            if child.get_th_dport() == 80:
                print('HTTP')

pcap = open_offline('net.cap')
pcap.loop(0, callback)

using

http://oss.coresecurity.com/projects/impacket.html

何以畏孤独 2024-08-28 18:39:07


To filter in/out a specific protocol you have to do a per-packet analysis, otherwise you could miss some HTTP traffic on a non-conventional port that is flowing in your network. Of course, if you want a loose system, you could check just for source and destination port numbers, but that won't give you exact results. You have to look for specific features of a protocol, like the GET, POST, HEAD etc. keywords for HTTP and others for other protocols, and check each TCP packet.
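As an added example (not code from any of the answers or from the question's author), here is the per-packet, payload-based check this answer describes, written with only the Python standard library so it runs offline: it walks a classic little-endian pcap, parses the Ethernet/IPv4/TCP headers itself, decides HTTP by the request or status line rather than by port, and writes either the matching or the non-matching records to a new pcap. The sample capture, the function names and the 10.0.0.x addresses are constructed for the demo.

```python
import struct

# Payload prefixes that identify an HTTP request line or status line.
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")

def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                  # not Ethernet / IPv4 / protocol 6 (TCP)
    tcp = 14 + (frame[14] & 0x0F) * 4                # IPv4 header length from IHL
    if len(frame) < tcp + 20:
        return None                                  # truncated capture
    doff = (frame[tcp + 12] >> 4) * 4                # TCP header length from data offset
    end = 14 + struct.unpack("!H", frame[16:18])[0]  # IP total length drops Ethernet padding
    return frame[tcp + doff:end]

def looks_like_http(frame):
    payload = tcp_payload(frame)
    return payload is not None and payload.startswith(HTTP_PREFIXES)

def filter_pcap(data, keep_http=True):
    """Return (new pcap bytes, records written), keeping only HTTP or only non-HTTP records."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled in this example")
    out, pos, kept = bytearray(data[:24]), 24, 0     # global header is copied unchanged
    while pos + 16 <= len(data):
        incl = struct.unpack("<IIII", data[pos:pos + 16])[2]
        record = data[pos:pos + 16 + incl]           # record header + captured frame
        pos += 16 + incl
        if looks_like_http(record[16:]) == keep_http:
            out += record
            kept += 1
    return bytes(out), kept

def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture: HTTP on a non-standard port, non-HTTP bytes on port 80, SMTP on 25.
SAMPLE = build_pcap([build_frame(51000, 8080, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
                     build_frame(51001, 80, b"\x16\x03\x01\x00\x05hello"),
                     build_frame(51002, 25, b"EHLO mail.example\r\n")])
```

The prefix list is a deliberately narrow signature: a segment captured mid-stream carries no request line, so on real captures you would reassemble TCP streams or widen the check before relying on it.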
