How to you parse a packet from either a .pcap file, or an interface, using python?
如何使用python从.pcap文件或接口解析数据包?
I'm specifically looking for a solution that uses a well documented library.
我特意寻找使用文档齐全的库的解决方案。
4 个解决方案
#1
17
Try scapy. It is a very powerful program for packet inspection, manipulation and creation.
尝试scapy。它是一个非常强大的数据包检查,操作和创建程序。
You can use it to build your own tools.
您可以使用它来构建自己的工具。
#2
14
I tried that and then tried pcapy. I choose pcapy because my use was similar to an example which I found googling.
我尝试了然后尝试了pcapy。我选择pcapy因为我的用法类似于我发现谷歌搜索的一个例子。
http://snipplr.com/view/3579/live-packet-capture-in-python-with-pcapy/ (or see the same code copied below)
http://snipplr.com/view/3579/live-packet-capture-in-python-with-pcapy/(或查看下面复制的相同代码)
import pcapy
from impacket.ImpactDecoder import *
# list all the network devices
pcapy.findalldevs()
max_bytes = 1024
promiscuous = False
read_timeout = 100 # in milliseconds
pc = pcapy.open_live("name of network device to capture from", max_bytes,
promiscuous, read_timeout)
pc.setfilter('tcp')
# callback for received packets
def recv_pkts(hdr, data):
packet = EthDecoder().decode(data)
print packet
packet_limit = -1 # infinite
pc.loop(packet_limit, recv_pkts) # capture packets
#3
5
I recommend you to use Pyshark. this is wrapper for tshark. it also support all of tshark filter, decoder lib, ... and easy to use! This is a great package for parsing .pcap file and also livecapturing
我建议你使用Pyshark。这是tshark的包装器。它还支持所有tshark过滤器,解码器库,...并且易于使用!这是一个很好的解析.pcap文件和livecapturing的包
https://pypi.python.org/pypi/pyshark
sample code (from the link):
示例代码(来自链接):
import pyshark
cap = pyshark.FileCapture('/root/log.cap')
cap
>>> <FileCapture /root/log.cap>
print cap[0]
Packet (Length: 698)
Layer ETH:
Destination: BLANKED
Source: BLANKED
Type: IP (0x0800)
Layer IP:
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 684s
Identification: 0x254f (9551)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xe148 [correct]
Source: BLANKED
Destination: BLANKED
...
dir(cap[0])
['__class__', '__contains__', '__delattr__', '__dict__', '__dir__', '__doc__', '__format__', '__getattr__', '__getattribute__', '__getitem__', '__getstate__', '__hash__', '__init__', '__module__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__setstate__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_packet_string', 'bssgp', 'captured_length', 'eth', 'frame_info', 'gprs-ns', 'highest_layer', 'interface_captured', 'ip', 'layers', 'length', 'number', 'pretty_print', 'sniff_time', 'sniff_timestamp', 'transport_layer', 'udp']
cap[0].layers
[<ETH Layer>, <IP Layer>, <UDP Layer>, <GPRS-NS Layer>, <BSSGP Layer>]
....
#4
3
pycapfile can be also used. Link to pip: https://pypi.python.org/pypi/pypcapfile
也可以使用pycapfile。链接到pip:https://pypi.python.org/pypi/pypcapfile
#1
17
Try scapy. It is a very powerful program for packet inspection, manipulation and creation.
尝试scapy。它是一个非常强大的数据包检查,操作和创建程序。
You can use it to build your own tools.
您可以使用它来构建自己的工具。
#2
14
I tried that and then tried pcapy. I choose pcapy because my use was similar to an example which I found googling.
我尝试了然后尝试了pcapy。我选择pcapy因为我的用法类似于我发现谷歌搜索的一个例子。
http://snipplr.com/view/3579/live-packet-capture-in-python-with-pcapy/ (or see the same code copied below)
http://snipplr.com/view/3579/live-packet-capture-in-python-with-pcapy/(或查看下面复制的相同代码)
import pcapy
from impacket.ImpactDecoder import *
# list all the network devices
pcapy.findalldevs()
max_bytes = 1024
promiscuous = False
read_timeout = 100 # in milliseconds
pc = pcapy.open_live("name of network device to capture from", max_bytes,
promiscuous, read_timeout)
pc.setfilter('tcp')
# callback for received packets
def recv_pkts(hdr, data):
packet = EthDecoder().decode(data)
print packet
packet_limit = -1 # infinite
pc.loop(packet_limit, recv_pkts) # capture packets
#3
5
I recommend you to use Pyshark. this is wrapper for tshark. it also support all of tshark filter, decoder lib, ... and easy to use! This is a great package for parsing .pcap file and also livecapturing
我建议你使用Pyshark。这是tshark的包装器。它还支持所有tshark过滤器,解码器库,...并且易于使用!这是一个很好的解析.pcap文件和livecapturing的包
https://pypi.python.org/pypi/pyshark
sample code (from the link):
示例代码(来自链接):
import pyshark
cap = pyshark.FileCapture('/root/log.cap')
cap
>>> <FileCapture /root/log.cap>
print cap[0]
Packet (Length: 698)
Layer ETH:
Destination: BLANKED
Source: BLANKED
Type: IP (0x0800)
Layer IP:
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 684s
Identification: 0x254f (9551)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xe148 [correct]
Source: BLANKED
Destination: BLANKED
...
dir(cap[0])
['__class__', '__contains__', '__delattr__', '__dict__', '__dir__', '__doc__', '__format__', '__getattr__', '__getattribute__', '__getitem__', '__getstate__', '__hash__', '__init__', '__module__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__setstate__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_packet_string', 'bssgp', 'captured_length', 'eth', 'frame_info', 'gprs-ns', 'highest_layer', 'interface_captured', 'ip', 'layers', 'length', 'number', 'pretty_print', 'sniff_time', 'sniff_timestamp', 'transport_layer', 'udp']
cap[0].layers
[<ETH Layer>, <IP Layer>, <UDP Layer>, <GPRS-NS Layer>, <BSSGP Layer>]
....
#4
3
pycapfile can be also used. Link to pip: https://pypi.python.org/pypi/pypcapfile
也可以使用pycapfile。链接到pip:https://pypi.python.org/pypi/pypcapfile