pcap文件生成metadata
#!/usr/bin/env python # -*- coding: utf-8 -*- import os import time, datetime import struct in_path = "/home/bonelee/dns_tunnel_tool/iodine_when_idle.pcap" tmp_dir = "/tmp" out_path = "/tmp/out_metadata.txt" tshark_path = "/usr/bin/tshark" os.system(tshark_path + " -T fields -E separator=\"^\" " "-e data ""-e data " "-e ip.src " # 3=sourceIP "-e ip.dst " # 4=destIP "-e udp.srcport " # 5=sourcePort "-e udp.dstport " # 6=destPort "-e ip.proto " # 7=protocol "-e data ""-e data ""-e data ""-e data " # 8-11 "-e frame.time_epoch " # flowStartSeconds # 带插入 "-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data " "-e dns.flags.rcode " # 54 = DNSReplyCode "-e dns.qry.name " # 55 = DNSQueryName "-e dns.qry.type " # 56 = DNSRequestRRType "-e dns.qry.class " # 57 = DNSRRClass "-e dns.time " # 58 = DNSDelay #每个请求包和响应包的时间间隔,换算 "-e dns.resp.ttl " # 59 = DNSReplyTTL "-e ip.addr " # 60 = DNSReplyIPv4 "-e ipv6.addr " # 61 = DNSReplyIPv6 "-e dns.resp.type " # 62 = DNSReplyRRType "-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data " "-e dns.resp.name " # 77 = DNSReplyName "-e data ""-e data ""-e data " # 待插payload "-e data ""-e data ""-e data ""-e data ""-e data ""-e data " "-e dns.length " # 88 = DNSRequestLength "-e data " # 89=DNSRequestErrLength "-e dns.resp.len " # 90 = DNSReplyLength "-e data " # 91=DNSReplyErrLength "-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data " "-Y dns -r %s >%s/tsharkResult.txt" % (in_path, tmp_dir)) #读取pcap文件,解析相应的信息,为了在记事本中显示的方便。 payloadResultwithBlank = "%s/payloadResultwithBlank.txt" % tmp_dir fpcap = open(in_path, 'rb+') ftxt = open(payloadResultwithBlank,'w') string_data = fpcap.read() #pcap文件包头解析 pcap_header = {} pcap_header['magic_number'] = string_data[0:4] pcap_header['version_major'] = string_data[4:6] pcap_header['version_minor'] = string_data[6:8] pcap_header['thiszone'] = string_data[8:12] pcap_header['sigfigs'] = string_data[12:16] pcap_header['snaplen'] = string_data[16:20] pcap_header['linktype'] = string_data[20:24] step = 0 packet_num = 0 packet_data = [] pcap_packet_header = {} i =24 while(i<len(string_data)): # 数据包头各个字段 pcap_packet_header['GMTtime'] = string_data[i:i+4] pcap_packet_header['MicroTime'] = string_data[i+4:i+8] pcap_packet_header['caplen'] = string_data[i+8:i+12] pcap_packet_header['len'] = string_data[i+12:i+16] #求出此包的包长len packet_len = struct.unpack('I',pcap_packet_header['len'])[0] #写入此包数据 packet_data.append(string_data[i+58:i+16+packet_len]) i = i+ packet_len+16 packet_num+=1 # 把pacp文件里的数据包信息写入result.txt for i in range(packet_num): ftxt.write(''.join(x.encode('hex') for x in packet_data[i]) + '\n') ftxt.close() fpcap.close() infp = open(payloadResultwithBlank, "r") payloadResultOver = "%s/payloadResultOver.txt" % tmp_dir outfp = open(payloadResultOver, "w") lines = infp.readlines() for li in lines: if li.split(): outfp.writelines(li) infp.close() outfp.close() def copyTimeMetadata(string): string = string.split('^') string.insert(11,string[11]) return string payloadFile = open("%s/payloadResultOver.txt" % tmp_dir) tsharkFile = open("%s/tsharkResult.txt" % tmp_dir) tsharkData = [] payload = [] meteData = [] for line in tsharkFile: line = line.replace("\n", "") line = copyTimeMetadata(line) tsharkData.append(line) for line in payloadFile: line = line.replace("\n","") payload.append(line) count1 = len(payload) for i in range(0,count1): tsharkData[i].insert(80,payload[i]) if (tsharkData[i][76]=="<Root>"): tsharkData[i][76]=tsharkData[i][54] meteDataWithPayload = open("%s/meteDataWithPayload.txt" % tmp_dir,'w') for line in tsharkData: meteDataWithPayload.write("^".join(line)+"\n") finallyMetedata = [] dataListFromQuery = [] dataListFromRespon = [] QueriesName_map = {} DNSQueryName = 55 -1 destPort = 6 -1 DNSDelay = 0 with open("%s/meteDataWithPayload.txt" % tmp_dir) as f: lines = f.readlines() for index,line in enumerate(lines): line = line.replace("\n","") dataFromQuery = line.split("^") if dataFromQuery[destPort] == "53": # 此时是请求报文,合并到请求报文中 dataListFromQuery.append(dataFromQuery) #dataListFromQuery列表保存的全是请求字段 QueriesName = dataFromQuery[DNSQueryName] QueriesName_map[QueriesName] = index count = len(QueriesName_map) #计算总共多少条请求报文 for line in lines: dataFromRespon = line.split("^") if dataFromRespon[destPort] != "53": NAME = dataFromRespon[DNSQueryName] #响应报文中的域名 if (NAME in QueriesName_map): for i in range(0, count): if dataListFromQuery[i][DNSQueryName] == NAME: dataListFromQuery[i][12] = dataFromRespon[12] dataListFromQuery[i][53] = dataFromRespon[53] dataListFromQuery[i][57] = dataFromRespon[57] dataListFromQuery[i][58] = dataFromRespon[58] dataListFromQuery[i][89] = dataFromRespon[89] DNSDelay = (float(dataListFromQuery[i][12])-float(dataListFromQuery[i][11]))*1000000 dataListFromQuery[i][57] = str(DNSDelay) else: print "warning: The response message could not find the requested message", line meteDataFile = open(out_path,'w') for line in dataListFromQuery: if line[53]!="": line[59] = line[59].replace(",",";") meteDataFile.write("^".join(line) + "\n") meteDataFile.close()
示意结果:
^^10.0.2.15^223.5.5.5^60088^53^17^^^^^1512356312.819122000^1512356312.860855000^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^0^daisy.ubuntu.com^1^0x00000001^41733.0265045^1357^10.0.2.15;223.5.5.5^^^^^^^^^^^^^^^^^^^^^4b3601000001000000000000056461697379067562756e747503636f6d0000010001^^^^^^^^^49^^^^^^^^^^^ ^^10.0.2.15^223.5.5.5^60088^53^17^^^^^1512356312.819318000^1512356312.860855000^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^0^daisy.ubuntu.com^28^0x00000001^41537.0464325^1357^10.0.2.15;223.5.5.5^^^^^^^^^^^^^^^^^^^^^a82b01000001000000000000056461697379067562756e747503636f6d00001c0001^^^^^^^^^49^^^^^^^^^^^
本文转自张昺华-sky博客园博客,原文链接:http://www.cnblogs.com/bonelee/p/7976821.html,如需转载请自行联系原作者
