用dpkt(Python)解析pcap文件

|| 我正在尝试使用dpkt模块解析先前捕获的HTTP标头跟踪: 
import dpkt
import sys

f=file(sys.argv[1],\"rb\")
pcap=dpkt.pcap.Reader(f)


for ts, buf in pcap:
  eth=dpkt.ethernet.Ethernet(buf)
  ip=eth.data
  tcp=ip.data

if tcp.dport==80 and len(tcp.data)>0:
    try:
        http=dpkt.http.Request(tcp.data)
        print http.uri
    except:
        print \'issue\'
        continue


  f.close()
尽管它似乎可以有效地解析大多数数据包,但我在某些情况下收到NeedData(\“ header的末尾\”)异常。它们在WireShark中似乎是有效的数据包,因此对于为什么抛出异常,我有些困惑。 一些输出: 
/ec/fd/ls/GlinkPing.aspx?IG=4a06eefebcc1495f8f4de7cb41f0ce5c&CID=2265e1228f3451ff8011dcbe5e0cdff7&ID=API.YAds%2C5037.1&1307036510547
issue
issue #misses one packet here, two exceptions
/?ld=4vyO5h1FkjCNjBpThUTGnzF50sB7QUGL0Ok8YefDTWNmO6RXghgDqHXtcp1OqeXATbCAHliIkglLj95-VEwG6ZJN3fblgd3Lh5NvTp4mZPcBGXUyKqXn9FViBAsmt1T96oumpCL5gm7gZ3qlZqSdLNUWjpML_9I8FvB2TLKPSYcJmb_VwwvJhiHpiUIvrjRdzqdVVnuQZVjQmZIIlfaMq0LOmgew_plopjt7hYvOSzBi3VJl4bqOBVk3zdhIvgZK0SfJp3kEWTXAr2_UU_q9KHBpSTnvuhY2W1xo3K2BOHKGk1VAlMiWtWC_nUaJdZmhzzWfb6yRAmY3M9YkUzFGs9z10-70OszkkNpVMSS3-p7xsNXQnC3Zpaxks
感谢帮助;也许需要替代的库建议。     
2020-02-04 4 条评论
分享

没有找到相关结果

    已邀请:

    弓萍功

            使用HTTP请求和dpkt时遇到了相同的问题。 问题是dpkt的HTTP标头解析器使用错误的逻辑。当HTTP不以ѭ2结尾时,将引发此异常。 (正如您所说,有很多好的数据包,最后没有
    \\r\\n\\r\\n
    。) 这是您的问题的错误报告。     
    2020-02-04 0 0
    分享

    捐焦

            在您的python代码中,在分配ip = eth.data之前,请检查其以太网类型是否为IP。如果以太网类型不是ip,则对该数据包不执行任何操作。并检查IP协议是否为TCP协议         去检查                1.是否有IP数据包                2.是否使用TCP协议 修改了程序代码   ............       eth = dpkt.ethernet.Ethernet(buf)       ip = eth.data       tcp = ip.data       ........ 如      ............      eth = dpkt.ethernet.Ethernet(buf)      如果eth.type!= 2048:#对于ipv4,dpkt.ethernet.Ethernet(buf).type = 2048            继续      ip = eth.data      如果ip.p!= 6:            继续      tcp = ip.data      .......           看看是否有任何错误问题。 就,关于, Irengbam Tilokchan Singh     
    2020-02-04 0 0
    分享

    徐百晴墓斜

            我在dpkt中添加了一个示例,该示例解析并显示HTTP标头。可以在以下位置找到这些文档:http://dpkt.readthedocs.io/en/latest/print_http_requests.html,示例代码可以在dpkt / examples / print_http_requests.py中找到 
    # For each packet in the pcap process the contents
for timestamp, buf in pcap:

    # Unpack the Ethernet frame (mac src/dst, ethertype)
    eth = dpkt.ethernet.Ethernet(buf)

    # Make sure the Ethernet data contains an IP packet
    if not isinstance(eth.data, dpkt.ip.IP):
        print \'Non IP Packet type not supported %s\\n\' % eth.data.__class__.__name__
        continue

    # Now grab the data within the Ethernet frame (the IP packet)
    ip = eth.data

    # Check for TCP in the transport layer
    if isinstance(ip.data, dpkt.tcp.TCP):

        # Set the TCP data
        tcp = ip.data

        # Now see if we can parse the contents as a HTTP request
        try:
            request = dpkt.http.Request(tcp.data)
        except (dpkt.dpkt.NeedData, dpkt.dpkt.UnpackError):
            continue

        # Pull out fragment information (flags and offset all packed into off field, so use bitmasks)
        do_not_fragment = bool(ip.off & dpkt.ip.IP_DF)
        more_fragments = bool(ip.off & dpkt.ip.IP_MF)
        fragment_offset = ip.off & dpkt.ip.IP_OFFMASK

        # Print out the info
        print \'Timestamp: \', str(datetime.datetime.utcfromtimestamp(timestamp))
        print \'Ethernet Frame: \', mac_addr(eth.src), mac_addr(eth.dst), eth.type
        print \'IP: %s -> %s   (len=%d ttl=%d DF=%d MF=%d offset=%d)\' % \\
              (inet_to_str(ip.src), inet_to_str(ip.dst), ip.len, ip.ttl, do_not_fragment, more_fragments, fragment_offset)
        print \'HTTP request: %s\\n\' % repr(request)
    示例输出 
    Timestamp:  2004-05-13 10:17:08.222534
Ethernet Frame:  00:00:01:00:00:00 fe:ff:20:00:01:00 2048
IP: 145.254.160.237 -> 65.208.228.223   (len=519 ttl=128 DF=1 MF=0 offset=0)
HTTP request: Request(body=\'\', uri=\'/download.html\', headers={\'accept-language\': \'en-us,en;q=0.5\', \'accept-encoding\': \'gzip,deflate\', \'connection\': \'keep-alive\', \'keep-alive\': \'300\', \'accept\': \'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\', \'user-agent\': \'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\', \'accept-charset\': \'ISO-8859-1,utf-8;q=0.7,*;q=0.7\', \'host\': \'www.ethereal.com\', \'referer\': \'http://www.ethereal.com/development.html\'}, version=\'1.1\', data=\'\', method=\'GET\')

Timestamp:  2004-05-13 10:17:10.295515
Ethernet Frame:  00:00:01:00:00:00 fe:ff:20:00:01:00 2048
IP: 145.254.160.237 -> 216.239.59.99   (len=761 ttl=128 DF=1 MF=0 offset=0)
HTTP request: Request(body=\'\', uri=\'/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633\', headers={\'accept-language\': \'en-us,en;q=0.5\', \'accept-encoding\': \'gzip,deflate\', \'connection\': \'keep-alive\', \'keep-alive\': \'300\', \'accept\': \'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\', \'user-agent\': \'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\', \'accept-charset\': \'ISO-8859-1,utf-8;q=0.7,*;q=0.7\', \'host\': \'pagead2.googlesyndication.com\', \'referer\': \'http://www.ethereal.com/download.html\'}, version=\'1.1\', data=\'\', method=\'GET\')
        
    2020-02-04 0 0
    分享
    为什么被折叠? 0 个回复被折叠

    要回复问题请先登录注册

    或代码 OrCode.com 备案号:粤ICP备15020848号-1
    Escape time: 0.099627017974854