
Parsing PPPoE packets with dpkt

I am trying to retrieve 5-tuple information from a list of pcap files using the dpkt library. To parse the PPPoE packets with VLAN tags, I wrote code like this (for test only):

import dpkt
import socket

def decode(pc):
    for ts, pkt in pc:
        eth = dpkt.ethernet.Ethernet(pkt)
        pppoe = dpkt.pppoe.PPPoE(eth.data)
        ip = pppoe.data
        if ip.p == dpkt.ip.IP_PROTO_UDP:
            udp = ip.data
            yield(ip.src, udp.sport, ip.dst, udp.dport, ip.v)
        else: pass

def test():
    pc = dpkt.pcap.Reader(open('epon.pcap','rb'))
    for src, sport, dst, dport, ip_version in decode(pc):
        print "from", socket.inet_ntoa(src),":",sport, " to ",socket.inet_ntoa(dst),":",dport

test()

It raises an error, which means the parsing is wrong:

AttributeError: 'str' object has no attribute 'p'

So what should the correct code be like? I'm a Python beginner and the dpkt source code really puzzles me a lot...

The capture you have has a VLAN within a VLAN (stacked VLAN).

Without modifying the dpkt library you will need to parse the second VLAN manually.

Another problem you will have is that the payload of PPPoE is PPP, not IP.

You can change your code to something like this:

import struct

... ...

def decode(pc):
    for ts, pkt in pc:
        eth = dpkt.ethernet.Ethernet(pkt)
        # Parse the second (inner) VLAN tag manually: 2-byte tag, 2-byte type.
        if eth.type == dpkt.ethernet.ETH_TYPE_8021Q:
            eth.tag, eth.type = struct.unpack('>HH', eth.data[:4])
            eth.data = eth.data[4:]
        pppoe = dpkt.pppoe.PPPoE(eth.data)
        # The PPPoE payload is PPP; the IP packet is inside the PPP frame.
        ppp = pppoe.data
        ip = ppp.ip
        if ip.p == dpkt.ip.IP_PROTO_UDP:
            udp = ip.data
            yield (ip.src, udp.sport, ip.dst, udp.dport, ip.v)
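
A stand-alone version of the decoding described in the answer, added here as an example (not code from the post or from dpkt): it uses only `struct`, skips any number of stacked VLAN tags, checks the PPP protocol field before treating the payload as IPv4, and returns None for truncated or non-matching frames instead of raising. It is written for Python 3; `five_tuple` and `SAMPLE` are names made up for this example, and the sample frame is constructed.

```python
import socket
import struct

VLAN_TYPES = {0x8100, 0x88A8}            # 802.1Q, 802.1ad (QinQ outer tag)
ETH_IP4, ETH_PPPOE_SESSION, PPP_IP4 = 0x0800, 0x8864, 0x0021
TCP, UDP = 6, 17

# Constructed sample: Ethernet / VLAN 100 / VLAN 200 / PPPoE / PPP / IPv4 / UDP
SAMPLE = (bytes(12) + bytes.fromhex('8100' '0064' '8100' '00c8' '8864')
          + bytes.fromhex('1100' '0001' '001e' '0021')
          + bytes.fromhex('4500001c' '00000000' '40110000' 'c0a80102' '08080808')
          + bytes.fromhex('d4310035' '00080000'))

def five_tuple(frame):
    """Return (src, sport, dst, dport, proto) or None if not IPv4 TCP/UDP."""
    if len(frame) < 14:
        return None
    (etype,) = struct.unpack_from('>H', frame, 12)
    off = 14
    while etype in VLAN_TYPES:
        # Each tag is 2 bytes of TCI followed by the next 2-byte EtherType.
        if len(frame) < off + 4:
            return None
        (etype,) = struct.unpack_from('>H', frame, off + 2)
        off += 4
    if etype == ETH_PPPOE_SESSION:
        # 6-byte PPPoE header (ver/type, code, session id, length) + PPP protocol.
        if len(frame) < off + 8:
            return None
        vt, code, _sid, _plen, ppp_proto = struct.unpack_from('>BBHHH', frame, off)
        if vt != 0x11 or code != 0 or ppp_proto != PPP_IP4:
            return None
        off += 8
    elif etype != ETH_IP4:
        return None
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    frag_offset = struct.unpack_from('>H', frame, off + 6)[0] & 0x1FFF
    # Ports exist only in the first fragment of a TCP or UDP datagram.
    if ihl < 20 or proto not in (TCP, UDP) or frag_offset or len(frame) < off + ihl + 4:
        return None
    sport, dport = struct.unpack_from('>HH', frame, off + ihl)
    src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    return (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, proto)
```
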
