python-3.4 Scapy嗅探
[英]python-3.4 Scapy sniffing
问题描述
I have an error when running this script: 
运行此脚本时出错:
from scapy.all import *
sn = sniff(filter="http", count=30)
wireshark(sn)
This is the error: 这是错误:
WARNING: No route found for IPv6 destination :: (no default route?)
WARNING: Please, report issues to https://github.com/phaethon/scapy
Traceback (most recent call last):
File "arp1.py", line 2, in <module>
sn = sniff(filter="http", count=30)
File "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/scapy/sendrecv.py", line 566, in sniff
s = L2socket(type=ETH_P_ALL, *arg, **karg)
File "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/scapy/arch/pcapdnet.py", line 276, in __init__
self.ins.setfilter(filter)
File "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/scapy/arch/pcapdnet.py", line 236, in setfilter
error("Could not compile filter expression %s" % f)
NameError: name 'error' is not defined
When running this script, everything works: 运行此脚本时,一切正常:
from scapy.all import *
sn = sniff(filter="icmp and host 66.35.250.151", count=4)
wireshark(sn)
1 个解决方案
解决方案1
2 已采纳 2015-09-24 23:01:55
Scapy uses the BPF syntax for filtering. Scapy使用BPF语法进行过滤。 This syntax doesn't support specifying "http" as the filter in order to filter HTTP traffic. 此语法不支持将"http"指定为过滤器以过滤HTTP流量。
However, it is possible to filter all traffic destined to or originating at port 80, which is commonly used for HTTP . 但是,可以过滤目的地或源自端口80的所有流量,这通常用于HTTP 。 The link above proposes the following filter: 上面的链接提出了以下过滤器:
To capture all IPv4 HTTP packets to and from port 80, ie print only packets that contain data, not, for example, SYN and FIN packets and ACK -only packets.
tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
This stackoverflow answer supplies a clear explanation of the technical details that stand behind this filter. 此stackoverflow答案清楚地解释了此过滤器背后的技术细节。 In a nutshell, it calculates the length in bytes of the application layer payload carried by the packet and verifies that it is not 0 (and thus, positive): 简而言之,它计算数据包承载的应用层有效负载的字节长度,并验证它不是0(因此,为正):
- IP packet length - IP header length - TCP header length != 0 IP包长度 - IP报头长度 - TCP报头长度!= 0
Since the file /etc/services assigns port number 80 to the service name http it is possible to rewrite the previous filter as follows: 由于文件/etc/services将端口号80分配给服务名称http ,因此可以重写前一个过滤器,如下所示:
tcp port http and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
For completeness, it is recommended to filter port 8080 as well ( http-alt in /etc/services ). 为了完整起见,建议也过滤端口8080( /etc/services http-alt )。
Of course, this doesn't guarantee that the filtered traffic is indeed HTTP traffic or that unfiltered traffic doesn't contain HTTP traffic. 当然,这并不能保证过滤的流量确实是HTTP流量,或者未过滤的流量不包含HTTP流量。 More sophisticated filters are required for such an endeavour. 这种努力需要更复杂的过滤器。 They would examine the content of the application layer payload in an attempt to deduce the underlying protocol in use. 他们将检查应用程序层有效负载的内容,以尝试推断使用中的基础协议。
A simple google search would present several alternative filters for all kinds of purposes, depending on your end-goal. 一个简单的谷歌搜索将提供几种替代过滤器,用于各种目的,具体取决于您的最终目标。 This stackoverflow answer , for example, suggests filters for the basic methods of HTTP : one for the HTTP GET method and another for the HTTP POST method. 例如, 此stackoverflow答案建议HTTP的基本方法的过滤器:一个用于HTTP GET方法,另一个用于HTTP POST方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.