
Reading PCAP file with scapy

I have about 10GB of pcap data with IPv6 traffic to analyze info stored in the IPv6 header and other extension headers. To do this I decided to use the Scapy framework. I tried the rdpcap function, but for such big files it is not recommended. It tries to load the whole file into memory and gets stuck in my case. I found on the Net that in such a situation sniff is recommended; my code looks like:

from scapy.all import sniff


def main():
    # offline= reads the file packet by packet; store=0 keeps nothing in memory
    sniff(offline='traffic.pcap', prn=my_method, store=0)


def my_method(packet):
    # called once per packet as it is read
    packet.show()

In the function called my_method I receive each packet separately and I can parse them, but.... When I call the show function, which is a built-in framework method, I get something like this: [screenshot: result]

When opened in Wireshark I get a properly looking packet: [screenshot: RESULT2]

Could you tell me how to parse these packets in scapy to get proper results?

EDIT: According to the discussion in the comments I found a way to parse a PCAP file with Python. In my opinion the easiest way is to use the pyshark framework:

import pyshark

pcap_path = 'traffic.pcap'               # path of the capture to read
pcap = pyshark.FileCapture(pcap_path)    # for reading a PCAP file

It is possible to easily iterate over the read file with a for loop:

for pkt in pcap:
    pass  # do what you want with each packet here

For parsing the IPv6 header the following methods may be useful:

pkt['ipv6'].tclass            #Traffic class field
pkt['ipv6'].tclass_dscp       #Traffic class DSCP field
pkt['ipv6'].tclass_ecn        #Traffic class ECN field
pkt['ipv6'].flow              #Flow label field
pkt['ipv6'].plen              #Payload length field
pkt['ipv6'].nxt               #Next header field
pkt['ipv6'].hlim              #Hop limit field

Update

The latest versions now support ipv6 parsing. So to parse an ipv6 ".pcap" file with scapy it can now be done like so:

from scapy.all import rdpcap, IPv6

scapy_cap = rdpcap('file.pcap')   # reads the whole file into memory
for packet in scapy_cap:
    if IPv6 in packet:            # skip frames without an IPv6 layer
        print(packet[IPv6].src)

Now, as I had commented back when this question was originally asked, for older scapy versions (that don't support ipv6 parsing):

  • pyshark can be used instead (pyshark is a tshark wrapper) like so:

import pyshark

shark_cap = pyshark.FileCapture('file.pcap')
for packet in shark_cap:
    if 'ipv6' in packet:          # skip frames without an IPv6 layer
        print(packet.ipv6.src)

  • or even, of course, tshark (kind of the terminal version of wireshark):

$ tshark -r file.pcap -q -Tfields -e ipv6.src
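Both the pyshark field list in the question's edit and the scapy/pyshark loops in the answer read the capture through a library. The following added example (not code from the question, the answer, or the scapy/pyshark projects) shows what those libraries do underneath using only the Python standard library: it streams a classic pcap file one record at a time, which is the property needed for a 10 GB file, parses the IPv6 fixed header into the same field names as the pyshark attributes listed above (tclass, tclass_dscp, tclass_ecn, flow, plen, nxt, hlim), walks the extension-header chain to the transport protocol, and reports packets whose chain is truncated or unusually long. It goes beyond the page in handling the extension headers generically. The constructed sample capture, the 2001:db8:: addresses and the MAX_EXT_HEADERS threshold of 8 are assumptions for illustration; pcapng files and non-Ethernet link types are not handled.

```python
import struct
from collections import Counter
from io import BytesIO
from ipaddress import IPv6Address

LINKTYPE_ETHERNET, ETHERTYPE_IPV6 = 1, b"\x86\xdd"
# Extension headers that continue the next-header chain (RFC 8200)
EXT_HEADERS = {0: "HopByHop", 43: "Routing", 44: "Fragment", 60: "DestOpts"}
PROTO_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "NoNextHeader"}
MAX_EXT_HEADERS = 8  # assumed review threshold; longer chains get reported


def pcap_records(source):
    """Yield (ts_sec, ts_usec, frame) one record at a time from a classic pcap
    file object (or bytes), so only one packet is held in memory at a time."""
    fobj = BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    gh = fobj.read(24)
    if len(gh) < 24:
        raise ValueError("truncated pcap global header")
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(gh[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "HHiIII", gh[4:])[5] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    while True:
        rh = fobj.read(16)
        if len(rh) < 16:
            return
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rh)
        frame = fobj.read(incl_len)
        if len(frame) < incl_len:
            return  # truncated final record: stop rather than mis-parse it
        yield ts_sec, ts_usec, frame


def parse_ipv6(frame):
    """Parse an Ethernet frame carrying IPv6 into fixed-header fields (named like
    the pyshark attributes), the extension-header chain and the upper-layer
    protocol. Returns None for frames that are not IPv6."""
    if len(frame) < 54 or frame[12:14] != ETHERTYPE_IPV6:
        return None
    pkt = frame[14:]
    first, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        return None
    tclass = (first >> 20) & 0xFF
    info = {"src": IPv6Address(pkt[8:24]).compressed, "dst": IPv6Address(pkt[24:40]).compressed,
            "tclass": tclass, "tclass_dscp": tclass >> 2, "tclass_ecn": tclass & 0x3,
            "flow": first & 0xFFFFF, "plen": plen, "nxt": nxt, "hlim": hlim,
            "ext_headers": [], "truncated": False}
    offset = 40
    while nxt in EXT_HEADERS:  # follow the chain until a transport protocol
        if offset + 8 > len(pkt):
            info["truncated"] = True
            break
        info["ext_headers"].append(EXT_HEADERS[nxt])
        # Fragment header is a fixed 8 bytes; the others carry a length field
        hdr_len = 8 if nxt == 44 else (pkt[offset + 1] + 1) * 8
        nxt, offset = pkt[offset], offset + hdr_len
    info["upper"] = PROTO_NAMES.get(nxt, str(nxt))
    return info


def summarize(source):
    """Stream a capture and return upper-protocol counts plus the packets whose
    extension-header chain is truncated or longer than MAX_EXT_HEADERS."""
    counts, flagged = Counter(), []
    for ts_sec, _ts_usec, frame in pcap_records(source):
        info = parse_ipv6(frame)
        if info is None:
            counts["non-IPv6"] += 1
            continue
        counts[info["upper"]] += 1
        if info["truncated"] or len(info["ext_headers"]) > MAX_EXT_HEADERS:
            flagged.append((ts_sec, info["src"], info["dst"], info["ext_headers"]))
    return counts, flagged


def build_sample_pcap():
    """Constructed sample capture (not real traffic): a plain IPv6/UDP packet, one
    with a Hop-by-Hop + Destination Options chain, and one with nine chained
    Destination Options headers that summarize() flags."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + ETHERTYPE_IPV6
    src, dst = IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed
    udp = struct.pack("!HHHH", 53, 1234, 12, 0) + b"abcd"

    def ext(nxt):  # one 8-byte extension header holding a single PadN option
        return bytes([nxt, 0]) + b"\x01\x04\x00\x00\x00\x00"

    def ipv6(nxt, payload, tclass=0xB8, flow=0x12345, hlim=64):
        first = (6 << 28) | (tclass << 20) | flow
        return eth + struct.pack("!IHBB", first, len(payload), nxt, hlim) + src + dst + payload

    frames = [ipv6(17, udp), ipv6(0, ext(60) + ext(17) + udp),
              ipv6(60, ext(60) * 8 + ext(17) + udp)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

To run it against a real capture, call summarize(open('traffic.pcap', 'rb')); because pcap_records is a generator, memory use stays at one frame regardless of file size. A truncated trailing record ends the stream instead of being parsed, and a chain that cannot be walked within the captured bytes is marked truncated rather than guessed, which is the behaviour you want before trusting per-field statistics from a large capture.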
