[英]Using Scapy to extract payload data from a PCAP
I would like to calculate the payload size of the packets from a PCAP file using Scapy below is where I found a function that does this and works out all the payload size stats eg median/min/max etc.我想使用 Scapy 计算来自 PCAP 文件的数据包的有效负载大小,我在下面找到了一个 function 执行此操作并计算出所有有效负载大小统计信息,例如中值/最小值/最大值等。
How can I use this function on my PCAP file and do I need to do anything to my PCAP file before I process it using this function.如何在我的 PCAP 文件上使用此 function 并且在使用此 function 处理我的 PCAP 文件之前是否需要对其执行任何操作。
Can this be written simpler?这可以写得更简单吗?
def calc_IP_payload_size_features(packet_list, filter_con):
global IP_len
global IP_len_list
global slice_length
IP_len_list = []
for i, (packet, dev_name) in enumerate(packet_list):
try:
IP_len.append(packet["IP"].len - packet["IP"].ihl)
except IndexError:
# IP_len.append(0)
pass
yield packet, dev_name
# print("IP_len", IP_len)
IP_len_list.append(IP_len)
IP_len = []
for i, (data) in enumerate(IP_len_list):
if len(data) == 0:
data.append(0)
data = data[:min(slice_length, len(data)-1)]
min_ip_len = min(data) # minimum IP packet size
max_ip_len = max(data) # maximum IP packet size
q1_ip_len = np.percentile(data, 25) # first quartile of IP packet size
median_ip_len = np.percentile(data, 50) # median of IP packet size
mean_ip_len = np.mean(data) # mean of IP packet size
q3_ip_len = np.percentile(data, 75) # third quartile of IP packet size
var_ip_len = np.var(data) # variance of IP packet size
iqr_ip_len = q3_ip_len - q1_ip_len # IQR of IP packet size
# print(i, "IP payload size features: ", min_ip_len, max_ip_len, q1_ip_len, median_ip_len, mean_ip_len, q3_ip_len, var_ip_len, iqr_ip_len)
feature_list[i].append(min_ip_len)
feature_list[i].append(max_ip_len)
feature_list[i].append(q1_ip_len)
feature_list[i].append(median_ip_len)
feature_list[i].append(mean_ip_len)
feature_list[i].append(q3_ip_len)
feature_list[i].append(var_ip_len)
feature_list[i].append(iqr_ip_len)
You can read pcap files with scapy like this:您可以像这样使用 scapy 读取 pcap 文件:
pcap_contents = rdpcap("/path/to/foo.pcap")
source: https://scapy.readthedocs.io/en/latest/usage.html#reading-pcap-files来源: https://scapy.readthedocs.io/en/latest/usage.html#reading-pcap-files
This will return a scapy.plist.PacketList
, which you can iterate over using standard Python techniques, for example a for
loop:这将返回一个scapy.plist.PacketList
,您可以使用标准 Python 技术对其进行迭代,例如for
循环:
for packet in pcap_contents:
print(len(packet))
Your loop however seems to expect the packet_list
to contain tuples of (packet, dev_name)
:但是,您的循环似乎期望packet_list
包含(packet, dev_name)
的元组:
for i, (packet, dev_name) in enumerate(packet_list):
My random sample pcap file certainly didn't produce this kind of data, so you probably need to match each packet with a dev_name
first, to produce a list of (packet, dev_name)
tuple
s.我的随机样本 pcap 文件肯定不会产生这种数据,因此您可能需要先将每个数据包与dev_name
匹配,以产生(packet, dev_name)
tuple
的列表。 This can be done using standard Python methods, eg with for
loops, or, if you've got a list of dev_names
where the indices match, you could zip
the lists:这可以使用标准的 Python 方法来完成,例如使用for
循环,或者,如果你有一个索引匹配的dev_names
列表,你可以zip
列表:
packets = [IP()/TCP(), IP()/UDP()]
dev_names = ['foo', 'bar']
packet_list = zip(packets, dev_names)
filter_con
doesn't appear to be used, so I can't comment on that. filter_con
似乎没有被使用,所以我不能对此发表评论。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.