Continuously read a pcap file in Python that is being written continuously

Using Python I want to continuously read the packets one-by-one, in the same order they are written, from a pcap file that is being continuously written by a tshark (or a piece of code written in libpcap or pfring) live capture.

To test this I used tshark and scapy in Python in the following way:

@terminal1: ping -i 5 192.168.1.10

@terminal2: tshark -f "icmp" -a filesize:1000 -w ping_live.pcap

Packet reader in Python intended to read each unread packet every 5 seconds (not the whole set of packets every time). But it will not wait for the next set of packets that are about to be written after 5 seconds, and it exits.

from scapy.all import *

def process_packet(packet):
    print(packet.summary())

# offline= reads the file from start to end once, then returns
sniff(offline="ping_live.pcap", prn=process_packet, store=0)
print("sniff complete, exiting")

Then I tried to put a while True: loop around the sniff method, but it does not read only the next unread packet; instead it reads the whole file again and again.

What is the solution for my requirement (not limited to scapy)?

Thank you
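An added example, not part of the original question or any answer, that tails a classic pcap file with only the standard library: it parses the 24-byte file header, then on each poll consumes only the records that are completely present, seeking back whenever the writer has flushed a partial record, so every packet is returned once, in file order. It assumes the capture is written in classic pcap format (tshark writes pcapng by default, so pass `-F pcap`); the function and constant names are my own.

```python
import struct
import time
from typing import BinaryIO, Iterator, Optional

GLOBAL_HDR_LEN = 24   # classic libpcap file header
RECORD_HDR_LEN = 16   # per-record header: ts_sec, ts_frac, incl_len, orig_len

def read_global_header(f: BinaryIO) -> Optional[str]:
    """Return the struct byte-order prefix, or None if the header is not fully flushed yet."""
    hdr = f.read(GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN:
        f.seek(-len(hdr), 1)              # rewind so the next poll re-reads it
        return None
    magic = hdr[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):  # usec / nsec, little-endian
        return "<"
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # usec / nsec, big-endian
        return ">"
    raise ValueError("not a classic pcap (pcapng is not handled here)")

def read_complete_records(f: BinaryIO, endian: str) -> list:
    """Consume every fully written record; on a partial record seek back to its start and stop."""
    records = []                          # each entry: (ts_sec, ts_frac, orig_len, packet bytes)
    while True:
        start = f.tell()
        rec_hdr = f.read(RECORD_HDR_LEN)
        if len(rec_hdr) < RECORD_HDR_LEN:
            f.seek(start)
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec_hdr)
        data = f.read(incl_len)
        if len(data) < incl_len:          # header present, payload still being written
            f.seek(start)
            break
        records.append((ts_sec, ts_frac, orig_len, data))
    return records

def tail_pcap(path: str, poll_interval: float = 1.0) -> Iterator[tuple]:
    """Yield packets in file order from a capture that another process keeps appending to."""
    with open(path, "rb") as f:
        endian = read_global_header(f)
        while endian is None:             # file exists but header not flushed yet
            time.sleep(poll_interval)
            endian = read_global_header(f)
        while True:                       # runs until the consumer stops iterating
            batch = read_complete_records(f, endian)
            if not batch:
                time.sleep(poll_interval)
            yield from batch
```

The raw packet bytes can be handed to scapy's dissector for the capture's link type; the only bytes ever re-read are those of a partially flushed record, which is what the while True: around sniff(offline=...) could not achieve.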

I'm unsure if this answers your question, because I cannot understand the exact requirement. Based on my interpretation of the information within your question, you want to "continuously read the packets in the same order as they are written into a PCAP file."

Your example used ICMP, so my answer will use that protocol.

import pyshark

# filter live capture by type, which is ICMP
capture = pyshark.LiveCapture('en0', display_filter='icmp')

for packet in capture:

    # enumerate the field names and field values within the ICMP layer
    for field_name, field_value in packet.icmp._all_fields.items():

        # filter the time stamp
        if field_name == 'icmp.data_time':
            print(field_value)

Output:

Mar 21, 2021 09:03:21.681450000 EDT
Mar 21, 2021 09:03:21.681450000 EDT
Mar 21, 2021 09:03:22.686135000 EDT
Mar 21, 2021 09:03:22.686135000 EDT
Mar 21, 2021 09:03:23.689576000 EDT
Mar 21, 2021 09:03:23.689576000 EDT
Mar 21, 2021 09:03:24.691429000 EDT
Mar 21, 2021 09:03:24.691429000 EDT
Mar 21, 2021 09:03:25.692395000 EDT
Mar 21, 2021 09:03:25.692395000 EDT
truncated...

Here are the field names that can be filtered:

icmp.type
icmp.code
icmp.checksum
icmp.checksum.status
icmp.ident
icmp.seq
icmp.seq_le
icmp.data_time
icmp.data_time_relative
data
data.data
data.len

Hopefully, this answer helps you.

PS Here is a GitHub document that I wrote on using pyshark.
