[英]How can I filter an already existing pcap file using scapy?
我正在嘗試嗅探現有的 pcap 文件,對其進行過濾並將其保存到一個新文件中,但是當我運行我的代碼時會彈出此異常。 我怎樣才能解決這個問題?
代碼:
from scapy.all import *
def write(pcap):
for pkt in pcap:
wrpcap('filtered.pcap', pkt, append=True)
else:
pass
def load_pcap(path, filter_str):
pcap = sniff(offline=path, filter=filter_str)
write(pcap)
def main():
load_pcap("file.pcap", 'icmp')
main()
例外:
Traceback (most recent call last):
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\utils.py", line 1663, in tcpdump
stderr=stderr,
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\subprocess.py", line 756, in __init__
restore_signals, start_new_session)
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\subprocess.py", line 1100, in _execute_child
args = list2cmdline(args)
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\subprocess.py", line 511, in list2cmdline
needquote = (" " in arg) or ("\t" in arg) or not arg
TypeError: argument of type 'NoneType' is not iterable
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "sharkscript.py", line 140, in <module>
main()
File "sharkscript.py", line 137, in main
funcs()
File "sharkscript.py", line 130, in funcs
options()
File "sharkscript.py", line 95, in options
load_pcap(get_filter(), path)
File "sharkscript.py", line 33, in load_pcap
pcap = sniff(offline=path, filter=filter_str)
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\sendrecv.py", line 972, in sniff
sniffer._run(*args, **kwargs)
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\sendrecv.py", line 824, in _run
)] = offline
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\utils.py", line 1663, in tcpdump
stderr=stderr,
File "C:\Users\myUser\AppData\Local\Programs\Python\Python37\lib\site-packages\scapy\utils.py", line 555, in __exit__
raise OSError(msg)
OSError: Could not execute windump(), is it installed ?
我嘗試搜索 windump 以及如何安裝它,但找不到任何東西。 還有另一種過濾“離線”pcap的方法嗎?
我試圖運行你的代碼並得到同樣的錯誤。 我認為這是sniff
函數中的一個錯誤,因為刪除filter
參數使其工作(並且過去似乎對其他人有效,例如這里.
無論如何,如果你事先知道過濾器,你可以用haslayer
函數替換它,就像這樣 -
def load_pcap(path):
f = PcapWriter("out.pcap", append=True, sync=True)
sniff(offline=path, prn=lambda p: f.write(p) if ICMP in p else None)
如果您不知道確切的過濾器,但它將是一個簡單的協議名稱,您可以在字符串和 Scapy 層之間進行映射,並以相同的方式使用它。
如果過濾器更復雜(例如tcp.srcport==1234
類的東西),恐怕您需要單獨從用戶那里獲取參數(例如load_pcap(path, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, protocol,...)
或找到將 BPF 字符串解析為參數的方法。
希望這可以幫助 :)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.