Python—網絡抓包與解包（pcap、dpkt）

pcap安裝

[root@localhost ~]# pip install pypcap

抓包與解包

# -*- coding:utf-8 -*-
import pcap, dpkt
import re, threading, requests
 
__black_ip = ['103.224.249.123', '203.66.1.212']

# 抓包：param1 eth_name 網卡名，如：eth0,eth3。 param2 p_type 日誌捕獲類型 1：sdk日誌用例分析 2：目標域名過濾輸出 3：原始數據包
def catch_pack(eth_name="enp5s0", packet_type=None):
    sniffer = pcap.pcap(eth_name)
    sniffer.setfilter("tcp")            # 只抓取TCP包
    # sniffer.setfilter('tcp port 80')  # 設置監聽過濾器
    if sniffer:
        for packet_time, packet_data in sniffer:  # packet_time爲收到的時間，packet_data爲收到的數據
            th = threading.Thread(target=check_pack, args=(packet_time, packet_data, packet_type))
            th.setDaemon(True)
            th.start()
 
# 解包
def check_pack(packet_time, packet_data, packet_type):
    packet = dpkt.ethernet.Ethernet(packet_data)
    # 判斷是否HTTP協議javascript:;
    try:
        m_tips = packet.data.data.data[:3]
    except:
        return False
    if m_tips != 'GET' and m_tips != 'POS': return False
 
    # 取回頭信息
    tmp = get_header(packet, packet_time)
    if not tmp: return False
    print "tmp===>", tmp
    # self.input_database(tmp)
 
# 取header數據
def get_header(packet, packet_time):
    if not packet: return False
    tmp = {}
 
    # 獲取基礎頭信息
    tmp['dst'] = "%d.%d.%d.%d" % tuple(map(ord, list(packet.data.dst)))
    if tmp['dst'] in __black_ip: return False
    tmp['src'] = "%d.%d.%d.%d" % tuple(map(ord, list(packet.data.src)))
    tmp['time'] = packet_time
    tmp['dport'] = packet.data.data.dport
    tmp['sport'] = packet.data.data.sport
    # if not self.ip_exists(tmp['dst']): self.input_ip(tmp['dst'])
 
    # 截取前1024個字符
    t = packet.data.data.data[:1024]
 
    # 獲取host,uri,referer,method
    o = re.search('(GET|POST)\s+(.+)\s+HTTP(.|\n)+Host:\s+(.+)\r(.|\n)+Referer:\s+(.+)\r', t)
    if not o: return False
    o1 = o.groups()
    if len(o1) < 6: return False
    tmp['method'] = o1[0]
    tmp['host'] = o1[3]
    tmp['uri'] = o1[1]
    tmp['referer'] = o1[5]
    # if self.is_exists(tmp['host'],tmp['dport']): return False
    return tmp
 
if __name__ == "__main__":
    catch_pack("eth0", 1)

解析pcap文件

try:
    import scapy.all as scapy
except ImportError:
    import scapy
from scapy.utils import PcapReader

packets = scapy.rdpcap('test.pcap')
for data in packets:
    if 'UDP' in data:
        s = repr(data)
        print(data['UDP'].sport)
        break

 

https://www.cnblogs.com/guanfuchang/p/6495533.html

http://www.javashuo.com/article/p-bfbdnjha-cz.html