pcap文件生成metadata

#!/usr/bin/env python

# -*- coding: utf-8 -*-

import os

import time, datetime

import struct

in_path = "/home/bonelee/dns_tunnel_tool/iodine_when_idle.pcap"

tmp_dir = "/tmp"

out_path = "/tmp/out_metadata.txt"

tshark_path = "/usr/bin/tshark"

os.system(tshark_path + " -T fields -E separator=\"^\" "

"-e data ""-e data "

          "-e ip.src "            #  3=sourceIP

          "-e ip.dst "            #  4=destIP

          "-e udp.srcport "       #  5=sourcePort

          "-e udp.dstport "       #  6=destPort

          "-e ip.proto "          #  7=protocol

"-e data ""-e data ""-e data ""-e data " # 8-11

          "-e frame.time_epoch "  #  flowStartSeconds

                                  #  带插入

"-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data "

          "-e dns.flags.rcode "   #  54 = DNSReplyCode

          "-e dns.qry.name "      #  55 = DNSQueryName

          "-e dns.qry.type "      #  56 = DNSRequestRRType

          "-e dns.qry.class "     #  57 = DNSRRClass

          "-e dns.time "          #  58 = DNSDelay   #每个请求包和响应包的时间间隔,换算

          "-e dns.resp.ttl "      #  59 = DNSReplyTTL

          "-e ip.addr "           #  60 = DNSReplyIPv4

          "-e ipv6.addr "         #  61 = DNSReplyIPv6

          "-e dns.resp.type "     #  62 = DNSReplyRRType

"-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data "

          "-e dns.resp.name "     #  77 = DNSReplyName

"-e data ""-e data ""-e data "

                                  #  待插payload

          "-e data ""-e data ""-e data ""-e data ""-e data ""-e data "

          "-e dns.length "        #  88 = DNSRequestLength

          "-e data "              #  89=DNSRequestErrLength

          "-e dns.resp.len "      #  90 = DNSReplyLength

          "-e data "              #  91=DNSReplyErrLength

"-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data ""-e data "

          "-Y dns -r %s  >%s/tsharkResult.txt" % (in_path, tmp_dir))

#读取pcap文件,解析相应的信息,为了在记事本中显示的方便。

payloadResultwithBlank = "%s/payloadResultwithBlank.txt" % tmp_dir

fpcap = open(in_path, 'rb+')

ftxt = open(payloadResultwithBlank,'w')

string_data = fpcap.read()

#pcap文件包头解析

pcap_header = {}

pcap_header['magic_number'] = string_data[0:4]

pcap_header['version_major'] = string_data[4:6]

pcap_header['version_minor'] = string_data[6:8]

pcap_header['thiszone'] = string_data[8:12]

pcap_header['sigfigs'] = string_data[12:16]

pcap_header['snaplen'] = string_data[16:20]

pcap_header['linktype'] = string_data[20:24]

step = 0

packet_num = 0

packet_data = []

pcap_packet_header = {}

i =24

while(i<len(string_data)):

    # 数据包头各个字段

    pcap_packet_header['GMTtime'] = string_data[i:i+4]

    pcap_packet_header['MicroTime'] = string_data[i+4:i+8]

    pcap_packet_header['caplen'] = string_data[i+8:i+12]

    pcap_packet_header['len'] = string_data[i+12:i+16]

    #求出此包的包长len

    packet_len = struct.unpack('I',pcap_packet_header['len'])[0]

    #写入此包数据

    packet_data.append(string_data[i+58:i+16+packet_len])

    i = i+ packet_len+16

    packet_num+=1

# 把pacp文件里的数据包信息写入result.txt

for i in range(packet_num):

    ftxt.write(''.join(x.encode('hex') for x in packet_data[i]) + '\n')

ftxt.close()

fpcap.close()

infp = open(payloadResultwithBlank, "r")

payloadResultOver = "%s/payloadResultOver.txt" % tmp_dir

outfp = open(payloadResultOver, "w")

lines = infp.readlines()

for li in lines:

    if li.split():

        outfp.writelines(li)

infp.close()

outfp.close()

def copyTimeMetadata(string):

    string = string.split('^')

    string.insert(11,string[11])

    return string

payloadFile = open("%s/payloadResultOver.txt" % tmp_dir)

tsharkFile = open("%s/tsharkResult.txt" % tmp_dir)

tsharkData = []

payload = []

meteData = []

for line in tsharkFile:

    line = line.replace("\n", "")

    line = copyTimeMetadata(line)

    tsharkData.append(line)

for line in payloadFile:

    line = line.replace("\n","")

    payload.append(line)

count1 = len(payload)

for i in range(0,count1):

    tsharkData[i].insert(80,payload[i])

    if (tsharkData[i][76]=="<Root>"):

        tsharkData[i][76]=tsharkData[i][54]

meteDataWithPayload = open("%s/meteDataWithPayload.txt" % tmp_dir,'w')

for line in tsharkData:

    meteDataWithPayload.write("^".join(line)+"\n")

finallyMetedata = []

dataListFromQuery = []

dataListFromRespon = []

QueriesName_map = {}

DNSQueryName = 55 -1

destPort = 6 -1

DNSDelay = 0

with open("%s/meteDataWithPayload.txt" % tmp_dir) as f:

    lines = f.readlines()

    for index,line in enumerate(lines):

        line = line.replace("\n","")

        dataFromQuery = line.split("^")

        if dataFromQuery[destPort] == "":             # 此时是请求报文,合并到请求报文中

            dataListFromQuery.append(dataFromQuery)     #dataListFromQuery列表保存的全是请求字段

            QueriesName = dataFromQuery[DNSQueryName]

            QueriesName_map[QueriesName] = index

    count = len(QueriesName_map)                        #计算总共多少条请求报文

    for line in lines:

        dataFromRespon = line.split("^")

        if dataFromRespon[destPort] != "":

            NAME = dataFromRespon[DNSQueryName]         #响应报文中的域名

            if (NAME in QueriesName_map):

                for i in range(0, count):

                    if dataListFromQuery[i][DNSQueryName] == NAME:

                        dataListFromQuery[i][12] = dataFromRespon[12]

                        dataListFromQuery[i][53] = dataFromRespon[53]

                        dataListFromQuery[i][57] = dataFromRespon[57]

                        dataListFromQuery[i][58] = dataFromRespon[58]

                        dataListFromQuery[i][89] = dataFromRespon[89]

                        DNSDelay = (float(dataListFromQuery[i][12])-float(dataListFromQuery[i][11]))*1000000

                        dataListFromQuery[i][57] = str(DNSDelay)

            else:

                print "warning: The response message could not find the requested message", line

meteDataFile = open(out_path,'w')

for line in dataListFromQuery:

    if line[53]!="":

        line[59] = line[59].replace(",",";")

        meteDataFile.write("^".join(line) + "\n")

meteDataFile.close()

示意结果:

^^10.0.2.15^223.5.5.5^60088^53^17^^^^^1512356312.819122000^1512356312.860855000^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^0^daisy.ubuntu.com^1^0x00000001^41733.0265045^1357^10.0.2.15;223.5.5.5^^^^^^^^^^^^^^^^^^^^^4b3601000001000000000000056461697379067562756e747503636f6d0000010001^^^^^^^^^49^^^^^^^^^^^

^^10.0.2.15^223.5.5.5^60088^53^17^^^^^1512356312.819318000^1512356312.860855000^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^0^daisy.ubuntu.com^28^0x00000001^41537.0464325^1357^10.0.2.15;223.5.5.5^^^^^^^^^^^^^^^^^^^^^a82b01000001000000000000056461697379067562756e747503636f6d00001c0001^^^^^^^^^49^^^^^^^^^^^

pcap文件生成metadata——使用tshark解析tcpdump的pcap包的更多相关文章

  1. Android first---xml文件生成与解析

    一.使用append进行xml生成 Message类属性:private String body;        private String date;       private String a ...

  2. 自主创建tcpdump/wireshark pcap文件

      pcap文件格式是bpf保存原始数据包的格式,很多软件都在使用,比如tcpdump.wireshark等等,了解pcap格式可以加深对原始数据包的了解,自己也可以手工构造任意的数据包进行测试. p ...

  3. 构建tcpdump/wireshark pcap文件

      pcap文件格式是bpf保存原始数据包的格式,很多软件都在使用,比如tcpdump.wireshark等等,了解pcap格式可以加深对原始数据包的了解,自己也可以手工构造任意的数据包进行测试. p ...

  4. NodeJs之word文件生成与解析

    NodeJs之word文件生成与解析 一,介绍与需求 1.1,介绍 1,officegen模块可以为Microsoft Office 2007及更高版本生成Office Open XML文件.此模块不 ...

  5. python dpkt 解析 pcap 文件

    dpkt Tutorial #2: Parsing a PCAP File 原文链接:https://jon.oberheide.org/blog/2008/10/15/dpkt-tutorial-2 ...

  6. 解析Markdown文件生成React组件文档

    前言 最近做的项目使用了微前端框架single-spa. 对于这类微前端框架而言,通常有个utility应用,也就是公共应用,里面是各个子应用之间可以共用的一些公共组件或者方法. 对于一个团队而言,项 ...

  7. Linux使用tcpdump命令抓包保存pcap文件wireshark分析

    [root@ok Desktop]# yum search tcpdump Loaded plugins: fastestmirror, refresh-packagekit, security Lo ...

  8. pcapng文件的python解析实例以及抓包补遗

    为了弥补pcap文件的缺陷,让抓包文件可以容纳更多的信息,pcapng格式应运而生.关于它的介绍详见<PCAP Next Generation Dump File Format> 当前的w ...

  9. text2pcap: 将hex转储文本转换为Wireshark可打开的pcap文件

    简介 Text2pcap是一个读取ASCII hex转储的程序,它将描述的数据写入pcap或pcapng文件.text2pcap可以读取包含多个数据包的hexdumps,并构建多个数据包的捕获文件.t ...

随机推荐

  1. springmvc-servlet.xml(springmvc-servlet.xml 配置 增强配置)

    <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.sp ...

  2. Hadoop MapReduce编程 API入门系列之多个Job迭代式MapReduce运行(十二)

    推荐 MapReduce分析明星微博数据 http://git.oschina.net/ljc520313/codeexample/tree/master/bigdata/hadoop/mapredu ...

  3. maven nexus memory optimization

    #链接地址:https://help.sonatype.com/repomanager3/system-requirements#filehandles While starting Nexus I ...

  4. windows7 安装 choco

    windows7 安装 choco: cmd下: @"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -N ...

  5. Linux od与hexdump命令

    od命令:以指定格式输出文件内容常用格式:od -Ax -tx1 filename直接格式:od filename 等价 od -o filename语法:od [-abcdfsiloxv] [-An ...

  6. AVD的Hardware选项

    最近学习开发游戏,需要GLES2.0使用,使用Android虚拟机调试一直报错闪退.百度说Android 4.0及以后的版本[使用API15及以上]),已经支持GLES2.0,需要在HardWare选 ...

  7. Nginx代码风格图示

    Nginx代码风格图示 (100%) 一.基本原则 K&R编码风格(偏BSD子类). 每行不能超过80列. 不用TAB对齐,用空格. 默认对齐单元是4个空格. 除宏定义外,字母均为小写,单词间 ...

  8. **PCD数据获取:Kinect+OpenNI+PCL对接(代码)

    前言: PCL使用点云作为数据格式,Kinect可以直接作为三维图像的数据源产生三维数据,其中的桥梁是OpenNI和PrimeSense.为了方便地使用Kinect的数据,还是把OpenNI获取的基础 ...

  9. (转) RabbitMQ学习之远程过程调用(RPC)(java)

    http://blog.csdn.net/zhu_tianwei/article/details/40887885 在一般使用RabbitMQ做RPC很容易.客户端发送一个请求消息然后服务器回复一个响 ...

  10. C# 生成Model和DAL

    using Model; using System.Collections.Generic; using System.Text; public class Class1 { #region 生成Mo ...