With scapy and scapy_http it is easy to parse the HTTP packets contained in a pcap file.
scapy_http can be downloaded from https://github.com/invernizzi/scapy-http; that page also provides a simple example program. Following that example, I modified it into a small program that prints the source and destination addresses and the payload of each HTTP packet in a pcap file, shown below:
```python
#!/usr/bin/env python
try:
    import scapy.all as scapy
except ImportError:
    import scapy

try:
    # This import works from the project directory
    import scapy_http.http
except ImportError:
    # If you installed this package via pip, you just need to execute this
    from scapy.layers import http

packets = scapy.rdpcap('f:\\abc123.pcap')
for p in packets:
    print('=' * 78)
    # p.show()

    # p.payload is the layer below Ethernet; print its src and dst fields
    layer = p.payload
    for f in layer.fields_desc:
        if f.name == 'src' or f.name == 'dst':
            fvalue = layer.getfieldval(f.name)
            reprval = f.i2repr(layer, fvalue)
            print("%s : %s" % (f.name, reprval))

    # the innermost layer (Raw) carries the HTTP payload in its 'load' field;
    # getfieldval/i2repr must be called on the layer that owns the field
    inner = p.lastlayer()
    for f in inner.fields_desc:
        if f.name == 'load':
            fvalue = inner.getfieldval(f.name)
            reprval = f.i2repr(inner, fvalue)
            print("%s : %s" % (f.name, reprval))
```
Here p is a packet, which scapy_http splits into three layers,
Ethernet->TCP->RAW;
calling p.show() prints the following:
```
###[ Ethernet ]###
  dst = 02:00:00:00:00:39
  src = 00:00:00:01:02:09
  type = 0x800
###[ IP ]###
  version = 4L
  ihl = 5L
  tos = 0x0
  len = 1014
  id = 7180
  flags =
  frag = 0L
  ttl = 45
  proto = tcp
  chksum = 0xbbf9
  src = 126.209.59.13
  dst = 121.113.176.25
  \options \
###[ Raw ]###
  load = '.....'
```
The first layer is the network layer, containing the source and destination MAC addresses and the IP protocol number; the second layer is the TCP layer; the third layer contains the port numbers and the HTTP message.
Each layer is the payload member of the layer above it.
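As an added example (not from the original post, and not scapy code), here is the same extraction done with only the Python standard library: a minimal classic-pcap reader that walks the Ethernet, IPv4 and TCP headers and returns the source/destination addresses and the payload of every segment that looks like HTTP. The sample capture, its addresses and its request are constructed in memory; it assumes the classic pcap format with an Ethernet link type (pcapng is rejected).

```python
import struct

HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")

def build_sample_pcap():
    """Constructed sample: a one-packet classic pcap (Ethernet/IPv4/TCP + HTTP GET)."""
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: sport, dport 80, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4: version/IHL, TOS, total length, id, flags DF, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 7180, 0x4000, 45, 6, 0,
                     bytes([198, 51, 100, 13]), bytes([192, 0, 2, 25]))
    eth = bytes.fromhex("020000000039") + bytes.fromhex("000000010209") + b"\x08\x00"
    frame = eth + ip + tcp + http
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    phdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))        # ts_sec, ts_usec, incl, orig
    return ghdr + phdr + frame

def extract_http(pcap_bytes):
    """Return [(src_ip, dst_ip, payload)] for each TCP segment whose payload looks like HTTP."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("unsupported capture format (expected classic pcap, not pcapng)")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    results, off = [], 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need Ethernet + IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]         # drop Ethernet trailer padding
        if frame[23] != 6:                                    # IP protocol 6 = TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + ip_len]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]                    # skip TCP header incl. options
        if payload.startswith(HTTP_PREFIXES):
            results.append((src, dst, payload))
    return results

if __name__ == "__main__":
    for src, dst, payload in extract_http(build_sample_pcap()):
        print("src : %s\ndst : %s\nload : %r" % (src, dst, payload))
```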
If an error about the dnet or pcap library is reported while running the program, download and reinstall the corresponding library from here:
pcap http://files.cnblogs.com/Jerryshome/pcap-1.1.win32-py2.7.rar
dnet http://files.cnblogs.com/Jerryshome/dnet-1.12.win32-py2.7.rar
Reference: http://www.cnblogs.com/Jerryshome/p/4076800.html