Python 使用 scapy 读取 PCAP 文件
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/42963343/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Reading PCAP file with scapy
提问by Krystian
I have about 10GB pcap data with IPv6 traffic to analyze infos stored in IPv6 header and other extension header. To do this I decided to use Scapy framework. I tried rdpcapfunction , but for such big files it is not recommended. It tries to load all file into memory and get stuck in my case. I found in the Net that in such situation sniffis recommended, my code look like:
我有大约 10GB 的 pcap 数据和 IPv6 流量来分析存储在 IPv6 标头和其他扩展标头中的信息。为此,我决定使用 Scapy 框架。我试过rdpcap函数,但对于这么大的文件,不推荐使用。它试图将所有文件加载到内存中并在我的情况下卡住。我在网上发现在这种情况下建议使用嗅探,我的代码如下:
def main():
sniff(offline='traffic.pcap', prn=my_method,store=0)
def my_method(packet):
packet.show()
In function called my_methodI receive each packet separately and I can parse them, but....
When I call showfunction with is in-build framework method I got sth like this:
在名为my_method 的函数中,我分别接收每个数据包,我可以解析它们,但是....当我使用内置框架方法调用show函数时,我得到了这样的东西:
When opened in wireshark I got properly looking packet:
在wireshark中打开时,我得到了正确的数据包:
Could you tell me how to parse this packets in scapy to get proper results?
你能告诉我如何在 scapy 中解析这个数据包以获得正确的结果吗?
EDIT: According to the discussion in comments I found a way to parse PCAP file with Python. In my opinion the easies way is to use pyshark framework:
编辑:根据评论中的讨论,我找到了一种用 Python 解析 PCAP 文件的方法。在我看来,最简单的方法是使用 pyshark 框架:
import pyshark
pcap = pyshark.FileCapture(pcap_path) ### for reading PCAP file
It is possible to easily iterate read file with for loop
可以使用 for 循环轻松迭代读取文件
for pkt in pcap:
#do what you want
For parsing IPv6 header following methods may be useful:
对于解析 IPv6 标头,以下方法可能有用:
pkt['ipv6'].tclass #Traffic class field
pkt['ipv6'].tclass_dscp #Traffic class DSCP field
pkt['ipv6'].tclass_ecn #Traffic class ECN field
pkt['ipv6'].flow #Flow label field
pkt['ipv6'].plen #Payload length field
pkt['ipv6'].nxt #Next header field
pkt['ipv6'].hlim #Hop limit field
回答by coder
Update
更新
The latest scapyversions now supportipv6parsing.
So to parse an ipv6 ".pcap" filewith scapynow it can be done like so:
最新的scapy版本现在支持ipv6解析。因此,要分析一个IPv6的“.pcap”文件与scapy现在它可以像这样做:
from scapy.all import *
scapy_cap = rdpcap('file.pcap')
for packet in scapy_cap:
print packet[IPv6].src
Now as I had commented back when this question was originally asked, for older
scapyversions (that don't support ipv6 parsing):
现在,正如我在最初提出这个问题时所评论的那样,对于旧
scapy版本(不支持 ipv6 解析):
pysharkcan be used instead (pysharkis a tshark wrapper) like so:
pyshark可以改为使用(pyshark是一个 tshark 包装器),如下所示:
import pyshark
shark_cap = pyshark.FileCapture('file.pcap')
for packet in shark_cap:
print packet.ipv6.src
- or even of course
tshark(kind of the terminal version of wireshark):
- 甚至当然
tshark(一种wireshark的终端版本):
$ tshark -r file.pcap -q -Tfields -e ipv6.src
