pcap2txt

This program takes the first three SSL/TLS packets from each pcap file and extracts their data, as decimal byte values, into a txt file:

  • The dataset holds many domain-name folders, each containing many txt files that record packets; we keep the number of txt files the same across the different domain folders
  • pcapnum_per_txt: each txt file is produced from pcapnum_per_txt pcap files
  • filelist is the list of all pcap file names; these pcaps are processed in txt_num batches, and the file names of each batch are stored in new_list
import os
import struct

# Module-level constants used by the functions in the sections below
# (values taken from the description on this page):
pcaphdrlen = 24   # pcap global header
pkthdrlen = 16    # per-packet record header
maclen = 14       # Ethernet header
iplen = 20        # IPv4 header without options
txt_num = 5       # number of txt files to produce (0.txt .. 4.txt in the run shown below)
flow = {}         # pcap file name -> list of at most three TLS packets, filled by processpacket()

# parse_pcap(), processpacket() and preprocess() are defined in the sections below;
# in the actual script they must be defined before this block runs.
if __name__ == '__main__':
    path = '/home/new3/https/lx/login.weixin.qq.com'
    filelist = os.listdir(path)
    #print (len(filelist))

    pcapnum_per_txt = len(filelist) // txt_num

    for i in range(txt_num):
        print(str(i)+'.txt')
        new_list = filelist[i*pcapnum_per_txt:i*pcapnum_per_txt + pcapnum_per_txt]

        # `file` is a module-level name here: processpacket() reads it as the flow key
        for file in new_list:
            print('The pcap file is: ' + file)
            filepath = os.path.join(path,file)
            parse_pcap(filepath)

        # write every pcap of this batch that yielded exactly three TLS packets:
        # one line per packet, byte values in decimal separated by spaces
        txt_name = str(i) + '.txt'
        with open(txt_name, "a+") as fw:
            for key in flow.keys():
                if key in new_list:
                    if len(flow[key]) == 3:
                        print(key)
                        for pkts in flow[key]:
                            for b in pkts:
                                fw.write(str(b)+" ")
                            fw.write("\n")
        print('The above pcap file is written in the txt file.')
        print ('\n')

parse_pcap

  • First read the 24-byte pcap file header, then loop over [read the 16-byte packet record header, which contains the size of this packet, iplensave, then read iplensave bytes of packet data]
  • The variable iplensave records the length of the current packet
How to decide whether the current packet is SSL/TLS:
  • TLS runs on top of TCP and is encapsulated in TCP
  • The first field of a TLS record gives the TLS content type, and the following field gives the version. Most content type values (all seen so far) are just the three values 20 (0x14), 22 (0x16) and 23 (0x17), and the first byte of the version always starts with 0x03
[Figure: tls.png]
  • The MAC layer is 14 B and the IP layer is usually 20 B; the TCP header has no fixed length, and its length is given by the header length field in the TCP header. That field is only 4 bits, the upper 4 bits of the 13th byte of the TCP header; converting it to decimal and multiplying by 4 gives the length of the whole TCP header
  • First check that the packet length iplensave > 54, because MAC + IP + TCP need at least 54 B; anything below 54 B certainly has no TLS layer
  • Check that iplensave - tcplen - iplen - maclen > 0; if it equals 0 there is no TLS layer either
  • If both conditions hold, check whether the byte following TCP is 20, 22 or 23 and whether the version is 3; if both hold, it is a TLS packet (the probability of a coincidence is small enough to ignore)

[Figure: tcp]
def parse_pcap(filename):
    with open(filename, "rb") as f:
        # Read the 24-byte pcap global header:
        # magic, version major/minor, timezone offset, sigfigs, snaplen, link type
        data = f.read(pcaphdrlen)
        (tag, maj, minor, tzone, ts, ppsize, lt) = struct.unpack("=LHHlLLL", data)
        # packet counter
        cnt = 0

        while data:
            # read the 16-byte packet record header
            data = f.read(pkthdrlen)
            if not data:
                break
            (sec, microsec, iplensave, origlen) = struct.unpack("=LLLL", data)
            # print (sec, microsec, iplensave, origlen)
            # bytearray so that indexing yields integers under both Python 2 and 3
            data = bytearray(f.read(iplensave))

            if iplensave > 54:
                # TCP data offset: upper nibble of TCP header byte 12 (frame byte 46), in 32-bit words
                tcplen = data[46] // 16 * 4
                if iplensave - tcplen - iplen - maclen > 0:
                    tlstype = maclen + iplen + tcplen   # first TCP payload byte: TLS content type
                    tlsversion = tlstype + 1            # next byte: TLS major version
                    if data[tlstype] in (20, 22, 23) and data[tlsversion] == 3:
                        processpacket(data)
                        cnt = cnt + 1

        print('The number of ssl/tls packets: ' + str(cnt))
        print('----------------------------------------------------------------------------------')
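The detection heuristic above, as an added worked example that is not part of the original script: it builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames with dummy addresses, walks it the way parse_pcap does, and applies the content-type/version check to each frame. It goes slightly beyond the page by reading the IPv4 header length from the IHL nibble instead of assuming 20 bytes, so a frame carrying IP options is classified correctly; the function names and sample frames are my own.

```python
import struct
MAC_LEN, PCAP_HDR_LEN, PKT_HDR_LEN = 14, 24, 16
TLS_CONTENT_TYPES = {20, 22, 23}  # the three record types the page keys on

def is_tls_frame(frame):
    """Page's heuristic; reads the IPv4 IHL nibble (extension) instead of assuming 20 B."""
    frame = bytearray(frame)
    if len(frame) <= 54:                 # mac + ip + tcp need at least 54 B
        return False
    ip_len = (frame[MAC_LEN] & 0x0F) * 4  # IHL counts 32-bit words
    tcp_off = MAC_LEN + ip_len
    tcp_len = (frame[tcp_off + 12] >> 4) * 4   # TCP data-offset nibble, times 4
    rec = tcp_off + tcp_len              # first payload byte = TLS content type
    if len(frame) - rec < 2:             # need a content type and a version byte
        return False
    return frame[rec] in TLS_CONTENT_TYPES and frame[rec + 1] == 3

def build_frame(payload, ip_options=b""):
    """Constructed Ethernet + IPv4 + TCP frame with dummy addresses (test data only)."""
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1, 5 << 4, 0x18, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_options
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Minimal native-endian pcap: 24 B global header, then 16 B record headers."""
    out = struct.pack("=LHHlLLL", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("=LLLL", 1556368053 + i, 0, len(f), len(f)) + f
    return out

def count_tls_packets(pcap_bytes):
    """Walk an in-memory pcap the way parse_pcap on the page does; return the TLS count."""
    magic, _maj, _min, _tz, _sig, _snap, link = struct.unpack("=LHHlLLL", pcap_bytes[:PCAP_HDR_LEN])
    if magic != 0xA1B2C3D4 or link != 1:
        raise ValueError("expected a native-endian, microsecond, Ethernet pcap")
    pos, count = PCAP_HDR_LEN, 0
    while pos + PKT_HDR_LEN <= len(pcap_bytes):
        _s, _us, incl_len, _orig = struct.unpack("=LLLL", pcap_bytes[pos:pos + PKT_HDR_LEN])
        pos += PKT_HDR_LEN
        count += is_tls_frame(pcap_bytes[pos:pos + incl_len])
        pos += incl_len
    return count

# Constructed frames: empty TCP segment, TLS handshake record (0x16 0x03 0x01), plain HTTP,
# and TLS application data (0x17 0x03 0x03) behind 4 B of IPv4 options.
SAMPLE_PCAP = build_pcap([build_frame(b""),
                          build_frame(b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
                          build_frame(b"GET / HTTP/1.1\r\n"),
                          build_frame(b"\x17\x03\x03\x00\x02\xde\xad", ip_options=b"\x01\x01\x01\x01")])
```

count_tls_packets(SAMPLE_PCAP) returns 2: the empty segment fails the 54-byte check, the HTTP payload fails the content-type check, and the frame with IP options is only recognised because the IHL nibble is honoured.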

processpacket

  • Define a dictionary flow whose key is the pcap file name (the input is all the pcap files under one domain folder, so using the file name as the key gives no duplicates) and whose value is the packets from that pcap that pass the filter (TLS), taking at most three
def processpacket(pkt):
    # works for a Python 2 str, bytes or bytearray: list of integer byte values
    pkt = list(bytearray(pkt))
    proto = pkt[23]          # IPv4 protocol field (6 = TCP)

    # addresses and ports are decoded here but not used further by this script
    srcip = "{0}.{1}.{2}.{3}".format(pkt[26], pkt[27], pkt[28], pkt[29])
    dstip = "{0}.{1}.{2}.{3}".format(pkt[30], pkt[31], pkt[32], pkt[33])

    sport = pkt[34] * 256 + pkt[35]
    dport = pkt[36] * 256 + pkt[37]

    pkt = preprocess(pkt, proto)
    # print file

    # the flow key is the pcap file name: `file` is the module-level loop variable set in __main__
    key = file
    if key in flow:
        value = flow[key]
        if len(value) < 3:       # keep at most three TLS packets per pcap
            value.append(pkt)
            flow[key] = value
    else:
        flow[key] = [pkt]

preprocess

  • Take 1000 bytes: strip the MAC and IP layer information and cut from the start of TCP
def preprocess(packet, proto):
    # remove mac and ip layer (14 + 20 bytes), start from the tcp layer
    packet = packet[34:]
    # fix the length at 1000 bytes: zero-pad short packets, truncate long ones
    if len(packet) < 1000:
        packet.extend([0] * (1000 - len(packet)))
    else:
        packet = packet[:1000]
    return packet

Results:

  • The sections separated by dashed lines are the pcap files the program processed; only those with exactly 3 SSL/TLS packets are written into the txt, those with fewer than 3 are skipped
  • Listed below the dashes are the pcap files written into the txt, in the order they were written
new3@new3:~/https/lx$ python parsepcap.py 
0.txt
The pcap file is: 159.226.121.15_54806_101.226.76.164_443_1556368053.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.158_44082_101.227.160.102_443_1556357309.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_5794_101.227.160.102_443_1556370252.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.244_60644_101.227.160.102_443_1556357290.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.253_12310_223.166.152.108_443_1556368139.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.81_7116_101.226.76.164_443_1556368107.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.20.7_35292_101.226.76.164_443_1556368849.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.215_1098_101.227.160.102_443_1556357592.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.25.81_7116_101.226.76.164_443_1556368107.pcap
159.226.171.251_5794_101.227.160.102_443_1556370252.pcap
159.226.117.215_1098_101.227.160.102_443_1556357592.pcap
159.226.35.244_60644_101.227.160.102_443_1556357290.pcap
159.226.20.7_35292_101.226.76.164_443_1556368849.pcap
The above pcap file is written in the txt file.


1.txt
The pcap file is: 159.226.171.251_34568_101.226.76.164_443_1556369112.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.121.15_49579_101.226.76.164_443_1556357432.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_34358_101.227.160.102_443_1556368031.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.113.225_14779_101.226.76.164_443_1556369020.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.121_53831_101.226.76.164_443_1556357383.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_14133_101.227.160.102_443_1556368271.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.182.51_49968_117.135.169.34_443_1556368833.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.91_36511_101.226.76.164_443_1556368921.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.25.91_36511_101.226.76.164_443_1556368921.pcap
159.226.171.251_14133_101.227.160.102_443_1556368271.pcap
159.226.182.51_49968_117.135.169.34_443_1556368833.pcap
159.226.171.251_34568_101.226.76.164_443_1556369112.pcap
159.226.171.251_34358_101.227.160.102_443_1556368031.pcap
The above pcap file is written in the txt file.


2.txt
The pcap file is: 159.226.95.33_12289_101.226.76.164_443_1556370074.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.43.54_48313_101.226.76.164_443_1556357346.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.132_54887_101.227.160.102_443_1556357319.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.121_58915_101.226.76.164_443_1556368004.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.91_32511_101.227.160.102_443_1556367961.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.172_5276_101.227.160.102_443_1556370303.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.113.225_33547_101.226.76.164_443_1556370161.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.121_58948_101.226.76.164_443_1556368244.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.25.91_32511_101.227.160.102_443_1556367961.pcap
159.226.95.33_12289_101.226.76.164_443_1556370074.pcap
159.226.43.54_48313_101.226.76.164_443_1556357346.pcap
159.226.35.172_5276_101.227.160.102_443_1556370303.pcap
159.226.118.121_58948_101.226.76.164_443_1556368244.pcap
159.226.113.225_33547_101.226.76.164_443_1556370161.pcap
The above pcap file is written in the txt file.


3.txt
The pcap file is: 159.226.117.158_7200_101.227.160.102_443_1556369012.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.199.87_60649_101.227.160.102_443_1556368176.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.110.25_65292_101.226.76.164_443_1556368947.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_1215_101.227.160.102_443_1556357407.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.113.225_55106_101.226.76.164_443_1556357379.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.81_7611_101.226.76.164_443_1556368229.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.158_23010_101.226.76.164_443_1556370332.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.138_51823_101.226.76.164_443_1556370162.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
159.226.171.251_1215_101.227.160.102_443_1556357407.pcap
159.226.199.87_60649_101.227.160.102_443_1556368176.pcap
159.226.25.81_7611_101.226.76.164_443_1556368229.pcap
The above pcap file is written in the txt file.


4.txt
The pcap file is: 159.226.35.244_53259_101.226.76.164_443_1556368032.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.21.20_53148_101.227.160.102_443_1556357379.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.244_53897_101.227.160.102_443_1556368813.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.158_12623_101.227.160.102_443_1556368952.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.244_55147_101.226.76.164_443_1556370313.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.231.165_52310_101.226.76.164_443_1556367992.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.81_6935_101.226.76.164_443_1556368047.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.177_55157_101.226.76.164_443_1556357535.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.35.177_55157_101.226.76.164_443_1556357535.pcap
159.226.35.244_55147_101.226.76.164_443_1556370313.pcap
159.226.35.244_53259_101.226.76.164_443_1556368032.pcap
159.226.21.20_53148_101.227.160.102_443_1556357379.pcap
159.226.25.81_6935_101.226.76.164_443_1556368047.pcap
159.226.231.165_52310_101.226.76.164_443_1556367992.pcap
159.226.35.244_53897_101.227.160.102_443_1556368813.pcap
159.226.117.158_12623_101.227.160.102_443_1556368952.pcap
The above pcap file is written in the txt file.


new3@new3:~/https/lx$ 
