Python: converting tcpdump output into a text2pcap-readable format
I wrote a Python script that converts the text output of `tcpdump -i eth0 -neXXs0` into a format that text2pcap understands. This is my first Python program, and I would like suggestions on making it more efficient and more readable, and on anything in the code that looks wrong.

The tcpdump output I am working with looks like this:
20:11:32.001190 00:16:76:7f:2b:b1 > 00:11:5c:78:ca:c0, ethertype IPv4 (0x0800), length 72: 123.236.188.140.41756 > 94.59.34.210.45931: UDP, length 30
    0x0000:  0011 5c78 cac0 0016 767f 2bb1 0800 4500  ..\x....v.+...E.
    0x0010:  003a 0000 4000 4011 812d 7bec bc8c 5e3b  .:..@.@..-{...^;
    0x0020:  22d2 a31c b36b 0026 b9bd 2033 6890 ad33  "....k.&...3h..3
    0x0030:  e845 4b8d 2ba1 0685 0cb3 70dd 9b98 76d8  .EK.+.....p...v.
    0x0040:  8fc6 8293 bf33 325a                      .....32Z
The output, in a format text2pcap can understand:
20:11:32.001190
0000: 00 11 5c 78 ca c0 00 16 76 7f 2b b1 08 00 45 00 ..\x....v.+...E.
0010: 00 3a 00 00 40 00 40 11 81 2d 7b ec bc 8c 5e 3b .:..@.@..-{...^;
0020: 22 d2 a3 1c b3 6b 00 26 b9 bd 20 33 68 90 ad 33 "....k.&...3h..3
0030: e8 45 4b 8d 2b a1 06 85 0c b3 70 dd 9b 98 76 d8 .EK.+.....p...v.
0040: 8f c6 82 93 bf 33 32 5a .....32Z
Here is my code:
import re

# Identify time of the current packet (tcpdump default "HH:MM:SS.usec").
time = re.compile(r'(..:..:..\.[\w]*) ')
# Get individual elements from the packet, i.e. offset, hexdump, chars.
# The dump lines start with a tab (or spaces) followed by "0x<offset>:".
all = re.compile(r'[ \t]+0x([\w]+:) +(.+) +(.*)')
# Regex for two or more spaces (tcpdump pads a short last line this way)
twoSpaces = re.compile('  +')
# Regex for single space
singleSpace = re.compile(' ')
# Single byte pattern.
singleBytePattern = re.compile(r'([\w][\w])')

# Open files.
f = open('pcap.txt', 'r')
outfile = open('ashu.txt', 'w')

for line in f:
    result = time.match(line)
    if result:
        # If current line contains time format dump only time
        print(result.group())
        outfile.write(result.group() + '\n')
    else:
        print(line)
        # Split line containing hex dump and tokenize into list elements.
        result = all.split(line)
        if result:
            i = 0
            for values in result:
                if i == 2:
                    # Strip off additional spaces in hex dump
                    # Useful when hex dump does not end in 16 bytes boundary.
                    val = twoSpaces.sub('', values)
                    # Tokenize individual elements separated by single space.
                    byteResult = singleSpace.split(val)
                    for twoByte in byteResult:
                        # Identify individual byte
                        singleByte = singleBytePattern.split(twoByte)
                        byteOffset = 0
                        for oneByte in singleByte:
                            if byteOffset == 1 or byteOffset == 3:
                                # Write out individual byte with a space char appended
                                print(oneByte, end=' ')
                                outfile.write(oneByte + ' ')
                            byteOffset += 1
                elif i == 3:
                    # Write out char format of hex dump
                    print(" " + values, end='')
                    outfile.write(' ' + values + ' ')
                elif i == 4:
                    outfile.write(values)
                else:
                    print(values, end=' ')
                    outfile.write(values + ' ')
                i += 1
        else:
            print("could not split")

f.close()
outfile.close()
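The conversion the question describes, written as an added example (it is not the asker's script or the code in either answer). It assumes the layout tcpdump actually prints: a header line beginning with the timestamp, then dump lines of the form `\t0x0010:  003a 0000 ...  .:..@.@.`, with bytes in 4-digit groups (a 2-digit group when the frame length is odd) and the ASCII column separated from the hex by at least two spaces. The `SAMPLE` constant is the question's own tcpdump excerpt; the function names, the optional `YYYY-MM-DD ` date prefix accepted by the timestamp pattern, and the offset-gap check are this example's additions. Re-assembling each frame and re-emitting it means the produced offsets are always contiguous, which is the condition text2pcap checks before it discards the rest of a packet.

```python
"""Convert `tcpdump -neXXs0` text output into the hex-dump format text2pcap reads."""
import re
import sys

# Header line of a frame: the default "HH:MM:SS.usec" timestamp, optionally
# preceded by a "YYYY-MM-DD " date (assumption: covers tcpdump -tttt output).
TIMESTAMP_RE = re.compile(r"^((?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2}\.\d+) ")
# Hex-dump line: optional indent, "0x" + hex offset + ":", then the rest of the line.
HEXLINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*\S)\s*$")
# tcpdump prints 4-digit groups, plus one 2-digit group when the frame length is odd.
HEXGROUP_RE = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")

# Copied from the question's tcpdump excerpt (72-byte Ethernet/IPv4/UDP frame).
SAMPLE = (
    "20:11:32.001190 00:16:76:7f:2b:b1 > 00:11:5c:78:ca:c0, ethertype IPv4 (0x0800), "
    "length 72: 123.236.188.140.41756 > 94.59.34.210.45931: UDP, length 30\n"
    "\t0x0000:  0011 5c78 cac0 0016 767f 2bb1 0800 4500  ..\\x....v.+...E.\n"
    "\t0x0010:  003a 0000 4000 4011 812d 7bec bc8c 5e3b  .:..@.@..-{...^;\n"
    "\t0x0020:  22d2 a31c b36b 0026 b9bd 2033 6890 ad33  \"....k.&...3h..3\n"
    "\t0x0030:  e845 4b8d 2ba1 0685 0cb3 70dd 9b98 76d8  .EK.+.....p...v.\n"
    "\t0x0040:  8fc6 8293 bf33 325a                      .....32Z\n"
)


def parse_hex_line(line):
    """Return (offset, bytes) for one tcpdump hex-dump line, or None if it is not one.

    The hex groups are single-space separated and the ASCII column follows at
    least two spaces, so splitting on the first run of two-or-more spaces
    isolates the hex part even when the ASCII text itself looks like hex.
    """
    m = HEXLINE_RE.match(line)
    if not m:
        return None
    offset = int(m.group(1), 16)
    hex_part = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
    groups = hex_part.split(" ")
    if not all(HEXGROUP_RE.match(g) for g in groups):
        raise ValueError(f"malformed hex dump line: {line!r}")
    return offset, bytes.fromhex("".join(groups))


def format_text2pcap(data, width=16):
    """Render a frame as text2pcap lines: 4-digit hex offset, one 2-digit byte per column.

    The ASCII column is deliberately not emitted; text2pcap does not need it and
    leaving it out removes any chance of ASCII being mistaken for hex bytes.
    """
    return [
        f"{i:04x}: " + " ".join(f"{b:02x}" for b in data[i:i + width])
        for i in range(0, len(data), width)
    ]


def convert(text):
    """Convert a whole tcpdump text dump into text2pcap input.

    Each frame is re-assembled from its dump lines, checking that the offsets
    are contiguous, and re-emitted below its timestamp line. Lines that are
    neither a timestamp header nor a hex-dump line are skipped.
    """
    out = []
    frame = bytearray()

    def flush():
        if frame:
            out.extend(format_text2pcap(bytes(frame)))
        frame.clear()

    for line in text.splitlines():
        ts = TIMESTAMP_RE.match(line)
        if ts:
            flush()
            out.append(ts.group(1))
            continue
        parsed = parse_hex_line(line)
        if parsed is None:
            continue
        offset, data = parsed
        if offset != len(frame):
            raise ValueError(f"offset gap: expected 0x{len(frame):04x}, got 0x{offset:04x}")
        frame += data
    flush()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python tcpdump_to_text2pcap.py pcap.txt > ashu.txt
    # then:  text2pcap -t "%H:%M:%S." ashu.txt out.pcap
    with open(sys.argv[1]) as fh:
        sys.stdout.write(convert(fh.read()))
```

Because `-XX` includes the Ethernet header, text2pcap's default Ethernet encapsulation is correct for this input; the `-t "%H:%M:%S."` option makes text2pcap parse the emitted timestamp line instead of stamping every packet with the current time.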
2 Answers
0
I made a similar tool in PowerShell. text2pcap.exe accepts its output, but I get a lot of warnings of the form "Inconsistent offset. Expected 0, but got 10. Ignoring rest of packet". Wireshark can open the file, but it doesn't look right. I plan to check my tcpdump parameters and text2pcap parameters to see whether I can get it to look better.

The code is below in case it helps someone.
$text.split(10) | forEach {
    if ($_ -notmatch "0x") { $_ } else {
        $num = [regex]::match($_, "(?<=0x)\d.*:").value
        $hex = [regex]::matches($_, " \w.+").value.trim().replace(" ", "") | % { $_ -split ("([a-z0-9]{2})") }
        [string]$num, [string]$hex -join " "
    }
}
2023-03-20 13:20:04.309607 IP 192.168.0.2.443 > 192.168.0.10.56321: Flags [.], ack 11801, win 498, length 0
0000: 45 00 00 28 3d e9 40 00 ff 06 00 00 c0 a8 0c 57 E..(=.@........W
0010: 0a fc 16 ba 01 bb dc 01 38 29 25 31 51 97 cd b6 ........8)% 1Q ...
0020: 50 10 01 f2 00 00 00 00 P.......
3
Use tcpdump's -w option to write the data to a pcap-format file:

tcpdump -w filename.pcap

Wireshark should be able to read that file.