首页 / 问题 / 正文

Scapy:将sr的输出保存到磁盘

0 投票
1 回答
1826 浏览
提问于 2025-04-17 13:54

Scapy中,我想把sr的输出保存到硬盘上,以便以后分析。

ans, unans = sr(somePackets)

虽然unans可以用Scapy自带的wrpcap函数轻松保存,但我却无法把ans保存到硬盘上。

>>> wrpcap(locationOnDisk, ans)
WARNING: PcapWriter: unknown LL type for tuple. Using type 1 (Ethernet)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 470, in wrpcap
    PcapWriter(filename, *args, **kargs).write(pkt)
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 653, in write
    self._write_packet(p)
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 692, in _write_packet
    sec = int(packet.time)
AttributeError: 'tuple' object has no attribute 'time'

其实,我最关注的是sr给每个数据包添加的time属性。

所以我试着用pickle,结果更糟糕:

>>> pickle.dump(ans, open(locationOnDisk, "w+"))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/pickle.py", line 1370, in dump
    Pickler(file, protocol).dump(obj)
  File "/usr/lib/python2.7/pickle.py", line 224, in dump
    self.save(obj)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 725, in save_inst
    save(stuff)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 600, in save_list
    self._batch_appends(iter(obj))
  File "/usr/lib/python2.7/pickle.py", line 615, in _batch_appends
    save(x)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 562, in save_tuple
    save(element)
  File "/usr/lib/python2.7/pickle.py", line 331, in save
    self.save_reduce(obj=obj, *rv)
  File "/usr/lib/python2.7/pickle.py", line 419, in save_reduce
    save(state)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 725, in save_inst
    save(stuff)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 748, in save_global
    (obj, module, name))
pickle.PicklingError: Can't pickle <function <lambda> at 0x976c224>: it's not found as scapy.layers.inet.<lambda>

有没有什么办法可以解决这个问题?

数据分析 scapy 网络工具 pickle 数据包 磁盘保存

1 个回答

1
[13:44:49][root@box:~]$ scapy    
Welcome to Scapy (2.1.0)
>>> sr
<function sr at 0x8cc3614>
>>> ans, unans = sr(IP(dst="www.slashdot.org")/ICMP()/"XXXXXXXXXXX")
Begin emission:
.Finished to send 1 packets.
.*
Received 3 packets, got 1 answers, remaining 0 packets

>>> ans
<Results: TCP:0 UDP:0 ICMP:1 Other:0>
>>> type(ans)
<type 'instance'>
>>> dir(ans)
['__add__', '__doc__', '__getattr__', '__getitem__', '__getslice__', '__init__', '__module__', '__repr__', '_dump_document', '_elt2pkt', '_elt2show', '_elt2sum', 'afterglow', 'conversations', 'diffplot', 'display', 'filter', 'hexdump', 'hexraw', 'listname', 'make_lined_table', 'make_table', 'make_tex_table', 'multiplot', 'nsummary', 'nzpadding', 'padding', 'pdfdump', 'plot', 'psdump', 'rawhexdump', 'replace', 'res', 'sessions', 'show', 'sr', 'stats', 'summary', 'timeskew_graph']

那么我们现在知道什么呢?我们现在知道 ans 绝对不是一个数据包的列表,而是另一个实例对象,它提供了元组的特性(比如 __getitem__ 等等),因此 scapy 不会把它导出到捕获文件中:

>>> wrpcap("test.cap", ans)
WARNING: PcapWriter: unknown LL type for tuple. Using type 1 (Ethernet)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/scapy/utils.py", line 466, in wrpcap
    PcapWriter(filename, *args, **kargs).write(pkt)
  File "/usr/local/lib/python2.7/site-packages/scapy/utils.py", line 649, in write
    self._write_packet(p)
  File "/usr/local/lib/python2.7/site-packages/scapy/utils.py", line 688, in _write_packet
    sec = int(packet.time)
AttributeError: 'tuple' object has no attribute 'time'

正如我在上面的评论中所说,错误信息中有提示。 ans 不是你想的那样

>>> type(ans[0])
<type 'tuple'>
>>> len(ans[0])
2
>>> ans[0]
(<IP  frag=0 proto=icmp dst=216.34.181.48 |<ICMP  |<Raw  load='XXXXXXXXXXX' |>>>, <IP  version=4L ihl=5L tos=0x0 len=39 id=51902 flags=DF frag=0L ttl=235 proto=icmp chksum=0xbe0 src=216.34.181.48 dst=10.227.33.1 options=[] |<ICMP  type=echo-reply code=0 chksum=0xee45 id=0x0 seq=0x0 |<Raw  load='XXXXXXXXXXX' |<Padding  load='\x00\x00\x00\x00\x00\x00\x00' |>>>>)
>>> ans[0][0]
<IP  frag=0 proto=icmp dst=216.34.181.48 |<ICMP  |<Raw  load='XXXXXXXXXXX' |>>>
>>> ans[0][1]
<IP  version=4L ihl=5L tos=0x0 len=39 id=51902 flags=DF frag=0L ttl=235 proto=icmp chksum=0xbe0 src=216.34.181.48 dst=10.227.33.1 options=[] |<ICMP  type=echo-reply code=0 chksum=0xee45 id=0x0 seq=0x0 |<Raw  load='XXXXXXXXXXX' |<Padding  load='\x00\x00\x00\x00\x00\x00\x00' |>>>>

那么我们现在知道什么呢?ans 的每个元素都是一个二元组:

  • 元组的第一个元素是发送的数据包。
  • 元组的第二个元素是相应接收到的数据包。

因此,假设你想在输出中包含这两种类型的数据包:

>>> all_packets = [elem[0] for elem in ans] + [elem[1] for elem in ans]
>>> import operator
>>> all_packets.sort(key=operator.attrgetter("time"))
>>> wrpcap("test.cap", all_packets)
/usr/local/lib/python2.7/site-packages/scapy/utils.py:665: DeprecationWarning: 'I' format requires 0 <= number <= 4294967295
  self.f.write(struct.pack(self.endian+"IIII", sec, usec, caplen, wirelen))
>>> exit()

[14:03:09][root@box:~]$ ls -ltra | tail -1
-rw-r--r--  1 root root       141 2013-02-13 14:02 test.cap

我已经确认这个文件在 Wireshark 中可以正确打开,所以你应该没问题;我建议你进一步测试以确保。不过,结论是:ans 不是你想的那样。

回答于 2025-04-17 由 Python大师
分享 举报

撰写回答