python/scapy DNS嗅探器和par

2024-05-14 12:50:58 发布


我有一个用 python/scapy 编写的 DNS 嗅探器。我可以嗅探 DNS 消息并获取 IP/UDP 的源和目标 IP 地址及端口,但在解析 DNS 部分时遇到了问题。希望能得到一些帮助或解决办法。

#!/usr/bin/env python

from scapy.all import *
from datetime import datetime
import time
import datetime
import sys

############# MODIFY THIS PART IF NECESSARY ###############
# Capture interface handed to sniff(); change it to match the host.
interface = 'eth0'
# BPF capture filter handed to sniff(): DNS over UDP port 53, either direction.
filter_bpf = 'udp and port 53'

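# ------ SELECT/FILTER MSGS
def select_DNS(pkt):
    """sniff() callback: print one line per DNS query or response in *pkt*.

    Args:
        pkt: a sniffed scapy packet. With the filter above it is UDP/53
            traffic, but the callback still checks for the UDP layer itself.

    A query (DNSQR layer, destination port 53) is reported with its qname;
    a response (DNSRR layer, source port 53) with the first answer's rrname
    and rdata. Packets without a UDP layer are ignored. The callback never
    lets an exception escape, because an exception raised from prn stops
    sniff().
    """
    # pkt.time is the capture timestamp (seconds since the epoch). The
    # original '%sent.time%' sprintf format names no scapy layer.field, so
    # it never produced a time; 'time' is the stdlib module imported above.
    pkt_time = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(float(pkt.time)))
    try:
        if UDP not in pkt:
            return
        udp = pkt[UDP]
        if DNSQR in pkt and udp.dport == 53:
            # queries: the question name is what the sniffer is after
            print('[**] Detected DNS QR Message at: %s  qname=%s'
                  % (pkt_time, pkt[DNSQR].qname))
        elif DNSRR in pkt and udp.sport == 53:
            # responses: pkt[DNSRR] is the first resource record (the answer)
            rr = pkt[DNSRR]
            print('[**] Detected DNS RR Message at: %s  rrname=%s rdata=%s'
                  % (pkt_time, rr.rrname, rr.rdata))
    except AttributeError as exc:
        # Truncated or unexpected packet: report it and keep sniffing instead
        # of silently dropping it (the original bare except hid every error).
        sys.stderr.write('[!] skipped packet: %s\n' % exc)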
# ------ START SNIFFER
# Blocks until interrupted; store=0 discards packets after prn has seen them.
sniff(
    iface=interface,
    filter=filter_bpf,
    store=0,
    prn=select_DNS,
)

2条回答
>>> ls(DNS)
id         : ShortField           = (0)
qr         : BitField             = (0)
opcode     : BitEnumField         = (0)
aa         : BitField             = (0)
tc         : BitField             = (0)
rd         : BitField             = (0)
ra         : BitField             = (0)
z          : BitField             = (0)
rcode      : BitEnumField         = (0)
qdcount    : DNSRRCountField      = (None)
ancount    : DNSRRCountField      = (None)
nscount    : DNSRRCountField      = (None)
arcount    : DNSRRCountField      = (None)
qd         : DNSQRField           = (None)
an         : DNSRRField           = (None)
ns         : DNSRRField           = (None)
ar         : DNSRRField           = (None)
>>> ls(DNSQR)
qname      : DNSStrField          = ('.')
qtype      : ShortEnumField       = (1)
qclass     : ShortEnumField       = (1)
>>> ls(DNSRR)
rrname     : DNSStrField          = ('.')
type       : ShortEnumField       = (1)
rclass     : ShortEnumField       = (1)
ttl        : IntField             = (0)
rdlen      : RDLenField           = (None)
rdata      : RDataField           = ('')
>>> 

如果上面的层定义和字段不够用,您可以定义自己的层(define your own layer)并用自定义层来解码数据包,或者直接从原始有效负载中提取数据。至于时间戳,可以使用 pkt.time。

我是在搜索如何处理已捕获的 pcap 文件时来到这里的。

这是我的解决方案:

#!/usr/bin/env python

from scapy.all import *
from scapy.layers.dns import DNSRR, DNS, DNSQR

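pcap = '/path/.../to/.../pcap/.../.pcap'
pkts = rdpcap(pcap)


def _dns_name(p):
    """Return the name to print for the DNS packet *p*, or None to skip it.

    A response (qr == 1) that carries answers yields the first answer's
    rdata; any other packet with a question section yields the first
    question's qname. Lookups go through p[DNSRR] / p[DNSQR] rather than
    p.an / p.qd so they do not depend on how the scapy build stores the
    qd/an fields.
    """
    dns = p[DNS]
    # Responses repeat the question, so the response test must come first:
    # testing qdcount first would print the qname for every response and
    # never reach the rdata branch.
    if dns.qr == 1 and dns.ancount and DNSRR in p:
        return p[DNSRR].rdata
    if dns.qdcount and DNSQR in p:
        return p[DNSQR].qname
    return None


for p in pkts:
    if not p.haslayer(DNS):
        continue
    name = _dns_name(p)
    if name is None:
        continue
    print(name)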
