概述
在过去的几年中,我一直在使用Wireshark成功捕获和分析网络流量样本。 然后,我通常需要通过将捕获文件封装在GTP层中来修改它,以便可以使用专有工具对pcap进行后期处理。 我一直在linux环境中使用python脚本成功地实现了这一目标,该脚本使用类似于
import sys
import dpkt
from dpkt.ip import IP
from dpkt.udp import UDP
from optparse import OptionParser
import struct
import socket
# from pcapy import *
ETHERNET_SRC = "x01x02x03x04x05x06"
ETHERNET_DST = "xA1xA2xA3xA4xA5xA6"
GGSN_IP_SRC= "xd5xe9x82x38" #"213.233.130.56"
GGSN_IP_DST= "xd5xe9x82x37" #"213.233.130.55"
userip = None
global_userip = "x0ax44x17x5b"
total_packets_writes = 0
pcap_writer = None
# pcap file pid383_session1_272017012778276.pcap is on the Destkop
# GTP HEADER FOR CREATE PDP CONTEXT
# TID x84xbax40x11 for downstream
# TID 81fbe032 for upstream
# ip client 0a 44 17 5b
gtp_pdp_context_request = "x32x10x00xa1x00x00x00x00x20xacx00x00x02x72x02x71"
"x10x72x87x72xf6x0fxfcx10x84xbax40x11x11x80xcex00"
"x11x14x0ax80x00x02xf1x21x83x00x15x05x74x65x73x74"
"x31x02x68x73x08x76x6fx64x61x66x6fx6ex65x02x69x65"
"x84x00x1dx80xc0x23x06x01x06x00x06x00x00x80x21x10"
"x01x01x00x10x81x06x00x00x00x00x83x06x00x00x00x00"
"x85x00x04xd5xe9x82x38x85x00x04xd5xe9x82x38x86x00"
"x07x91x53x83x97x23x75x33x87x00x0fx02x22x92x1fx93"
"x96xfexfex74x05x01x01x00x4fx00x97x00x01x01x98x00"
"x08x01x72xf2x10x0bxccxccx65x99x00x02x40x01x9ax00"
"x08x53x88x85x40x19x74x27x50"
gtp_pdp_context_response="x32x11x00x57x80xcex00x11x20xacx00x00x01x80x08xfe"
"x10x81xfbxe0x32x11x95xcax80x32x7fx10x9bxfbx08x80"
"x00x06xf1x21" "x0ax44x17x5b" "x84x00x14x80x80x21x10x03"
"x01x00x10x81x06x59x13x40xa4x83x06x59x13x40x24x85"
"x00x04xd5xe9x82x37x85x00x04xd5xe9x82x37x87x00x0f"
"x02x22x92x1fx93x96xfexfex74x05x01x01x00x4fx00"
gtp_pdp_user_data_up = "x30xffx00x3cx81xfbxe0x32"
gtp_pdp_user_data_down = "x30xffx00x3cx80xcex00x11"
# GTP HEADER FOR PDP UPDATE
"""
0000 32 12 00 3f 95 ca 80 32 20 ad 00 00 10 84 ba 40
0010 11 14 0a 85 00 04 d5 e9 82 38 85 00 04 d5 e9 82
0020 38 87 00 0f 02 22 92 1f 93 96 fe fe 74 05 01 01
0030 00 4a 00 97 00 01 01 98 00 08 01 72 f2 10 0b cc
0040 cc 65 99 00 02 40 01"""
def parseOptions():
"""Parse the user options"""
usage = "Usage: %prog [options]"
p = OptionParser(usage)
p.add_option("-f", "--pcapfile", dest="pcapfile",
help="Pcapfile for add the GTP header.")
p.add_option("-i", "--userip", dest="userip",
help="User IP address.")
p.add_option("-r", "--remove", dest="remove",action="store_true",
help="Remove the GTP layer.")
p.add_option("-v", "--verbose",action="count",dest="verbose",default=0,
help="Shows extra information.")
return p
def generatePdpContextRequest(w):
eth = dpkt.ethernet.Ethernet(src=ETHERNET_SRC,dst=ETHERNET_DST)
udp = UDP(sport=1024, dport=2123,data = gtp_pdp_context_request)
ip = IP(src=GGSN_IP_SRC,dst=GGSN_IP_DST, data = udp)
ip.p = 17
ip.data = udp
ip.len = 8 + 20 + len(gtp_pdp_context_request)
udp.ulen = 8 + len(gtp_pdp_context_request)
eth.data = ip
w.writepkt(eth)
def generatePdpContextResponse(w):
eth = dpkt.ethernet.Ethernet(src=ETHERNET_DST,dst=ETHERNET_SRC)
udp = UDP(sport=2123, dport=1024,data = gtp_pdp_context_response)
ip = IP(src=GGSN_IP_DST,dst=GGSN_IP_SRC,data=udp)
#ip = IP (dst='x01x02x03x04', src='x05x06x07x08',data = udp)
ip.p = 17
ip.data = udp
ip.len = 8 + 20 + len(gtp_pdp_context_response)
udp.ulen = 8 + len(gtp_pdp_context_response)
eth.data = ip
w.writepkt(eth)
def generateUserData(w,isUp,length,data):
if(isUp):
srceth= ETHERNET_SRC
dsteth= ETHERNET_DST
srcip = GGSN_IP_SRC
dstip = GGSN_IP_DST
gtp_header = "x30xff" + struct.pack(">h",length) + "x81xfbxe0x32"
srcport = 1024
dstport = 2152
else:
srceth= ETHERNET_DST
dsteth= ETHERNET_SRC
srcip = GGSN_IP_DST
dstip = GGSN_IP_SRC
gtp_header = "x30xff" + struct.pack(">h",length) + "x84xbax40x11"
srcport = 2152
dstport = 1024
f_data = gtp_header + data
f_length = 8 + length
udp = UDP(sport = srcport,dport=dstport,data=f_data)
ip = IP(src=srcip,dst=dstip,data = udp)
eth = dpkt.ethernet.Ethernet(src=srceth,dst=dsteth,data = ip)
ip.p = 17
ip.len = 20 + 8+ f_length
udp.ulen = 8 + f_length
w.writepkt(eth)
def processPcapFile(filename):
total_packets = 0
total_packets_writes = 0
total_packets_nowrites = 0
total_bogus_packets = 0
pcap=dpkt.pcap.Reader(file(filename,"rb"))
try:
for ts, buf in pcap:
total_packets += 1
if pcap.datalink() == dpkt.pcap.DLT_LINUX_SLL:
l2 = dpkt.sll.SLL(buf)
else:
l2 = dpkt.ethernet.Ethernet(buf)
raw_data = l2.data
if (str(type(l2.data)) != ""):
""" Check for other types of encapsulation """
if (str(type(l2.data)) == ""):
raw_data = l2.data.ppp.ip
else:
total_bogus_packets += 1
continue
ip = raw_data
if(socket.inet_ntoa(ip.src) == userip):
direction = True
newip = IP(src=global_userip,dst=ip.dst,p=ip.p,len=ip.len,data=ip.data)
generateUserData(pcap_writer,direction,ip.len,str(newip))
total_packets_writes += 1
elif(socket.inet_ntoa(ip.dst) == userip):
direction = False
total_packets_writes += 1
newip = IP(src=ip.src,dst=global_userip,p=ip.p,len=ip.len,data=ip.data)
generateUserData(pcap_writer,direction,ip.len,str(newip))
else:
total_packets_nowrites += 1
except:
e = sys.exc_info()[0]
print("ERROR during processing packets:",e, " packet:",total_packets)
print "Total bogus packets>:", total_bogus_packets
print "Total user packets writes:",total_packets_writes
print "Total nonuser packets :",total_packets_nowrites
def removeGTPLayerFromPcapfile(filename):
total_packets_writes = 0
total_bogus_packets = 0
f = open("%sGTP.pcap" % filename ,"w")
writer = dpkt.pcap.Writer(f)
pcap=dpkt.pcap.Reader(file(filename,"rb"))
for ts, buf in pcap:
if pcap.datalink() == dpkt.pcap.DLT_LINUX_SLL:
l2 = dpkt.sll.SLL(buf)
else:
l2 = dpkt.ethernet.Ethernet(buf)
if (str(type(l2.data)) != ""):
total_bogus_packets += 1
continue
ip = l2.data
udp = ip.data
gtp = udp.data
gtp_length = int(gtp[0])
# print "%d %x" % (gtp_length,gtp_length)
if (gtp_length ==0):
offset = 8
else:
offset = 12
eth = dpkt.ethernet.Ethernet(src=ETHERNET_DST,dst=ETHERNET_SRC,data=gtp[offset:])
writer.writepkt(eth)
total_packets_writes += 1
writer.close()
f.close()
print "Total bogus packets>:", total_bogus_packets
print "Total packets writes:",total_packets_writes
if __name__ == "__main__":
parser = parseOptions()
(options, args) = parser.parse_args()
if(options.pcapfile == None):
parser.error("Argument is required")
sys.exit(1)
if (options.remove == True):
print "Removing GTP Layer from pcapfile."
removeGTPLayerFromPcapfile(options.pcapfile)
sys.exit(0)
if(options.userip == None):
parser.error("Argument is required")
sys.exit(1)
userip = options.userip
f = open("%sGTP.pcap" % options.pcapfile ,"w")
pcap_writer = dpkt.pcap.Writer(f)
generatePdpContextRequest(pcap_writer)
generatePdpContextResponse(pcap_writer)
processPcapFile(options.pcapfile)
pcap_writer.close()
f.close()
sys.exit(0)
正如我提到的那样,它总是在linux环境中成功运行,在Linux环境中,每个附加的GTP头正确地插入了Hex,但是我的问题是我需要将此端口移植到Windows,现在突然我的附加GTP头被插入了ascii而不是hex导致无效的结果pcap。 我想知道这是否与Winpcap V Libpcap有关,或者是否还有其他原因,实际上是否有人对如何解决此问题有任何建议。
亲切的问候
曼德拉克
最后
以上就是清秀保温杯为你收集整理的python调用wireshark_python - 使用python向Wireshark捕获添加协议 - 堆栈内存溢出的全部内容,希望文章能够帮你解决python调用wireshark_python - 使用python向Wireshark捕获添加协议 - 堆栈内存溢出所遇到的程序开发问题。
如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。
发表评论 取消回复