流量采集分析工具tshark、pcap

1. 查看当前linux主机活动网卡

# Re-run every 2 s (watch's default) so the per-interface RX/TX counters are refreshed;
# the interface whose byte/packet columns keep moving is the one carrying traffic.
watch 'cat /proc/net/dev'

2. 利用tshark抓包

1. 按个数抓取
# -n: no name resolution; -c 10: stop after 10 packets; -w: store raw frames as pcap.
# /tmp is shared with every local user; keep real capture files under a restricted directory.
tshark -n -i eth0 -c 10 -w /tmp/zhaoyun.pcap
2. 按文件大小抓取
# -a filesize:1024 stops the capture once the output file reaches 1024 kB.
tshark -n -i eth0 -a filesize:1024 -w /tmp/zhaoyun.pcap
3. 按时间抓取
# -a duration:60 stops the capture after 60 seconds.
tshark -n -i eth0 -a duration:60 -w /tmp/zhaoyun.pcap

3. 读取pcap包

# Print source IP, destination IP and the undissected payload field ("data") of
# every packet in the file, one tab-separated row per packet.
tshark -T fields -e ip.src -e ip.dst -e data -r zhaoyun.pcap

4. 利用tshark生成的pcap包解析内容(ntop、nDPI)

从pcap文件生成Metadata

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import binascii
import datetime
import os
import struct
import subprocess
import sys
import time

# Input capture plus the scratch directory and final output location; edit to suit the host.
in_path = "/home/bonelee/dns_tunnel_tool/iodine_when_idle.pcap"
tmp_dir = "/tmp"
out_path = "%s/%s" % (tmp_dir, "out_Metadata.txt")
tshark_path = "/usr/bin/tshark"

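# Run tshark once over the capture and write one '^'-separated row per DNS packet to
# tmp_dir/tsharkResult.txt.  Most columns are deliberate "-e data" placeholders (empty
# for a fully dissected DNS packet, as in the sample output) so the named fields land
# at fixed positions.  The numbers in the comments are 1-based column numbers AFTER
# copyTimeMetadata() has duplicated frame.time_epoch, i.e. as the rest of the script
# indexes them (0-based index = number - 1).
_TSHARK_FIELDS = (
    ["data"] * 2                                    # 1-2
    + ["ip.src",                                    # 3  = sourceIP
       "ip.dst",                                    # 4  = destIP
       "udp.srcport",                               # 5  = sourcePort
       "udp.dstport",                               # 6  = destPort
       "ip.proto"]                                  # 7  = protocol
    + ["data"] * 4                                  # 8-11
    + ["frame.time_epoch"]                          # 12 = flowStartSeconds (13 = its copy, later the reply time)
    + ["data"] * 40                                 # 14-53
    + ["dns.flags.rcode",                           # 54 = DNSReplyCode
       "dns.qry.name",                              # 55 = DNSQueryName
       "dns.qry.type",                              # 56 = DNSRequestRRType
       "dns.qry.class",                             # 57 = DNSRRClass
       "dns.time",                                  # 58 = DNSDelay (request/response gap; recomputed below in microseconds)
       "dns.resp.ttl",                              # 59 = DNSReplyTTL
       "ip.addr",                                   # 60 = DNSReplyIPv4
       "ipv6.addr",                                 # 61 = DNSReplyIPv6
       "dns.resp.type"]                             # 62 = DNSReplyRRType
    + ["data"] * 14                                 # 63-76
    + ["dns.resp.name"]                             # 77 = DNSReplyName
    + ["data"] * 3                                  # 78-80 (81 = hex payload, inserted later)
    + ["data"] * 6                                  # 82-87
    + ["dns.length",                                # 88 = DNSRequestLength
       "data",                                      # 89 = DNSRequestErrLength
       "dns.resp.len",                              # 90 = DNSReplyLength
       "data"]                                      # 91 = DNSReplyErrLength
    + ["data"] * 10                                 # 92-101
)

_tshark_argv = [tshark_path, "-T", "fields", "-E", "separator=^"]
for _field in _TSHARK_FIELDS:
    _tshark_argv += ["-e", _field]
_tshark_argv += ["-Y", "dns", "-r", in_path]

# An argv list with stdout redirected in Python replaces os.system(): the paths reach
# tshark verbatim, so a path containing a space, ';' or '$' can neither break the
# command nor be interpreted by a shell, and the exit status is visible instead of
# being discarded.  A missing tshark binary now raises OSError instead of silently
# producing an empty result file.
with open("%s/tsharkResult.txt" % tmp_dir, "w") as _tshark_out:
    _rc = subprocess.call(_tshark_argv, stdout=_tshark_out)
if _rc != 0:
    sys.stderr.write("warning: tshark exited with status %d; tsharkResult.txt may be incomplete\n" % _rc)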


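# Read the raw pcap, keep each record's bytes past the link/IP/UDP headers and write
# them as one hex string per line (convenient to inspect in a text editor).
payloadResultwithBlank = "%s/payloadResultwithBlank.txt" % tmp_dir

# pcap magic number as stored on disk -> struct byte-order prefix for the headers.
_PCAP_BYTE_ORDER = {
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}
_PCAP_GLOBAL_HEADER_LEN = 24
_PCAP_RECORD_HEADER_LEN = 16
# Bytes skipped at the front of every record before the DNS message.  The original
# hard-coded 58 = 16 (record header) + 42, which matches Ethernet (14) + IPv4 without
# options (20) + UDP (8); VLAN tags, IP options, IPv6 or another link type would make
# this offset wrong -- TODO confirm against the capture's linktype.
_PAYLOAD_OFFSET = 42


def _pcap_byte_order(magic):
    """Return the struct prefix matching the file's byte order.

    Falls back to native order ('=') for an unknown magic number, which is what the
    original unconditional struct.unpack('I', ...) assumed.
    """
    return _PCAP_BYTE_ORDER.get(magic, "=")


def _pcap_payloads(string_data):
    """Yield, for every record of a pcap image, the bytes after _PAYLOAD_OFFSET.

    Records are advanced by incl_len (bytes actually stored in the file), so a capture
    truncated by snaplen stays in sync; the original used orig_len, which only works
    when nothing was truncated.  An incomplete trailing record header ends the walk
    instead of raising struct.error.
    """
    rec_hdr = struct.Struct(_pcap_byte_order(string_data[0:4]) + "IIII")
    pos = _PCAP_GLOBAL_HEADER_LEN
    end = len(string_data)
    while pos + _PCAP_RECORD_HEADER_LEN <= end:
        # record header: ts_sec, ts_usec, incl_len, orig_len
        _ts_sec, _ts_usec, incl_len, _orig_len = rec_hdr.unpack_from(string_data, pos)
        start = pos + _PCAP_RECORD_HEADER_LEN
        yield string_data[start + _PAYLOAD_OFFSET:start + incl_len]
        pos = start + incl_len


with open(in_path, 'rb') as fpcap:          # read-only is enough; 'rb+' was never written to
    string_data = fpcap.read()

# Global header fields, kept as raw bytes for reference (only the magic is consumed).
pcap_header = {
    'magic_number': string_data[0:4],
    'version_major': string_data[4:6],
    'version_minor': string_data[6:8],
    'thiszone': string_data[8:12],
    'sigfigs': string_data[12:16],
    'snaplen': string_data[16:20],
    'linktype': string_data[20:24],
}

packet_data = list(_pcap_payloads(string_data))
packet_num = len(packet_data)

# One hex line per packet.  binascii.hexlify runs on Python 2 and 3 alike, unlike
# the str.encode('hex') codec the original relied on (Python 2 only).
with open(payloadResultwithBlank, 'w') as ftxt:
    for chunk in packet_data:
        ftxt.write(binascii.hexlify(chunk).decode('ascii') + '\n')

# Drop blank lines (records with nothing past the header offset).  NOTE(review): each
# dropped line shifts every later payload up one row relative to tsharkResult.txt,
# which the merge below joins by position -- confirm the capture holds only DNS/UDP
# frames so the two files stay aligned.
payloadResultOver = "%s/payloadResultOver.txt" % tmp_dir
with open(payloadResultwithBlank, "r") as infp, open(payloadResultOver, "w") as outfp:
    for li in infp:
        if li.split():
            outfp.write(li)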

def copyTimeMetadata(string):
    """Split one tshark row on '^' and duplicate column 11 (frame.time_epoch) in place.

    The copy lands at index 12, the slot the matching response's timestamp is written
    into later; until then both columns hold the request time.  Raises IndexError
    for a row with fewer than 12 columns, as the original did.
    """
    columns = string.split('^')
    columns[11:11] = [columns[11]]
    return columns

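# Attach the hex payload of packet k to tshark row k.  The two files are joined purely
# by position, which presumes every packet tshark reported (-Y dns) is also one whose
# payload survived the blank-line filter above -- TODO confirm for the capture in use.
with open("%s/tsharkResult.txt" % tmp_dir) as tsharkFile:
    tsharkData = [copyTimeMetadata(line.replace("\n", "")) for line in tsharkFile]
with open("%s/payloadResultOver.txt" % tmp_dir) as payloadFile:
    payload = [line.replace("\n", "") for line in payloadFile]

if len(payload) != len(tsharkData):
    # Extra tshark rows are written without a payload column; extra payload lines are
    # dropped (the original raised IndexError here).  Either way the columns no longer
    # line up, so say so rather than continue silently.
    sys.stderr.write("warning: %d payload lines but %d tshark rows; payload columns may be misaligned\n"
                     % (len(payload), len(tsharkData)))

for row, hexPayload in zip(tsharkData, payload):
    row.insert(80, hexPayload)                      # becomes 1-based column 81
    if row[76] == "<Root>":                         # dns.resp.name rendered for the empty root label
        row[76] = row[54]                           # fall back to dns.qry.name

# Closed via 'with' before the next step re-opens it for reading; the original never
# closed this handle, so buffered rows could still be unflushed when they were read back.
with open("%s/meteDataWithPayload.txt" % tmp_dir, 'w') as meteDataWithPayload:
    for line in tsharkData:
        meteDataWithPayload.write("^".join(line) + "\n")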

# Working state for the request/response pairing below.
finallyMetedata = []
dataListFromQuery = []      # one row (list of column strings) per DNS request
dataListFromrespon = []
QueriesName_map = {}        # dns.qry.name -> line index of the request that carried it
# 0-based column positions; the comments in the tshark call count from 1.
DNSQueryName = 54           # column 55: dns.qry.name
destPort = 5                # column 6: udp.dstport
DNSDelay = 0


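# Pair every DNS response with the request(s) that asked for the same dns.qry.name and
# copy the response-side columns onto the request row.  A row is a request when its
# udp.dstport column is "53"; every other row is treated as a response.
with open("%s/meteDataWithPayload.txt" % tmp_dir) as f:
    lines = f.readlines()

# dns.qry.name -> every request row carrying that name.  Looking requests up by name
# (instead of scanning the first len(QueriesName_map) rows) keeps working when the
# same name is queried more than once; the counter-based scan skipped the later rows.
requestsByName = {}
for index, line in enumerate(lines):
    line = line.replace("\n", "")
    dataFromQuery = line.split("^")
    if dataFromQuery[destPort] == "53":             # request row: remember it for merging
        dataListFromQuery.append(dataFromQuery)     # every request row, in file order
        QueriesName = dataFromQuery[DNSQueryName]
        QueriesName_map[QueriesName] = index
        requestsByName.setdefault(QueriesName, []).append(dataFromQuery)
count = len(QueriesName_map)                        # number of distinct query names

for line in lines:
    line = line.replace("\n", "")
    dataFromrespon = line.split("^")
    if dataFromrespon[destPort] == "53":
        continue                                    # request rows were handled above
    NAME = dataFromrespon[DNSQueryName]             # query name echoed in the response
    if NAME not in requestsByName:
        print("warning: The response message Could not find the requested message %s" % line)
        continue
    for request in requestsByName[NAME]:
        request[12] = dataFromrespon[12]            # frame.time_epoch of the response (col 13)
        request[53] = dataFromrespon[53]            # dns.flags.rcode (col 54)
        request[58] = dataFromrespon[58]            # dns.resp.ttl (col 59)
        request[89] = dataFromrespon[89]            # dns.resp.len (col 90)
        # Request-to-response delay in microseconds from the two frame.time_epoch
        # values; it overwrites the dns.time column (col 58).
        DNSDelay = (float(request[12]) - float(request[11])) * 1000000
        request[57] = str(DNSDelay)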


# Emit only the requests that received a reply (non-empty dns.flags.rcode).  The
# ip.addr column can hold several addresses joined by ',' (tshark's default field
# aggregator); they are re-joined with ';' so the output keeps one delimiter scheme.
with open(out_path, 'w') as meteDataFile:
    answered = (row for row in dataListFromQuery if row[53] != "")
    for row in answered:
        row[59] = row[59].replace(",", ";")
        meteDataFile.write("^".join(row) + "\n")
示意结果:

^^10.0.2.15^223.5.5.5^60088^53^17^^^^^1512356312.819122000^1512356312.860855000^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^0^daisy.ubuntu.com^1^0x00000001^41733.0265045^1357^10.0.2.15;223.5.5.5^^^^^^^^^^^^^^^^^^^^^4b3601000001000000000000056461697379067562756e747503636f6d0000010001^^^^^^^^^49^^^^^^^^^^^
^^10.0.2.15^223.5.5.5^60088^53^17^^^^^1512356312.819318000^1512356312.860855000^^^^^^^^^^^^^^^
