最近,我需要将“tcpdump -i eth0 -neXXs 0”的文本输出转换为pcap文件。因此,我编写了一个python脚本,将信息转换为text 2 pcap可理解的中间格式。由于这是我的第一个python程序,因此显然还有改进的余地。我希望有知识的人能够消除任何差异和/或增强它。
输入
tcpdump输出的格式如下:
20:11:32.001190 00:16:76:7 f:2b:b1〉00:11:5c:78:ca:c 0,以太类型IPv4(0x 0800),长度72:123.236.188.140.41756〉94.59.34.210.45931:UDP,长度30
0x0000: 0011 5c78 cac0 0016 767f 2bb1 0800 4500 ..\x....v.+...E.
0x0010: 003a 0000 4000 4011 812d 7bec bc8c 5e3b .:..@.@..-{...^;
0x0020: 22d2 a31c b36b 0026 b9bd 2033 6890 ad33 "....k.&...3h..3
0x0030: e845 4b8d 2ba1 0685 0cb3 70dd 9b98 76d8 .EK.+.....p...v.
0x0040: 8fc6 8293 bf33 325a .....32Z产出
在此输入代码
text 2 pcap可理解的格式:
20:11:32.001190
0000: 00 11 5c 78 ca c0 00 16 76 7f 2b b1 08 00 45 00 ..\x....v.+...E.
0010: 00 3a 00 00 40 00 40 11 81 2d 7b ec bc 8c 5e 3b .:..@.@..-{...^;
0020: 22 d2 a3 1c b3 6b 00 26 b9 bd 20 33 68 90 ad 33 "....k.&...3h..3
0030: e8 45 4b 8d 2b a1 06 85 0c b3 70 dd 9b 98 76 d8 .EK.+.....p...v.
0040: 8f c6 82 93 bf 33 32 5a .....32Z以下是我的代码。
import re
# Identify time of the current packet.
time = re.compile ('(..:..:..\.[\w]*) ')
# Get individual elements from the packet. ie. offset, hexdump, chars
all = re.compile('[ |\t]+0x([\w]+:) +(.+) +(.*)')
# Regex for two spaces
twoSpaces = re.compile(' +')
# Regex for single space
singleSpace = re.compile(' ')
# Single byte pattern.
singleBytePattern = re.compile(r'([\w][\w])')
# Open files.
f = open ('pcap.txt', 'r')
outfile = open ('ashu.txt', 'w')
for line in f:
result = time.match (line)
if result:
# If current line contains time format dump only time
print result.group()
outfile.write (result.group() + '\n')
else:
print line,
# Split line containing hex dump and tokenize into list elements.
result = all.split (line)
if result:
i = 0
for values in result:
if (i == 2):
# Strip off additional spaces in hex dump
# Useful when hex dump does not end in 16 bytes boundary.
val = twoSpaces.sub ('', values)
# Tokenize individual elements seperated by single space.
byteResult = singleSpace.split (val)
for twoByte in byteResult:
# Identify individual byte
singleByte = singleBytePattern.split(twoByte)
byteOffset = 0
for oneByte in singleByte:
if ((byteOffset == 1) or (byteOffset == 3)):
# Write out individual byte with a space char appended
print oneByte,
outfile.write (oneByte+ ' ')
byteOffset = byteOffset + 1
elif (i == 3):
# Write of char format of hex dump
print " "+values,
outfile.write (' ' + values+ ' ')
elif (i == 4):
outfile.write (values)
else:
print values,
outfile.write (values + ' ')
i=i+1
else:
print "could not split"
f.close ()
outfile.close ()
2条答案
按热度按时间cbjzeqam1#
使用
tcpdump的-w选项写入pcap格式文件Wireshark应该可以读取它。
ih99xse12#
我做了一个powershell的等价物。text2pcap.exe接受它,但我得到了大部分“不一致的偏移量。期望0,得到10。忽略包的其余部分”警告。Wireshark打开,但看起来不正确。我要检查我的tcpdump操作数和text2pcap操作数,看看我是否可以让它看起来更好。
下面的代码可以帮助到别人。