我的指示是阅读从Wireshark程序转储的wireshark.bin数据文件并选择数据包时间。我不知道如何跳过标题并第一次找到。
"""
reads the wireshark.bin data file dumped from the wireshark program
"""
from datetime import datetime
import struct
import datetime
#file = r"V:\workspace\Python3_Homework08\src\wireshark.bin"
file = open("wireshark.bin", "rb")
idList = [ ]
with open("wireshark.bin", "rb") as f:
while True:
bytes_read = file.read(struct.calcsize("=l"))
if not bytes_read:
break
else:
if len(bytes_read) > 3:
idList.append(struct.unpack("=l", bytes_read)[0])
o = struct.unpack("=l111", bytes_read)[0]
print( datetime.date.fromtimestamp(o))
答案 0 :(得分:1)
尝试一次读取整个文件,然后以列表形式访问它:
data = open("wireshark.bin", "rb").read() # let Python automatically close file
magic = data[:4] # magic wireshark number (also reveals byte order)
gmt_correction = data[8:12] # GMT offset
data = data[24:] # actual packets
现在,您可以循环遍历(16?)字节大小的数据块,查看每个块中适当的偏移量,以获取时间戳。
幻数是0xa1b2c3d4,需要四个字节或两个字。我们可以通过使用struct模块检查前四个字节来确定顺序(big-endian或little-endian):
magic = struct.unpack('>L', data[0:4])[0] # before the data = data[24:] line above
if magic == 0xa1b2c3d4:
order = '>'
elif magic == 0xd4c3b2a1:
order = '<'
else:
raise NotWireSharkFile()
现在我们有了订单(并知道它是一个wireshark文件),我们可以遍历数据包:
field0, field1, field2, field3 = \
struct.unpack('%sllll' % order, data[:16])
payload = data[16 : 16 + field?]
data = data[16 + field?]
我的名字含糊不清,因为这是作业,但那些field?名称代表存储在数据包标题中的信息,包括时间戳和后续数据包数据的长度。
此代码不完整,但希望足以让您前进。