Scapy:将sr的输出保存到磁盘

时间:2013-01-28 10:17:59

标签: python pickle dump scapy

Scapy 中,我想将sr的输出保存到磁盘以供日后分析。

ans, unans = sr(somePackets)

虽然unans对scapy的内置函数wrpcap没有任何问题,但我似乎无法将ans保存到磁盘。

>>> wrpcap(locationOnDisk, ans)
WARNING: PcapWriter: unknown LL type for tuple. Using type 1 (Ethernet)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 470, in wrpcap
    PcapWriter(filename, *args, **kargs).write(pkt)
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 653, in write
    self._write_packet(p)
  File "/usr/lib/python2.7/dist-packages/scapy/utils.py", line 692, in _write_packet
    sec = int(packet.time)
AttributeError: 'tuple' object has no attribute 'time'

实际上,time为我最感兴趣的每个数据包添加了属性sr

所以我尝试了 pickle ,但情况更糟:

>>> pickle.dump(ans, open(locationOnDisk, "w+"))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/pickle.py", line 1370, in dump
    Pickler(file, protocol).dump(obj)
  File "/usr/lib/python2.7/pickle.py", line 224, in dump
    self.save(obj)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 725, in save_inst
    save(stuff)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 600, in save_list
    self._batch_appends(iter(obj))
  File "/usr/lib/python2.7/pickle.py", line 615, in _batch_appends
    save(x)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 562, in save_tuple
    save(element)
  File "/usr/lib/python2.7/pickle.py", line 331, in save
    self.save_reduce(obj=obj, *rv)
  File "/usr/lib/python2.7/pickle.py", line 419, in save_reduce
    save(state)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 725, in save_inst
    save(stuff)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 649, in save_dict
    self._batch_setitems(obj.iteritems())
  File "/usr/lib/python2.7/pickle.py", line 663, in _batch_setitems
    save(v)
  File "/usr/lib/python2.7/pickle.py", line 286, in save
    f(self, obj) # Call unbound method with explicit self
  File "/usr/lib/python2.7/pickle.py", line 748, in save_global
    (obj, module, name))
pickle.PicklingError: Can't pickle <function <lambda> at 0x976c224>: it's not found as scapy.layers.inet.<lambda>

有什么方法可以解决这个问题吗?

1 个答案:

答案 0 :(得分:1)

[13:44:49][root@box:~]$ scapy    
Welcome to Scapy (2.1.0)
>>> sr
<function sr at 0x8cc3614>
>>> ans, unans = sr(IP(dst="www.slashdot.org")/ICMP()/"XXXXXXXXXXX")
Begin emission:
.Finished to send 1 packets.
.*
Received 3 packets, got 1 answers, remaining 0 packets

>>> ans
<Results: TCP:0 UDP:0 ICMP:1 Other:0>
>>> type(ans)
<type 'instance'>
>>> dir(ans)
['__add__', '__doc__', '__getattr__', '__getitem__', '__getslice__', '__init__', '__module__', '__repr__', '_dump_document', '_elt2pkt', '_elt2show', '_elt2sum', 'afterglow', 'conversations', 'diffplot', 'display', 'filter', 'hexdump', 'hexraw', 'listname', 'make_lined_table', 'make_table', 'make_tex_table', 'multiplot', 'nsummary', 'nzpadding', 'padding', 'pdfdump', 'plot', 'psdump', 'rawhexdump', 'replace', 'res', 'sessions', 'show', 'sr', 'stats', 'summary', 'timeskew_graph']

那么我们知道什么?我们现在知道ans绝对不是数据包列表,而是提供元组语义(__getitem__等)的其他实例对象,因此scapy将拒绝将其转储到捕获文件:

>>> wrpcap("test.cap", ans)
WARNING: PcapWriter: unknown LL type for tuple. Using type 1 (Ethernet)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/scapy/utils.py", line 466, in wrpcap
    PcapWriter(filename, *args, **kargs).write(pkt)
  File "/usr/local/lib/python2.7/site-packages/scapy/utils.py", line 649, in write
    self._write_packet(p)
  File "/usr/local/lib/python2.7/site-packages/scapy/utils.py", line 688, in _write_packet
    sec = int(packet.time)
AttributeError: 'tuple' object has no attribute 'time'

正如我在上面的评论中所说,提示位于错误消息中。 ans不是您认为的

>>> type(ans[0])
<type 'tuple'>
>>> len(ans[0])
2
>>> ans[0]
(<IP  frag=0 proto=icmp dst=216.34.181.48 |<ICMP  |<Raw  load='XXXXXXXXXXX' |>>>, <IP  version=4L ihl=5L tos=0x0 len=39 id=51902 flags=DF frag=0L ttl=235 proto=icmp chksum=0xbe0 src=216.34.181.48 dst=10.227.33.1 options=[] |<ICMP  type=echo-reply code=0 chksum=0xee45 id=0x0 seq=0x0 |<Raw  load='XXXXXXXXXXX' |<Padding  load='\x00\x00\x00\x00\x00\x00\x00' |>>>>)
>>> ans[0][0]
<IP  frag=0 proto=icmp dst=216.34.181.48 |<ICMP  |<Raw  load='XXXXXXXXXXX' |>>>
>>> ans[0][1]
<IP  version=4L ihl=5L tos=0x0 len=39 id=51902 flags=DF frag=0L ttl=235 proto=icmp chksum=0xbe0 src=216.34.181.48 dst=10.227.33.1 options=[] |<ICMP  type=echo-reply code=0 chksum=0xee45 id=0x0 seq=0x0 |<Raw  load='XXXXXXXXXXX' |<Padding  load='\x00\x00\x00\x00\x00\x00\x00' |>>>>

那么我们现在知道什么? ans的每个元素都是两元组:

  • 元组的第一个元素是发送的数据包。
  • 元组的第二个元素是收到的相应数据包

因此,假设您在输出中需要两种数据包:

>>> all_packets = [elem[0] for elem in ans] + [elem[1] for elem in ans]
>>> import operator
>>> all_packets.sort(key=operator.attrgetter("time"))
>>> wrpcap("test.cap", all_packets)
/usr/local/lib/python2.7/site-packages/scapy/utils.py:665: DeprecationWarning: 'I' format requires 0 <= number <= 4294967295
  self.f.write(struct.pack(self.endian+"IIII", sec, usec, caplen, wirelen))
>>> exit()

[14:03:09][root@box:~]$ ls -ltra | tail -1
-rw-r--r--  1 root root       141 2013-02-13 14:02 test.cap

我已经确认这个文件在Wireshark中正确打开,所以你应该好好去;我建议进一步测试。但是,结论是:ans不是你想象的那样。

相关问题
最新问题