我的目标是从pcap文件中嗅探数据包,修改数据包的最后4个字节并发送它。现在,我这样做:
from scapy.all import *
from struct import pack
from struct import unpack
pkt = sniff(offline="my.pcap", count=1)
pkt_hex = str(pkt)
# getting output like '\x00\x04\x00 ... ... \x06j]'
last_4 = unpack('!I',pkt_hex[-4:])[0]
# getting last 4 bytes and converting it to integer
rest = pkt_hex[:-4]
# getting whole packet in string except last 4 bytes
new_pkt = rest + pack('>I',(last_4+1))
# created the whole packet again with last 4 bytes incremented by 1
# the new string is like '\x00\x04\x00 ... ... \x06j^'
现在我的问题是我无法将其转换回Scapy的分层数据包对象,因此无法使用sendp发送它。
PS:我要重新计算校验和。但是,一旦我将其转换为数据包对象,我就可以在this之后重新计算校验和。
答案 0 :(得分:2)
您可以使用原始数据包的类重建数据包,但程序中还有其他错误。
sniff函数上的official API documentation表示它返回一个列表:
sniff(prn=None, lfilter=None, count=0, store=1, offline=None, L2socket=None, timeout=None)嗅探来自网络的数据包并将其返回到数据包列表中。
因此,不是使用pkt_hex = str(pkt)提取数据包,而是提取数据包的正确格式为pkt_hex = str(pkt[0])。
完成后,您可以自由更改数据包,更新其校验和(如建议here)并使用原始数据包的类重建它,如下所示(注意我的评论):
from scapy.all import *
from struct import pack
from struct import unpack
pkts = sniff(offline="my.pcap", count=1)
pkt = pkts[0] # <--- NOTE: correctly extract the packet
del pkt.chksum # <--- NOTE: prepare for checksum recalculation
del pkt[TCP].chksum # <--- NOTE: prepare for TCP checksum recalculation (depends on the transport layer protocol in use)
pkt_hex = str(pkt)
# getting output like '\x00\x04\x00 ... ... \x06j' <--- NOTE: there is no trailing ']'
last_4 = unpack('!I',pkt_hex[-4:])[0]
# getting last 4 bytes and converting it to integer
rest = pkt_hex[:-4]
# getting whole packet in string except last 4 bytes
new_hex_pkt = rest + pack('>I',(last_4+1))
# created the whole packet again with last 4 bytes incremented by 1
# the new string is like '\x00\x04\x00 ... ... \x06k' <--- NOTE: 'j' was incremented to 'k' (rather than ']' to '^')
new_pkt = pkt.__class__(new_hex_pkt) # <--- NOTE: rebuild the packet and recalculate its checksum
sendp(new_pkt) # <--- NOTE: send the new packet
修改
请注意,这不会保留数据包的时间戳,后者会更改为当前时间。要保留原始时间戳,请将其分配给new_pkt.time:
new_pkt.time = pkt.time
但是,正如here所解释的那样,即使在更改数据包的时间戳并发送它之后,更新的时间戳也不会反映在the timestamp is set in the receiving machine as the packet is received以来另一端收到的数据包中。