我是python的新手,有一个小项目,我需要解析pcap并提取某些数据。我现在卡住了!我需要帮助的是如何解析数据包流的实际数据内容。
我想要做的是,例如使用正则表达式,如果regexp匹配数据包打印的内容。
像这样的东西
!/usr/bin/env python
import socket
import dpkt
import time
import re
f = open('pcap.pcap','r')
pcap = dpkt.pcap.Reader(f)
pktCounter = 0
for ts,buff in pcap:
pktCounter += 1
try:
ether = dpkt.ethernet.Ethernet(buff)
# Mac address
src_mac = (ether.dst).encode("hex")
dst_mac = (ether.src).encode("hex")
smac = ':'.join([src_mac[i:i+2] for i in range(0, len(src_mac), 2)])
dmac = ':'.join([dst_mac[i:i+2] for i in range(0, len(dst_mac), 2)])
# Packet
ip = ether.data
tcp = ip.data
src = socket.inet_ntoa(ip.src)
srcport = tcp.sport
dst = socket.inet_ntoa(ip.dst)
dstport = tcp.dport
# Definition of Time
showTime = time.gmtime(ts)
timeF = time.strftime("%Y/%m/%d %H:%M:%S", showTime)
# Packet Size
sizeP = len(buff)
# Data filtering
p = re.compile("<Line>(.*?)\</Line>", re.IGNORECASE|re.DOTALL)
# Packet print
print "PktNr: %s" %(pktCounter)
print "PktSize: %s" %(sizeP)
print "Time: %s" %(timeF)
print "src: (MAC: %s) \033[1;32m(IP:%s)\033[1;m (port:%s) --> dest: (MAC: %s) \033[1;31m(IP:%s)\033[1;m (port:%s)" % (smac,src,srcport,dmac,dst,dstport) + "\n"
print ip
except AttributeError:
pass