Scapy:使用PacketListField解析数据包中包含的多个数据包

时间:2015-11-17 11:58:57

标签: python packet scapy bacnet

我正在尝试剖析数据包,它封装了另一个类似于数据包的结构,名为" tags"。结构看起来像这样

+---------+
|Ether    |
+---------+
|IP       |                   a tag
+---------+
|UDP      |                +------------+
+---------+                |tagNumber   |
|BVLC     |                +------------+
+---------+                |tagClass    |
|NPDU     |                +------------+
+---------+           +-+  |LVT field   |
|APDU     |           |    +------------+
|  +------+--+        |    |            |
|  |Tag 1    | <------+    |  data      |
|  +---------+             |            |
|  |Tag 2    |             +------------+
|  +---------+
|  |Tag n    |
+------------+

为此,我创建了一个派生自现有PacketListField的类,如下所示:

class TagListField(PacketListField):
    def __init__(self):
        PacketListField.__init__(
            self,
            "tags",
            [],
            guessBACNetTagClass,

引用的guessBACNetTagClass是一个函数,它返回解析标记所需的正确类。

BACNetTagClasses = {
    0x2: "BACNetTag_U_int",
    0xC: "BACNetTag_Object_Identifier"
}

def guessBACNetTagClass(packet, **kargs):

    """ Returns the correct BACNetTag Class needed to dissect
        the current tag

        @type    packet:    binary string
        @param   packet:    the current packet

        @type    cls:       class
        @param   cls:       the correct class for dissection
    """

    tagByteBinary = "{0:b}".format(int(struct.unpack("!B", packet[0])[0]))
    tagNumber = int(tagByteBinary[0:4],2)
    clsName = BACNetTagClasses.get(tagNumber)
    cls = globals()[clsName]
    return cls(packet, **kargs)

目前,您可以从上面的BACNetTagClasses字典中看到其中两个类。

class BACNetTag_Object_Identifier(Packet):
    name = "BACNetTag_Object_Identifier"
    fields_desc =[
        # fields
    ]

class BACNetTag_U_int(Packet):
    name = "BACNetTag_U_int"
    fields_desc = [
        # fields
    ]

在名为APDU的封装层中,我添加了TagListField,就像另一个字段一样。 

class APDU(Packet):

    name = "APDU"
    fields_desc = [
        # Some other fields

        TagListField()
    ]

我目前正在尝试剖析的数据包包含多个标记。可以正确解析第一个(类型BACNetTag_Object_Identifier),但其余标记仅作为原始有效负载列出。 

[<Ether |<UDP |<BVLC |<NPDU |<APDU 
pduType=UNCONFIRMED_SERVICE_REQUEST reserved=None serviceChoice=I_AM
tags=[<BACNetTag_Object_Identifier  tagNumber=BACNET_OBJECT_IDENTIFIER
tagClass=APPLICATION lengthValueType=4L objectType=DEVICE
instanceNumber=640899L |<Raw  load='"\x01\xe0\x91\x00!\xde'
|>>] |>>>>>>]

我的PacketListField实施有问题吗?据我了解,该字段应尝试剖析剩余的标记,直到不再留下字节为止。

更新:

使用.show()可以了解有关数据包结构的更多信息

###[ APDU ]###
  pduType   = UNCONFIRMED_SERVICE_REQUEST
  reserved  = None
  serviceChoice= I_AM
  \tags      \
   |###[ BACNetTag_Object_Identifier ]###
   |  tagNumber = BACNET_OBJECT_IDENTIFIER
   |  tagClass  = APPLICATION
   |  lengthValueType= 4L
   |  objectType= DEVICE
   |  instanceNumber= 640899L
   |###[ Raw ]###
   |     load      = '"\x01\xe0\x91\x00!\xde'

Scapy只会将剩余的字节作为Raw图层附加到现有的tags字段。这很有趣,但我仍然不知道为什么会这样做。

1 个答案:

答案 0 :(得分:2)

尝试使用以下方法覆盖extract_padding类的BACNet_Tag*方法:

def extract_padding(self, s):
return '', s

我在PacketListField上遇到了类似的问题,并发现了这个stackoverflow帖子:

Scapy: Adding new protocol with complex field groupings

相关问题
最新问题