I'm starting out with Python. I have a .pcap file captured with Wireshark that contains DNS queries and responses. I need to open this file and extract the requested hostnames and return the record types and IP addresses. I have found several libraries that can read pcap files, but I don't know which one is best suited for this. Can you recommend one?
Answer 0 (score: 2)
Scapy is a good one.
from scapy.all import rdpcap, IP
from scapy.layers.dns import DNS, DNSQR

# DNS record type number -> name (the qtype field of the question record)
types = {0: 'ANY', 255: 'ALL', 1: 'A', 2: 'NS', 3: 'MD', 4: 'MF', 5: 'CNAME',
         6: 'SOA', 7: 'MB', 8: 'MG', 9: 'MR', 10: 'NULL', 11: 'WKS', 12: 'PTR',
         13: 'HINFO', 14: 'MINFO', 15: 'MX', 16: 'TXT', 17: 'RP', 18: 'AFSDB',
         28: 'AAAA', 33: 'SRV', 38: 'A6', 39: 'DNAME'}

dns_packets = rdpcap('file.pcap')
for packet in dns_packets:
    if packet.haslayer(DNS) and packet.haslayer(DNSQR) and packet.haslayer(IP):
        packet.show()                       # dump every layer of the packet
        dst = packet[IP].dst
        rec_type = packet[DNSQR].qtype      # type of the first question record
        print(dst, types.get(rec_type, rec_type))   # fall back to the raw number for unknown types
Sample output:
###[ Ethernet ]###
dst = 00:16:e3:19:27:15
src = 00:04:76:96:7b:da
type = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 70
id = 0
flags = DF
frag = 0L
ttl = 64
proto = udp
chksum = 0xb753
src = 192.168.1.2
dst = 192.168.1.1
\options \
###[ UDP ]###
sport = 2128
dport = domain
len = 50
chksum = 0x8397
###[ DNS ]###
id = 12575
qr = 0L
opcode = QUERY
aa = 0L
tc = 0L
rd = 1L
ra = 0L
z = 0L
ad = 0L
cd = 0L
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = '2.1.168.192.in-addr.arpa.'
| qtype = PTR
| qclass = IN
an = None
ns = None
ar = None
('192.168.1.1', 'PTR')
The last line is the outgoing IP address and the record type. There is a lot of data; just pick what you need.
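The answer above only reads the question side of each packet; the question also asked for the addresses in the responses. As an added example (not part of the answer, and not scapy code), the following standard-library parser decodes one DNS message, handling RFC 1035 name compression, and returns the qname, the record type name and the rdata of each answer; it runs against a constructed response embedded inline. The scapy call mentioned in the usage note, `bytes(pkt[UDP].payload)`, is an assumption about how you would obtain that message from a pcap.

```python
import socket
import struct
# Record type numbers -> names for the types this parser decodes
TYPE_NAMES = {1: 'A', 2: 'NS', 5: 'CNAME', 12: 'PTR', 15: 'MX', 16: 'TXT', 28: 'AAAA'}

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # 2-byte compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end   # the outer stream resumes after the first pointer
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (off if end is None else end)

def parse_dns(msg):
    """Parse one DNS message (the UDP payload) into its questions and answers."""
    ident, flags, qdcount, ancount = struct.unpack('!HHHH', msg[:8])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        qtype = struct.unpack('!H', msg[off:off + 2])[0]
        off += 4                                    # skip qtype and qclass
        questions.append((qname, TYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        value = msg[off:off + rdlen].hex()          # raw rdata for types not decoded below
        if rtype == 1:
            value = socket.inet_ntop(socket.AF_INET, msg[off:off + 4])
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, msg[off:off + 16])
        elif rtype in (2, 5, 12):
            value, _ = read_name(msg, off)          # rdata is a name and may itself be compressed
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), value))
        off += rdlen
    return {'id': ident, 'response': bool(flags & 0x8000), 'questions': questions, 'answers': answers}

# Constructed sample response: www.example.com A -> CNAME example.com -> A 192.0.2.10
SAMPLE_RESPONSE = (
    b'\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00'                  # header: id, QR=1, qd=1, an=2
    b'\x03www\x07example\x03com\x00\x00\x01\x00\x01'                     # question: www.example.com A IN
    b'\xc0\x0c\x00\x05\x00\x01\x00\x00\x0e\x10\x00\x02\xc0\x10'          # CNAME, owner and rdata are pointers
    b'\xc0\x10\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a'  # example.com A 192.0.2.10
)
```

With scapy, call `parse_dns(bytes(pkt[UDP].payload))` for each packet that has a DNS layer; `response` tells you whether the message is a query or an answer, so you can pair them by `id`.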