Constructing serialized packets from a tcpdump log

Time: 2017-04-05 11:57:08

Tags: python regex scripting tcpdump

I am trying to construct packets from the file sample.conv. I am having some trouble finding the packet boundaries correctly. I have shown the expected output, the actual output and the source code. Any help is greatly appreciated.

sample.conv

15:16:11.235743 IP 192.168.0.1 > 192.168.1.1:  ip 26
    0x0000:  00ca fe00 0000 aabb ccdd eeff 8100 6000
    0x0010:  0800 4500 002e 0001 0000 4000 f87c c0a8
    0x0020:  0001 c0a8 0101 909c ea0d dd0b 8ece 45d9
    0x0030:  d0be 5399 d922 b0e5 eeec d8d5 ae3d faa9
    0x0040:  bbcd 5976
15:16:11.239125 IP 192.168.0.1 > 192.168.1.1:  ip 27
    0x0000:  00ca fe00 0000 aabb ccdd eeff 8100 6001
    0x0010:  0800 4500 002f 0001 0000 4000 f87b c0a8
    0x0020:  0001 c0a8 0101 8a9b c997 35a3 24a2 c546
    0x0030:  39b9 a44d 97e5 6542 3c92 3552 9bb8 7f48
    0x0040:  2ceb de91 f1
15:16:11.239639 IP 192.168.0.1 > 192.168.1.1:  ip 28
    0x0000:  00ca fe00 0000 aabb ccdd eeff 8100 6002
    0x0010:  0800 4500 0030 0001 0000 4000 f87a c0a8
    0x0020:  0001 c0a8 0101 6f1a f8a7 a2d6 6def bed3
    0x0030:  0af1 f563 a7cf 0042 054a a0c7 c72d 8862
    0x0040:  dd87 a9fe e5c9

Expected output

sample.conv
15:16:11.235743
00cafe000000aabbccddeeff8100600008004500002e000100004000f87cc0a80001c0a80101909cea0ddd0b8ece45d9d0be5399d922b0e5eeecd8d5ae3dfaa9bbcd5976
15:16:11.239125
00cafe000000aabbccddeeff8100600108004500002f000100004000f87bc0a80001c0a801018a9bc99735a324a2c54639b9a44d97e565423c9235529bb87f482cebde91f1
15:16:11.239639
00cafe000000aabbccddeeff81006002080045000030000100004000f87ac0a80001c0a801016f1af8a7a2d66defbed30af1f563a7cf0042054aa0c7c72d8862dd87a9fee5c9
3

Actual output

sample.conv
15:16:11.235743

15:16:11.239125
00cafe000000aabbccddeeff8100600008004500002e000100004000f87cc0a80001c0a80101909cea0ddd0b8ece45d9d0be5399d922b0e5eeecd8d5ae3dfaa9bbcd5976
15:16:11.239639
00cafe000000aabbccddeeff8100600108004500002f000100004000f87bc0a80001c0a801018a9bc99735a324a2c54639b9a44d97e565423c9235529bb87f482cebde91f1
3

packet_maker.py

import glob
import re

# Matches an hh:mm:ss.ffffff timestamp, which opens a new packet record.
TIMESTAMP_RE = re.compile(r'^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-6][0-9]\.\d+$')
# Matches the "0x0010:" offset label at the start of a hex-dump line.
OFFSET_RE = re.compile(r'(0x)(\w+)(?=:$)')

for file in glob.glob("sample.conv"):
    print(file)
    pkt_count = 0
    pkts = []
    pkt_data = ""
    show_out = ""

    with open(file) as pcap_file:
        for line_data in pcap_file:
            line_array_data = re.findall(r"[\S']+", line_data)

            for line_word in line_array_data:
                if line_word == "0x0000:":
                    pkt_count = pkt_count + 1

                if TIMESTAMP_RE.match(line_word):
                    print(line_word)
                    pkt_data = ""
                    # show_out still holds the hex collected before this timestamp
                    print(show_out)
                elif OFFSET_RE.match(line_word):
                    pkt_line_data = "".join(line_array_data[1:])
                    pkt_data = pkt_data + pkt_line_data
                    show_out = pkt_data

    print(pkt_count)
    pkts.append(pkt_data)
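A parser for the same sample.conv format, added here as an example and not the asker's code or the answer's: it emits a packet only when the next timestamp line (or end of file) is reached, which is where the boundary actually lies, and then reads the IPv4 total-length field so a truncated dump can be spotted. It assumes each frame carries Ethernet plus one 802.1Q tag (18 link-layer bytes), as the 8100 tag in the sample shows.

```python
import re
from typing import List, NamedTuple

# First two packets of the question's sample.conv, embedded so this runs offline.
SAMPLE = """\
15:16:11.235743 IP 192.168.0.1 > 192.168.1.1:  ip 26
    0x0000:  00ca fe00 0000 aabb ccdd eeff 8100 6000
    0x0010:  0800 4500 002e 0001 0000 4000 f87c c0a8
    0x0020:  0001 c0a8 0101 909c ea0d dd0b 8ece 45d9
    0x0030:  d0be 5399 d922 b0e5 eeec d8d5 ae3d faa9
    0x0040:  bbcd 5976
15:16:11.239125 IP 192.168.0.1 > 192.168.1.1:  ip 27
    0x0000:  00ca fe00 0000 aabb ccdd eeff 8100 6001
    0x0010:  0800 4500 002f 0001 0000 4000 f87b c0a8
    0x0020:  0001 c0a8 0101 8a9b c997 35a3 24a2 c546
    0x0030:  39b9 a44d 97e5 6542 3c92 3552 9bb8 7f48
    0x0040:  2ceb de91 f1
"""

HEADER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s")  # a timestamp line opens a packet
HEX_LINE_RE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+([0-9a-f ]+?)\s*$", re.I)

class Packet(NamedTuple):
    timestamp: str
    hexdata: str  # whole frame as one contiguous hex string

def parse_tcpdump_hex(text: str) -> List[Packet]:
    """Emit a packet only at the next timestamp line or EOF, not when its timestamp
    is first seen: that ordering is the off-by-one in the question's loop."""
    packets: List[Packet] = []
    ts, chunks = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if ts is not None:
                packets.append(Packet(ts, "".join(chunks)))
            ts, chunks = m.group(1), []
            continue
        m = HEX_LINE_RE.match(line)
        if m and ts is not None:
            chunks.append(re.sub(r"\s", "", m.group(1)))
    if ts is not None:  # flush the final packet at EOF
        packets.append(Packet(ts, "".join(chunks)))
    return packets

def ip_lengths(pkt: Packet, link_hdr_len: int = 18):
    """(declared, captured) IPv4 byte counts; captured < declared means the dump
    is truncated. link_hdr_len=18 assumes Ethernet + one 802.1Q tag (the sample)."""
    raw = bytes.fromhex(pkt.hexdata)[link_hdr_len:]
    return int.from_bytes(raw[2:4], "big"), len(raw)
```

Running `parse_tcpdump_hex(open("sample.conv").read())` on the full file yields three packets whose hexdata matches the expected output above.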

1 answer:

Answer 0 (score: 0)

python packet_pars.py sample.conv | awk -F'\0' '/timestamp/{ print } /cafe/{if (length>128) print }'