Parsing Wireshark PCAP files with Python
- 2021-07-24 11:30:23
- OfStack
Python first needs the scapy module installed.
For Python 3, install scapy-python3; installing it with pip works fine. Note that under Python 3 the script cannot be packaged with pyinstaller, while Python 2 packages normally.
Installing scapy for Python 2 is troublesome.
```python
from scapy.all import *

pcaps = rdpcap("file.pcap")   # read the whole capture into a PacketList
```
pcaps is a PacketList holding the parsed packets; it can be indexed and filtered like a list:
```python
packet = pcaps[0]        # the first packet
packet.time              # packet timestamp
packet[Raw].load         # Python 3: read the payload; likewise packet[IP].src, packet[IP].dst
packet['Raw'].load       # Python 2 form of the same; also works under Python 3

# 'lambda' is a Python keyword and cannot be used as a variable name, so the expression string is named flt
flt = "lambda pcap: IP in pcap and UDP in pcap and pcap[IP].src == '192.168.1.1' and pcap[UDP].sport == 80"
results = pcaps.filter(eval(flt))   # a lambda is a kind of expression; a string is used here, but you can also
                                    # skip eval and pass the lambda directly; the filtered packets are returned
```
Parsing packets in Python consumes a great deal of memory, so it is recommended to pre-filter the capture once with the tshark command line before processing it in Python:
```python
import os, subprocess

proto = Node['proto'].lower()   # Node: the flow to keep (keys proto/src/dst/sport/dport); paths assumed set
cmd_filter = "%s && ip.src==%s && ip.dst==%s && %s.srcport==%s && %s.dstport==%s" % \
    (proto, Node['src'], Node['dst'], proto, Node['sport'], proto, Node['dport'])
# no shell: the filter is passed as one argument; -R is a two-pass read filter (needs -2 on current tshark)
subprocess.run([os.path.join(Wireshark_path, "tshark"), "-r", pcap_filename, "-2", "-R", cmd_filter,
                "-w", Temp_pcap_File], check=True)
```
Then process the much smaller Temp_pcap_File with scapy as shown above.
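As an added, self-contained example (not the article's code): a stdlib-only reader for the classic pcap format that extracts the same fields the article reads through scapy (timestamp, ip.src/ip.dst, UDP ports, payload) and applies the same flow predicate as the tshark read filter. The capture is constructed in memory, and the Node-style dict here uses the IP protocol number 17 for UDP instead of the article's protocol name.

```python
import struct
def udp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left 0, which is fine for parsing."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + udp

def build_pcap(frames, base_ts=1627097423):
    """Classic pcap: 24-byte global header (little-endian magic, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse pcap bytes into dicts carrying the fields the article reads via scapy."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"          # 0xD4C3B2A1 means big-endian
    off, pkts = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4: skip
        ihl = (frame[14] & 0x0F) * 4
        pkt = {"time": ts_sec + ts_usec / 1e6, "proto": frame[23],
               "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34]))}
        l4 = 14 + ihl
        if pkt["proto"] == 17 and len(frame) >= l4 + 8:   # 17 = UDP
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
            pkt["load"] = frame[l4 + 8:]
        pkts.append(pkt)
    return pkts

def matches_flow(pkt, node):
    """Same predicate as the article's tshark read filter: proto, src, dst, sport, dport."""
    return (pkt["proto"] == node["proto"] and pkt["src"] == node["src"] and pkt["dst"] == node["dst"]
            and pkt.get("sport") == node["sport"] and pkt.get("dport") == node["dport"])
SAMPLE_PCAP = build_pcap([                      # constructed capture: three UDP frames
    udp_frame("192.168.1.1", "10.0.0.5", 80, 40000, b"hello"),
    udp_frame("10.0.0.5", "192.168.1.1", 40000, 80, b"reply"),
    udp_frame("192.168.1.1", "10.0.0.9", 53, 40001, b"dns"),
])
NODE = {"proto": 17, "src": "192.168.1.1", "dst": "10.0.0.5", "sport": 80, "dport": 40000}
def filter_sample():
    return [p for p in read_pcap(SAMPLE_PCAP) if matches_flow(p, NODE)]
```

Only the classic pcap container is handled; a pcapng capture (as Wireshark writes by default) would need to be saved as pcap or pre-filtered with tshark -w first.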