功能

讀取pcap包，打印詳細的icmp/tcp/udp協議

讀取pcap包或網絡接口

1. 打印詳細的tcp會話／udp報文數據，目前支持mysql/pgsql/smtp/ftp/redis/mongodb認證協議解析，http/dns完整協議解析

2. IP數據包統計信息，用于監控網絡異常流量

安裝

pip install -r requirements.txt

mac

brew install libnids

linux

sudo apt-get install libnet1-dev libpcap-dev

git clone https://github.com/MITRECND/pynids.git

cd pynids

sudo python setup.py build

sudo python setup.py install

pip install dpkt

或者

git clone https://github.com/kbandla/dpkt.git

使用

讀取pcap包，打印詳細的icmp/tcp/udp協議

python print_pcap.py --help

python print_pcap.py --pcapfile=data/pcap_pub/http_gzip.pcap --assetport=80

詳細使用可以參看Documents 二

讀取pcap包或網絡接口，打印詳細的tcp會話數據

第二步: python print_tcp_session.py

詳細使用可以參看Documents 十一 、 十二

Bugs

libnids

不支持ipv6格式的數據包

當server.yaml中配置為重組雙向流量時

data_stream_direct: 2

只在tcp flag為RST或FIN時才會打印數據

不支持多進程

Documents

示例

python print_tcp_session.py

1. UDP-DNS協議詳解

pcap_file: data/pcap_pub/dns/netforensics_evidence05.pcap

UDP-DNS 協議解析

{

"ts": 1268758265.098157,

"src_ip": "192.168.23.2",

"src_port": 53,

"dst_ip": "192.168.23.129",

"dst_port": 52499,

"header": {

"aa": 0,

"qr": 1,

"num_of_answers": 1,

"tc": 0,

"num_of_additional": 4,

"rd": 1,

"opcode": "QUERY",

"ra": 1,

"num_of_authority": 4,

"rcode": "NOERROR",

"id": 48291,

"num_of_questions": 1

},

"questions": [

{

"qclass": "IN",

"qtype": "A",

"qname": "freeways.in."

}

],

"answers": [

{

"ttl": 5,

"rname": "freeways.in.",

"rtype": "A",

"rclass": 1,

"rdata": "212.252.32.20"

}

],

"authority": [

{

"ttl": 5,

"rname": "freeways.in.",

"rtype": "NS",

"rclass": 2,

"rdata": "ns4.everydns.net."

}

],

"additional": [

{

"ttl": 5,

"rname": "ns4.everydns.net.",

"rtype": "A",

"rclass": 1,

"rdata": "208.76.60.100"

}

]

}

2. TCP-HTTP 協議詳解

pcap_file: data/pcap_pub/cve/cve-2016-4971.pcap

{

"ts_start": 1467904494.307728,

"ts_end": 1467904494.392242,

"src_ip": "192.168.186.128",

"src_port": 41352,

"dst_ip": "192.168.186.128",

"dst_port": 80,

"req_method": "GET",

"req_uri": "/file",

"req_version": "1.1",

"req_headers": {

"user-agent": "Wget/1.17 (linux-gnu)",

"accept": "*/*",

"accept-encoding": "identity",

"host": "192.168.186.128",

"connection": "Keep-Alive"

},

"req_body": "",

"resp_version": "1.0",

"resp_status": "301",

"resp_reason": "Moved Permanently",

"resp_headers": {

"server": "SimpleHTTP/0.6 Python/2.7.12",

"date": "Thu, 07 Jul 2016 15:14:54 GMT",

"location": "ftp://anonymous@192.168.186.128:21/.wgetrc"

},

"resp_body": ""

}

3. IP 數據包元信息

數據包方向 時間戳 協議類型 源IP:源端口(IP歸屬地)(服務類型)目的IP:目的端口(IP歸屬地)(服務類型) 數據包大小

IN2017-08-18 13:23:41TCP58.217.200.117:14000(江蘇省南京市-None-None-NONE)(scotty-ft)10.0.0.2:58747(局域網-None-None-NONE)(NONE)240

OUT2017-08-18 13:23:41TCP10.0.0.2:58747(局域網-None-None-NONE)(NONE)58.217.200.117:14000(江蘇省南京市-None-None-NONE)(scotty-ft)40

備注: 14000(scotty-ft) 為微信、QQ發送語音文件的協議

python print_pcap.py

UDP報文

python print_pcap.py --pcapfile=data/pcap_pub/dns/dns.pcap

[UDP][1112201545.382005-03-30 16:52:25]217.13.4.24:53(00:12:a9:00:32:23) ----->192.168.170.56:1711(00:60:08:45:e4:55)ttl=58DATA_BINARY=76 63 85 83 00 01 00 00 00 00 00 00 05 47 52 49 4d 4d 0b 75 74 65 6c 73 79 73 74 65 6d 73 05 6c 6f 63 61 6c 00 00 01 00 01LEN=41

TCP報文

python print_pcap.py --pcapfile=data/pcap_pub/cve/httpoxy.pcap

[TCP] [1469135972.46 2016-07-21 21:19:32] 192.168.235.135:55034(00:0c:29:92:67:d7) ----->192.168.235.136:8080(00:0c:29:79:fd:94) SEQ=618963631 ACK=2424513936 FLAGS=['ACK', 'PSH'] WIN=229 DATA=GET /index.py HTTP/1.1

Host: 192.168.235.136:8080

User-Agent: curl/7.43.0

Accept: */*

Proxy: 192.168.235.135:11000

ICMP報文

[ICMP_Unreach][1500285748.082017-07-17 10:02:28]10.0.0.5:500(98:01:a7:9e:dd:c1) ----->10.0.0.2:63816(58:f3:9c:51:90:c7)3:3[host:port unreachable]ttl=43DATA_BINARY=LEN=0

聯系

原博客 被封號了

新浪微博weibo

豆瓣讀書 分享最近看的書籍

baidu網盤 分享一些網絡安全資料(但基本很快就被刪掉了)

與50位技術專家面對面20年技術見證，附贈技術全景圖

總結

以上是生活随笔為你收集整理的python数据包分析_packet_analysis: 数据包分析工具的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。