1 Capturing packets with the tshark command
import os
import re
import subprocess
import threading
import time

filter = "udp port 9007"   # capture filter in BPF syntax, passed to tshark -f

def capturePackets(index='', path='', filter='', duration=30):
    # Output file: <path>/<timestamp>.pcap (the original referenced an undefined sDirectory here)
    sTsharkFileName = path + '/' + time.strftime("%Y_%m_%d %H_%M_%S") + '.pcap'
    # Both the file name (it contains a space) and the filter must be quoted, or the shell
    # splits them into several arguments; the values are interpolated into a shell command
    # line, so only pass trusted strings here
    filterCMD = 'tshark -i %s -w "%s" -f "%s" -a duration=%s' % (index, sTsharkFileName, filter, duration)
    # run tshark in a daemon thread so the capture does not block the caller
    t = threading.Thread(target=os.system, args=(filterCMD,))
    t.daemon = True        # original had "t = setDaemon(Ture)", which rebinds t and misspells True
    t.start()
    time.sleep(2)          # give tshark time to open the interface before the traffic under test is sent
    return True

def checkSpecifiedReply(path='', filter='', wordlist='', expect=True):
    # Read the capture back (-r), apply the display filter (-Y) and print the full dissection (-V);
    # the original hard-coded the path "D:/log/12_20.pcap" and the filter "udp.port == 9007"
    filterCMD = 'tshark -r "%s" -Y "%s" -V' % (path, filter)
    p = subprocess.Popen(filterCMD, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    outdata, errdata = p.communicate()   # original misspelled this as communicte
    rawData = "%s%s" % (outdata.decode("utf8", "ignore"), errdata.decode("utf8", "ignore"))
    if rawData == "" and expect == True:
        print("no packets matched the filter")
    # Split the -V output into one entry per frame: each frame begins with a "Frame N" line
    # at column 0, while the field lines below it are indented
    packetList = []
    packetContent = ""
    for line in rawData.splitlines():
        if re.match(r'Frame [\d]+', line) is not None:
            if packetContent:           # skip the empty entry the original appended before the first frame
                packetList.append(packetContent)
            packetContent = ""
        packetContent += line + '\n'
    if packetContent:
        packetList.append(packetContent)
    return packetList   # wordlist is accepted but not used in this version
2 Breaking down the source code
time.strftime()
import time
time.strftime("%Y_%m_%d %H_%M_%S")
'2020_12_20 12_08_15'
2.1 The tshark command
tshark help
tshark -h
Usage: tshark [options] …
- List all currently available network interfaces
tshark -D
C:\Users\liuzhiqiang>tshark -D
1 \Device\NPF{F8E8E4CD-F2CA-475D-A50B-E20010AC90AF} (WLAN-lzq)
2 \Device\NPF{D3E8E934-73C8-4BAC-9FD9-D5ED7D6CF6B2} (inetup)
3 \Device\NPF{D0CD5B78-5F40-4812-89BE-480A68D3EB05} (eth0)
- Capture traffic on a specific interface (by index or by name)
tshark -i 1
or tshark -i WLAN-lzq
- Save the captured packets to a file
tshark -i inet_up -w packet.pcap
or tshark -i 1 -w "D:\lzq\tshark\speci_dir\packet.pcap"
- Filtering
Capture filter, using -f (BPF syntax; applied as packets arrive, so traffic that does not match is never written to the file):
tshark -i inet_up -w packet.pcap -f "tcp port 9005"
Display filter, using -Y (Wireshark field syntax, applied after the packet has been dissected; packets that do not match are neither printed nor written to the -w file):
tshark -i inet_up -w packet.pcap -Y "tcp.port == 9005"
- Time display format
Use -t ad
to show absolute time (the actual local time, with date, at which the packet was captured), e.g.: tshark -i inet_up -w packet.pcap -Y "tcp.port == 9005" -t ad
- Verbose output (the contents of the packet detail pane)
To print the full detail of every packet (each protocol layer, as shown in the detail pane), use -V
e.g. tshark -i inet_up -w packet.pcap -Y "tcp.port == 9005" -t ad -V
- Printing packets back to the screen
To read packets back from a saved file, use -r
followed by the file name: tshark -r .\packet.pcap
or tshark -r .\packet.pcap -V
2.2 subprocess.Popen()
The subprocess module lets us start a new process, connect to its input/output/error pipes and obtain its return code.
It is the module for creating and managing child processes. subprocess provides a class named Popen that starts a child process and sets its parameters; a Popen object represents the child process.
- Basic process creation and management in the subprocess module is handled by the Popen class
- subprocess.Popen is the replacement for os.popen
- Popen is the core of subprocess: creating and managing child processes all goes through it.
Constructor:
class subprocess.Popen(args, bufsize=-1, executable=None, stdin=None, stdout=None, stderr=None, preexec_fn=None, close_fds=True, shell=False, cwd=None, env=None, universal_newlines=False, startupinfo=None, creationflags=0,restore_signals=True, start_new_session=False, pass_fds=(), *, encoding=None, errors=None)
Common parameters:
- args: the command to run, either a string or a sequence (list, tuple)
- stdin, stdout, stderr: the program's standard input, output and error handles
- shell: if True, the command is executed through the operating system's shell
- cwd: sets the working directory of the child process
Note that with shell=True a string command is parsed by the shell, so anything interpolated into it (a file name, a filter taken from input) can inject extra shell commands; when the arguments are not fully trusted, pass args as a list and leave shell=False.
pwd
'/home/lzqiang/projects/py353/magedu/week11_并发&线程&进程'
ls
tshark_capturePackets.ipynb tshark_packet.pcap 线程与进程.ipynb
import subprocess
filCMD = "tshark -r tshark_packet.pcap"   # print the saved packets back
pro = subprocess.Popen(filCMD, shell=True, stdout=subprocess.PIPE)
The file was captured with: tshark -i 1 -w tshark_packet.pcap
type(pro)
subprocess.Popen
len(pro.communicate())   # communicate() returns the (stdout, stderr) pair
2
a, b = pro.communicate()   # unpack the pair (on a fresh Popen: the first communicate() already drained the pipe)
a
b' 1 0.000000000 27.17.246.252 -> 172.21.0.3 TCP 54 22569 > ssh [ACK] Seq=1 Ack=1 Win=257 Len=0\n 2 0.500798524 172.21.0.3 -> 27.17.246.252 SSH 122 Encrypted response packet len=68\n 3 0.577744902 27.17.246.252 -> 172.21.0.3 TCP 54 22569 > ssh [ACK] Seq=1 Ack=69 Win=257 Len=0\n'
a.decode("utf8").split('\n')
[' 1 0.000000000 27.17.246.252 -> 172.21.0.3 TCP 54 22569 > ssh [ACK] Seq=1 Ack=1 Win=257 Len=0',
' 2 0.500798524 172.21.0.3 -> 27.17.246.252 SSH 122 Encrypted response packet len=68',
' 3 0.577744902 27.17.246.252 -> 172.21.0.3 TCP 54 22569 > ssh [ACK] Seq=1 Ack=69 Win=257 Len=0',
'']
data = a.decode("utf8").split('\n')
for i in data:
print(i)
1 0.000000000 27.17.246.252 -> 172.21.0.3 TCP 54 22569 > ssh [ACK] Seq=1 Ack=1 Win=257 Len=0
2 0.500798524 172.21.0.3 -> 27.17.246.252 SSH 122 Encrypted response packet len=68
3 0.577744902 27.17.246.252 -> 172.21.0.3 TCP 54 22569 > ssh [ACK] Seq=1 Ack=69 Win=257 Len=0
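As an added example (not the original page's code), here are the two functions from section 1 rewritten the way a security engineer would run tshark from Python, tying together the capture/display filters of section 2.1 and the Popen discussion of section 2.2. The command is built as an argv list and run with shell=False, so the -f or -Y filter reaches tshark as a single argument and cannot inject shell commands the way a string handed to os.system() or Popen(shell=True) could; the -V output is then split into per-frame records as in checkSpecifiedReply, without the empty leading entry the original loop produced, and the wordlist/expect check the original signature promised is implemented. The function names, the wordlist check and SAMPLE_V_OUTPUT (a constructed, trimmed imitation of tshark -V output, not real traffic) are my assumptions; tshark itself is only needed by run_tshark.

```python
"""Hardened capture / reply-check helpers around tshark (added example, not the page's code)."""
import re
import subprocess
import time
from pathlib import Path
from typing import List

# A frame record starts at a column-0 line such as "Frame 1: 60 bytes on wire ..."
FRAME_RE = re.compile(r"^Frame (\d+): ")


def build_capture_cmd(iface: str, out_dir: str, capture_filter: str,
                      duration: int = 30) -> List[str]:
    """argv for: tshark -i <iface> -w <dir>/<timestamp>.pcap -f <bpf> -a duration=<n>.

    Returned as a list for shell=False: the capture filter is one argv element, so
    spaces, quotes or ';' inside it cannot break out into a shell command.
    The timestamp uses '_' instead of the page's space so the name needs no quoting.
    """
    pcap = Path(out_dir) / (time.strftime("%Y_%m_%d_%H_%M_%S") + ".pcap")
    return ["tshark", "-i", iface, "-w", str(pcap),
            "-f", capture_filter, "-a", "duration=%d" % int(duration)]


def build_read_cmd(pcap: str, display_filter: str) -> List[str]:
    """argv for: tshark -r <pcap> -Y <display filter> -V (dissector-level filter)."""
    return ["tshark", "-r", pcap, "-Y", display_filter, "-V"]


def run_tshark(argv: List[str], timeout: int = 120) -> str:
    """Run tshark without a shell and return stdout+stderr as text (needs tshark installed)."""
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, errors="ignore", timeout=timeout)
    return proc.stdout + proc.stderr


def split_frames(raw: str) -> List[str]:
    """Split `tshark -V` text into one string per frame.

    A record begins at every 'Frame N:' line; the indented field lines (and the
    blank separator line) belong to the current record. Nothing is emitted before
    the first frame, so empty input yields an empty list.
    """
    frames: List[str] = []
    current: List[str] = []
    for line in raw.splitlines():
        if FRAME_RE.match(line):
            if current:
                frames.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        frames.append("\n".join(current))
    return frames


def frames_matching(frames: List[str], wordlist: List[str]) -> List[int]:
    """Frame numbers whose dissection text contains every string in wordlist."""
    return [int(FRAME_RE.match(f).group(1))
            for f in frames if all(w in f for w in wordlist)]


def check_specified_reply(raw: str, wordlist: List[str], expect: bool = True) -> bool:
    """True when a matching frame is present (expect=True) or absent (expect=False)."""
    found = bool(frames_matching(split_frames(raw), wordlist))
    return found == expect


# Constructed sample of `tshark -r x.pcap -Y "udp.port == 9007" -V` output:
# two frames trimmed to a few fields, not real captured traffic.
SAMPLE_V_OUTPUT = """\
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Arrival Time: Dec 20, 2020 12:08:15.000000000 CST
Internet Protocol Version 4, Src: 172.21.0.3, Dst: 172.21.0.9
User Datagram Protocol, Src Port: 51234, Dst Port: 9007
Data (5 bytes)
    Data: 68656c6c6f
    [Length: 5]

Frame 2: 63 bytes on wire (504 bits), 63 bytes captured (504 bits)
    Arrival Time: Dec 20, 2020 12:08:15.000512000 CST
Internet Protocol Version 4, Src: 172.21.0.9, Dst: 172.21.0.3
User Datagram Protocol, Src Port: 9007, Dst Port: 51234
Data (8 bytes)
    Data: 6f6b3a68656c6c6f
    [Length: 8]
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a live run would be
    # run_tshark(build_read_cmd("D:/log/12_20.pcap", "udp.port == 9007")).
    frames = split_frames(SAMPLE_V_OUTPUT)
    print("frames:", len(frames), "reply from 9007 in:", frames_matching(frames, ["Src Port: 9007"]))
    print("argv:", build_capture_cmd("1", "D:/log", "udp port 9007", 30))
```

Because the filter is a separate argv element, a value such as `udp port 9007; calc` is handed to tshark verbatim (and rejected by its BPF parser) instead of being executed by a shell, which is the difference between this and the `shell=True` string used in section 1.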