python解析pcap转储为sqlite
最近有需求对pcap包进行处理,要求提取数据包中的字段,并存储到sqlite数据库中,于是乎利用scapy写了一个简单的脚本,其中包括了对IP、TCP、UDP、ICMP包的解析,其实代码重复了许多,但是为了追求工作的效率,暂且留下这段代码吧,后续慢慢优化~大神莫见怪。
#! -- coding:utf-8 --
import getopt
import sqlite3
import sys

from scapy.all import *
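# Path of the sqlite file the *_insert_db helpers open on every call; main()
# sets it from -o/--output.  A module-level ``global`` statement is a no-op
# and left the name unbound, so any helper called before main() raised
# NameError instead of a clear "no database configured" failure.
output_database = None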
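# Schema of the four tables, in column order.  The same tuples drive both the
# CREATE TABLE statement and the INSERT, so the two can never drift apart.
_EVENT_COLUMNS = (
    ("eventno", "INTEGER"),
    ("eventtype", "TEXT"),
    ("timestamp", "INTEGER"),
    ("timestampusec", "INTEGER"),
    ("sipaddr", "TEXT"),
    ("dipaddr", "TEXT"),
)
_PORT_COLUMNS = (
    ("sport", "INTEGER"),
    ("dport", "INTEGER"),
)
_IP_HEADER_COLUMNS = (
    ("totalpacketlen", "INTEGER"),
    ("protocol", "INTEGER"),
    ("tos", "INTEGER"),
    ("ipid", "INTEGER"),
    ("ipcksum", "INTEGER"),
    ("ipttl", "INTEGER"),
)
_TABLES = {
    "IP_PACKET": _EVENT_COLUMNS + _IP_HEADER_COLUMNS,
    "TCP_PACKET": _EVENT_COLUMNS + _PORT_COLUMNS + _IP_HEADER_COLUMNS + (
        ("tcpseq", "TEXT"),
        ("tcpack", "TEXT"),
        ("tcpflags", "TEXT"),
    ),
    "UDP_PACKET": _EVENT_COLUMNS + _PORT_COLUMNS + _IP_HEADER_COLUMNS + (
        ("udplen", "INTEGER"),
        ("udpcksum", "INTEGER"),
    ),
    "ICMP_PACKET": _EVENT_COLUMNS + _IP_HEADER_COLUMNS + (
        ("icmptype", "INTEGER"),
        ("icmpcode", "INTEGER"),
        ("icmpcksum", "INTEGER"),
    ),
}

# The old code formatted INTEGER columns with '%d' (truncating floats such as
# the capture time) and TEXT columns with '%s'; int()/str() reproduce that.
_COERCE = {"INTEGER": int, "TEXT": str}


def _value(packet_dict, column):
    """Return the raw value for ``column`` from a parser-built row dict.

    The *_parse helpers fill the key ``'evento'`` (sic) for the ``eventno``
    column; that spelling is honoured for compatibility, while a correctly
    spelled ``'eventno'`` key is accepted too.
    """
    if column == "eventno" and "eventno" not in packet_dict:
        column = "evento"
    return packet_dict[column]


def _write_row(table, packet_dict):
    """Create ``table`` if needed and insert one row built from ``packet_dict``.

    The INSERT uses ``?`` placeholders bound by sqlite3, so packet-derived
    text (addresses, TCP flag strings) is stored verbatim and can never be
    interpreted as SQL -- the previous string-formatted statements spliced
    those values straight into the query.  Table and column names come from
    the constant ``_TABLES`` map, never from the packet.

    The connection to the module-level ``output_database`` is opened per
    call, as before, and is closed even when a statement fails.
    """
    columns = _TABLES[table]
    row = tuple(_COERCE[ctype](_value(packet_dict, name)) for name, ctype in columns)
    create_sql = "CREATE TABLE IF NOT EXISTS %s(\n%s\n)" % (
        table, ",\n".join("%s %s" % col for col in columns))
    insert_sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ",".join(name for name, _ in columns), ",".join("?" * len(columns)))
    db = sqlite3.connect(output_database)
    try:
        cur = db.cursor()
        cur.execute(create_sql)
        cur.execute(insert_sql, row)
        db.commit()
        cur.close()
    finally:
        db.close()


def ip_insert_db(packet_dict):
    """Store one IP-header row in IP_PACKET.

    ``packet_dict`` must carry: evento (or eventno), eventtype, timestamp,
    timestampusec, sipaddr, dipaddr, totalpacketlen, protocol, tos, ipid,
    ipcksum, ipttl.  Raises KeyError on a missing key and sqlite3.Error on a
    database failure; returns None.
    """
    _write_row("IP_PACKET", packet_dict)


def tcp_insert_db(packet_dict):
    """Store one TCP row in TCP_PACKET.

    ``packet_dict`` must carry the IP_PACKET keys plus sport, dport, tcpseq,
    tcpack and tcpflags (the flags are stored as text, e.g. "S" or "PA").
    Raises KeyError on a missing key and sqlite3.Error on a database
    failure; returns None.
    """
    _write_row("TCP_PACKET", packet_dict)


def udp_insert_db(packet_dict):
    """Store one UDP row in UDP_PACKET.

    ``packet_dict`` must carry the IP_PACKET keys plus sport, dport, udplen
    and udpcksum.  Raises KeyError on a missing key and sqlite3.Error on a
    database failure; returns None.
    """
    _write_row("UDP_PACKET", packet_dict)


def icmp_insert_db(packet_dict):
    """Store one ICMP row in ICMP_PACKET.

    ``packet_dict`` must carry the IP_PACKET keys plus icmptype, icmpcode
    and icmpcksum.  Raises KeyError on a missing key and sqlite3.Error on a
    database failure; returns None.
    """
    _write_row("ICMP_PACKET", packet_dict)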
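def tcp_parse(pcaps):
    """Write one TCP_PACKET row per TCP-over-IPv4 packet in ``pcaps``.

    ``pcaps`` is the PacketList returned by rdpcap(); ``pcaps[TCP]`` selects
    the packets carrying a TCP layer.  Each row dict carries the keys
    tcp_insert_db() expects: evento (sic), eventtype, timestamp,
    timestampusec, sipaddr, dipaddr, sport, dport, totalpacketlen, protocol,
    tos, ipid, ipcksum, ipttl, tcpseq, tcpack, tcpflags.  eventno is the
    packet's index within pcaps[TCP].

    A packet without an IPv4 header (e.g. TCP over IPv6) is skipped, and an
    error on one packet is printed and does not stop the run -- the old
    ``while tcp_object[count]`` loop relied on an exception to terminate and
    so silently dropped every packet after the first bad one.  Returns None.
    """
    for count, pkt in enumerate(pcaps[TCP]):
        if IP not in pkt:
            print("tcp_parse: packet %d has no IPv4 header, skipped" % count)
            continue
        try:
            ip_hdr = pkt[IP]
            tcp_hdr = pkt[TCP]
            row = {
                'evento': count,
                'eventtype': "TCP_PACKET",
                # The capture timestamp is set on the top-level packet; a
                # sub-layer's .time is not guaranteed to carry it.
                'timestamp': pkt.time,
                # NOTE(review): constant placeholder kept from the original;
                # the fractional part of pkt.time is not stored anywhere.
                'timestampusec': 1,
                'sipaddr': ip_hdr.src,
                'dipaddr': ip_hdr.dst,
                'sport': tcp_hdr.sport,
                'dport': tcp_hdr.dport,
                'totalpacketlen': ip_hdr.len,
                'protocol': ip_hdr.proto,
                'tos': ip_hdr.tos,
                'ipid': ip_hdr.id,
                'ipcksum': ip_hdr.chksum,
                'ipttl': ip_hdr.ttl,
                'tcpseq': tcp_hdr.seq,
                'tcpack': tcp_hdr.ack,
                # str() so the flag text ("S", "PA", ...) is what gets stored.
                'tcpflags': str(tcp_hdr.flags),
            }
            tcp_insert_db(row)
        except Exception as e:
            print("tcp_parse: packet %d skipped: %s" % (count, e))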
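def icmp_parse(pcaps):
    """Write one ICMP_PACKET row per ICMP-over-IPv4 packet in ``pcaps``.

    ``pcaps`` is the PacketList returned by rdpcap(); ``pcaps[ICMP]`` selects
    the packets carrying an ICMP layer.  Each row dict carries the keys
    icmp_insert_db() expects: evento (sic), eventtype, timestamp,
    timestampusec, sipaddr, dipaddr, totalpacketlen, protocol, tos, ipid,
    ipcksum, ipttl, icmptype, icmpcode, icmpcksum.  eventno is the packet's
    index within pcaps[ICMP].

    A packet without an IPv4 header is skipped, and an error on one packet
    is printed and does not stop the run -- the old ``while
    icmp_object[count]`` loop relied on an exception to terminate and so
    silently dropped every packet after the first bad one.  Returns None.
    """
    for count, pkt in enumerate(pcaps[ICMP]):
        if IP not in pkt:
            print("icmp_parse: packet %d has no IPv4 header, skipped" % count)
            continue
        try:
            ip_hdr = pkt[IP]
            icmp_hdr = pkt[ICMP]
            row = {
                'evento': count,
                'eventtype': "ICMP_PACKET",
                # The capture timestamp is set on the top-level packet; a
                # sub-layer's .time is not guaranteed to carry it.
                'timestamp': pkt.time,
                # NOTE(review): constant placeholder kept from the original;
                # the fractional part of pkt.time is not stored anywhere.
                'timestampusec': 1,
                'sipaddr': ip_hdr.src,
                'dipaddr': ip_hdr.dst,
                'totalpacketlen': ip_hdr.len,
                'protocol': ip_hdr.proto,
                'tos': ip_hdr.tos,
                'ipid': ip_hdr.id,
                'ipcksum': ip_hdr.chksum,
                'ipttl': ip_hdr.ttl,
                'icmptype': icmp_hdr.type,
                'icmpcode': icmp_hdr.code,
                'icmpcksum': icmp_hdr.chksum,
            }
            icmp_insert_db(row)
        except Exception as e:
            print("icmp_parse: packet %d skipped: %s" % (count, e))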
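def udp_parse(pcaps):
    """Write one UDP_PACKET row per UDP-over-IPv4 packet in ``pcaps``.

    ``pcaps`` is the PacketList returned by rdpcap(); ``pcaps[UDP]`` selects
    the packets carrying a UDP layer.  Each row dict carries the keys
    udp_insert_db() expects: evento (sic), eventtype, timestamp,
    timestampusec, sipaddr, dipaddr, sport, dport, totalpacketlen, protocol,
    tos, ipid, ipcksum, ipttl, udplen, udpcksum.  eventno is the packet's
    index within pcaps[UDP].

    A packet without an IPv4 header (e.g. UDP over IPv6) is skipped, and an
    error on one packet is printed and does not stop the run -- the old
    ``while udp_object[count]`` loop relied on an exception to terminate and
    so silently dropped every packet after the first bad one.  Returns None.
    """
    for count, pkt in enumerate(pcaps[UDP]):
        if IP not in pkt:
            print("udp_parse: packet %d has no IPv4 header, skipped" % count)
            continue
        try:
            ip_hdr = pkt[IP]
            udp_hdr = pkt[UDP]
            row = {
                'evento': count,
                'eventtype': "UDP_PACKET",
                # The capture timestamp is set on the top-level packet; a
                # sub-layer's .time is not guaranteed to carry it.
                'timestamp': pkt.time,
                # NOTE(review): constant placeholder kept from the original;
                # the fractional part of pkt.time is not stored anywhere.
                'timestampusec': 1,
                'sipaddr': ip_hdr.src,
                'dipaddr': ip_hdr.dst,
                'sport': udp_hdr.sport,
                'dport': udp_hdr.dport,
                'totalpacketlen': ip_hdr.len,
                'protocol': ip_hdr.proto,
                'tos': ip_hdr.tos,
                'ipid': ip_hdr.id,
                'ipcksum': ip_hdr.chksum,
                'ipttl': ip_hdr.ttl,
                'udplen': udp_hdr.len,
                'udpcksum': udp_hdr.chksum,
            }
            udp_insert_db(row)
        except Exception as e:
            print("udp_parse: packet %d skipped: %s" % (count, e))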
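def ip_parse(pcaps):
    """Write one IP_PACKET row per IPv4 packet in ``pcaps``.

    ``pcaps`` is the PacketList returned by rdpcap(); ``pcaps[IP]`` selects
    the packets carrying an IPv4 layer.  Each row dict carries the keys
    ip_insert_db() expects: evento (sic), eventtype, timestamp,
    timestampusec, sipaddr, dipaddr, totalpacketlen, protocol, tos, ipid,
    ipcksum, ipttl.  eventno is the packet's index within pcaps[IP].

    An error on one packet is printed and does not stop the run -- the old
    ``while ip_object[count]`` loop relied on an exception to terminate and
    so silently dropped every packet after the first bad one.  Returns None.
    """
    for count, pkt in enumerate(pcaps[IP]):
        try:
            ip_hdr = pkt[IP]
            row = {
                'evento': count,
                'eventtype': "IP_PACKET",
                # The capture timestamp is set on the top-level packet; a
                # sub-layer's .time is not guaranteed to carry it.
                'timestamp': pkt.time,
                # NOTE(review): constant placeholder kept from the original;
                # the fractional part of pkt.time is not stored anywhere.
                'timestampusec': 1,
                'sipaddr': ip_hdr.src,
                'dipaddr': ip_hdr.dst,
                'totalpacketlen': ip_hdr.len,
                'protocol': ip_hdr.proto,
                'tos': ip_hdr.tos,
                'ipid': ip_hdr.id,
                'ipcksum': ip_hdr.chksum,
                'ipttl': ip_hdr.ttl,
            }
            ip_insert_db(row)
        except Exception as e:
            print("ip_parse: packet %d skipped: %s" % (count, e))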
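def usage():
    """Print the command-line help to stdout and exit.

    Always raises SystemExit (via sys.exit()); it never returns.  The long
    option for the output file is ``--output`` -- the old banner showed it
    misspelt as ``--ouput``, which getopt would reject.
    """
    print('''
###########################################################
# #
# Plugin for Datadump #
# #
# Description: #
# Data dump can parse the pcap file and store it in #
# the SQLite database. #
# Currently can handle IP, TCP, UDP, ICMP types of #
# data packets. #
# #
# Author:test #
###########################################################
./packet_parse.py -i <pcapfile> -o <sqlitedatabase>
Parameter
===========
-i/--input : input pcapfile
-o/--output : output sqlite file
example:
python packet_parse.py -i input.pcap -o output.sqlite
or
python packet_parse.py --input=input.pcap --output=output.sqlite
''')
    sys.exit()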
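def main():
    """Parse the command line, read the pcap and fill the four tables.

    Options: -i/--input <pcapfile> and -o/--output <sqlitedatabase>, both
    required; -h/--help prints usage.  A bad option prints a hint and
    exits, as before; a missing input or output path now also exits via
    usage() instead of letting rdpcap("") or an unset output_database fail
    later with a less helpful error.  Sets the module-level
    ``output_database`` used by the *_insert_db helpers.  Returns None.
    """
    global output_database
    infile = ""
    outfile = ""
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'hi:o:', ["help", "input=", "output="])
    except getopt.GetoptError:
        print('please input -h or --help')
        sys.exit()
    for key, value in opts:
        if key in ("-h", "--help"):
            usage()
        elif key in ("-i", "--input"):
            infile = value
        elif key in ("-o", "--output"):
            outfile = value
    if not infile or not outfile:
        print('both -i <pcapfile> and -o <sqlitedatabase> are required')
        usage()
    output_database = outfile
    pcaps = rdpcap(infile)
    tcp_parse(pcaps)
    udp_parse(pcaps)
    icmp_parse(pcaps)
    ip_parse(pcaps)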
# Script entry point: parse argv, read the pcap and fill the sqlite tables.
if __name__ == '__main__':
    main()
帮助说明:
处理结果: