使用python和wincap抓包
环境安装
easy_install winpcapyeasy_install pcapy
在这第2步安装pcapy时报错了:1
2
3
4
5
6
7
8Searching for pcapy
Reading https://pypi.python.org/simple/pcapy/
Best match: pcapy 0.11.1
Downloading https://pypi.python.org/packages/7f/12/626c6c1ee949b6d447f887a65388aa83faec6feb247e1bdf2478139a6078/pcapy-0.11.1.tar.gz#md5=24f8f339f1f1b00b2b43fe3c6910cbc1
Processing pcapy-0.11.1.tar.gz
Writing c:\users\terry\appdata\local\temp\easy_install-vf9ep5\pcapy-0.11.1\setup.cfg
Running pcapy-0.11.1\setup.py -q bdist_egg --dist-dir c:\users\terry\appdata\local\temp\easy_install-vf9ep5\pcapy-0.11.1\egg-dist-tmp-0vrahf
error: Setup script exited with error: Microsoft Visual C++ 9.0 is required (Unable to find vcvarsall.bat). Get it from http://aka.ms/vcpython27
原来pcapy下载下来不是直接可用的,而是需要先编译,按照提示在浏览器中打开了http://aka.ms/vcpython27链接,跳转到微软官网上下载了Microsoft Visual C++ Compiler for Python 2.7,然后安装,安装位置是%appdata%\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0,安装后继续easy_install,结果又报一错误。
1 | ... |
由上可以看出来在编译pcapy时,还需要引用winpcap的头文件pcap.h,可以从winpcap网站下载,截止目前最新的版本是https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip。由于我机器上已经有些c++的项目带了一些pcap的库,所以我直接在Visual C++ for Python的安装目录下找到了vcvarsall.bat,然后编辑之,修改INCLUDE和LIB路径加上winpcap开发sdk的安装目录(D:\VC_INCLUDE\winpcap那个是我加的):
1 | set INCLUDE=D:\VC_INCLUDE\winpcap\Include;%VCINSTALLDIR%Include;%WindowsSdkDir%Include;%INCLUDE% |
然后再编译,就成功了。
示例代码
使用pcap抓包,再使用dpkt解析包1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115#! python3
# coding: utf-8
__author__ = 'terry'
import logging
from winpcapy import WinPcapDevices
from winpcapy import WinPcapUtils
logging.basicConfig(level=logging.DEBUG,
format='%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s',
datefmt='%a, %d %b %Y %H:%M:%S',
filename='myapp.log',
filemode='w')
logging.debug('This is debug message')
logging.info('This is info message')
logging.warning('This is warning message')
logging.info("当前机器上有以下网卡")
logging.info(WinPcapDevices.list_devices())
# Example Callback function to parse IP packets
def packet_callback(win_pcap, param, header, pkt_data):
# Assuming IP (for real parsing use modules like dpkt)
ip_frame = pkt_data[14:]
# Parse ips
src_ip = ".".join([str(ord(b)) for b in ip_frame[0xc:0x10]])
dst_ip = ".".join([str(ord(b)) for b in ip_frame[0x10:0x14]])
print("%s -> %s" % (src_ip, dst_ip))
# WinPcapUtils.capture_on("*Ethernet*", packet_callback)
import pcap
import dpkt
sniffer = pcap.pcap()
sniffer.setfilter('tcp port 80') # 过滤功能,可以设置需要显示的
def process_packet(ptime, packet):
tem = dpkt.ethernet.Ethernet(packet)
if tem.data.data.__class__.__name__ == 'TCP':
http_data = tem.data.data.data
if len(http_data) > 0:
if http_data.startswith(b"HTTP"):
# http response
response = dpkt.http.Response(http_data)
pass
else:
# http request
req = dpkt.http.Request(http_data)
host = str(req.headers["host"])
cookie = str(req.headers["cookie"])
path = str(req.uri)
if host.index("qianka.com"):
logging.info("QianKa message:" + host + cookie + path)
pass
def print_http_packet(ts, buf):
eth = dpkt.ethernet.Ethernet(buf)
ip = eth.data
# This is an oversimplification - IP packets can fragment if an MTU in the path is smaller than the MTU of the LAN
# Also, this changes a little bit with IPv6. To tell the difference between IPv4 and IPv6, you have to look
# at the ethertype field, which is given by http://www.iana.org/assignments/ethernet-numbers. IPv4 is 0x800 or 2048
# and IPv6 is 0x86DD or 34525
tcp = ip.data
# This is an oversimplification - this is true if and only if the protocol field of the IP packet is 6.
# See http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml for details of protocol numbers.
# See http://tools.ietf.org/html/rfc791 for details on IPv4
# If the destination port is 80 and there is data in the packet, then probably this is an HTTP request.
# TO be certain, there should
# be a TCP finite state machine in here.
if tcp.dport == 80 and len(tcp.data) > 0:
http_req = dpkt.http.Request(tcp.data)
print("URI is ", http_req.uri)
for header in http_req.headers.keys():
print(header, http_req.headers[header])
# ['_Request__methods', '_Request__proto', '__class__', '__delattr__', '__dict__', '__doc__',
# '__format__', '__getattribute__', '__getitem__', '__hash__', '__hdr_defaults__', '__init__',
# '__len__', '__metaclass__', '__module__', '__new__', '__reduce__', '__reduce_ex__', '__repr__',
# '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', 'body', 'data',
# 'headers', 'method', 'pack', 'pack_hdr', 'unpack', 'uri', 'version']
print("method is ", http_req.method)
# 'body', 'data', 'headers', 'method', 'pack', 'pack_hdr', 'unpack', 'uri', 'version'
print("HTTP headers, packed ", http_req.pack())
print("HTTP version", http_req.version)
print("HTTP data ", http_req.data) # I think this is valid if the method is POST
if tcp.sport == 80 and len(tcp.data) > 0:
try:
http = dpkt.http.Response(tcp.data)
print("HTTP version is ", http.version)
print("Status code is ", http.status)
print("Status reason ", http.reason)
for header in http.headers.keys():
print(header, http.headers[header])
# print "date", http.headers['date']
# print "accept-ranges", http.headers['accept-ranges']
# print "content-type", http.headers['content-type']
# print "connection", http.headers['connection']
# print "server", http.headers['server']
except dpkt.dpkt.UnpackError:
print("Encounted an unpacking error")
for ptime, packet in sniffer:
try:
# process_packet(ptime, packet)
print_http_packet(ptime, packet)
except Exception as e:
# print(e)
pass