tcpdump 抓包与 scapy 解析（qbit）

OS: Ubuntu 18.04 LTStcpdump: 4.9.3libpcap: 1.8.1Python: 3.8.8Scapy: 2.4.5

tcpdump -c 3# ORtcpdump -c 3 -n --number

# 原地址段为 192.168.0.0/16# 目标地址为 192.168.1.176（实际上是本机）# 网卡为 enp4s0# -n 不解析 ip# -G 60 每 60s 保持一次文件# -w %Y-%m-%d_%H:%M:%S.pcap 按秒存取文件名sudo tcpdump tcp and src net 192.168.0.0/16 and dst 192.168.1.176 -i enp4s0 -n -G 60 -w %Y-%m-%d_%H:%M:%S.pcap

# encoding: utf-8# author: qbit# date: 2021-09-10# summary: 使用 scapy 解析 tcpdump 抓取的 pcap 文件
from scapy import packetfrom scapy.all import rdpcap, IP, TCPfrom scapy.layers.http import HTTP, HTTPRequest
pcapfile = './data/2021-09-10_15:35:35.pcap'
portlist = range(8001, 9000)for dport in portlist:    packet.bind_layers(TCP, HTTP, dport=dport)packets = rdpcap(pcapfile)for pkt in packets:    if pkt.haslayer(HTTPRequest):        print(f"*** IP *** \n{pkt[IP].fields}")        print(f"*** TCP *** \n{pkt[TCP].fields}")        print(f"*** HTTP *** \n{pkt[HTTPRequest].fields}")        print('------------------------')        srcAddr = f"{pkt[IP].fields['src']}:{pkt[TCP].fields['sport']}"        dstAddr = f"{pkt[IP].fields['dst']}:{pkt[TCP].fields['dport']}"        uri = ''        if 'Host' in pkt[HTTPRequest].fields:            uri = pkt[HTTPRequest].fields['Host']        elif 'Path' in pkt[HTTPRequest].fields:            uri = pkt[HTTPRequest].fields['Path']        print(f"{srcAddr} -> {dstAddr} {uri}")        print('========================')