Scapy Sniffer的用法



Sniff方法定义:

sniff(filter="",iface="any", prn=function, count=N)

filter的规则使用 Berkeley Packet Filter (BPF)语法,具体参考http://blog.csdn.net/qwertyupoiuytr/article/details/54670477

iface用来指定要在哪个网络接口上进行抓包(通常不指定即所有网络接口)

prn指定回调函数,每当一个符合filter的报文被探测到时,就会执行回调函数,通常使用lambda表达式来写回调函数

count指定最多嗅探多少个报文(是指符合filter条件的报文,而非所有报文)

 

filter写法举例:

抓取源地址为172.31.100.222的端口为80tcp报文:

>>> sniff(filter="ip src 172.31.100.222 and tcp and tcp port 80", prn=lambda x:x.summary())

Ether / IP / TCP 172.31.100.222:ssh > 172.31.100.149:57386 PA / Raw

Ether / IP / TCP 172.31.100.222:http > 172.31.100.149:59163 RA

Ether / IP / TCP 172.31.100.222:http > 172.31.100.149:59163 RA

Ether / IP / TCP 172.31.100.222:http > 172.31.100.149:59163 RA

Ether / IP / TCP 172.31.100.222:http > 172.31.100.149:59164 RA

Ether / IP / TCP 172.31.100.222:http > 172.31.100.149:59164 RA

抓取目的地址网段为139.219.0.0/24的报文:

>>> sniff(filter="dst net 139.219", prn=lambda x:x.summary())

Ether / IP / TCP 172.31.100.222:ssh > 172.31.100.149:57386 PA / Raw

Ether / IP / TCP 172.31.100.149:58879 > 139.219.224.155:https PA / Raw

Ether / IP / TCP 172.31.100.149:58879 > 139.219.224.155:https PA / Raw

Ether / IP / TCP 172.31.100.149:58879 > 139.219.224.155:https PA / Raw

Ether / IP / TCP 172.31.100.149:58879 > 139.219.224.155:https A / Padding

Ether / IP / TCP 172.31.100.149:58879 > 139.219.224.155:https PA / Raw

Ether / IP / TCP 172.31.100.149:58879 > 139.219.224.155:https PA / Raw

抓取非ICMP的报文:

>>> sniff(filter="not icmp", prn=lambda x:x.summary())

Ether / IP / TCP 172.31.100.222:ssh > 172.31.100.149:57386 PA / Raw

Ether / IP / TCP 172.31.100.222:ssh > 172.31.100.149:57386 PA / Raw

Ether / IP / TCP 172.31.100.149:57386 > 172.31.100.222:ssh A / Padding

Ether / IP / TCP 172.31.100.222:ssh > 172.31.100.149:57386 PA / Raw

 

prn函数举例:

将抓取到的报文的summary打印出来:

>>> sniff(filter="icmp", prn=lambda x:x.summary(), count=10)

Ether / IP / TCP 172.31.100.222:ssh > 172.31.100.149:57212 PA / Raw

Ether / IP / ICMP 172.31.100.149 > 172.31.100.222 echo-request 0 / Raw

Ether / IP / ICMP 172.31.100.222 > 172.31.100.149 echo-reply 0 / Raw

Ether / IP / ICMP 172.31.100.149 > 172.31.100.222 echo-request 0 / Raw

Ether / IP / ICMP 172.31.100.222 > 172.31.100.149 echo-reply 0 / Raw

Ether / IP / ICMP 172.31.100.149 > 172.31.100.222 echo-request 0 / Raw

Ether / IP / ICMP 172.31.100.222 > 172.31.100.149 echo-reply 0 / Raw

Ether / IP / ICMP 172.31.100.149 > 172.31.100.222 echo-request 0 / Raw

Ether / IP / ICMP 172.31.100.222 > 172.31.100.149 echo-reply 0 / Raw

Ether / IP / ICMP 172.31.100.149 > 172.31.100.222 echo-request 0 / Raw

 

将所有IP报文的源地址打印出来:

>>> sniff(filter="icmp", prn=lambda x:x[IP].src, count=10)

172.31.100.222

172.31.100.149

172.31.100.222

172.31.100.149

172.31.100.222

172.31.100.149

172.31.100.222

172.31.100.149

172.31.100.222

172.31.100.149

 

或者定义一个回调函数:

def packet_callback(packet):

    print packet.show()

 

sniff(prn=packet_callback, count=10)

你可能感兴趣的:(计算机网络)