pcap2txt

This program takes the data of the first three SSL/TLS packets in each pcap file, converts the bytes to decimal and writes them to a txt file:

  • The dataset contains many domain-name folders, and each folder holds many txt files that record packets; we keep the number of txt files the same across the different domain folders
  • pcapnum_per_txt: each txt file is produced from pcapnum_per_txt pcap files
  • filelist is the list of all pcap file names; these pcaps are processed in txt_num batches, and the file names of each batch are stored in new_list
import os

# number of txt files produced per domain folder (5 matches the 0.txt .. 4.txt run shown below)
txt_num = 5

if __name__ == '__main__':
    path = '/home/new3/https/lx/login.weixin.qq.com'
    filelist = os.listdir(path)
    #print (len(filelist))

    # each txt file is built from pcapnum_per_txt pcap files
    pcapnum_per_txt = len(filelist) // txt_num

    for i in range(txt_num):
        print(str(i) + '.txt')
        new_list = filelist[i*pcapnum_per_txt:i*pcapnum_per_txt + pcapnum_per_txt]

        # `file` is also read by processpacket() as a module global (the flow key)
        for file in new_list:
            print('The pcap file is: ' + file)
            filepath = os.path.join(path, file)
            parse_pcap(filepath)

        txt_name = str(i) + '.txt'
        with open(txt_name, "a+") as fw:
            for key in flow.keys():
                if key in new_list:
                    # only pcaps with exactly three TLS packets are written,
                    # one line of decimal byte values per packet
                    if len(flow[key]) == 3:
                        print(key)
                        for pkts in flow[key]:
                            for b in pkts:
                                fw.write(str(b) + " ")
                            fw.write("\n")
        print('The above pcap file is written in the txt file.')
        print('\n')

parse_pcap

  • First read the 24-byte pcap file header, then loop: read the 16-byte packet header, which contains the packet size iplensave, then read iplensave bytes of packet data
  • The parameter iplensave records the length of the current packet
How to determine whether the current packet is SSL/TLS:
  • TLS runs on top of TCP and is encapsulated by TCP
  • The first field of a TLS record gives the TLS type (content type) and the next field gives the version. Most content type values (observed so far) are only 20 (0x14), 22 (0x16) and 23 (0x17), and the first byte of the version always starts with 0x03
[image: tls.png]
  • The MAC layer is 14 B and the IP layer is usually 20 B. The TCP header length is variable and is given by the header length field: it is only 4 bits, in the upper 4 bits of the 13th byte of the TCP header; converting it to decimal and multiplying by 4 gives the TCP header length
  • First check the packet length iplensave > 54, because mac+ip+tcp need at least 54 B; a packet shorter than 54 B certainly has no TLS layer
  • Check iplensave - tcplen - iplen - maclen > 0; if it equals 0 there is no TLS layer either
  • If both conditions hold, check whether the byte after the TCP header is 20, 22 or 23 and whether the version byte is 3; if both hold, it is a TLS packet (the probability of a coincidence is small enough to ignore)


import struct

pcaphdrlen = 24   # pcap global header
pkthdrlen = 16    # per-packet record header
maclen = 14       # Ethernet header
iplen = 20        # IPv4 header without options (assumed fixed)

def parse_pcap(filename):
    with open(filename, "rb") as f:
        # Read 24-byte pcap header; the byte order is assumed to match the host
        data = f.read(pcaphdrlen)
        (magic, major, minor, thiszone, sigfigs, snaplen, linktype) = struct.unpack("=LHHlLLL", data)
        # packet counter
        cnt = 0

        while data:
            # read packet header: timestamp sec/usec, captured length, original length
            data = f.read(pkthdrlen)
            if not data:
                break
            (sec, microsec, iplensave, origlen) = struct.unpack("=LLLL", data)
            # print (sec, microsec, iplensave, origlen)
            data = f.read(iplensave)

            # mac + ip + tcp need at least 54 bytes
            if iplensave > 54:
                # TCP header length: upper 4 bits of the 13th TCP byte, in 32-bit words
                tcplen = (data[46] >> 4) * 4
                if iplensave - tcplen - iplen - maclen > 0:
                    tlstype = maclen + iplen + tcplen     # first byte after the TCP header
                    tlsversion = tlstype + 1              # first byte of the version field
                    # bounds check so a one-byte payload cannot raise IndexError
                    if (tlsversion < iplensave
                            and data[tlstype] in (20, 22, 23)
                            and data[tlsversion] == 3):
                        processpacket(data)
                        cnt = cnt + 1

        print('The number of ssl/tls packets: ' + str(cnt))
        print('----------------------------------------------------------------------------------')
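The check above hard-codes a 20-byte IP header and reads the TCP length from byte 46, which is wrong as soon as IP options or a VLAN tag are present. The following is an added example (not the page's code; all names are my own): tls_record_offset derives the IP and TCP header lengths from the IHL and data-offset fields, also accepts content type 21 (alert) and bounds the minor version, while fixed_offset_is_tls reproduces the page's heuristic and build_frame constructs synthetic frames so the two can be compared offline.

```python
import struct

ETH_LEN = 14                        # untagged Ethernet II header
TLS_TYPES = {20, 21, 22, 23}        # change_cipher_spec, alert, handshake, application_data

def tls_record_offset(frame):
    """Offset of a TLS record header in an Ethernet/IPv4/TCP frame, or None.
    IP and TCP header lengths come from the IHL and data-offset fields."""
    if len(frame) < ETH_LEN + 40 or frame[12:14] != b"\x08\x00":   # IPv4 only
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if ihl < 20 or frame[ETH_LEN + 9] != 6:                        # protocol 6 = TCP
        return None
    tcp = ETH_LEN + ihl
    if len(frame) < tcp + 20:
        return None
    rec = tcp + (frame[tcp + 12] >> 4) * 4                         # data offset in 32-bit words
    if rec - tcp < 20 or len(frame) < rec + 5:                     # need the 5-byte record header
        return None
    ctype, vmaj, vmin = frame[rec], frame[rec + 1], frame[rec + 2]
    # record-layer version 0x0300 (SSL 3.0) .. 0x0304
    return rec if ctype in TLS_TYPES and vmaj == 3 and vmin <= 4 else None

def fixed_offset_is_tls(frame):
    """The page's heuristic: MAC 14 B, IP assumed 20 B, TCP length read from byte 46."""
    if len(frame) <= 54:
        return False
    rec = 14 + 20 + (frame[46] >> 4) * 4
    if len(frame) - rec <= 0 or rec + 1 >= len(frame):
        return False
    return frame[rec] in (20, 22, 23) and frame[rec + 1] == 3

def build_frame(ip_options=b"", tcp_options=b"", payload=b""):
    """Constructed test frame (not real traffic); option blobs are multiples of 4 bytes."""
    ihl, doff = 5 + len(ip_options) // 4, 5 + len(tcp_options) // 4
    total = ihl * 4 + doff * 4 + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_options
    tcp = struct.pack("!HHIIBBHHH", 443, 52000, 0, 0, doff << 4, 0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload

# constructed TLS 1.2 handshake record: type 22, version 0x0303, length 0x41, dummy body
TLS_HS = b"\x16\x03\x03\x00\x41" + b"\x01" * 0x41

if __name__ == "__main__":
    for name, frame in [("plain", build_frame(payload=TLS_HS)),
                        ("ip options", build_frame(ip_options=b"\x01" * 4, payload=TLS_HS))]:
        print(name, tls_record_offset(frame), fixed_offset_is_tls(frame))
```

On the frame with four NOP IP options the fixed-offset version reads an option byte as the TCP data offset and misses the record, while the field-driven version finds it at offset 58.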

processpacket

  • Define a dictionary flow whose key is the pcap file name; because the input is all the pcap files under one domain folder, using the file name as the key gives no duplicates. The value is the packets in that pcap that pass the filter (TLS), at most three
# key: pcap file name (unique within one domain folder),
# value: list of up to three TLS packets from that pcap, each a list of byte values
flow = {}

def processpacket(pkt):
    # Python 3: indexing bytes yields ints, so list() gives the byte values directly
    pkt = list(pkt)
    proto = pkt[23]          # IPv4 protocol field (6 = TCP)

    # addresses and ports are decoded for reference; they are not used in the output
    srcip = "{0}.{1}.{2}.{3}".format(pkt[26], pkt[27], pkt[28], pkt[29])
    dstip = "{0}.{1}.{2}.{3}".format(pkt[30], pkt[31], pkt[32], pkt[33])

    sport = pkt[34] * 256 + pkt[35]
    dport = pkt[36] * 256 + pkt[37]

    pkt = preprocess(pkt, proto)

    # the key is the pcap file name: `file` is the loop variable set in __main__,
    # read here as a module-level global
    key = file
    if key in flow:
        value = flow[key]
        if len(value) < 3:   # keep at most three TLS packets per pcap
            value.append(pkt)
            flow[key] = value
    else:
        flow[key] = [pkt]

preprocess

  • Take 1000 bytes: drop the MAC and IP layer information and cut starting from the TCP header
def preprocess(packet, proto):
    # remove mac and ip layer, start from tcp layer
    packet = packet[34:]
    # zero-pad or truncate to exactly 1000 byte values
    if len(packet) < 1000:
        packet.extend([0] * (1000 - len(packet)))
    else:
        packet = packet[:1000]
    return packet

Result:

  • The sections separated by dashed lines are the pcap files the program processed; only pcaps whose SSL/TLS packet count is exactly 3 are written to the txt, those with fewer than 3 are skipped
  • Listed below the dashes are the pcap files written into the txt, in the order they were written
new3@new3:~/https/lx$ python parsepcap.py 
0.txt
The pcap file is: 159.226.121.15_54806_101.226.76.164_443_1556368053.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.158_44082_101.227.160.102_443_1556357309.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_5794_101.227.160.102_443_1556370252.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.244_60644_101.227.160.102_443_1556357290.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.253_12310_223.166.152.108_443_1556368139.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.81_7116_101.226.76.164_443_1556368107.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.20.7_35292_101.226.76.164_443_1556368849.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.215_1098_101.227.160.102_443_1556357592.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.25.81_7116_101.226.76.164_443_1556368107.pcap
159.226.171.251_5794_101.227.160.102_443_1556370252.pcap
159.226.117.215_1098_101.227.160.102_443_1556357592.pcap
159.226.35.244_60644_101.227.160.102_443_1556357290.pcap
159.226.20.7_35292_101.226.76.164_443_1556368849.pcap
The above pcap file is written in the txt file.


1.txt
The pcap file is: 159.226.171.251_34568_101.226.76.164_443_1556369112.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.121.15_49579_101.226.76.164_443_1556357432.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_34358_101.227.160.102_443_1556368031.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.113.225_14779_101.226.76.164_443_1556369020.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.121_53831_101.226.76.164_443_1556357383.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_14133_101.227.160.102_443_1556368271.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.182.51_49968_117.135.169.34_443_1556368833.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.91_36511_101.226.76.164_443_1556368921.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.25.91_36511_101.226.76.164_443_1556368921.pcap
159.226.171.251_14133_101.227.160.102_443_1556368271.pcap
159.226.182.51_49968_117.135.169.34_443_1556368833.pcap
159.226.171.251_34568_101.226.76.164_443_1556369112.pcap
159.226.171.251_34358_101.227.160.102_443_1556368031.pcap
The above pcap file is written in the txt file.


2.txt
The pcap file is: 159.226.95.33_12289_101.226.76.164_443_1556370074.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.43.54_48313_101.226.76.164_443_1556357346.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.132_54887_101.227.160.102_443_1556357319.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.121_58915_101.226.76.164_443_1556368004.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.91_32511_101.227.160.102_443_1556367961.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.172_5276_101.227.160.102_443_1556370303.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.113.225_33547_101.226.76.164_443_1556370161.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.121_58948_101.226.76.164_443_1556368244.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.25.91_32511_101.227.160.102_443_1556367961.pcap
159.226.95.33_12289_101.226.76.164_443_1556370074.pcap
159.226.43.54_48313_101.226.76.164_443_1556357346.pcap
159.226.35.172_5276_101.227.160.102_443_1556370303.pcap
159.226.118.121_58948_101.226.76.164_443_1556368244.pcap
159.226.113.225_33547_101.226.76.164_443_1556370161.pcap
The above pcap file is written in the txt file.


3.txt
The pcap file is: 159.226.117.158_7200_101.227.160.102_443_1556369012.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.199.87_60649_101.227.160.102_443_1556368176.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.110.25_65292_101.226.76.164_443_1556368947.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.171.251_1215_101.227.160.102_443_1556357407.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.113.225_55106_101.226.76.164_443_1556357379.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.81_7611_101.226.76.164_443_1556368229.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.158_23010_101.226.76.164_443_1556370332.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
The pcap file is: 159.226.118.138_51823_101.226.76.164_443_1556370162.pcap
The number of ssl/tls packets: 2
----------------------------------------------------------------------------------
159.226.171.251_1215_101.227.160.102_443_1556357407.pcap
159.226.199.87_60649_101.227.160.102_443_1556368176.pcap
159.226.25.81_7611_101.226.76.164_443_1556368229.pcap
The above pcap file is written in the txt file.


4.txt
The pcap file is: 159.226.35.244_53259_101.226.76.164_443_1556368032.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.21.20_53148_101.227.160.102_443_1556357379.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.244_53897_101.227.160.102_443_1556368813.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.117.158_12623_101.227.160.102_443_1556368952.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.244_55147_101.226.76.164_443_1556370313.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.231.165_52310_101.226.76.164_443_1556367992.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.25.81_6935_101.226.76.164_443_1556368047.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
The pcap file is: 159.226.35.177_55157_101.226.76.164_443_1556357535.pcap
The number of ssl/tls packets: 3
----------------------------------------------------------------------------------
159.226.35.177_55157_101.226.76.164_443_1556357535.pcap
159.226.35.244_55147_101.226.76.164_443_1556370313.pcap
159.226.35.244_53259_101.226.76.164_443_1556368032.pcap
159.226.21.20_53148_101.227.160.102_443_1556357379.pcap
159.226.25.81_6935_101.226.76.164_443_1556368047.pcap
159.226.231.165_52310_101.226.76.164_443_1556367992.pcap
159.226.35.244_53897_101.227.160.102_443_1556368813.pcap
159.226.117.158_12623_101.227.160.102_443_1556368952.pcap
The above pcap file is written in the txt file.


new3@new3:~/https/lx$ 
