scapy解析SSL/TLS加密包

参考链接
安装库

sudo pip install scapy-ssl_tls

提取ssl/tls中的server_name字段

#from scapy.all import *
from scapy_ssl_tls.ssl_tls import *

# Load the capture and pick frame index 2 -- in the author's capture this is
# the ClientHello carrying the SNI extension.
pcaps = rdpcap("159.226.20.6_7609_113.207.81.81_443.pcap")
packet = pcaps[2]
#print packet[TLSExtension].show()
# First ServerName entry of the extension: show the entry itself, its type,
# and what str() makes of it.
sni_entry = packet[TLSExtension].server_names[0]
print(sni_entry)
print(type(sni_entry))
print(str(sni_entry))

print(type(str(sni_entry)))

结果

new3@new3:~/https/lx$ python pcap.py 
kyfw.12306.cn

kyfw.12306.cn

判断一个packet是不是client hello包

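from scapy_ssl_tls.ssl_tls import *

# Load the capture and pick frame index 2 (the ClientHello in the author's capture).
pcaps = rdpcap("159.226.20.6_7609_113.207.81.81_443.pcap")
packet = pcaps[2]

# haslayer() reports 1/0 here, as the output below shows.
print('IP layer: %s' % packet.haslayer('IP'))
print('UDP layer: %s' % packet.haslayer('UDP'))
print('TCP layer: %s' % packet.haslayer('TCP'))
print('TLS layer: %s' % packet.haslayer('TLS'))
print('Client Hello layer: %s' % packet.haslayer('TLSClientHello'))
print('TLS Extension: %s' % packet.haslayer('TLSExtension'))

# Guard on the SNI extension itself, not only on ClientHello: a ClientHello may
# carry no SNI, and packet[TLSExtension] would pick whichever extension comes
# first, which need not have a server_names field at all.
if packet.haslayer('TLSClientHello') and packet.haslayer('TLSExtServerNameIndication'):
    server_names = packet[TLSExtServerNameIndication].server_names
    # An SNI extension with an empty name list would otherwise raise IndexError.
    if server_names:
        sni_entry = server_names[0]
        print(sni_entry)
        print(type(sni_entry))
        print(str(sni_entry))
        print(type(str(sni_entry)))
    # print packet[TLSClientHello].show()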
IP layer: 1
UDP layer: 0
TCP layer: 1
TLS layer: 0
Client Hello layer: 1
TLS Extension: 1
kyfw.12306.cn

kyfw.12306.cn

pcap2.py:
packet[TLSExtServerNameIndication]可以提取包的server_name字段，其类型并非普通的str。将其转化成str类型后，使用os.rename()函数重命名时会报错，原因是末尾多了一个\0；将其去掉再使用os.rename()，发现重命名后的文件名前面都多了几个乱码(?)，查看编码类型是ascii，尝试转码也不对。print server_name[0]打印为空，一直到[3]才出现我们想要的server_name的第一个字符，其他的tls client hello包也是这样，所以就从第三位开始提取，就没问题了。（这前面的三个字节其实是ServerName条目自身的name_type字段和两字节的length字段：str()把整个条目序列化了，并不是编码问题。另外server_name来自抓包数据，属于对方可控的输入，拿来当目录名或文件名之前应先校验其只包含合法的主机名字符。）

import errno
import os
import re
import shutil
import time

import chardet
from scapy_ssl_tls.ssl_tls import *

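def mkdir(path):
    """Create directory *path* (and any missing parents) if it does not exist.

    The original checked os.path.exists() and then called os.makedirs(): that
    races with anything else creating the directory, and it silently accepts
    an existing *file* of that name. Here the creation is simply attempted and
    EEXIST is tolerated only when the path really is a directory.

    Raises:
        OSError: if creation fails for any reason other than the directory
            already existing.
    """
    try:
        os.makedirs(path)
    except OSError as err:
        # A regular file with the same name would otherwise make later work
        # inside the "directory" fail in a much less obvious place.
        if err.errno != errno.EEXIST or not os.path.isdir(path):
            raise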

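# Capture to analyse, and the base directory under which one folder per SNI
# host name is created.
pcaps = rdpcap("159.226.1.186_29646_221.122.179.15_443.pcap")
packet = pcaps[2]

path = '/home/new3/https/https'
print('TLS layer: %s' % packet.haslayer('TLS'))
print('Client Hello layer: %s' % packet.haslayer('TLSClientHello'))

# Only the characters a DNS host name may contain. The SNI value comes straight
# off the wire (or out of a capture somebody handed us), so a '/', '\\', a
# leading '.', or a NUL byte must never reach os.path.join() as a path piece.
_HOSTNAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$')

server_name = None
if packet.haslayer('TLSClientHello') and packet.haslayer('TLSExtServerNameIndication'):
    server_names = packet[TLSExtServerNameIndication].server_names
    if server_names:
        raw = str(server_names[0])
        # str() of the ServerName entry includes a 3-byte prefix before the
        # host name (most likely the entry's name_type byte and 2-byte length
        # field) and a trailing NUL, as the author observed; drop both.
        server_name = raw[3:].strip('\0')

# Previously an absent SNI left server_name undefined and the join below
# raised NameError; fail with a clear message instead.
if server_name is None:
    raise SystemExit('no SNI host name found in packet 2')
if not _HOSTNAME_RE.match(server_name):
    raise SystemExit('refusing to use SNI value %r as a directory name' % server_name)

#os.rename('159.226.1.186_29646_221.122.179.15_443.pcap',server_name)
out_dir = os.path.join(path, server_name)
# Belt and braces: even after the allow-list, the resolved target must stay
# inside the base directory.
if not os.path.realpath(out_dir).startswith(os.path.realpath(path) + os.sep):
    raise SystemExit('SNI-derived path escapes base directory: %r' % out_dir)
print(out_dir)
mkdir(out_dir)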

