- \n
- HTTP – Hypertext Transfer Protocol Overview<\/a><\/li>\n
- Internet protocol suite – Wikipedia, the free encyclopedia<\/a><\/li>\n
- The TCP\/IP Guide – TCP\/IP Protocols<\/a><\/li>\n
- IP Packet Structure<\/a><\/li>\n
- TCP Header Format<\/a><\/li>\n
- TCP\/IP\u534f\u8bae\u5934\u90e8\u7ed3\u6784\u4f53\uff08\u7f51\u6458\u5c0f\u7ed3\uff09<\/a><\/li>\n
- IP\u5934\uff0cTCP\u5934\uff0cUDP\u5934\uff0cMAC\u5e27\u5934\u5b9a\u4e49<\/a><\/li>\n
- Packet splitting and reassembly<\/a><\/li>\n<\/ul>\n
IP\u5305\u7684\u9996\u90e8\u7ed3\u6784\uff08\u8fd9\u91cc\u6682\u65f6\u53ea\u8ba8\u8bba\u5e38\u7528\u3001\u7b80\u5355\u7684IPv4\uff0cIPv6\u6682\u65f6\u4e0d\u6d89\u53ca\uff09\uff1a<\/p>\n
![\"ipv4_header\"](\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/12\/ipv4_header.png\")
<\/a><\/p>\nTCP\u5305\u7684\u9996\u90e8\u7ed3\u6784\uff1a<\/p>\n
![\"tcp_header_struct\"](\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/12\/tcp_header_struct.png\")
<\/a><\/p>\nStep.3 \u7528Python\u8fdb\u884c\u7b80\u5355\u7684\u7f51\u7edc\u7f16\u7a0b<\/h5>\n
\u8fd9\u91cc\u4e3b\u8981\u53c2\u8003\u4ece\u7f51\u4e0a\u627e\u51fa\u7684\u4e00\u4e9b\u4f8b\u5b50\uff1a<\/p>\n
- \n
- Google\u3001AOL\u3001Bing\u3001Baidu\u641c\u7d22<\/li>\n
- Stackoverflow\u4e0a\u7684\u95ee\u9898<\/li>\n
- GitHub\u4e0a\u7684\u4e00\u4e9b\u4ee3\u7801<\/li>\n<\/ul>\n
\u4ee3\u7801\u4e00\uff1a\u7528pcap\u8fdb\u884c\u6293\u5305\u3001\u7528dpkt\u8fdb\u884c\u89e3\u5305<\/h6>\n
#!\/usr\/bin\/env python\r\n# -*- coding: utf-8 -*-\r\nimport socket\r\nimport dpkt\r\nimport pcap\r\n\r\npc = pcap.pcap() #\u8bbe\u7f6e\u76d1\u542c\u7f51\u5361\uff0c\u5982\uff1aeth0\r\npc.setfilter('tcp') #\u8bbe\u7f6e\u76d1\u542c\u8fc7\u6ee4\u5668\r\n\r\ntry:\r\n for ptime, pdata in pc: #ptime\u4e3a\u6536\u5230\u65f6\u95f4\uff0cpdata\u4e3a\u6536\u5230\u6570\u636e\r\n eth = dpkt.ethernet.Ethernet(pdata)\r\n if eth.type != 2048 and eth.data.p != 6: #\u53ea\u5904\u7406\u4ee5\u592a\u7f51IP\u534f\u8bae & TCP\u534f\u8bae\uff0c\u548c\u4e0b\u9762\u7684\u8868\u8fbe\u7b49\u4ef7\r\n #if eth.type != dpkt.ethernet.ETH_TYPE_IP and ip.p != dpkt.ip.IP_PROTO_TCP:\r\n continue #\r\n ip = eth.data\r\n tcp = ip.data\r\n src_ip = socket.inet_ntoa(ip.src)\r\n src_port = tcp.sport\r\n dst_ip = socket.inet_ntoa(ip.dst)\r\n dst_port = tcp.dport\r\n\r\n if tcp.dport == 80 and len(tcp.data) > 0:\r\n http = dpkt.http.Request(tcp.data)\r\n print http.method, http.uri, len(http.body)\r\n if tcp.sport == 80 and len(tcp.data) > 0:\r\n http_r = dpkt.http.Response(tcp.data)\r\n print http_r.status, len(http_r.body)\r\n\r\nexcept Exception as e:\r\n print \"Error\", e<\/pre>\n\u4ee3\u7801\u4e8c\uff1a\u7528socket\u8fdb\u884c\u5904\u7406<\/h6>\n
#!\/usr\/bin\/env python\r\n# coding=utf-8\r\n# Packet sniffer in python for Linux\r\n# Sniffs only incoming TCP packet\r\n\r\nimport socket, sys\r\nfrom struct import *\r\n\r\n#create an INET, STREAMing socket\r\ntry:\r\n s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)\r\nexcept socket.error, msg:\r\n print 'Socket could not be created. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]\r\n sys.exit()\r\n\r\n# receive a packet\r\nwhile True:\r\n packet = s.recvfrom(65565)\r\n\r\n #packet string from tuple\r\n packet = packet[0]\r\n\r\n #take first 20 characters for the ip header\r\n ip_header = packet[0:20]\r\n\r\n #now unpack them :)\r\n iph = unpack('!BBHHHBBH4s4s', ip_header)\r\n\r\n version_ihl = iph[0]\r\n version = version_ihl >> 4\r\n ihl = version_ihl & 0xF\r\n\r\n iph_length = ihl * 4\r\n\r\n ttl = iph[5]\r\n protocol = iph[6]\r\n s_addr = socket.inet_ntoa(iph[8]);\r\n d_addr = socket.inet_ntoa(iph[9]);\r\n\r\n print 'Version : ' + str(version) + ' IP Header Length : ' + str(ihl) + ' TTL : ' + str(ttl) + ' Protocol : ' + str(protocol) + ' Source Address : ' + str(s_addr) + ' Destination Address : ' + str(d_addr)\r\n\r\n tcp_header = packet[iph_length:iph_length+20]\r\n\r\n #now unpack them :)\r\n tcph = unpack('!HHLLBBHHH', tcp_header)\r\n\r\n source_port = tcph[0]\r\n dest_port = tcph[1]\r\n sequence = tcph[2]\r\n acknowledgement = tcph[3]\r\n doff_reserved = tcph[4]\r\n tcph_length = doff_reserved >> 4\r\n\r\n print 'Source Port : ' + str(source_port) + ' Dest Port : ' + str(dest_port) + ' Sequence Number : ' + str(sequence) + ' Acknowledgement : ' + str(acknowledgement) + ' TCP header length : ' + str(tcph_length)\r\n\r\n h_size = iph_length + tcph_length * 4\r\n data_size = len(packet) - h_size\r\n\r\n #get data from the packet\r\n data = packet[h_size:]\r\n print type(data), len(data), data<\/pre>\n\u4ee3\u7801\u4e09\uff1a\u7528http_parser\u8fdb\u884c\u5904\u7406<\/h6>\n
#!\/usr\/bin\/env python\r\nimport socket\r\n\r\n# try to import C parser then fallback in pure python parser.\r\ntry:\r\n from http_parser.parser import HttpParser\r\nexcept ImportError:\r\n from http_parser.pyparser import HttpParser\r\n\r\ndef main():\r\n p = HttpParser()\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n body = []\r\n try:\r\n s.connect(('ixyzero.com', 80))\r\n s.send(\"GET \/ HTTP\/1.1rnHost: ixyzero.comrnrn\")\r\n\r\n while True:\r\n data = s.recv(1024)\r\n if not data:\r\n break\r\n\r\n recved = len(data)\r\n nparsed = p.execute(data, recved)\r\n assert nparsed == recved\r\n\r\n if p.is_headers_complete():\r\n print p.get_headers()\r\n\r\n if p.is_partial_body():\r\n body.append(p.recv_body())\r\n\r\n if p.is_message_complete():\r\n break\r\n\r\n print \"\".join(body)\r\n finally:\r\n s.close()\r\n\r\nif __name__ == \"__main__\":\r\n main()<\/pre>\n\u4ee3\u7801\u56db\uff1a\u7528Scapy\u8fdb\u884c\u5904\u7406<\/h6>\n
#!\/usr\/bin\/env python\r\n'''\r\nhttp:\/\/www.secdev.org\/projects\/scapy\/\r\nhttps:\/\/github.com\/invernizzi\/scapy-http\r\n'''\r\nfrom scapy.all import *\r\nfrom scapy.error import Scapy_Exception\r\nimport scapy_http.http\r\nm_iface=\"eth0\"\r\ncount=0\r\ndef pktTCP(pkt):\r\n global count\r\n count=count+1\r\n if scapy_http.http.HTTPConnection or scapy_http.http.HTTPResponse in pkt:\r\n src=pkt[IP].src\r\n srcport=pkt[IP].sport\r\n dst=pkt[IP].dst\r\n dstport=pkt[IP].dport\r\n test=pkt[TCP].payload\r\n if scapy_http.http.HTTPConnection in pkt:\r\n print \"HTTP Request:\"\r\n print test\r\n print \"============================================================\"\r\n if scapy_http.http.HTTPResponse in pkt:\r\n print \"HTTP Response:\"\r\n print test\r\n print \"============================================================\"\r\n\r\nsniff(filter=\"tcp and ( port 80 or port 8080 )\", iface=m_iface, prn=pktTCP)<\/pre>\n
\u4e0a\u9762\u4ee3\u7801\u7684\u6700\u5927\u95ee\u9898\u5c31\u5728\u4e8e\uff0c\u672c\u8eab\u5e76\u6ca1\u6709\u591a\u5c11\u5904\u7406\u201cTCP segments \u91cd\u7ec4\u201d\u7684\u903b\u8f91\uff0c\u6216\u8005\u662f\u4f9d\u8d56\u7684\u5e93\u5b9e\u73b0\u4e86\uff0c\u6216\u8005\u662f\u6839\u672c\u5c31\u6ca1\u5b9e\u73b0\uff0c\u4f46\u662f\uff0c\u5bf9\u4e8e\u4e00\u4e2a\u9700\u8981HTTP\u54cd\u5e94\u4f53\u7684\u9700\u6c42\u6765\u8bf4\uff0c\u4e0a\u9762\u7684\u4ee3\u7801\u529f\u80fd\u5168\u90fd\u65e0\u6cd5\u6ee1\u8db3\uff0c\u4f46\u662f\uff0c\u81ea\u5df1\u8981\u5728\u77ed\u65f6\u95f4\u5185\u5b9e\u73b0\u4e00\u4e2a\u7a33\u5b9a\u7684TCP\u5305\u91cd\u7ec4\u529f\u80fd\uff0c\u660e\u663e\u4e5f\u4e0d\u73b0\u5b9e\uff0c\u6240\u4ee5\uff0c\u8fd9\u65f6\u5019\u6211\u9700\u8981\u5bfb\u6c42\u65b0\u7684\u89e3\u51b3\u529e\u6cd5\u3002<\/p>\n
Step.4 \u76f8\u5173\u7684\u5de5\u5177\/\u5e93<\/h5>\n
- \n
- https:\/\/jon.oberheide.org\/pynids\/<\/a><\/li>\n
- http:\/\/libnids.sourceforge.net\/<\/a><\/li>\n
- http:\/\/tcpreplay.synfin.net\/<\/a><\/li>\n
- http:\/\/justniffer.sourceforge.net\/<\/a><\/li>\n
- https:\/\/github.com\/simsong\/tcpflow<\/a><\/li>\n
- https:\/\/github.com\/jwiegley\/scapy<\/a><\/li>\n
- https:\/\/github.com\/invernizzi\/scapy-http<\/a><\/li>\n
- https:\/\/github.com\/jbittel\/httpry<\/a><\/li>\n
- https:\/\/github.com\/benoitc\/http-parser<\/a><\/li>\n
- https:\/\/github.com\/xiaxiaocao\/pycapture<\/a><\/li>\n
- http:\/\/code.google.com\/p\/pypcap\/<\/a><\/li>\n
- http:\/\/code.google.com\/p\/dpkt\/<\/a><\/li>\n
- sniffing network traffic in python<\/a><\/li>\n
- tcpflow
\nflowgrep
\nngrep
\ntcpkill
\ndsniff
\ndriftnet<\/li>\n- \u2026\u2026<\/li>\n<\/ul>\n
Step.5 \u540e\u9762\u7684\u8def<\/h5>\n
\u6682\u5b9a\u7684\u5de5\u5177\u662ftcpflow<\/a>\uff0c\u90e8\u5206\u6ee1\u8db3\u8981\u6c42\uff0c\u7ec6\u5316\u7684\u529f\u80fd\u9700\u8981\u81ea\u5df1\u5728\u6e90\u7801\u7684\u57fa\u7840\u4e0a\u8fdb\u884c\u4fee\u6539\uff0c\u4f46\u603b\u5f52\u6709\u4e86\u4e2a\u6a21\u7248\u548c\u76ee\u6807\uff0c\u5426\u5219\u4ece\u5934\u505a\u8d77\u7684\u8bdd\uff0c\u6050\u6015\u662f\u7740\u4e0d\u4f4f\u54e6\uff01<\/p>\n
<\/p>\n
\u9644\u5f55A. \u53c2\u8003\u94fe\u63a5<\/h5>\n
Stackoverflow\u4e0a\u7684\u7c7b\u4f3c\u95ee\u9898\uff1a<\/h6>\n
http:\/\/stackoverflow.com\/questions\/15906308\/how-to-sniff-http-packets-in-python\r\nhttp:\/\/stackoverflow.com\/questions\/5216332\/how-to-reassemble-tcp-packets-in-python\r\nhttp:\/\/stackoverflow.com\/questions\/4481914\/reassembling-tcp-segments\r\nhttp:\/\/stackoverflow.com\/questions\/13017797\/how-to-add-http-headers-to-a-packet-sniffed-using-scapy\r\nhttp:\/\/stackoverflow.com\/questions\/16279661\/scapy-fails-to-sniff-packets-when-using-multiple-threads\r\nhttp:\/\/stackoverflow.com\/questions\/7155050\/capture-tcp-packets-with-python\r\nhttp:\/\/stackoverflow.com\/questions\/25606358\/how-to-and-reassemble-a-segmented-http-packet\r\nhttp:\/\/stackoverflow.com\/questions\/4750793\/python-scapy-or-the-like-how-can-i-create-an-http-get-request-at-the-packet-leve\r\nhttp:\/\/stackoverflow.com\/questions\/15906308\/how-to-sniff-http-packets-in-python\r\nhttp:\/\/stackoverflow.com\/questions\/4948043\/pcap-python-library\r\nhttp:\/\/stackoverflow.com\/questions\/17616773\/how-to-dump-http-traffic\r\nhttp:\/\/stackoverflow.com\/questions\/2259458\/how-to-reassemble-tcp-segment\r\nhttp:\/\/stackoverflow.com\/questions\/692880\/tcp-how-are-the-seq-ack-numbers-generated\r\nhttp:\/\/stackoverflow.com\/questions\/600087\/can-libpcap-reassemble-tcp-segments\r\nhttp:\/\/stackoverflow.com\/questions\/12836944\/how-wireshark-marks-some-packets-as-tcp-segment-of-a-reassembled-pdu\r\nhttp:\/\/stackoverflow.com\/questions\/5705058\/watching-http-in-wireshark-whats-the-relation-between-reassembled-tcp-vs-hyper\r\nhttp:\/\/stackoverflow.com\/questions\/2372365\/is-there-a-way-to-save-a-reassembled-tcp-in-wireshark\r\nhttp:\/\/stackoverflow.com\/questions\/2650261\/determining-http-packets\r\nhttp:\/\/stackoverflow.com\/questions\/9798120\/how-to-reassemble-tcp-and-decode-http-info-in-c-code\r\nhttp:\/\/stackoverflow.com\/questions\/7411734\/some-question-of-reassembling-tcp-stream\r\nhttp:\/\/stackoverflow.com\/questions\/2916612\/reconstructing-data-from-pcap-sniff\r\nhttp:\/\/stackoverflow.com\/questions\/2346446\/how-to-know-which-is-the-last-tcp-segment-received-by-the-server-when-data-is-tr\r\nhttp:\/\/stackoverflow.com\/questions\/756765\/when-will-a-tcp-network-packet-be-fragmented-at-the-application-layer\r\nhttp:\/\/stackoverflow.com\/questions\/5658833\/good-library-for-tcp-reassembly\r\nhttp:\/\/stackoverflow.com\/questions\/6151417\/complete-reconstruction-of-tcp-session-html-pages-from-wireshark-pcaps-any-to\r\nhttp:\/\/stackoverflow.com\/questions\/8862196\/network-sniffing-with-python<\/pre>\n
\u51e0\u4e2a\u6bd4\u8f83\u6709\u4ee3\u8868\u6027\u7684\u8bf4\u660e\uff1a<\/h6>\n
- \n
- jon.oberheide.org – blog – dpkt tutorial #2: parsing a pcap file<\/a><\/li>\n
- pypcap – Python\u7f51\u7edc\u6293\u5305\u5e93<\/a><\/li>\n
- Code a network packet sniffer in python for Linux<\/a><\/li>\n
- Follow HTTP Stream (with decompression) | bramp.net<\/a><\/li>\n
- Simple Sniffer HTTP Request and HTTP Response with Python Scapy<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
\u6700\u8fd1\u5de5\u4f5c\u4e0a\u9047\u5230\u4e86\u548cTCP\/IP\u534f\u8bae\u7d27\u5bc6\u76f8\u5173\u7684\u4efb\u52a1\uff0c\u6240\u4ee5\uff0c\u5f97\u518d\u53bb\u597d\u597d\u5b66\u4e60\u5b66\u4e60TCP\/IP\u534f\u8bae\uff0c\u61c2\u4e86\u539f\u7406\u4e4b\u540e\u624d\u597d\u5bf9 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[407,408,409,410,411],"class_list":["post-1648","post","type-post","status-publish","format-standard","hentry","category-other","tag-dpkt","tag-pcap","tag-pypcap","tag-scapy","tag-tcpflow"],"views":7592,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/1648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=1648"}],"version-history":[{"count":2,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/1648\/revisions"}],"predecessor-version":[{"id":3248,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/1648\/revisions\/3248"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=1648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=1648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=1648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- pypcap – Python\u7f51\u7edc\u6293\u5305\u5e93<\/a><\/li>\n
- http:\/\/libnids.sourceforge.net\/<\/a><\/li>\n
- https:\/\/jon.oberheide.org\/pynids\/<\/a><\/li>\n
- Internet protocol suite – Wikipedia, the free encyclopedia<\/a><\/li>\n