PCAP modification with Python

后端 未结 2 1120
北荒
北荒 2021-01-23 23:23

I need to read a PCAP file, modify some fields (actually IPv4 source and destination and Ethernet source and destination). The PCAP is pre-filtered to only include IPv4 over Eth

2条回答
  •  栀梦
    栀梦 (楼主)
    2021-01-24 00:12

    Scapy seems to have "a severe memory problem", as you state, probably because you read the whole PCAP file in memory with rdpcap() and then modify it (still in memory), and then write it back to another file, all at once, from your memory, with wrpcap().

    But the most "Pythonic" and "Scapyist" way to do such a thing would be to use generators (PcapReader and PcapWriter). Here is an example:

    from scapy.all import *
    
    ETHER_ADDR_TRANSLATION = {
        "orig_mac_1": "new_mac_1",
        # [...]
    }
    
    IP_ADDR_TRANSLATION = {
        "orig_ip_1": "new_ip_1",
        # [...]
    }
    
    def addr_translation_pcap(source, destination):
        out = PcapWriter(destination)
        for pkt in PcapReader(source):
            # In case we have complex encapsulations, like IP-in-IP, etc.,
            # we have to do something like this. If we know for sure that's
            # not the case, there's no need for such a (time-consuming) code.
            layer = pkt
            while not isinstance(layer, NoPayload):
                if isinstance(layer, Ether):
                    for field in ['src', 'dst']:
                        fval = getattr(layer, field)
                        if fval in ETHER_ADDR_TRANSLATION:
                            setattr(layer, field, ETHER_ADDR_TRANSLATION[fval])
                # Let's not forget IP-in-ICMP-error
                elif isinstance(layer, (IP, IPerror)):
                    for field in ['src', 'dst']:
                        fval = getattr(layer, field)
                        if fval in IP_ADDR_TRANSLATION:
                            setattr(layer, field, IP_ADDR_TRANSLATION[fval])
                elif isinstance(layer, ARP):
                    fields = {}
                    if layer.hwtype == 1:
                        fields.update({'hwsrc': ETHER_ADDR_TRANSLATION,
                                       'hwdst': ETHER_ADDR_TRANSLATION})
                    if layer.ptype == 2048:
                        fields.update({'psrc': IP_ADDR_TRANSLATION,
                                       'pdst': IP_ADDR_TRANSLATION})
                    for field, translator in fields.iteritems():
                        fval = getattr(layer, field)
                        if fval in translator:
                            setattr(layer, field, translator[fval])
                layer = layer.payload
            out.write(pkt)
        out.close()
    

提交回复
热议问题