How to generate a Pcap traffic from Text file with the help of Scapy

徘徊边缘 提交于 2020-03-23 09:53:11

问题


I have multiple text file which I have previously captured via TCPDump, but I didn't set the config correctly and as a result I don't have a complete dump to convert it to pcap file with the help of text2pcap. Therefore, I have tried to write a python script to convert my text files to pcaps.

Following is what my captured file looks like:

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
1509471560.944080 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 23237, offset 0, flags [DF], proto TCP (6), length 60)
    IP1.port > IP2.port: Flags [S], cksum 0x6d2f (incorrect -> 0x0b4a), seq 1127096708, win 65535, options [mss 1460,sackOK,TS val 817985 ecr 0,nop,wscale 6], length 0
1509471561.042855 MAC2 > MAC1, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 64, id 3107, offset 0, flags [none], proto TCP (6), length 44)
    IP2.port > IP1.port: Flags [S.], cksum 0x85d8 (correct), seq 449984001, ack 1127096709, win 65535, options [mss 1460], length 0
1509471561.044008 MAC1 > MAC2, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 23238, offset 0, flags [DF], proto TCP (6), length 40)
    IP1.port > IP2.port: Flags [.], cksum 0x6d1b (incorrect -> 0x9d95), seq 1, ack 1, win 65535, length 0
1509471914.089046 MAC1 > MAC2, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 54304, offset 0, flags [DF], proto UDP (17), length 68)
    IP1.port > IP3.port: [bad udp cksum 0xfe91 -> 0xd1d7!] 10474+ A? 2.android.pool.ntp.org. (40)
1509471914.090059 MAC2 > MAC1, ethertype IPv4 (0x0800), length 520: (tos 0x0, ttl 64, id 3241, offset 0, flags [none], proto UDP (17), length 506)
    IP3.port > IP1.port: [udp sum ok] 10474 q: A? 2.android.pool.ntp.org. 4/9/11 2.android.pool.ntp.org. A 91.220.110.116, 2.android.pool.ntp.org. A 195.46.37.22, 2.android.pool.ntp.org. A 209.208.79.69, 2.android.pool.ntp.org. A 198.206.133.14 ns: pool.ntp.org. NS c.ntpns.org., pool.ntp.org. NS a.ntpns.org., pool.ntp.org. NS i.ntpns.org., pool.ntp.org. NS g.ntpns.org., pool.ntp.org. NS b.ntpns.org., pool.ntp.org. NS e.ntpns.org., pool.ntp.org. NS f.ntpns.org., pool.ntp.org. NS h.ntpns.org., pool.ntp.org. NS d.ntpns.org. ar: a.ntpns.org. A 207.171.17.42, a.ntpns.org. AAAA 2620:101:d007::42, b.ntpns.org. A 193.243.171.138, b.ntpns.org. A 212.25.19.23, b.ntpns.org. A 174.127.124.192, b.ntpns.org. AAAA 2001:8e0:ffff:1::282, c.ntpns.org. A 199.249.224.53, c.ntpns.org. A 85.214.25.217, c.ntpns.org. A 89.36.18.22, c.ntpns.org. AAAA 2a01:238:426b:900:4535:f84f:5043:4854, c.ntpns.org. AAAA 2a00:14b0:4200:32e0::1e5 (478)
1509471914.090469 MAC1 > MAC2, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)
    IP1.port > IP4.port: [bad udp cksum 0xd7a8 -> 0x11f4!] NTPv3, length 48
    Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
    Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
      Reference Timestamp:  0.000000000
      Originator Timestamp: 0.000000000
      Receive Timestamp:    0.000000000
      Transmit Timestamp:   3718460714.090000003 (2017/10/31 21:15:14)
        Originator - Receive Timestamp:  0.000000000
        Originator - Transmit Timestamp: 3718460714.090000003 (2017/10/31 21:15:14)

And Here is the python script in which I have tried to generate a pcap file from my text file using Scapy package:

from scapy.all import *
import secrets

def generatePcapfromText(inputtxt,output):
    with open (inputtxt,encoding='cp850') as input:
        framenum=0
        for line in input:
            if "ARP" in line:
                continue
            if line[0].isdigit(): # For Processing the line having Mac address info
                framenum += 1
                frametime=line[:16]
                srcmac= line[18:34]
                dstmac= line[38:54]
               # ethertype = hex(int(line[line.find('(')+1:line.find(')')], 16))
                frameLen=int(line[line.find('length')+7:line.find(': (')])
                frameTos=line[line.find('tos')+4:line.find(', ttl')]
                frameTtl=int(line[line.find('ttl')+4:line.find(', id')])
                frameId=int(line[line.find('id')+3:line.find(', offset')])
                frameOffset=line[line.find('offset')+7:line.find(', flags')]
                frameFlags=line[line.find('[')+1:line.find(']')]
                protocol = line[line.find('proto')+6:line.rfind('(')-1]
                ipLen = int(line[line.rfind('length')+6:line.rfind(')')])

                ether = Ether(dst=dstmac, src=srcmac, type=0x0800)

            elif len(line)>5: # For processing lines having IP addresses info 
                if line[5].isdigit(): # line two
                    srcinfo = line[4:line.find ( '>' )]
                    dstinfo = line[line.find ( '>' ) + 2:line.find ( ':' )]
                    ipsrc = srcinfo[:srcinfo.rfind ( '.' )]
                    ipdst = dstinfo[:dstinfo.rfind ( '.' )]
                    srcport = int(srcinfo[srcinfo.rfind ( '.' ) + 1:])
                    dstport = int(dstinfo[dstinfo.rfind ( '.' ) + 1:])

              ***      ip = ether/IP(src=ipsrc, dst=ipdst, len=frameLen, tos=frameTos, ttl=frameTtl,
                                 id=frameId, flags=frameFlags, proto=protocol.lower())

                    if protocol == "TCP":
                        frameFlag = line[line.find ( '[' ) + 1:line.find ( ']' )]
                        cksum = hex(int(line[line.find ( 'cksum' ) + 6:line.find ( '(' )],16))
                        if ", ack" in line:      
                            seq_n = line[line.find ( ', seq' ) + 6:line.find ( ', ack' )]
                            ack_n = int(line[line.find ( 'ack' ) + 4:line.find ( ', win' )])
                        else:
                            seq_n = line[line.find ( ', seq' ) + 6:line.find ( ', win' )]
                            ack_n = 0

                        if "options" in line:
                            win = int(line[line.find ( 'win' ) + 4:line.find ( ', options' )])
                            options= line[line.find ( 'options' ) + 8:line.find ( ', length' )]
                        else:    
                            win = int(line[line.find ( 'win' ) + 4:line.find ( ', length' )])
                            options="[]"

                        pktlen = int(line[line.find ( ', length' ) + 9:])

                        pkt = ip / TCP(sport=srcport, dport=dstport, flags=frameFlag, seq=seq_n, 
                                       ack=ack_n, chksum=cksum, options=options, window=win) / secrets.token_hex(pktlen)


                    elif protocol == "UDP":
                        if "ok" in line:                            
                            cksum = int(line[line.find ( ']' ) + 2:line.find ( 'q:' )])
                            content = line[line.find ( 'q:' ) + 3:]
                        else:
                            cksum = int(line[line.find ( 'cksum' ) + 6:line.find ( '->' )])
                            content = line[line.find ( ']' ) + 2:]

                        pkt = ip / UDP(sport=srcport, dport=dstport, flags=frameFlag, chksum=cksum) / content

                    wrpcap(output, pkt, append=True)

                elif "Client" in line:
                    continue
                elif "Root" in line:
                    continue
                elif "Originator" in line:
                    continue
                elif "Reference" in line:
                    continue
                elif "Receive" in line:
                    continue
                elif "Transmit" in line:
                    continue

However, I get following error. It occurs at the line marked with three stars (***). Moreover, I couldn't find a field to add packet's timestamp, as timestamp is important in my case.

File "C:\Users\*\Anaconda3\lib\site-packages\scapy\base_classes.py", line 101, in _parse_net tmp[0] = socket.gethostbyname(tmp[0])

gaierror: [Errno 11004] getaddrinfo failed

How to solve this error, then?

The problem was with the destination IP which contains the leading space, I have corrected that part of script above. Now, I getting another error. Let see whether I could solve it or I should start another thread.

PS: You can find my original question at ask.wireshark.


回答1:


The error gives us the information we need:

tmp[0] = socket.gethostbyname(tmp[0])

Python's socket library is trying to do a hostname lookup with gethostbyname and it's failing.

For example, this is what usage of this function looks like:

>>> import socket
>>> socket.gethostbyname('google.com')
'172.217.0.46'

You may want to try running this on a different computer, because I do not see the same error on my system.




回答2:


You are doing IP(dst=..., src=...)

If the IPs you pass are invalid, Scapy will try to resolve them with socket.gethostbyname (Could it be a domain name?). If those fail, it will raise as so: you are building a packet with something that isn't an IP.

You should check what exactly you are feeding it



来源:https://stackoverflow.com/questions/58097621/how-to-generate-a-pcap-traffic-from-text-file-with-the-help-of-scapy

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!