问题
I have multiple text file which I have previously captured via TCPDump, but I didn't set the config correctly and as a result I don't have a complete dump to convert it to pcap file with the help of text2pcap. Therefore, I have tried to write a python script to convert my text files to pcaps.
Following is what my captured file looks like:
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
1509471560.944080 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 23237, offset 0, flags [DF], proto TCP (6), length 60)
IP1.port > IP2.port: Flags [S], cksum 0x6d2f (incorrect -> 0x0b4a), seq 1127096708, win 65535, options [mss 1460,sackOK,TS val 817985 ecr 0,nop,wscale 6], length 0
1509471561.042855 MAC2 > MAC1, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 64, id 3107, offset 0, flags [none], proto TCP (6), length 44)
IP2.port > IP1.port: Flags [S.], cksum 0x85d8 (correct), seq 449984001, ack 1127096709, win 65535, options [mss 1460], length 0
1509471561.044008 MAC1 > MAC2, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 23238, offset 0, flags [DF], proto TCP (6), length 40)
IP1.port > IP2.port: Flags [.], cksum 0x6d1b (incorrect -> 0x9d95), seq 1, ack 1, win 65535, length 0
1509471914.089046 MAC1 > MAC2, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 54304, offset 0, flags [DF], proto UDP (17), length 68)
IP1.port > IP3.port: [bad udp cksum 0xfe91 -> 0xd1d7!] 10474+ A? 2.android.pool.ntp.org. (40)
1509471914.090059 MAC2 > MAC1, ethertype IPv4 (0x0800), length 520: (tos 0x0, ttl 64, id 3241, offset 0, flags [none], proto UDP (17), length 506)
IP3.port > IP1.port: [udp sum ok] 10474 q: A? 2.android.pool.ntp.org. 4/9/11 2.android.pool.ntp.org. A 91.220.110.116, 2.android.pool.ntp.org. A 195.46.37.22, 2.android.pool.ntp.org. A 209.208.79.69, 2.android.pool.ntp.org. A 198.206.133.14 ns: pool.ntp.org. NS c.ntpns.org., pool.ntp.org. NS a.ntpns.org., pool.ntp.org. NS i.ntpns.org., pool.ntp.org. NS g.ntpns.org., pool.ntp.org. NS b.ntpns.org., pool.ntp.org. NS e.ntpns.org., pool.ntp.org. NS f.ntpns.org., pool.ntp.org. NS h.ntpns.org., pool.ntp.org. NS d.ntpns.org. ar: a.ntpns.org. A 207.171.17.42, a.ntpns.org. AAAA 2620:101:d007::42, b.ntpns.org. A 193.243.171.138, b.ntpns.org. A 212.25.19.23, b.ntpns.org. A 174.127.124.192, b.ntpns.org. AAAA 2001:8e0:ffff:1::282, c.ntpns.org. A 199.249.224.53, c.ntpns.org. A 85.214.25.217, c.ntpns.org. A 89.36.18.22, c.ntpns.org. AAAA 2a01:238:426b:900:4535:f84f:5043:4854, c.ntpns.org. AAAA 2a00:14b0:4200:32e0::1e5 (478)
1509471914.090469 MAC1 > MAC2, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)
IP1.port > IP4.port: [bad udp cksum 0xd7a8 -> 0x11f4!] NTPv3, length 48
Client, Leap indicator: (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
Reference Timestamp: 0.000000000
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3718460714.090000003 (2017/10/31 21:15:14)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3718460714.090000003 (2017/10/31 21:15:14)
And Here is the python script in which I have tried to generate a pcap file from my text file using Scapy package:
from scapy.all import *
import secrets
def generatePcapfromText(inputtxt,output):
with open (inputtxt,encoding='cp850') as input:
framenum=0
for line in input:
if "ARP" in line:
continue
if line[0].isdigit(): # For Processing the line having Mac address info
framenum += 1
frametime=line[:16]
srcmac= line[18:34]
dstmac= line[38:54]
# ethertype = hex(int(line[line.find('(')+1:line.find(')')], 16))
frameLen=int(line[line.find('length')+7:line.find(': (')])
frameTos=line[line.find('tos')+4:line.find(', ttl')]
frameTtl=int(line[line.find('ttl')+4:line.find(', id')])
frameId=int(line[line.find('id')+3:line.find(', offset')])
frameOffset=line[line.find('offset')+7:line.find(', flags')]
frameFlags=line[line.find('[')+1:line.find(']')]
protocol = line[line.find('proto')+6:line.rfind('(')-1]
ipLen = int(line[line.rfind('length')+6:line.rfind(')')])
ether = Ether(dst=dstmac, src=srcmac, type=0x0800)
elif len(line)>5: # For processing lines having IP addresses info
if line[5].isdigit(): # line two
srcinfo = line[4:line.find ( '>' )]
dstinfo = line[line.find ( '>' ) + 2:line.find ( ':' )]
ipsrc = srcinfo[:srcinfo.rfind ( '.' )]
ipdst = dstinfo[:dstinfo.rfind ( '.' )]
srcport = int(srcinfo[srcinfo.rfind ( '.' ) + 1:])
dstport = int(dstinfo[dstinfo.rfind ( '.' ) + 1:])
*** ip = ether/IP(src=ipsrc, dst=ipdst, len=frameLen, tos=frameTos, ttl=frameTtl,
id=frameId, flags=frameFlags, proto=protocol.lower())
if protocol == "TCP":
frameFlag = line[line.find ( '[' ) + 1:line.find ( ']' )]
cksum = hex(int(line[line.find ( 'cksum' ) + 6:line.find ( '(' )],16))
if ", ack" in line:
seq_n = line[line.find ( ', seq' ) + 6:line.find ( ', ack' )]
ack_n = int(line[line.find ( 'ack' ) + 4:line.find ( ', win' )])
else:
seq_n = line[line.find ( ', seq' ) + 6:line.find ( ', win' )]
ack_n = 0
if "options" in line:
win = int(line[line.find ( 'win' ) + 4:line.find ( ', options' )])
options= line[line.find ( 'options' ) + 8:line.find ( ', length' )]
else:
win = int(line[line.find ( 'win' ) + 4:line.find ( ', length' )])
options="[]"
pktlen = int(line[line.find ( ', length' ) + 9:])
pkt = ip / TCP(sport=srcport, dport=dstport, flags=frameFlag, seq=seq_n,
ack=ack_n, chksum=cksum, options=options, window=win) / secrets.token_hex(pktlen)
elif protocol == "UDP":
if "ok" in line:
cksum = int(line[line.find ( ']' ) + 2:line.find ( 'q:' )])
content = line[line.find ( 'q:' ) + 3:]
else:
cksum = int(line[line.find ( 'cksum' ) + 6:line.find ( '->' )])
content = line[line.find ( ']' ) + 2:]
pkt = ip / UDP(sport=srcport, dport=dstport, flags=frameFlag, chksum=cksum) / content
wrpcap(output, pkt, append=True)
elif "Client" in line:
continue
elif "Root" in line:
continue
elif "Originator" in line:
continue
elif "Reference" in line:
continue
elif "Receive" in line:
continue
elif "Transmit" in line:
continue
However, I get following error. It occurs at the line marked with three stars (***). Moreover, I couldn't find a field to add packet's timestamp, as timestamp is important in my case.
File "C:\Users\*\Anaconda3\lib\site-packages\scapy\base_classes.py", line 101, in _parse_net tmp[0] = socket.gethostbyname(tmp[0])
gaierror: [Errno 11004] getaddrinfo failed
How to solve this error, then?
The problem was with the destination IP which contains the leading space, I have corrected that part of script above. Now, I getting another error. Let see whether I could solve it or I should start another thread.
PS: You can find my original question at ask.wireshark.
回答1:
The error gives us the information we need:
tmp[0] = socket.gethostbyname(tmp[0])
Python's socket
library is trying to do a hostname lookup with gethostbyname and it's failing.
For example, this is what usage of this function looks like:
>>> import socket
>>> socket.gethostbyname('google.com')
'172.217.0.46'
You may want to try running this on a different computer, because I do not see the same error on my system.
回答2:
You are doing IP(dst=..., src=...)
If the IPs you pass are invalid, Scapy will try to resolve them with socket.gethostbyname
(Could it be a domain name?). If those fail, it will raise as so: you are building a packet with something that isn't an IP.
You should check what exactly you are feeding it
来源:https://stackoverflow.com/questions/58097621/how-to-generate-a-pcap-traffic-from-text-file-with-the-help-of-scapy