Nanosecond-resolution, dependency-free PCAP tools and parsing library
Detailed description of the NanoPcap Python project
NanoPCAP
nanopcap is a Python library and a set of tools for working with nanosecond-resolution PCAP data. It is designed to be minimal and to require no dependencies.
Tools
Dump
Dumps a PCAP in either short form (one line per packet) or long form (one line per value).
> NanoPcap/Tools/Dump.py -h
usage: Dump.py [-h] [-d DATA_BYTES] [-l] [-j] [-o DATA_OFFSET] [-H] [-R] [-s]
pcap
PCAP Dump Diagnostic
positional arguments:
pcap PCAP file to dump.
optional arguments:
-h, --help show this help message and exit
-d DATA_BYTES, --data-bytes DATA_BYTES
Show a certain number of bytes as hex for each packet
record.
-l, --long Enable long form which generally puts one value per
line for easy diffing.
-j, --json Enable JSON output with either one object per line
(short mode) or one value per line (long mode).
-o DATA_OFFSET, --data-offset DATA_OFFSET
Offset of the data to show.
-H, --no-header Do not show the header.
-R, --no-records Do not show records.
-s, --strict Enables strict validation rules.
Filter
Filters a PCAP according to the given criteria and can optionally perform other edits, such as snaplen truncation, packet deduplication, and even fuzzing in the form of random drops and duplicates.
> NanoPcap/Tools/Filter.py -h
usage: Filter.py [-h] [--strict] [-l SNAPLEN] [-o DATA_OFFSET]
[-x DATA_END_OFFSET] [-H] [-R] [-a]
[--required-link-type REQUIRED_LINK_TYPE]
[--link-type LINK_TYPE]
[--time-shift-seconds TIME_SHIFT_SECONDS] [-s START] [-e END]
[-D DROP_FRACTION] [--duplicate-fraction DUPLICATE_FRACTION]
[--deduplication-window DEDUPLICATION_WINDOW]
input output
PCAP Filter Tool
positional arguments:
input PCAP file to use as input.
output Output file. May include time format strings to roll
the file based on packet time stamps, e.g.
%Y/%m/%d/%H.pcap for hourly output files in daily
folders.
optional arguments:
-h, --help show this help message and exit
--strict Enables strict validation rules.
-l SNAPLEN, --snaplen SNAPLEN
Add a certain number of bytes for each packet record.
-o DATA_OFFSET, --data-offset DATA_OFFSET
Offset of the data to include.
-x DATA_END_OFFSET, --data-end-offset DATA_END_OFFSET
Offset from the end of the data to include.
-H, --no-header Do not output the header.
-R, --no-records Do not output records.
-a, --append Append to the file (implies no header).
--required-link-type REQUIRED_LINK_TYPE
The required link type of the file being edited (e.g.
1 for Ethernet, 228 for IPv4, 229 for IPv6).
--link-type LINK_TYPE
A value to set the link type in the header to (e.g. 1
for Ethernet, 228 for IPv4, 229 for IPv6).
--time-shift-seconds TIME_SHIFT_SECONDS
The amount of time in seconds to shift timestamps in
the output PCAP.
-s START, --start START
Start time as either epoch nanoseconds or a datetime
(with only microsecond resolution).
-e END, --end END End time as either epoch nanoseconds or a relative
offset in nanoseconds to the start (e.g. +100 would
yield a 100ns PCAP).
-D DROP_FRACTION, --drop-fraction DROP_FRACTION
Fraction of the time to drop packagets (from 0 to 1
inclusive).
--duplicate-fraction DUPLICATE_FRACTION
Fraction of the time to duplicate packagets (from 0 to
1 inclusive).
--deduplication-window DEDUPLICATION_WINDOW
Sets the number of the packets in the deduplication
window (based on contents).
For example, here is how to strip the Ethernet header (L2) to produce the files in TestData:
> NanoPcap/Tools/Filter.py --required-link-type 1 --link-type 228 -o 14 -x 4 SSH.pcap TestData/SSH_L3.pcap
> NanoPcap/Tools/Filter.py --required-link-type 1 --link-type 228 -o 14 -x 4 SSH2.pcap TestData/SSH2_L3.pcap
There is also a convenience script for this conversion:
> ./strip_ethernet_header.sh SSH.pcap TestData/SSH_L3.pcap
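The same header-stripping edit, written out as an added example that is not part of the nanopcap project: a dependency-free reader and writer for the nanosecond pcap format with strict record validation, applying the `--required-link-type 1 --link-type 228 -o 14 -x 4` transformation above to a constructed two-frame capture. The on-disk layout (nanosecond magic 0xA1B23C4D, 24-byte global header, 16-byte record header) is the standard pcap format; that records too short to hold both offsets are dropped is this example's own choice, not a documented behaviour of Filter.py.

```python
import struct

NS_MAGIC = 0xA1B23C4D  # nanosecond-resolution pcap magic (little-endian file)
US_MAGIC = 0xA1B2C3D4  # classic microsecond pcap magic
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_frac, incl_len, orig_len

def read_pcap(buf, strict=True):
    """Parse a little-endian pcap into (linktype, snaplen, [(ts_ns, data, orig_len)])."""
    magic, _, _, _, _, snaplen, linktype = GLOBAL_HDR.unpack_from(buf, 0)
    scale = {NS_MAGIC: 1, US_MAGIC: 1000}.get(magic)  # microsecond files are promoted to ns
    if scale is None:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    records, pos = [], GLOBAL_HDR.size
    while pos + RECORD_HDR.size <= len(buf):
        sec, frac, incl, orig = RECORD_HDR.unpack_from(buf, pos)
        pos += RECORD_HDR.size
        # Strict rules: incl_len must fit the file, the snaplen and orig_len (a lying header is rejected)
        if strict and (incl > orig or incl > snaplen or pos + incl > len(buf)):
            raise ValueError("malformed record at offset %d" % (pos - RECORD_HDR.size))
        records.append((sec * 10**9 + frac * scale, bytes(buf[pos:pos + incl]), orig))
        pos += incl
    return linktype, snaplen, records

def write_pcap(linktype, snaplen, records):  # serialize as a nanosecond-magic pcap
    out = [GLOBAL_HDR.pack(NS_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_ns, data, orig in records:
        out.append(RECORD_HDR.pack(ts_ns // 10**9, ts_ns % 10**9, len(data), orig))
        out.append(data)
    return b"".join(out)

def strip_l2(buf, data_offset=14, data_end_offset=4, required_link_type=1, link_type=228):
    """Same edit as Filter.py --required-link-type 1 --link-type 228 -o 14 -x 4."""
    linktype, snaplen, records = read_pcap(buf)
    if linktype != required_link_type:
        raise ValueError("expected link type %d, got %d" % (required_link_type, linktype))
    trimmed = []
    for ts_ns, data, orig in records:
        end = len(data) - data_end_offset
        if end < data_offset:  # too short to hold both offsets: drop the record
            continue
        trimmed.append((ts_ns, data[data_offset:end], orig - data_offset - data_end_offset))
    return write_pcap(link_type, snaplen, trimmed)

def sample_pcap():  # constructed two-frame Ethernet capture, not the project's TestData
    eth = bytes(12) + b"\x08\x00"  # zeroed dst/src MACs + EtherType IPv4
    ip = bytes.fromhex("4500001c00010000401100000a0000010a000002") + bytes(8)  # 28 bytes
    frame = eth + ip + bytes(4)  # 4 trailing bytes: the part that -x 4 trims
    t0 = 1472402096321502000  # epoch ns, the same instant as the Summary output below
    return write_pcap(1, 65535, [(t0, frame, len(frame)), (t0 + 1000, frame, len(frame))])
```

Running `strip_l2(sample_pcap())` yields a link-type 228 file whose two records are the 28-byte IPv4 packets with their nanosecond timestamps intact; feeding it a truncated record in strict mode raises instead of silently reading past the end.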
Merge
Merges two PCAP files whose timestamps may be interleaved.
> NanoPcap/Tools/Merge.py -h
usage: Merge.py [-h] [--strict] input1 input2 output
PCAP Filter Tool
positional arguments:
input1 PCAP file to use as input.
input2 PCAP file to use as other input.
output Output file
optional arguments:
-h, --help show this help message and exit
--strict Enables strict validation rules.
Split
Splits a PCAP into slices with a maximum number of packets, bytes, etc.
> NanoPcap/Tools/Split.py -h
usage: Split.py [-h] [--gzip-output] [--strict] [-b MAX_BYTES]
[-p MAX_PACKETS] [-l SNAPLEN] [-o DATA_OFFSET]
[-x DATA_END_OFFSET] [-H] [-a]
input output
PCAP Splitting Tool
positional arguments:
input PCAP file to use as input.
output Output path -- output files will be named based on the
identifying attributes.
optional arguments:
-h, --help show this help message and exit
--gzip-output Enables gzip for the output files.
--strict Enables strict validation rules.
-b MAX_BYTES, --max-bytes MAX_BYTES
The maximum number of bytes in a slice.
-p MAX_PACKETS, --max-packets MAX_PACKETS
The maximum number of packets in a slice.
-l SNAPLEN, --snaplen SNAPLEN
Add a certain number of bytes for each packet record.
-o DATA_OFFSET, --data-offset DATA_OFFSET
Offset of the data to include.
-x DATA_END_OFFSET, --data-end-offset DATA_END_OFFSET
Offset from the end of the data to include.
-H, --no-header Do not output the header.
-a, --append Append to the file (implies no header).
SplitFlows
Splits a PCAP into multiple PCAPs, one per flow in the top-level protocol.
> mkdir -p SplitData && NanoPcap/Tools/SplitEthernetFlows.py TestData/SSH_L3.pcap SplitData/ && ls SplitData/
192.168.1.192_192.168.1.241.pcap
> NanoPcap/Tools/SplitFlows.py -h
usage: SplitFlows.py [-h] [--strict] [-l SNAPLEN] [-o DATA_OFFSET]
[-x DATA_END_OFFSET] [-H] [-a] [--link-type LINK_TYPE]
input output
PCAP Filter Tool
positional arguments:
input PCAP file to use as input.
output Output path -- output files will be named based on the
identifying attributes.
optional arguments:
-h, --help show this help message and exit
--strict Enables strict validation rules.
-l SNAPLEN, --snaplen SNAPLEN
Add a certain number of bytes for each packet record.
-o DATA_OFFSET, --data-offset DATA_OFFSET
Offset of the data to include.
-x DATA_END_OFFSET, --data-end-offset DATA_END_OFFSET
Offset from the end of the data to include.
-H, --no-header Do not output the header.
-a, --append Append to the file (implies no header).
--link-type LINK_TYPE
A value to set the link type in the header to (e.g. 1
for Ethernet, 228 for IPv4, 229 for IPv6).
Summary
Summarizes a PCAP. For example:
> NanoPcap/Tools/Summary.py TestData/SSH_L3.pcap -u
Epoch times: 1472402096321502000 - 1472402096321652000 (150000ns) (2016-08-28 16:34:56.321501 - 2016-08-28 16:34:56.321651)
Name Count Total Average Std Dev Min 25th % 50th % 75th % 95th % 99th % 99.9th % Max
Included Length 21 8.6K 421.43 502.94 34 34 102 582 1482 1482 1482 1482
Original Length 21 8.6K 421.43 502.94 34 34 102 582 1482 1482 1482 1482
Interpacket Time (ns) 20 150.0us 7.5us 20.9us 0.0 0.0 1.0us 1.0us 74.0us 74.0us 74.0us 74.0us
Packet Rate (pps) 20 133.3K 13.5K 1.0M inf inf inf inf inf inf
Data Rate (Bps) 20 448.7K 539.8M inf inf inf inf inf inf
Or without units:
> NanoPcap/Tools/Summary.py TestData/SSH_L3.pcap
Epoch times: 1472402096321502000 - 1472402096321652000 (150000ns) (2016-08-28 16:34:56.321501 - 2016-08-28 16:34:56.321651)
Name Count Total Average Std Dev Min 25th % 50th % 75th % 95th % 99th % 99.9th % Max
Included Length 21 8850.0 421.43 502.94 34 34 102 582 1482 1482 1482 1482
Original Length 21 8850.0 421.43 502.94 34 34 102 582 1482 1482 1482 1482
Interpacket Time (ns) 20 150000.0 7500.0 20884.2 0.0 0.0 1000.0 1000.0 74000.0 74000.0 74000.0 74000.0
Packet Rate (pps) 20 133333.3 13513.5 1000000.0 inf inf inf inf inf inf
Data Rate (Bps) 20 459459.5 566000000.0 inf inf inf inf inf inf