Aggregate Wireshark PDML to flows
Detailed description of the pdml2flow Python project
Aggregates Wireshark PDML to flows, with plugins
When analyzing network traffic it is sometimes helpful to group the captured frames: by port numbers to obtain network flows, for instance, or by MAC address to obtain hardware flows. Doing this inside Wireshark or tshark is hard, and pdml2flow was designed for exactly that use case. pdml2flow reads tshark output in the Packet Description Markup Language (PDML) and writes the resulting flows as JSON or XML. The flows are also reachable from a Python plugin interface. If no flow aggregation is needed, pdml2frame can be used to process PDML with plugins.

The following utilities are part of this project:

pdml2frame: Wireshark PDML to frames, with plugins

Installation
$ sudo pip install pdml2flow
用法
$ pdml2flow -h
usage: pdml2flow [-h] [--version] [-f FLOW_DEF_STR] [-t FLOW_BUFFER_TIME] [-l DATA_MAXLEN] [-c] [-a] [-s] [-d] [+json [args]] [+xml [args]]

Aggregates wireshark pdml to flows

optional arguments:
  -h, --help           show this help message and exit
  --version            Print version and exit
  -f FLOW_DEF_STR      Fields which define the flow, nesting with: '.'
                       [default: ['vlan.id', 'ip.src', 'ip.dst', 'ipv6.src', 'ipv6.dst', 'udp.stream', 'tcp.stream']]
  -t FLOW_BUFFER_TIME  Length (in seconds) to buffer a flow before writing the packets [default: 180]
  -l DATA_MAXLEN       Maximum length of data in tshark pdml-field [default: 200]
  -c                   Removes duplicate data when merging objects, will not preserve order of leaves [default: False]
  -a                   Instead of merging the frames will append them to an array [default: False]
  -s                   Extract show names, every data leaf will now look like { raw : [] , show: [] } [default: False]
  -d                   Debug mode [default: False]

Plugins:
  +json [args]         usage: JSON output [-h] [-0]
                       optional arguments:
                         -h, --help  show this help message and exit
                         -0          Terminates lines with null character
  +xml [args]          usage: XML output [-h] [-0]
                       optional arguments:
                         -h, --help  show this help message and exit
                         -0          Terminates lines with null character
Environment variables

Name          Description
LOAD_PLUGINS  If set to False, skips loading of all plugins

Examples
Sniff from an interface and write JSON:
$ tshark -i interface -Tpdml | pdml2flow +json

Read a .pcap file:
$ tshark -r pcap_file -Tpdml | pdml2flow +json

Aggregate on Ethernet source and destination address:
$ tshark -i interface -Tpdml | pdml2flow -f eth.src -f eth.dst +json

Use jq:
$ tshark -i interface -Tpdml | pdml2flow +json | jq

Post-process flows with FluentFlow:
$ tshark -i interface -Tpdml | pdml2flow +json | fluentflow rules.js

Live capture with -i needs capture privileges; grant them to dumpcap (the wireshark group or file capabilities) rather than running the whole pipeline, plugins included, as root.
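To make the effect of the -f flow definition and the -t buffer time concrete, here is an added example that re-implements the grouping idea in plain Python. It is not pdml2flow's own code and does not reproduce its output format; the PDML it parses is constructed by hand in the shape tshark -Tpdml emits, and every address, port and timestamp in it is made up. Frames with the same key join one flow; a flow that has been idle longer than the buffer time is expired before the next frame is handled; and the three output shapes mirror the default merge, -a and -c.

```python
"""Flow aggregation over PDML, the way pdml2flow's -f and -t options describe it.

Added example, not pdml2flow's own code. The PDML below is constructed by hand
in the shape that tshark -Tpdml emits; all addresses, ports and times are invented.
"""
import json
import xml.etree.ElementTree as ET

# pdml2flow's default flow definition (see `pdml2flow -h` above).
DEFAULT_FLOW_DEF = ["vlan.id", "ip.src", "ip.dst", "ipv6.src", "ipv6.dst",
                    "udp.stream", "tcp.stream"]


def _packet(t, src, dst, sport, dport, stream):
    """Build one constructed <packet> element carrying the fields we key on."""
    return (
        "<packet>\n"
        f'  <proto name="frame"><field name="frame.time_epoch" show="{t}"/></proto>\n'
        f'  <proto name="ip"><field name="ip.src" show="{src}"/>'
        f'<field name="ip.dst" show="{dst}"/></proto>\n'
        f'  <proto name="tcp"><field name="tcp.srcport" show="{sport}"/>'
        f'<field name="tcp.dstport" show="{dport}"/>'
        f'<field name="tcp.stream" show="{stream}"/></proto>\n'
        "</packet>"
    )


# Four constructed frames: a request, its reply, another request, then a
# packet of the same connection after a 300 s silence.
SAMPLE_PDML = (
    '<?xml version="1.0"?>\n<pdml version="0" creator="example">\n'
    + "\n".join([
        _packet(1000.0, "10.0.0.1", "10.0.0.2", 40000, 443, 0),
        _packet(1000.1, "10.0.0.2", "10.0.0.1", 443, 40000, 0),
        _packet(1000.2, "10.0.0.1", "10.0.0.2", 40000, 443, 0),
        _packet(1300.0, "10.0.0.1", "10.0.0.2", 40000, 443, 0),
    ])
    + "\n</pdml>\n"
)


def parse_frames(pdml_text):
    """Flatten each <packet> into {field name: [show values]}.

    PDML <field> elements nest, so iter() walks the whole packet subtree;
    a field that occurs several times keeps every value, in order.
    """
    frames = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        frame = {}
        for field in packet.iter("field"):
            name, show = field.get("name"), field.get("show")
            if name and show is not None:
                frame.setdefault(name, []).append(show)
        frames.append(frame)
    return frames


def flow_key(frame, flow_def):
    """Tuple of the flow-defining fields. A field missing from the frame counts
    as None, so an IPv4 frame and an IPv6 frame never land in one flow."""
    return tuple(tuple(frame.get(f, ())) or None for f in flow_def)


def aggregate(frames, flow_def=DEFAULT_FLOW_DEF, buffer_time=180.0):
    """Group frames into flows. When a frame arrives, every open flow that has
    been idle longer than buffer_time is expired first (the bounded buffer
    that -t controls); the frame then joins or opens the flow for its key."""
    open_flows, finished = {}, []
    for frame in frames:
        t = float(frame["frame.time_epoch"][0])
        for key in [k for k, f in open_flows.items() if t - f["last"] > buffer_time]:
            finished.append(open_flows.pop(key))
        key = flow_key(frame, flow_def)
        flow = open_flows.setdefault(key, {"key": key, "first": t, "last": t, "frames": []})
        flow["frames"].append(frame)
        flow["last"] = t
    finished.extend(open_flows.values())  # end of input flushes what is still open
    return finished


def render(flow, append=False, dedupe=False):
    """Shape one flow for output: merge the frames' leaves into arrays (the
    default), keep the frames separate (-a), or drop duplicate values (-c,
    which does not preserve leaf order)."""
    if append:
        return {"frames": flow["frames"]}
    merged = {}
    for frame in flow["frames"]:
        for name, values in frame.items():
            merged.setdefault(name, []).extend(values)
    if dedupe:
        merged = {name: sorted(set(values)) for name, values in merged.items()}
    return merged


if __name__ == "__main__":
    for flow in aggregate(parse_frames(SAMPLE_PDML)):
        print(json.dumps(render(flow)))
```

With the default definition the reply frame forms its own flow, because ip.src and ip.dst are part of the key and so the two directions of one connection are kept apart; keying on tcp.stream alone puts both directions together. In both cases the frame after the 300 s gap opens a new flow, since 300 s exceeds the 180 s default buffer time. The same applies when running the real tool: pick -f for the question you are asking, and expect long-idle connections to be split at -t.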
Plugins

Interface

    # vim: set fenc=utf8 ts=4 sw=4 et :

    class Plugin2(object):  # pragma: no cover
        """Version 2 plugin interface."""

        @staticmethod
        def help():
            """Return a help string."""
            pass

        def __init__(self, *args):
            """Called once during startup."""
            pass

        def __deinit__(self):
            """Called once during shutdown."""
            pass

        def flow_new(self, flow, frame):
            """Called every time a new flow is opened."""
            pass

        def flow_expired(self, flow):
            """Called every time a flow expired, before printing the flow."""
            pass

        def flow_end(self, flow):
            """Called every time a flow ends, before printing the flow."""
            pass

        def frame_new(self, frame, flow):
            """Called for every new frame."""
            pass
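As an added example of what a plugin against this interface looks like (not part of pdml2flow, and not an endorsement of any particular detection), the class below reports flows whose destination port is outside an allowlist. It assumes the Plugin2 callback signatures shown above, that a flow object exposes its merged frames as `flow.frames` (a nested dict keyed by the dotted field name, so "tcp.dstport" lives at frames["tcp"]["dstport"]), and that a leaf is a list of decoded values or, with -s, a {"raw": [...], "show": [...]} dict whose "raw" entry carries the decoded value; the module path `pdml2flow.plugin` is likewise assumed. Check those assumptions against the JSON your version prints before relying on them. A plain dict is accepted in place of a flow object so the class can be exercised stand-alone.

```python
"""A pdml2flow plugin that reports flows to unexpected destination ports.

Added example, not part of pdml2flow. Assumptions (verify against your
version's JSON output): `flow.frames` is the nested frame dict; a leaf is a
list of decoded values or, with -s, {"raw": [...], "show": [...]}.
"""
import sys

try:
    from pdml2flow.plugin import Plugin2  # module path assumed; used when installed
except ImportError:                       # stand-alone: same method names, no base class
    Plugin2 = object

# Destination ports this sensor expects; anything else is reported.
ALLOWED_PORTS = {"53", "80", "443"}


def leaf_values(node, dotted):
    """Follow a dotted field name through a nested frame dict and return the
    list of decoded values, or [] when the field is absent."""
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, dict):  # -s form: {"raw": [...], "show": [...]}
        node = node.get("raw", [])
    return list(node) if isinstance(node, (list, tuple)) else [node]


class UnexpectedPortPlugin(Plugin2):
    """Judge each flow once, when it ends or expires. Report on stderr only:
    stdout carries the +json/+xml stream that the next tool in the pipe reads."""

    @staticmethod
    def help():
        return "Report flows whose TCP/UDP destination port is not in ALLOWED_PORTS"

    def __init__(self, *args):
        self.flows_seen = 0
        self.reports = []  # (src, dst, offending ports) per reported flow

    def __deinit__(self):
        print(f"# {len(self.reports)} of {self.flows_seen} flows reported", file=sys.stderr)

    def flow_new(self, flow, frame):
        self.flows_seen += 1

    def frame_new(self, frame, flow):
        pass  # nothing to do per frame; the decision needs the whole flow

    def flow_expired(self, flow):
        return self._check(flow)

    def flow_end(self, flow):
        return self._check(flow)

    def _check(self, flow):
        frames = getattr(flow, "frames", flow)  # Flow object (assumed .frames) or plain dict
        ports = set(leaf_values(frames, "tcp.dstport") + leaf_values(frames, "udp.dstport"))
        offending = sorted(ports - ALLOWED_PORTS)
        if offending:
            src = ",".join(leaf_values(frames, "ip.src"))
            dst = ",".join(leaf_values(frames, "ip.dst"))
            self.reports.append((src, dst, offending))
            print(f"unexpected dst port(s) {offending}: {src} -> {dst}", file=sys.stderr)
        return offending
```

Both flow_end and flow_expired route to the same check, because a flow cut by the -t buffer time is still a complete unit from the plugin's point of view and would otherwise be missed. Keeping the verdict until the flow is finished also means the decision sees every destination port the flow touched, not just the first frame's.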
Utilities

pdml2frame

$ pdml2frame -h
usage: pdml2frame [-h] [--version] [-s] [-d] [+json [args]] [+xml [args]]

Converts wireshark pdml to frames

optional arguments:
  -h, --help     show this help message and exit
  --version      Print version and exit
  -s             Extract show names, every data leaf will now look like { raw : [] , show: [] } [default: False]
  -d             Debug mode [default: False]

Plugins:
  +json [args]   usage: JSON output [-h] [-0]
                 optional arguments:
                   -h, --help  show this help message and exit
                   -0          Terminates lines with null character
  +xml [args]    usage: XML output [-h] [-0]
                 optional arguments:
                   -h, --help  show this help message and exit
                   -0          Terminates lines with null character