Sniffing traffic with scapy in Python


Requirements:
monitor traffic in real time,
display only the problematic traffic,
report suspicious traffic together with the packet it appears in,
save all traffic to pcap,
one file per 5000 packets,
the third file is automatically downloaded locally.
 
    def sniff(count=0, store=1, offline=None, prn=None, filter=None, L2socket=None, timeout=None, opened_socket=None, stop_filter=None, iface=None, *args, **kargs)
 
    count: number of packets to capture; 0 means no limit
    store: keep the captured packets (1) or discard them (0)
    offline: read packets from a pcap file instead of sniffing; default None
    prn: a function called for every packet; whatever it returns is printed, e.g. prn = lambda x: x.summary() (packet.summary() returns a one-line summary of the packet)
    filter: filter rule in BPF syntax, the same capture-filter syntax used by tcpdump and Wireshark
    L2socket: use the given L2socket
    timeout: stop sniffing after the given number of seconds; default None
    opened_socket: read from the given object with .recv()
    stop_filter: a function that decides whether to stop sniffing once a given packet has been captured, e.g. stop_filter = lambda x: x.haslayer(TCP)
    iface: the interface to capture on
 
 
 
Sniff a single packet
# -*- coding: utf-8 -*-
from scapy.all import *

def packet_callback(packet):
    # show() prints the full layer-by-layer dissection of the packet
    packet.show()


sniff(prn=packet_callback, count=1)
 
 
Set a filter
Capture packets in real time
# -*- coding: utf-8 -*-
from scapy.all import *
# packet callback
def packet_callback(packet):
    if packet.haslayer(TCP) and packet[TCP].payload:
        mail_packet = bytes(packet[TCP].payload)
        if b"user" in mail_packet.lower() or b"pass" in mail_packet.lower():
            print("[*] Server: %s" % packet[IP].dst)
            print("[*] %r" % mail_packet)
# start the sniffer
sniff(filter="tcp port 80", prn=packet_callback, store=0)
 
 
Capture for 30 seconds at a time and save
# -*- coding: utf-8 -*-
from scapy.all import *
import os
# packet callback
def packet_callback(packet):
    if packet.haslayer(TCP) and packet[TCP].payload:
        mail_packet = bytes(packet[TCP].payload)
        #print(packet)
        #print(mail_packet.lower())
        if b"user" in mail_packet.lower() or b"pass" in mail_packet.lower():
            print("[*] Server: %s" % packet[IP].dst)
            print("[*] %r" % mail_packet)

# start the sniffer: keep only TCP, capture for 30 seconds at a time
packets = sniff(filter="tcp", timeout=30, prn=packet_callback, store=1)

# once the 30 s are up, decide the file name (original note: put a test.pcap in your directory first, otherwise it errors)
# the second saved batch would be named 5000

j = 1
flow_name = "test" + str(j) + ".pcap"
wrpcap(flow_name, packets)  # save the captured packets as test1.pcap
 
Extracting selected fields from the packets; the important line is
raw_http = p["TCP"].payload.original
# -*- coding: utf-8 -*-
import scapy.all as scapy

# the HTTPRequest layer is only dissected once scapy's HTTP layer is loaded (scapy >= 2.4.3)
scapy.load_layer("http")


def parse_http_pcap(pcap_path):
    pcap_infos = list()
    packets = scapy.rdpcap(pcap_path)
    for p in packets:
        print("----")
        info = {}
        # haslayer() tells whether a given layer is present
        if p.haslayer("IP"):
            src_ip = p["IP"].src
            dst_ip = p["IP"].dst
            info["sip"], info["dip"] = src_ip, dst_ip
            print("sip: %s" % src_ip)
            print("dip: %s" % dst_ip)
        if p.haslayer("TCP"):
            # .payload.original gives the raw bytes of a layer's payload
            raw_http = p["TCP"].payload.original
            sport = p["TCP"].sport
            dport = p["TCP"].dport
            info["sport"], info["dport"], info["raw"] = sport, dport, raw_http
            print("sport: %s" % sport)
            print("dport: %s" % dport)
            print("raw_http:\n%s" % raw_http)

        if p.haslayer("HTTPRequest"):
            host = p["HTTPRequest"].Host
            uri = p["HTTPRequest"].Path
            # .fields gives the already-dissected HTTP data as a dict
            http_fields = p["HTTPRequest"].fields
            http_payload = p["HTTPRequest"].payload.fields
            info["host"], info["uri"] = host, uri
            print("host: %s" % host)
            print("uri: %s" % uri)
            print("http_fields:\n%s" % http_fields)
            print("http_payload:\n%s" % http_payload)
        pcap_infos.append(info)
    return pcap_infos


parse_http_pcap("test.pcap")
 
Sniffing login passwords
# -*- coding: utf-8 -*-
import re
from scapy.all import *

def ftpsniff(pkt):
    if not pkt.haslayer(IP):
        return
    dest = pkt.getlayer(IP).dst
    # sprintf() renders the Raw payload as text (or "??" when there is no Raw layer)
    raw = pkt.sprintf('%Raw.load%')
    user = re.findall('(?i)USER (.*)', raw)
    pswd = re.findall('(?i)PASS (.*)', raw)
    if user:
        print('[*] Detected FTP Login to ' + str(dest))
        print('[+] Username: ' + str(user[0]))
    elif pswd:
        print('[+] Password: ' + str(pswd[0]))

# start the sniffer on the FTP control port
sniff(filter="tcp port 21", prn=ftpsniff, store=0)
 
 
 
 

