在python上显示捕获并保存在.pcap中的数据包的协议

Question

我正在捕获实时空中WiFi流量，并且只保存--数据包的报头()--在.pcap文件中捕获。有没有可能找出在整个捕获过程中使用了哪些协议？如果是，我如何跟踪每个协议下的数据包数量？

我发现了很多关于用Scapy注入数据包的信息，但没有进行分析。

到目前为止，我已经尝试过：

from scapy.all import * # import scapy package
from scapy.utils import rdpcap # import module for loading pcaps
pkts = rdpcap("./traffic/capture20131120-001.pcap") # load pcap
pkts.summary(lambda(r): r.sprintf("%Dot11.proto%")) # protocol?
print -(256-ord(pkts[24].notdecoded[-4:-3])) # signal strength of packet 24

似乎pkts.summary(lambda(r): r.sprintf("%Dot11.proto%"))返回了0L，我不明白。

Answer 1

目前，Scapy不支持很多协议，因此它适合于某些任务，但不支持其他任务。相反，使用pyshark (Wireshark的Python )，还有更多支持的协议。

使用Scapy：

from scapy.all import *

def process_with_scapy(fileName):
    protocol_count = {}

    pcap_data = rdpcap(fileName)
    sessions = pcap_data.sessions()
    for session in sessions:
        for packet in sessions[session]:
            for i in range(len(packet.layers())):
                layer = packet.getlayer(i)
                protocol = layer.name

                # Count the number of occurences for each protocol type
                if protocol not in protocol_count: protocol_count[protocol] = 1
                else: protocol_count[protocol] += 1

    # Sort the dictionary in descending order
    protocol_count = dict(sorted(protocol_count.items(), key=lambda item: item[1], reverse=True))
    
    # Print the output
    for protocol in protocol_count:
        print(f'{protocol_count[protocol]} packets have layer "{protocol}"')

process_with_scapy('./traffic/capture20131120-001.pcap')

文档：https://readthedocs.org/projects/scapy/downloads/pdf/latest

使用PyShark (较慢但更受支持)：

import pyshark

def process_with_pyshark(fileName):
    protocol_count = {}

    pcap_data = pyshark.FileCapture(fileName)
    for packet in pcap_data:
        for layer in packet:
            protocol = layer.layer_name

            # Count the number of occurences for each protocol type
            if protocol not in protocol_count: protocol_count[protocol] = 1
            else: protocol_count[protocol] += 1

    # Sort the dictionary in descending order
    protocol_count = dict(sorted(protocol_count.items(), key=lambda item: item[1], reverse=True))

    # Print the output
    for protocol in protocol_count:
        print(f'{protocol_count[protocol]} packets have layer "{protocol}"')


process_with_pyshark('./traffic/capture20131120-001.pcap')

• 有关特定协议的信息：https://www.wireshark.org/docs/dfref/
• 特定协议分解的源代码有时也是有用的：https://github.com/wireshark/wireshark/tree/master/epan/dissectors