我正在尝试剖析数据包,它封装了另一个类似于数据包的结构,称为“标记”。结构看起来像这样
+---------+
|Ether |
+---------+
|IP | a tag
+---------+
|UDP | +------------+
+---------+ |tagNumber |
|BVLC | +------------+
+---------+ |tagClass |
|NPDU | +------------+
+---------+ +-+ |LVT field |
|APDU | | +------------+
| +------+--+ | | |
| |Tag 1 | <------+ | data |
| +---------+ | |
| |Tag 2 | +------------+
| +---------+
| |Tag n |
+------------+
为此,我创建了一个派生自现有PacketListField
的类,如下所示:
class TagListField(PacketListField):
def __init__(self):
PacketListField.__init__(
self,
"tags",
[],
guessBACNetTagClass,
引用的guessBACNetTagClass
是一个返回解析标签所需的正确类的函数。
BACNetTagClasses = {
0x2: "BACNetTag_U_int",
0xC: "BACNetTag_Object_Identifier"
}
def guessBACNetTagClass(packet, **kargs):
""" Returns the correct BACNetTag Class needed to dissect
the current tag
@type packet: binary string
@param packet: the current packet
@type cls: class
@param cls: the correct class for dissection
"""
tagByteBinary = "{0:b}".format(int(struct.unpack("!B", packet[0])[0]))
tagNumber = int(tagByteBinary[0:4],2)
clsName = BACNetTagClasses.get(tagNumber)
cls = globals()[clsName]
return cls(packet, **kargs)
从上面的BACNetTagClasses
字典中可以看到,目前有两个类。
class BACNetTag_Object_Identifier(Packet):
name = "BACNetTag_Object_Identifier"
fields_desc =[
# fields
]
class BACNetTag_U_int(Packet):
name = "BACNetTag_U_int"
fields_desc = [
# fields
]
在封装层,称为APDU
我添加了TagListField
就像另一个字段。
class APDU(Packet):
name = "APDU"
fields_desc = [
# Some other fields
TagListField()
]
我目前正在尝试剖析的数据包包含多个标记。第一个(BACNetTag_Object_Identifier
类型)可以被正确解剖,但其余的标签只是作为原始有效载荷列出。
[<Ether |<UDP |<BVLC |<NPDU |<APDU
pduType=UNCONFIRMED_SERVICE_REQUEST reserved=None serviceChoice=I_AM
tags=[<BACNetTag_Object_Identifier tagNumber=BACNET_OBJECT_IDENTIFIER
tagClass=APPLICATION lengthValueType=4L objectType=DEVICE
instanceNumber=640899L |<Raw load='"\x01\xe0\x91\x00!\xde'
|>>] |>>>>>>]
我执行PacketListField
有什么问题吗?据我了解,该字段应尝试剖析其余标记,直到不再留下字节为止。
更新:
使用.show()
可以更多地了解数据包结构
###[ APDU ]###
pduType = UNCONFIRMED_SERVICE_REQUEST
reserved = None
serviceChoice= I_AM
\tags \
|###[ BACNetTag_Object_Identifier ]###
| tagNumber = BACNET_OBJECT_IDENTIFIER
| tagClass = APPLICATION
| lengthValueType= 4L
| objectType= DEVICE
| instanceNumber= 640899L
|###[ Raw ]###
| load = '"\x01\xe0\x91\x00!\xde'
Scapy只是将剩余的字节作为Raw
层附加到现有的tags
字段。这很有趣,但我仍然不知道为什么会这样做。
尝试用以下方法覆盖extract_padding
类的BACNet_Tag*
方法:
def extract_padding(self, s):
return '', s
我和PacketListField
有类似的问题,发现这个stackoverflow帖子: