Scapy:使用PacketListField解析数据包中包含的多个数据包

问题描述 投票:6回答:1

我正在尝试剖析数据包,它封装了另一个类似于数据包的结构,称为“标记”。结构看起来像这样

+---------+
|Ether    |
+---------+
|IP       |                   a tag
+---------+
|UDP      |                +------------+
+---------+                |tagNumber   |
|BVLC     |                +------------+
+---------+                |tagClass    |
|NPDU     |                +------------+
+---------+           +-+  |LVT field   |
|APDU     |           |    +------------+
|  +------+--+        |    |            |
|  |Tag 1    | <------+    |  data      |
|  +---------+             |            |
|  |Tag 2    |             +------------+
|  +---------+
|  |Tag n    |
+------------+

为此,我创建了一个派生自现有PacketListField的类,如下所示:

class TagListField(PacketListField):
    def __init__(self):
        PacketListField.__init__(
            self,
            "tags",
            [],
            guessBACNetTagClass,

引用的guessBACNetTagClass是一个返回解析标签所需的正确类的函数。

BACNetTagClasses = {
    0x2: "BACNetTag_U_int",
    0xC: "BACNetTag_Object_Identifier"
}

def guessBACNetTagClass(packet, **kargs):

    """ Returns the correct BACNetTag Class needed to dissect
        the current tag

        @type    packet:    binary string
        @param   packet:    the current packet

        @type    cls:       class
        @param   cls:       the correct class for dissection
    """

    tagByteBinary = "{0:b}".format(int(struct.unpack("!B", packet[0])[0]))
    tagNumber = int(tagByteBinary[0:4],2)
    clsName = BACNetTagClasses.get(tagNumber)
    cls = globals()[clsName]
    return cls(packet, **kargs)

从上面的BACNetTagClasses字典中可以看到,目前有两个类。

class BACNetTag_Object_Identifier(Packet):
    name = "BACNetTag_Object_Identifier"
    fields_desc =[
        # fields
    ]

class BACNetTag_U_int(Packet):
    name = "BACNetTag_U_int"
    fields_desc = [
        # fields
    ]

在封装层,称为APDU我添加了TagListField就像另一个字段。

class APDU(Packet):

    name = "APDU"
    fields_desc = [
        # Some other fields

        TagListField()
    ]

我目前正在尝试剖析的数据包包含多个标记。第一个(BACNetTag_Object_Identifier类型)可以被正确解剖,但其余的标签只是作为原始有效载荷列出。

[<Ether |<UDP |<BVLC |<NPDU |<APDU 
pduType=UNCONFIRMED_SERVICE_REQUEST reserved=None serviceChoice=I_AM
tags=[<BACNetTag_Object_Identifier  tagNumber=BACNET_OBJECT_IDENTIFIER
tagClass=APPLICATION lengthValueType=4L objectType=DEVICE
instanceNumber=640899L |<Raw  load='"\x01\xe0\x91\x00!\xde'
|>>] |>>>>>>]

我执行PacketListField有什么问题吗?据我了解,该字段应尝试剖析其余标记,直到不再留下字节为止。

更新:

使用.show()可以更多地了解数据包结构

###[ APDU ]###
  pduType   = UNCONFIRMED_SERVICE_REQUEST
  reserved  = None
  serviceChoice= I_AM
  \tags      \
   |###[ BACNetTag_Object_Identifier ]###
   |  tagNumber = BACNET_OBJECT_IDENTIFIER
   |  tagClass  = APPLICATION
   |  lengthValueType= 4L
   |  objectType= DEVICE
   |  instanceNumber= 640899L
   |###[ Raw ]###
   |     load      = '"\x01\xe0\x91\x00!\xde'

Scapy只是将剩余的字节作为Raw层附加到现有的tags字段。这很有趣,但我仍然不知道为什么会这样做。

python packet scapy bacnet
1个回答
2
投票

尝试用以下方法覆盖extract_padding类的BACNet_Tag*方法:

def extract_padding(self, s):
return '', s

我和PacketListField有类似的问题,发现这个stackoverflow帖子:

Scapy: Adding new protocol with complex field groupings

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.