我有一段用于制作 pcap 文件的代码,取自这里: https://www.codeproject.com/tips/612847/generate-a-quick-and-easy-custom-pcap-file-using-p
port = 9600
#Custom Foo Protocol Packet
message = ('01 01 00 08' #Foo Base Header
'01 02 00 00' #Foo Message (31 Bytes)
'00 00 12 30'
'00 00 12 31'
'00 00 12 32'
'00 00 12 33'
'00 00 12 34'
'D7 CD EF' #Foo flags
'00 00 12 35')
"""----------------------------------------------------------------"""
""" Do not edit below this line unless you know what you are doing """
"""----------------------------------------------------------------"""
import sys
import binascii
#Global header for pcap 2.4
pcap_global_header = ('D4 C3 B2 A1'
'02 00' #File format major revision (i.e. pcap <2>.4)
'04 00' #File format minor revision (i.e. pcap 2.<4>)
'00 00 00 00'
'00 00 00 00'
'FF FF 00 00'
'01 00 00 00')
#pcap packet header that must preface every packet
pcap_packet_header = ('AA 77 9F 47'
'90 A2 04 00'
'XX XX XX XX' #Frame Size (little endian)
'YY YY YY YY') #Frame Size (little endian)
eth_header = ('00 00 00 00 00 00' #Source Mac
'00 00 00 00 00 00' #Dest Mac
'08 00') #Protocol (0x0800 = IP)
ip_header = ('45' #IP version and header length (multiples of 4 bytes)
'00'
'XX XX' #Length - will be calculated and replaced later
'00 00'
'40 00 40'
'11' #Protocol (0x11 = UDP)
'YY YY' #Checksum - will be calculated and replaced later
'7F 00 00 01' #Source IP (Default: 127.0.0.1)
'7F 00 00 01') #Dest IP (Default: 127.0.0.1)
udp_header = ('80 01'
'XX XX' #Port - will be replaced later
'YY YY' #Length - will be calculated and replaced later
'00 00')
def getByteLength(str1):
return len(''.join(str1.split())) / 2
def writeByteStringToFile(bytestring, filename):
bytelist = bytestring.split()
bytes = binascii.a2b_hex(''.join(bytelist))
bitout = open(filename, 'wb')
bitout.write(bytes)
def generatePCAP(message,port,pcapfile):
udp = udp_header.replace('XX XX',"%04x"%port)
udp_len = getByteLength(message) + getByteLength(udp_header)
udp = udp.replace('YY YY',"%04x"%udp_len)
ip_len = udp_len + getByteLength(ip_header)
ip = ip_header.replace('XX XX',"%04x"%ip_len)
checksum = ip_checksum(ip.replace('YY YY','00 00'))
ip = ip.replace('YY YY',"%04x"%checksum)
pcap_len = ip_len + getByteLength(eth_header)
hex_str = "%08x"%pcap_len
reverse_hex_str = hex_str[6:] + hex_str[4:6] + hex_str[2:4] + hex_str[:2]
pcaph = pcap_packet_header.replace('XX XX XX XX',reverse_hex_str)
pcaph = pcaph.replace('YY YY YY YY',reverse_hex_str)
bytestring = pcap_global_header + pcaph + eth_header + ip + udp + message
writeByteStringToFile(bytestring, pcapfile)
#Splits the string into a list of tokens every n characters
def splitN(str1,n):
return [str1[start:start+n] for start in range(0, len(str1), n)]
#Calculates and returns the IP checksum based on the given IP Header
def ip_checksum(iph):
#split into bytes
words = splitN(''.join(iph.split()),4)
csum = 0;
for word in words:
csum += int(word, base=16)
csum += (csum >> 16)
csum = csum & 0xFFFF ^ 0xFFFF
return csum
"""------------------------------------------"""
""" End of functions, execution starts here: """
"""------------------------------------------"""
if len(sys.argv) < 2:
print 'usage: pcapgen.py output_file'
exit(0)
generatePCAP(message,port,sys.argv[1])
上述代码适用于有效负载中的单个数据包
message
。
message = ('01 01 00 08' #Foo Base Header
'01 02 00 00' #Foo Message (31 Bytes)
'00 00 12 30'
'00 00 12 31'
'00 00 12 32'
'00 00 12 33'
'00 00 12 34'
'D7 CD EF' #Foo flags
'00 00 12 35')
我想将第二个数据包添加到带有有效负载的 pcap 文件中
message2 = ('f1 b1 a0 08' #
'01 02 00 00' #
'00 00 12 30'
'00 00 12 31'
'00 00 12 32'
'00 00 12 33'
'00 00 12 34'
'e7 CD EF' #
'00 00 12 35')
具有不同的时间戳(从第一个数据包延迟 1.52345 秒)。在 Wireshark 查看器的“时间”列中,我必须看到第二个数据包的值为 1.52345。我尝试改变部分
bytelist = bytestring.split()
bytes = binascii.a2b_hex(''.join(bytelist))
喜欢
bytelist.append(bytelist)
等等。但徒劳无功。正如 Wireshark 所说,数据包无效。
共享的代码片段似乎是以二进制/十六进制创建数据包,然后写入 pcap 文件。但时间戳不是写在数据包中的,而是由操作系统数据包捕获机制标记的。
如果需要添加时间,可以通过scapy读取创建的文件并添加时间,然后再次写入文件。
未经测试的代码 -
from scapy.utils import PcapReader, wrpcap
packets = PcapReader('filename.pcap')
pkt = packets[0] # Since we know it has only singly packet.
pkt2 = pkt # Duplicate packet.
pkt2.time = pkt2.time + delay # Add your delay here.
wrpcap('filename.pcap', pkt2, append=True)