Python 带状TZSP封装-实时流量
我正在创建一个日志服务器,它将传入和传出连接(任何类型)写入TXT文件。一切正常,以下是我的代码:Python 带状TZSP封装-实时流量,python,logging,header,scapy,Python,Logging,Header,Scapy,我正在创建一个日志服务器,它将传入和传出连接(任何类型)写入TXT文件。一切正常,以下是我的代码: from scapy.all import * import datetime from threading import Thread from Queue import Queue, Empty from scapy.layers.dns import DNS, DNSQR firstime = 0 times = time.time()+86400 def print_summary(pkt
from scapy.all import *
import datetime
from threading import Thread
from Queue import Queue, Empty
from scapy.layers.dns import DNS, DNSQR
firstime = 0
times = time.time()+86400
def print_summary(pkt):
global firstime
global times
if IP in pkt:
ip_src=pkt[IP].src
ip_dst=pkt[IP].dst
else:
ip_src="Null"
ip_dst="Null"
mac_src="Null"
mac_dst="Null"
if TCP in pkt:
tcp_sport=pkt[TCP].sport
tcp_dport=pkt[TCP].dport
else:
tcp_sport="Null"
tcp_dport="Null"
if DNSQR in pkt:
dns = pkt.qd.qname
else:
dns = "NULL"
if Ether in pkt:
mac_src = pkt[Ether].src
mac_dst = pkt[Ether].dst
else:
mac_src = "Null"
mac_dst = "Null"
Clog = " IP src: " + str(ip_src) +" ,MAC src: " + str(mac_src) + " , IP dst: " + str(ip_dst) +" ,MAC dst: "+str(mac_dst)+" ,TCP sport: " + str(tcp_sport) + ",TCP dport: " + str(tcp_dport) +", Time: " + str(time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(pkt.time))) + " Dns: "+dns
if(times > pkt.time):
if(firstime == 0):
f = open("/root/Desktop/LOG-SERVER/"+time.strftime('%Y-%m-%d %H:%M:', time.localtime(time.time()))+".txt",'a')
f.write(Clog+"\n")
f.close()
else:
f.write(Clog+"\n")
f.close()
else:
f = open("/root/Desktop/LOG-SERVER/"+time.strftime('%Y-%m-%d %H:%M:', time.localtime(time.time()))+".txt",'a')
f.write(Clog+"\n")
f.close()
times=times+86400
def startsnif():
sniff(prn=print_summary, store=0)
# you can filter with something like that
#if ( ( pkt[IP].src == "192.168.0.1") or ( pkt[IP].dst == "192.168.0.1") ):
# print("!")
#def writing(log,indexp):
#if(indexp == 0):
#f = open("/root/Desktop/LOG-SERVER/"+time.strftime('%Y-%m-%d %H:%M:', time.localtime(time.time()))+".txt",'a')
#f.write(log+"\n")
#f.close()
#else:
#f.write(log+"\n")
#f.close()
thread.start_new_thread(startsnif,());
while 1:
pass
# or it possible to filter with filter parameter...!
#sniff(filter="ip and host 192.168.0.1",prn=print_summary)
输出为:
IP Src: 192.168.10.1 MAC Src: 54:55:12:FC:2D:CA IP Dst:192.168.10.15 MAC Src: 54:55:12:FC:1F:3A TCP sport: 80 TCP dport: 51233 Time:2015-12-16 13:25:11 DNS:Null(IF available DNS Name)
问题是,该公司通过一种称为TZSP Sniff的技术获得了mikrotics,mikrotics镜像流量,该技术将数据包封装为路由器的IP和目标PC的路由器IP的MAC,目标PC的MAC,我正在搜索,但找不到任何合适的解决方案,但我读到您需要删除数据包的前5个字节
有没有一种方法可以在不保存PCAP的情况下实时剥离TZSP封装,请您解释一下这个过程,因为我对这个东西不熟悉
如果你有任何问题,请问我,我不太擅长解释
谢谢大家! 在检查TZSP数据包头的二进制文件后,TZSP似乎在添加了自己的mac地址后删除了原始mac地址,因此项目结束。谢谢您的帮助