Problem description
How to combine decoded packet data and header output into a single variable/dictionary for string searches
I'm somewhat of a Python novice, but I've taken up a small personal project to teach myself a bit more. Basically, I'm writing a packet sniffer using sockets and impacket. However, where I am getting stuck at is one particular point: combining the output from header and packet into one variable (I was thinking of a dictionary, but it didn't like that...) so that I can simply search out the IP header for one particular partial source IP (i.e., the first two octets). Or would there be a more efficient way of handling this? Any help is appreciated. :‑)
EDIT: When I was trying the dictionary, I was doing
ip_dict = { header: packet }
However, the output I get is akin to this:
{<impacket.ImpactPacket.IP instance at 0x02563440>: <impacket.ImpactPacket.Data instance at 0x02563530>}
As opposed to the actual output of said IP header and data.
import socket
import time
from impacket import ImpactDecoder

HOST = socket.gethostbyname(socket.gethostname())
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
s.bind((HOST, 0))
while True:
    # Include IP headers
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    # receive all packets (SIO_RCVALL is Windows-only)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
    # receive a packet
    packet = s.recvfrom(42028)[0]
    # look at IP info
    h_decode = ImpactDecoder.IPDecoder()
    header = h_decode.decode(packet)
    # disable promiscuous mode
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
    decoder = ImpactDecoder.DataDecoder()
    packet = decoder.decode(packet)
    print(header)
    print(packet)
    time.sleep(1)
‑‑‑‑‑
Reference solution
Method 1:
Dictionaries are sets of key/value pairs. When you used
ip_dict = { header: packet }
you told it to build a dictionary with the header instance as the key and the packet instance as the value, which is what it did:
{<impacket.ImpactPacket.IP instance at 0x02563440>: <impacket.ImpactPacket.Data instance at 0x02563530>}
If you want something from inside those instances, you have to extract it yourself. For example, although I've never used the impacket library before, the objects seem to have lots of methods living inside them. For example [suppressing the real numbers and data and replacing them with nonsense]:
In [25]: z
Out[25]: <impacket.ImpactPacket.IP instance at 0xb6151fac>
In [26]: z.[here I hit TAB in the IPython interpreter]
z.add_option z.get_ip_offmask z.set_bytes_from_string
z.auto_checksum z.get_ip_p z.set_checksum_from_data
z.calculate_checksum z.get_ip_rf z.set_ip_address
z.child z.get_ip_src z.set_ip_df
z.compute_checksum z.get_ip_sum z.set_ip_dst
z.contains z.get_ip_tos z.set_ip_hl
z.ethertype z.get_ip_ttl z.set_ip_id
z.fragment_by_list z.get_ip_v z.set_ip_len
z.fragment_by_size z.get_long z.set_ip_mf
z.get_buffer_as_string z.get_packet z.set_ip_off
z.get_byte z.get_pseudo_header z.set_ip_offmask
z.get_bytes z.get_size z.set_ip_p
z.get_data_as_string z.get_word z.set_ip_rf
z.get_header_size z.is_BSD z.set_ip_src
z.get_ip_address z.list_as_hex z.set_ip_sum
z.get_ip_df z.load_header z.set_ip_tos
z.get_ip_dst z.normalize_checksum z.set_ip_ttl
z.get_ip_hl z.packet_printable z.set_ip_v
z.get_ip_id z.parent z.set_long
z.get_ip_len z.protocol z.set_parent
z.get_ip_mf z.set_byte z.set_word
z.get_ip_off z.set_bytes
In [26]: z.get_ip_src()
Out[26]: '1.2.3.4' # fake
In [27]: z.get_ip_dst()
Out[27]: '5.6.7.8' # fake
In [29]: z.get_data_as_string()
Out[29]: '\x00abcde' # fake
I have no idea what half of the methods do, or which of them are important, but you can easily build a dictionary out of whatever you like:
In [31]: {(z.get_ip_src(), z.get_ip_dst()): z.get_bytes()}
Out[31]:
{('1.2.3.4',
'5.6.7.8'): array('B', [1,2,3,4,5,6,7,8])} # fake
or combine bits from the IPDecoder and the DataDecoder, whatever. The point is that the issue isn't about Python dictionaries, it's about the impacket library's data structures, and what information you want to extract from them. The docs will probably describe how to get what you need.
(by user1630698, DSM)
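As an added example (not code from the question or the answer), here is the same idea done with the standard library in place of impacket: a struct-based IPv4 header parser that puts the header fields and the payload into one dict, plus a source-prefix filter done with ipaddress rather than a string search, so a "first two octets" match on 10.20.0.0/16 cannot accidentally accept 10.200.x.x. The packets, addresses and function names are constructed for this example.

```python
import socket
import struct
from ipaddress import IPv4Address, IPv4Network

def decode_ipv4(packet):
    """Parse an IPv4 header with struct; return header fields and payload in one dict."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "header_len": ihl,
        # total_len bounds the payload so trailing link-layer padding is dropped
        "payload": packet[ihl:total_len],
    }

def src_in_prefix(fields, prefix):
    """True when the decoded source lies inside prefix (e.g. a /16 for the 'first two
    octets'). Unlike str.startswith("10.20"), 10.20.0.0/16 does not match 10.200.x.x."""
    return IPv4Address(fields["src"]) in IPv4Network(prefix)

def matching_sources(packets, prefix):
    """Decode every packet once and keep those whose source is inside prefix."""
    decoded = (decode_ipv4(p) for p in packets)
    return [f for f in decoded if src_in_prefix(f, prefix)]

def build_ipv4(src, dst, payload, proto=17, ttl=64):
    """Build a minimal IPv4 datagram as constructed test input (checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

# Constructed sample traffic; only the first and third come from 10.20.0.0/16.
SAMPLES = [
    build_ipv4("10.20.1.5", "192.0.2.10", b"hello"),
    build_ipv4("10.200.4.4", "192.0.2.10", b"other"),
    build_ipv4("10.20.200.1", "198.51.100.7", b"\x00abcde"),
]

if __name__ == "__main__":
    for fields in matching_sources(SAMPLES, "10.20.0.0/16"):
        print(fields["src"], "->", fields["dst"], fields["payload"])
```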