I have PcapNG由 Wireshark 创建的文件,我尝试用它来解析python-pcapng.
However, I cannot figure out how to reconcile the output I receive from FileScanner's packet_payload_info with the 802.11 Data frame format: 
这是我得到的输出(我的代码位于底部):
magic_number 0xa0d0d0a
SectionHeader(version_major=1, version_minor=0, section_length=-1, options=Options({'shb_userappl': [u'Dumpcap 1.12.4 (v1.12.4-0-gb4861da from master-1.12)'], 'shb_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)']}))
magic_number 0x1
InterfaceDescription(link_type=127, reserved='\x00\x00', snaplen=262144, options=Options({'if_os': [u'Mac OS X 10.10.2, build 14C109 (Darwin 14.1.0)'], 'if_tsresol': [6], 'if_name': [u'en1']}))
magic_number 0x6
EnhancedPacket(interface_id=0, timestamp_high=332139, timestamp_low=2801116064L, packet_payload_info=(45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12'), options=Options({}))
packet_payload_info : (45, 45, '\x00\x00\x19\x00o\x08\x00\x00`I\xb2&\x00\x00\x00\x00\x12\x18q\x16@\x01\xb1\xaa\x00\xb4\x00\x90\x00\xf4\x0f\x1b\xb8sL`\x92\x175\x00\x01\xe3\xcf\x00\x12')
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12
packet_payload_data (bin): 00000000 00000000 00011001 00000000 01101111 00001000 00000000 00000000 01100000 01001001 10110010 00100110 00000000 00000000 00000000 00000000 00010010 00011000 01110001 00010110 01000000 00000001 10110001 10101010 00000000 10110100 00000000 10010000 00000000 11110100 00001111 00011011 10111000 01110011 01001100 01100000 10010010 00010111 00110101 00000000 00000001 11100011 11001111 00000000 00010010
packet_payload_data适合 802.11 数据框吗?*Python代码:
#!/usr/bin/env python
from pcapng import FileScanner
def hex_str_to_num(hex_str,out_format='X'):
if out_format.upper() == 'B':
return ' '.join(format(ord(x), out_format).zfill(8) for x in hex_str)
else:
return ' '.join(format(ord(x), out_format).zfill(2) for x in hex_str)
PCAPNG = "/cygdrive/c/tmp/trace3.pcapng"
MAX = 3
ENHANCEDPACKET_ID = 6
with open(PCAPNG, "r") as pcapng_file:
scanner = FileScanner(pcapng_file)
counter = MAX
for block in scanner:
print
print "magic_number",hex(block.magic_number)
print block
if block.magic_number == ENHANCEDPACKET_ID:
print
payload_data = block.packet_payload_info[2]
print "packet_payload_info :",block.packet_payload_info,"\n"
print "packet_payload_data (hex):",hex_str_to_num(payload_data,"X"),"\n"
print "packet_payload_data (bin):",hex_str_to_num(payload_data,"b")
counter -= 1
if not counter:
break
如果我打印几张EnhancedPacket's packet_payload_data,我注意到它们都以00 00 19 00 6F 08 00 00。现在08是数据框标记,这让我怀疑packet_payload_data不仅仅是有效负载数据,还包括帧控制 bits.
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 60 49 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 49 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 09 4A B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 C0 23 FF FF FF FF FF FF FF FF 58 D0 59 5C
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 5F 51 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 B4 00 1C 1B F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 86 51 B2 26 00 00 00 00 12 6C 71 16 40 01 CA AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 EE 53 B2 26 00 00 00 00 12 6C 71 16 40 01 B1 AA 00 B4 00 74 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 33 20 02 04
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 15 54 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 98 56 B2 26 00 00 00 00 52 6C 71 16 40 01 B2 AA 00 AB 00 74 00 F4 0F 1B B8 73 3C E4 44 DF 67 09 14 3A 0A 24 04
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 C0 56 B2 26 00 00 00 00 12 6C 71 16 40 01 CB AA 00 C4 00 4C 00 60 92 17 35 00 01 EE 12 B7 D7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 E8 58 B2 26 00 00 00 00 12 18 71 16 40 01 B1 AA 00 B4 00 90 00 F4 0F 1B B8 73 4C 60 92 17 35 00 01 E3 CF 00 12
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 1B 59 B2 26 00 00 00 00 12 18 71 16 40 01 CD AA 00 C4 00 60 00 60 92 17 35 00 01 F7 65 6E 79
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 92 59 B2 26 00 00 00 00 12 18 71 16 40 01 CA AA 00 94 00 00 00 60 92 17 35 00 01 F4 0F 1B B8 73 4C 04 00 D0 23 FF FF FF FF FF FF FF FF B0 51 F7 7B
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 A0 69 B2 26 00 00 00 00 12 6C 71 16 40 01 C6 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7
packet_payload_data (hex): 00 00 19 00 6F 08 00 00 17 6A B2 26 00 00 00 00 12 6C 71 16 40 01 C5 AA 00 B4 00 C0 00 50 2E 5C DA 81 9D F4 0F 1B B8 73 4C B4 E2 C5 B7
首先,做not假设,仅仅因为您在 802.11 接口上捕获,帧数据就以 802.11 标头开始。它可能以“无线电元数据”标头开头,例如,其后跟随 802.11 标头。
ALL读取 pcap-ng 文件的程序必须:
LinkType 值的官方列表 http://www.tcpdump.org/linktypes.html指示这些值是什么以及应如何解释该值的数据包数据。永远永远永远永远不要假设数据包数据会是什么样子;始终检查 LinkType 值。
(这也适用于 pcap 文件;始终检查文件的链路层标头类型。)
现在,请注意00 00 19 00 6F 08 00 00可能是一个开始radiotap http://www.radiotap.org头,版本值为 0,填充字节为 0,小端长度为 25 字节,第一个存在位字为 0x0000086F。该存在位字表示存在的字段将是TSFT http://www.radiotap.org/defined-fields/TSFT(8字节),Flags http://www.radiotap.org/defined-fields/Flags(1字节),Rate http://www.radiotap.org/defined-fields/Rate(1字节),Channel http://www.radiotap.org/defined-fields/Channel(4字节),天线信号 http://www.radiotap.org/defined-fields/Antenna%20signal(1字节),天线噪声 http://www.radiotap.org/defined-fields/Antenna%20noise(1 个字节),以及Antenna http://www.radiotap.org/defined-fields/Antenna(1 字节)。版本、填充字节、长度和存在位字为 8 个字节,总共 8+8+1+1+4+1+1+1 = 25 个字节。
所以我绝对会NOT假设您正在查看 802.11 标头!您必须检查 LinkType;如果是 127 (LINKTYPE_IEEE802_11_RADIOTAP),则数据包以 radiotap 标头开头,后跟 802.11 标头。如果是 105 (LINKTYPE_IEEE802_11),则它们以 802.11 标头开头。
802.11 标头,无论是跟随在 radiotap(或其他无线电元数据)标头之后还是位于原始数据包数据的开头,都是原始 802.11 标头,因此它以帧控制字段开头,后面是持续时间,依此类推。