1. Print detailed TCP session / UDP datagram data. Currently parses the mysql/pgsql/smtp/ftp/redis/mongodb authentication protocols and the full http/dns protocols.
2. IP packet statistics, for monitoring abnormal network traffic.
- pip install -r requirements.txt
- brew install libnids
- sudo apt-get install libnet1-dev libpcap-dev
- git clone https://github.com/MITRECND/pynids.git
- cd pynids
- sudo python setup.py build
- sudo python setup.py install
or
- pip install dpkt
- git clone https://github.com/kbandla/dpkt.git
- python print_pcap.py --help
See Document 2 for detailed usage.
- python print_pcap.py --pcapfile=data/pcap_pub/http_gzip.pcap --assetport=80
See Documents 11 and 12 for detailed usage.
- python print_tcp_session.py
Session data is printed only when the TCP flag is RST or FIN.
- data_stream_direct: 2
1. TCP/IP packet fundamentals
2. TCP/IP packet analysis applications - port scanning
3. TCP/IP protocol analysis - MySQL authentication protocol
4. TCP/IP protocol analysis - PostgreSQL authentication protocol
5. TCP/IP protocol analysis - MongoDB authentication protocol
6. TCP/IP protocol analysis - Redis authentication protocol
7. TCP/IP protocol analysis - FTP authentication protocol
8. TCP/IP protocol analysis - SMTP authentication protocol
9. TCP/IP protocol analysis - SSH protocol
10. TCP/IP protocol analysis - RDP protocol
11. TCP/IP packet analysis applications - TCP session reassembly
12. TCP/IP protocol analysis - DNS protocol - UDP
- python print_tcp_session.py
1. UDP-DNS protocol in detail
- pcap_file: data/pcap_pub/dns/netforensics_evidence05.pcap
- UDP-DNS parse result:

```json
{
  "ts": 1268758265.098157,
  "src_ip": "192.168.23.2",
  "src_port": 53,
  "dst_ip": "192.168.23.129",
  "dst_port": 52499,
  "header": {
    "aa": 0,
    "qr": 1,
    "num_of_answers": 1,
    "tc": 0,
    "num_of_additional": 4,
    "rd": 1,
    "opcode": "QUERY",
    "ra": 1,
    "num_of_authority": 4,
    "rcode": "NOERROR",
    "id": 48291,
    "num_of_questions": 1
  },
  "questions": [
    {
      "qclass": "IN",
      "qtype": "A",
      "qname": "freeways.in."
    }
  ],
  "answers": [
    {
      "ttl": 5,
      "rname": "freeways.in.",
      "rtype": "A",
      "rclass": 1,
      "rdata": "212.252.32.20"
    }
  ],
  "authority": [
    {
      "ttl": 5,
      "rname": "freeways.in.",
      "rtype": "NS",
      "rclass": 2,
      "rdata": "ns4.everydns.net."
    }
  ],
  "additional": [
    {
      "ttl": 5,
      "rname": "ns4.everydns.net.",
      "rtype": "A",
      "rclass": 1,
      "rdata": "208.76.60.100"
    }
  ]
}
```
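The following is an added example, not code from this project: a minimal DNS wire-format parser that emits the same dict shape as the UDP-DNS output above (header / questions / answers / authority / additional). It is pure Python so it runs without dpkt or pynids. The first sample is the DATA_BINARY bytes of the dns.pcap packet that print_pcap.py prints further down this page; the second is a response constructed from the freeways.in values in the JSON above, with the answer's owner name written as an RFC 1035 compression pointer, which real responses almost always use; the third is a constructed malformed packet whose name points at itself. The parser bounds pointer hops and rejects forward pointers so a malformed datagram cannot hang a monitor.

```python
"""Added example: minimal DNS message parser in the shape of the tool's UDP-DNS output."""
import json
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
CLASSES = {1: "IN", 2: "CS", 3: "CH", 4: "HS"}

# DATA_BINARY of the dns.pcap UDP packet shown on this page: an NXDOMAIN
# response for GRIMM.utelsystems.local carrying no resource records.
PAGE_RESPONSE = bytes.fromhex(
    "76 63 85 83 00 01 00 00 00 00 00 00 05 47 52 49 4d 4d 0b 75 74 65 6c 73"
    " 79 73 74 65 6d 73 05 6c 6f 63 61 6c 00 00 01 00 01"
)

# Constructed response using the freeways.in values from the JSON above; the
# answer's owner name is a compression pointer (0xc00c) back to the question.
CONSTRUCTED_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # id, flags, qd=1 an=1 ns=0 ar=0
    b"\x08freeways\x02in\x00\x00\x01\x00\x01"            # question: freeways.in. A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x05\x00\x04\xd4\xfc\x20\x14"  # A, ttl 5, 212.252.32.20
)

# Constructed malformed packet: the question name is a pointer to itself.
LOOPING_PACKET = PAGE_RESPONSE[:12] + b"\xc0\x0c\x00\x01\x00\x01"


def read_name(msg, off, hops=0):
    """Return (dotted name, offset after the name). Pointers must point
    backwards and are followed at most 8 times."""
    if hops > 8:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:  # root label terminates the name
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            suffix, _ = read_name(msg, ptr, hops + 1)
            if suffix != ".":
                labels.append(suffix.rstrip("."))
            return ".".join(labels) + ".", off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def read_rr(msg, off):
    """Parse one resource record; A and name-valued rdata are decoded, the rest kept as hex."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    raw = msg[off:off + rdlen]
    if len(raw) != rdlen:
        raise ValueError("truncated rdata")
    if rtype == 1 and rdlen == 4:
        rdata = ".".join(str(b) for b in raw)
    elif rtype in (2, 5, 12):
        rdata, _ = read_name(msg, off)
    else:
        rdata = raw.hex()
    return {"rname": name, "rtype": TYPES.get(rtype, rtype), "rclass": rclass,
            "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_dns(msg):
    """Parse a DNS message into the header/questions/answers/authority/additional dict."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {
        "id": ident, "qr": (flags >> 15) & 1,
        "opcode": OPCODES.get((flags >> 11) & 0xF, (flags >> 11) & 0xF),
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": RCODES.get(flags & 0xF, flags & 0xF),
        "num_of_questions": qd, "num_of_answers": an,
        "num_of_authority": ns, "num_of_additional": ar,
    }
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"qname": qname, "qtype": TYPES.get(qtype, qtype),
                          "qclass": CLASSES.get(qclass, qclass)})
    result = {"header": header, "questions": questions}
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        result[key] = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            result[key].append(rr)
    return result


def safe_parse(msg):
    """For a long-running monitor: malformed input yields None, never an exception."""
    try:
        return parse_dns(msg)
    except (ValueError, struct.error):
        return None


if __name__ == "__main__":
    print(json.dumps(parse_dns(PAGE_RESPONSE), indent=2))
    print(json.dumps(parse_dns(CONSTRUCTED_RESPONSE), indent=2))
    print(safe_parse(LOOPING_PACKET))
```

The header for the page's packet decodes flags 0x8583 as qr=1, aa=1, rd=1, ra=1, rcode NXDOMAIN; the constructed response resolves the pointer to "freeways.in." and yields the A record with ttl 5; the looping packet is rejected instead of recursing forever.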
2. TCP-HTTP protocol in detail
- pcap_file: data/pcap_pub/cve/cve-2016-4971.pcap

```json
{
  "ts_start": 1467904494.307728,
  "ts_end": 1467904494.392242,
  "src_ip": "192.168.186.128",
  "src_port": 41352,
  "dst_ip": "192.168.186.128",
  "dst_port": 80,
  "req_method": "GET",
  "req_uri": "/file",
  "req_version": "1.1",
  "req_headers": {
    "user-agent": "Wget/1.17 (linux-gnu)",
    "accept": "*/*",
    "accept-encoding": "identity",
    "host": "192.168.186.128",
    "connection": "Keep-Alive"
  },
  "req_body": "",
  "resp_version": "1.0",
  "resp_status": "301",
  "resp_reason": "Moved Permanently",
  "resp_headers": {
    "server": "SimpleHTTP/0.6 Python/2.7.12",
    "date": "Thu, 07 Jul 2016 15:14:54 GMT",
    "location": "ftp://anonymous@192.168.186.128:21/.wgetrc"
  },
  "resp_body": ""
}
```
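The following is an added example, not code from this project: it parses one reassembled HTTP request/response exchange into the same dict shape as the TCP-HTTP output above. It assumes the TCP session has already been reassembled into two byte strings, one per direction (as the tool's session reassembly does), and it bounds the body by Content-Length and reports when the capture ends before the body is complete, which a naive split on the blank line would silently accept. The request bytes are those print_pcap.py prints for httpoxy.pcap further down the page; the 301 response is constructed from the cve-2016-4971 JSON fields above; the short response is constructed.

```python
"""Added example: parse a reassembled HTTP exchange into the tool's TCP-HTTP dict shape."""
import json

# Request as printed for httpoxy.pcap on this page.
HTTPOXY_REQUEST = (
    b"GET /index.py HTTP/1.1\r\n"
    b"Host: 192.168.235.136:8080\r\n"
    b"User-Agent: curl/7.43.0\r\n"
    b"Accept: */*\r\n"
    b"Proxy: 192.168.235.135:11000\r\n\r\n"
)

# Constructed response built from the cve-2016-4971 JSON above.
REDIRECT_RESPONSE = (
    b"HTTP/1.0 301 Moved Permanently\r\n"
    b"Server: SimpleHTTP/0.6 Python/2.7.12\r\n"
    b"Date: Thu, 07 Jul 2016 15:14:54 GMT\r\n"
    b"Location: ftp://anonymous@192.168.186.128:21/.wgetrc\r\n\r\n"
)

# Constructed response whose body was cut short in the capture.
SHORT_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nabcd"


def _parse_message(raw):
    """Split an HTTP message into (start line, lower-cased header dict, raw body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower()
        value = value.strip()
        # Repeated fields are joined with a comma, as RFC 7230 allows for list-valued headers.
        headers[key] = headers[key] + ", " + value if key in headers else value
    return lines[0], headers, body


def _bounded_body(headers, body):
    """Cut the body to Content-Length and say whether the capture ended early."""
    length = headers.get("content-length")
    if length is None:
        return body, False
    n = int(length)
    return body[:n], len(body) < n


def parse_http_exchange(req_raw, resp_raw, ts_start=None, ts_end=None):
    """Return the request/response pair as a dict shaped like the tool's TCP-HTTP output."""
    req_line, req_headers, req_body = _parse_message(req_raw)
    method, uri, version = req_line.split(" ", 2)
    resp_line, resp_headers, resp_body = _parse_message(resp_raw)
    parts = resp_line.split(" ", 2)
    resp_version, status = parts[0], parts[1]
    reason = parts[2] if len(parts) > 2 else ""  # reason phrase is optional
    req_body, req_short = _bounded_body(req_headers, req_body)
    resp_body, resp_short = _bounded_body(resp_headers, resp_body)
    return {
        "ts_start": ts_start, "ts_end": ts_end,
        "req_method": method, "req_uri": uri,
        "req_version": version.replace("HTTP/", ""),
        "req_headers": req_headers,
        "req_body": req_body.decode("latin-1"), "req_body_truncated": req_short,
        "resp_version": resp_version.replace("HTTP/", ""),
        "resp_status": status, "resp_reason": reason,
        "resp_headers": resp_headers,
        "resp_body": resp_body.decode("latin-1"), "resp_body_truncated": resp_short,
    }


if __name__ == "__main__":
    print(json.dumps(parse_http_exchange(HTTPOXY_REQUEST, REDIRECT_RESPONSE), indent=2))
    print(json.dumps(parse_http_exchange(HTTPOXY_REQUEST, SHORT_RESPONSE), indent=2))
```

The lower-cased header dict is what a monitor inspects: for the httpoxy capture it exposes the non-standard Proxy request header, and for the cve-2016-4971 capture the Location header that redirects the client to an ftp:// URL, both exactly as they appear in the outputs on this page.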
3. IP packet metadata
- Output format: direction, timestamp, protocol, source IP:source port (IP geolocation)(service type), destination IP:destination port (IP geolocation)(service type), packet size

```text
IN  2017-08-18 13:23:41 TCP 58.217.200.117:14000(江苏省南京市 - None - None - NONE)(scotty-ft) 10.0.0.2:58747(局域网 - None - None - NONE)(NONE) 240
OUT 2017-08-18 13:23:41 TCP 10.0.0.2:58747(局域网 - None - None - NONE)(NONE) 58.217.200.117:14000(江苏省南京市 - None - None - NONE)(scotty-ft) 40
```

Note: port 14000 (scotty-ft) is the protocol WeChat and QQ use to send voice files.
- python print_pcap.py
- python print_pcap.py --pcapfile=data/pcap_pub/dns/dns.pcap

```text
[UDP][1112201545.38 2005-03-30 16:52:25] 217.13.4.24:53(00:12:a9:00:32:23)----->192.168.170.56:1711(00:60:08:45:e4:55) ttl=58 DATA_BINARY=76 63 85 83 00 01 00 00 00 00 00 00 05 47 52 49 4d 4d 0b 75 74 65 6c 73 79 73 74 65 6d 73 05 6c 6f 63 61 6c 00 00 01 00 01 LEN=41
```

- python print_pcap.py --pcapfile=data/pcap_pub/cve/httpoxy.pcap

```text
[TCP] [1469135972.46 2016-07-21 21:19:32] 192.168.235.135:55034(00:0c:29:92:67:d7) ----->192.168.235.136:8080(00:0c:29:79:fd:94) SEQ=618963631 ACK=2424513936 FLAGS=['ACK', 'PSH'] WIN=229 DATA=GET /index.py HTTP/1.1
Host: 192.168.235.136:8080
User-Agent: curl/7.43.0
Accept: */*
Proxy: 192.168.235.135:11000
```

```text
[ICMP_Unreach][1500285748.08 2017-07-17 10:02:28] 10.0.0.5:500(98:01:a7:9e:dd:c1)----->10.0.0.2:63816(58:f3:9c:51:90:c7) 3:3[host:port unreachable] ttl=43 DATA_BINARY= LEN=0
```
Source: http://www.tuicool.com/articles/Mn6jueb