python解析pcap文件并定位IP地理位置

本文使用到GeoLite2和wireshark

一、使用wireshark抓包数据并保存为pcap文件

二、使用python解析pcap文件(解析源、目的ip——可做其他字段解析)

 1 #! /usr/bin/env python
 2 #-*- coding:utf-8 -*-
 3 '''
 4 Created on 2019年11月24日
 5 
 6 @author:  perilong
 7 '''
 8 
 9 import dpkt
10 import socket
11 
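def printPcap(pcap):
    """Print the source and destination address of every IP packet in *pcap*.

    Args:
        pcap: an iterable of ``(timestamp, raw_frame)`` pairs, as yielded by
            ``dpkt.pcap.Reader``.  Every frame is decoded as Ethernet.

    Frames whose payload is not IPv4/IPv6 (ARP, LLDP, ...) are skipped
    instead of raising; a frame dpkt cannot decode is reported and skipped
    rather than aborting the loop, since a capture file is untrusted input
    and one malformed record should not hide the rest of the output.
    """
    for _ts, buf in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
        except Exception as e:  # truncated or malformed frame
            print('[!] undecodable frame: {}'.format(e))
            continue
        ip = eth.data
        if isinstance(ip, dpkt.ip.IP):
            src = socket.inet_ntoa(ip.src)
            dst = socket.inet_ntoa(ip.dst)
        elif isinstance(ip, dpkt.ip6.IP6):
            # 16-byte addresses: inet_ntoa would raise, so use inet_ntop
            src = socket.inet_ntop(socket.AF_INET6, ip.src)
            dst = socket.inet_ntop(socket.AF_INET6, ip.dst)
        else:
            continue  # not an IP packet; nothing to report
        print('[+] Src: ' + src + '---> Dst: ' + dst)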
22         
23 
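def main(pcap_path='ip-pcap.pcap'):
    """Open *pcap_path* and print the endpoints of every IP packet in it.

    Args:
        pcap_path: capture file to read; defaults to the original hard-coded
            ``ip-pcap.pcap`` in the working directory.

    The file is opened in binary mode (``dpkt.pcap.Reader`` consumes raw
    bytes; text mode would mangle the stream on Windows and on Python 3)
    and is closed whether or not the parse succeeds.
    """
    with open(pcap_path, 'rb') as f:
        printPcap(dpkt.pcap.Reader(f))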
28         
# Script entry point: only run when executed directly, not on import.
if __name__ == "__main__":
    main()

 

三、解析pcap并定位ip地理位置(经度纬度---美国能定位出城市名称)

 1 #! /usr/bin/env python
 2 #-*- coding:utf-8 -*-
 3 '''
 4 Created on 2019年11月24日
 5 
 6 @author:  perilong
 7 '''
 8 
 9 import dpkt
10 import socket
11 from geoip2 import database
12 import optparse
13 
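def printPcap(pcap, out_path='ip_flow.txt'):
    """Print, and append to *out_path*, the endpoints of every located IP packet.

    Args:
        pcap: an iterable of ``(timestamp, raw_frame)`` pairs, as yielded by
            ``dpkt.pcap.Reader``.  Every frame is decoded as Ethernet.
        out_path: text file that receives one ``[+] Src: ... --> Dst: ...``
            line per reported packet (append mode; defaults to the original
            hard-coded ``ip_flow.txt``).

    Both addresses of each IPv4/IPv6 packet are resolved with ``getLocate``
    exactly once -- ``getLocate`` opens the GeoIP database on every call, so
    the original's repeated lookups per packet were the dominant cost.
    Packets for which neither end can be located are skipped.  The output
    file is opened once for the whole run instead of once per packet, so it
    is created even when no packet is reported.  Decoding errors are printed
    and the frame skipped rather than silently swallowed: a capture is
    untrusted input and one bad record should not hide the rest.
    """
    with open(out_path, 'a') as out:
        for _ts, buf in pcap:
            try:
                eth = dpkt.ethernet.Ethernet(buf)
            except Exception as e:  # truncated or malformed frame
                print('[!] undecodable frame: {}'.format(e))
                continue
            ip = eth.data
            if isinstance(ip, dpkt.ip.IP):
                src = socket.inet_ntoa(ip.src)
                dst = socket.inet_ntoa(ip.dst)
            elif isinstance(ip, dpkt.ip6.IP6):
                # 16-byte addresses: inet_ntoa would raise, so use inet_ntop
                src = socket.inet_ntop(socket.AF_INET6, ip.src)
                dst = socket.inet_ntop(socket.AF_INET6, ip.dst)
            else:
                continue  # ARP, LLDP, ... carry no IP endpoints
            src_lo = getLocate(src)
            dst_lo = getLocate(dst)
            if src_lo == 'Unregistered' and dst_lo == 'Unregistered':
                continue
            line = '[+] Src: ' + src + ' --> Dst: ' + dst
            print(line + '\n' + '[-] src_addr: ' + src_lo + '--> dst-addr: ' + dst_lo)
            out.write(line + '\n')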
37         
38 
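def getLocate(taget, db_path='/opt/GeoIP/Geo.mmdb'):
    """Return a human-readable GeoIP location for *taget*.

    Args:
        taget: one IP address string, or a list/tuple of address strings.
        db_path: path of the GeoLite2 City ``.mmdb`` file to query; defaults
            to the original hard-coded location.

    Returns:
        For a single address, ``"<country>[,<city>]; lat-long- <lat>:<lon>"``
        -- the country name in zh-CN when the database carries it, else the
        database's default name -- or ``'Unregistered'`` when the address is
        not in the database, is malformed, or the database cannot be opened.
        For a list/tuple, one such string per element, in order.  (The
        original returned after the *first* element of a list; every element
        is now resolved.)  Both branches use the same ``lat-long- lat:lon``
        layout; the original printed a different separator for one of them.

    Lookup failures stay best-effort (the caller treats ``'Unregistered'`` as
    "skip"), but the database handle is now released on every path via the
    reader's context manager instead of being leaked once per call.
    """
    def describe(response):
        # Prefer the zh-CN name as the original did, but fall back to the
        # default name so a missing 'zh-CN' entry no longer voids the lookup.
        country = response.country.names.get('zh-CN') or response.country.name or ''
        city = response.city.name
        where = country if city is None else country + ',' + city
        lat_long = str(response.location.latitude) + ':' + str(response.location.longitude)
        return where + '; ' + 'lat-long- ' + lat_long

    def lookup(reader, addr):
        try:
            return describe(reader.city(addr))
        except Exception:  # address not found, malformed address, odd record
            return 'Unregistered'

    try:
        with database.Reader(db_path) as reader:
            if isinstance(taget, (list, tuple)):
                return [lookup(reader, addr) for addr in taget]
            return lookup(reader, taget)
    except Exception:  # database missing or unreadable: same best-effort answer
        if isinstance(taget, (list, tuple)):
            return ['Unregistered' for _ in taget]
        return 'Unregistered'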
65 
66 
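def main():
    """Command-line entry point: ``-p <pcap file>`` runs printPcap on that file.

    Prints the usage line and exits with status 0 when ``-p`` is missing.
    The capture is opened in binary mode (``dpkt.pcap.Reader`` consumes raw
    bytes) and closed when parsing finishes or fails.
    """
    # '%prog' is expanded by optparse; print_usage() adds the 'Usage:' prefix,
    # so the string itself must not repeat it.
    parser = optparse.OptionParser('%prog -p <pcap file>')
    parser.add_option('-p', dest='pcapFile', type='string', help='specify pcap filename')
    options, _args = parser.parse_args()
    if options.pcapFile is None:
        parser.print_usage()
        raise SystemExit(0)
    with open(options.pcapFile, 'rb') as f:
        printPcap(dpkt.pcap.Reader(f))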
89 
90         
91         
# Script entry point: only run when executed directly, not on import.
if __name__ == "__main__":
    main()
94     

 

 

参考:python绝技书籍
