-
读取pcap包,打印详细的icmp/tcp/udp协议
-
读取pcap包或网络接口
1. 打印详细的tcp会话/udp报文数据,目前支持mysql/pgsql/smtp/ftp/redis/mongodb认证协议解析,http/dns完整协议解析
2. IP数据包统计信息,用于监控网络异常流量
pip install -r requirements.txt
-
- mac
brew install libnids
- linux
sudo apt-get install libnet1-dev libpcap-dev
git clone https://github.com/MITRECND/pynids.git
cd pynids
sudo python setup.py build
sudo python setup.py install
-
pip install dpkt
或者
git clone https://github.com/kbandla/dpkt.git
-
读取pcap包,打印详细的icmp/tcp/udp协议
python print_pcap.py --help
python print_pcap.py --pcapfile=data/pcap_pub/http_gzip.pcap --assetport=80
详细使用可以参看Documents 二
-
读取pcap包或网络接口,打印详细的tcp会话数据
第一步:指定配置 server.yaml
第二步:
python print_tcp_session.py
-
不支持ipv6格式的数据包
-
当server.yaml中配置为重组双向流量时
data_stream_direct: 2
只在tcp flag为RST或FIN时才会打印数据
-
不支持多进程
1. UDP-DNS协议详解
pcap_file: data/pcap_pub/dns/netforensics_evidence05.pcap
UDP-DNS 协议解析
{
"ts": 1268758265.098157,
"src_ip": "192.168.23.2",
"src_port": 53,
"dst_ip": "192.168.23.129",
"dst_port": 52499,
"header": {
"aa": 0,
"qr": 1,
"num_of_answers": 1,
"tc": 0,
"num_of_additional": 4,
"rd": 1,
"opcode": "QUERY",
"ra": 1,
"num_of_authority": 4,
"rcode": "NOERROR",
"id": 48291,
"num_of_questions": 1
},
"questions": [
{
"qclass": "IN",
"qtype": "A",
"qname": "freeways.in."
}
],
"answers": [
{
"ttl": 5,
"rname": "freeways.in.",
"rtype": "A",
"rclass": 1,
"rdata": "212.252.32.20"
}
],
"authority": [
{
"ttl": 5,
"rname": "freeways.in.",
"rtype": "NS",
"rclass": 2,
"rdata": "ns4.everydns.net."
}
],
"additional": [
{
"ttl": 5,
"rname": "ns4.everydns.net.",
"rtype": "A",
"rclass": 1,
"rdata": "208.76.60.100"
}
]
}
2. TCP-HTTP 协议详解
pcap_file: data/pcap_pub/cve/cve-2016-4971.pcap
{
"ts_start": 1467904494.307728,
"ts_end": 1467904494.392242,
"src_ip": "192.168.186.128",
"src_port": 41352,
"dst_ip": "192.168.186.128",
"dst_port": 80,
"req_method": "GET",
"req_uri": "/file",
"req_version": "1.1",
"req_headers": {
"user-agent": "Wget/1.17 (linux-gnu)",
"accept": "*/*",
"accept-encoding": "identity",
"host": "192.168.186.128",
"connection": "Keep-Alive"
},
"req_body": "",
"resp_version": "1.0",
"resp_status": "301",
"resp_reason": "Moved Permanently",
"resp_headers": {
"server": "SimpleHTTP/0.6 Python/2.7.12",
"date": "Thu, 07 Jul 2016 15:14:54 GMT",
"location": "ftp://anonymous@192.168.186.128:21/.wgetrc"
},
"resp_body": ""
}
3. IP 数据包元信息
数据包方向 时间戳 协议类型 源IP:源端口(IP归属地)(服务类型)目的IP:目的端口(IP归属地)(服务类型) 数据包大小
IN 2017-08-18 13:23:41 TCP 58.217.200.117:14000(江苏省南京市-None-None-NONE)(scotty-ft) 10.0.0.2:58747(局域网-None-None-NONE)(NONE) 240
OUT 2017-08-18 13:23:41 TCP 10.0.0.2:58747(局域网-None-None-NONE)(NONE) 58.217.200.117:14000(江苏省南京市-None-None-NONE)(scotty-ft) 40
备注: 14000(scotty-ft) 为微信、QQ发送语音文件的协议
-
UDP报文
python print_pcap.py --pcapfile=data/pcap_pub/dns/dns.pcap
[UDP] [1112201545.38 2005-03-30 16:52:25] 217.13.4.24:53(00:12:a9:00:32:23) ----->192.168.170.56:1711(00:60:08:45:e4:55) ttl=58 DATA_BINARY=76 63 85 83 00 01 00 00 00 00 00 00 05 47 52 49 4d 4d 0b 75 74 65 6c 73 79 73 74 65 6d 73 05 6c 6f 63 61 6c 00 00 01 00 01 LEN=41
-
TCP报文
python print_pcap.py --pcapfile=data/pcap_pub/cve/httpoxy.pcap
[TCP] [1469135972.46 2016-07-21 21:19:32] 192.168.235.135:55034(00:0c:29:92:67:d7) ----->192.168.235.136:8080(00:0c:29:79:fd:94) SEQ=618963631 ACK=2424513936 FLAGS=['ACK', 'PSH'] WIN=229 DATA=GET /index.py HTTP/1.1 Host: 192.168.235.136:8080 User-Agent: curl/7.43.0 Accept: */* Proxy: 192.168.235.135:11000
-
ICMP报文
[ICMP_Unreach] [1500285748.08 2017-07-17 10:02:28] 10.0.0.5:500(98:01:a7:9e:dd:c1) ----->10.0.0.2:63816(58:f3:9c:51:90:c7) 3:3[host:port unreachable] ttl=43 DATA_BINARY= LEN=0
原博客 被封号了
豆瓣读书 分享最近看的书籍
baidu网盘 分享的内容很快就会被删掉