Python 从 Wireshark 捕获文件 pcap 解析 DNS 的库
Python library to parse DNS from Wireshark capture file pcap
我从 Python 开始。
我有一个由 Wireshark 捕获的 .pcap 文件,其中包含 DNS 查询和响应。我需要打开这个文件并提取请求的主机名和返回的记录类型和 IP 地址。
我发现了几个能够读取 pcap 文件的库,但我不知道哪个最适合这个。可以推荐一下吗?
Scapy 不错。
from scapy.all import *
from scapy.layers.dns import DNS, DNSQR
types = {0: 'ANY', 255: 'ALL',1: 'A', 2: 'NS', 3: 'MD', 4: 'MD', 5: 'CNAME',
6: 'SOA', 7: 'MB',8: 'MG',9: 'MR',10: 'NULL',11: 'WKS',12: 'PTR',
13: 'HINFO',14: 'MINFO',15: 'MX',16: 'TXT',17: 'RP',18: 'AFSDB',
28: 'AAAA', 33: 'SRV',38: 'A6',39: 'DNAME'}
dns_packets = rdpcap('file.pcap')
for packet in dns_packets:
if packet.haslayer(DNS):
print(packet.show())
dst = packet[IP].dst
rec_type = packet[DNSQR].qtype
print(dst, types[rec_type])
输出示例:
###[ Ethernet ]###
dst = 00:16:e3:19:27:15
src = 00:04:76:96:7b:da
type = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 70
id = 0
flags = DF
frag = 0L
ttl = 64
proto = udp
chksum = 0xb753
src = 192.168.1.2
dst = 192.168.1.1
\options \
###[ UDP ]###
sport = 2128
dport = domain
len = 50
chksum = 0x8397
###[ DNS ]###
id = 12575
qr = 0L
opcode = QUERY
aa = 0L
tc = 0L
rd = 1L
ra = 0L
z = 0L
ad = 0L
cd = 0L
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = '2.1.168.192.in-addr.arpa.'
| qtype = PTR
| qclass = IN
an = None
ns = None
ar = None
('192.168.1.1', 'PTR')
最后一行是外发IP地址和记录类型。资料一堆,正好select你需要的
我从 Python 开始。 我有一个由 Wireshark 捕获的 .pcap 文件,其中包含 DNS 查询和响应。我需要打开这个文件并提取请求的主机名和返回的记录类型和 IP 地址。 我发现了几个能够读取 pcap 文件的库,但我不知道哪个最适合这个。可以推荐一下吗?
Scapy 不错。
from scapy.all import *
from scapy.layers.dns import DNS, DNSQR
types = {0: 'ANY', 255: 'ALL',1: 'A', 2: 'NS', 3: 'MD', 4: 'MD', 5: 'CNAME',
6: 'SOA', 7: 'MB',8: 'MG',9: 'MR',10: 'NULL',11: 'WKS',12: 'PTR',
13: 'HINFO',14: 'MINFO',15: 'MX',16: 'TXT',17: 'RP',18: 'AFSDB',
28: 'AAAA', 33: 'SRV',38: 'A6',39: 'DNAME'}
dns_packets = rdpcap('file.pcap')
for packet in dns_packets:
if packet.haslayer(DNS):
print(packet.show())
dst = packet[IP].dst
rec_type = packet[DNSQR].qtype
print(dst, types[rec_type])
输出示例:
###[ Ethernet ]###
dst = 00:16:e3:19:27:15
src = 00:04:76:96:7b:da
type = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 70
id = 0
flags = DF
frag = 0L
ttl = 64
proto = udp
chksum = 0xb753
src = 192.168.1.2
dst = 192.168.1.1
\options \
###[ UDP ]###
sport = 2128
dport = domain
len = 50
chksum = 0x8397
###[ DNS ]###
id = 12575
qr = 0L
opcode = QUERY
aa = 0L
tc = 0L
rd = 1L
ra = 0L
z = 0L
ad = 0L
cd = 0L
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = '2.1.168.192.in-addr.arpa.'
| qtype = PTR
| qclass = IN
an = None
ns = None
ar = None
('192.168.1.1', 'PTR')
最后一行是外发IP地址和记录类型。资料一堆,正好select你需要的