{"id":13821438,"url":"https://github.com/tanjiti/packet_analysis","last_synced_at":"2025-05-16T12:33:31.741Z","repository":{"id":80186142,"uuid":"100690024","full_name":"tanjiti/packet_analysis","owner":"tanjiti","description":"IP/TCP/UDP packet analysis and parsing","archived":false,"fork":false,"pushed_at":"2017-08-22T06:49:36.000Z","size":23828,"stargazers_count":223,"open_issues_count":1,"forks_count":76,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-11-19T21:36:05.770Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tanjiti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-18T08:20:26.000Z","updated_at":"2024-10-01T09:58:52.000Z","dependencies_parsed_at":null,"dependency_job_id":"413939d2-68fe-4687-9afc-4f5388216c53","html_url":"https://github.com/tanjiti/packet_analysis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tanjiti%2Fpacket_analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tanjiti%2Fpacket_analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tanjiti%2Fpacket_analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tanjiti%2Fpacket_analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tanjiti","download_url":"https://codeload.github.com/tanjiti/packet_analysis/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254530696,"owners_count":22086665,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T08:01:21.936Z","updated_at":"2025-05-16T12:33:26.717Z","avatar_url":"https://github.com/tanjiti.png","language":"Python","readme":"# Features\n\n* Read a pcap file and print detailed icmp/tcp/udp protocol information\n\n* Read a pcap file or a network interface\n\n    1. Print detailed tcp session / udp datagram data; currently supports parsing the mysql/pgsql/smtp/ftp/redis/mongodb authentication protocols and full http/dns protocol parsing\n\n    2. IP packet statistics, for monitoring anomalous network traffic\n\n\n# Installation\n\n `pip install -r requirements.txt`\n\n\n* [pynids](https://github.com/MITRECND/pynids.git)\n\n   * mac\n\n   `brew install libnids`\n\n   * linux\n\n   `sudo apt-get install libnet1-dev libpcap-dev`\n\n   `git clone https://github.com/MITRECND/pynids.git`\n\n   `cd pynids`\n\n   `sudo python setup.py build`\n\n   `sudo python setup.py install`\n\n* [dpkt](http://dpkt.readthedocs.io/en/latest/index.html)\n\n   `pip install dpkt`\n\n   or\n\n   `git clone https://github.com/kbandla/dpkt.git`\n\n\n# Usage\n* Read a pcap file and print detailed icmp/tcp/udp protocol information\n\n    `python print_pcap.py --help`\n\n    `python print_pcap.py --pcapfile=data/pcap_pub/http_gzip.pcap  --assetport=80`\n\n    \u003cb\u003eFor detailed usage see Documents [2](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0e2)\u003c/b\u003e\n\n\n* Read a pcap file or a network interface and print detailed tcp session data\n\n   Step 1: specify the configuration in\n   [server.yaml](etc/server.yaml)\n\n\n   Step 2:\n   `python print_tcp_session.py`\n\n   \u003cb\u003eFor detailed usage see Documents [11](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0ce) and [12](http://tanjiti.lofter.com/post/1cc6c85b_10c6c87f)\u003c/b\u003e\n\n\n# Bugs\n## libnids\n1. IPv6 packets are not supported\n\n2. When server.yaml is configured to reassemble traffic in both directions\n\n    `data_stream_direct: 2`\n\n    data is only printed when the tcp flag is RST or FIN\n\n3. Multiple processes are not supported\n\n\n# Documents\n\n[1. TCP/IP packet basics](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0e4)\n\n[2. TCP/IP packet analysis in practice: port scanning](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0e2)\n\n[3. TCP/IP protocol analysis: MySQL authentication protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0e1)\n\n[4. TCP/IP protocol analysis: PostgreSQL authentication protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0dd)\n\n[5. TCP/IP protocol analysis: MongoDB authentication protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0dc)\n\n[6. TCP/IP protocol analysis: Redis authentication protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0d7)\n\n[7. TCP/IP protocol analysis: FTP authentication protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0d5)\n\n[8. TCP/IP protocol analysis: SMTP authentication protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0d2)\n\n[9. TCP/IP protocol analysis: SSH protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0d0)\n\n[10. TCP/IP protocol analysis: RDP protocol](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0cf)\n\n[11. TCP/IP packet analysis in practice: TCP session reassembly](http://tanjiti.lofter.com/post/1cc6c85b_10c4e0ce)\n\n[12. TCP/IP protocol analysis: DNS protocol (UDP)](http://tanjiti.lofter.com/post/1cc6c85b_10c6c87f)\n\n\n# Examples\n\n\u003ccode\u003epython print_tcp_session.py\u003c/code\u003e\n=====================\n\n\u003cb\u003e 1. UDP-DNS protocol in detail \u003c/b\u003e\n\n    pcap_file: data/pcap_pub/dns/netforensics_evidence05.pcap\n\n    UDP-DNS protocol parsing\n\n    {\n      \"ts\": 1268758265.098157,\n      \"src_ip\": \"192.168.23.2\",\n      \"src_port\": 53,\n      \"dst_ip\": \"192.168.23.129\",\n      \"dst_port\": 52499,\n      \"header\": {\n        \"aa\": 0,\n        \"qr\": 1,\n        \"num_of_answers\": 1,\n        \"tc\": 0,\n        \"num_of_additional\": 4,\n        \"rd\": 1,\n        \"opcode\": \"QUERY\",\n        \"ra\": 1,\n        \"num_of_authority\": 4,\n        \"rcode\": \"NOERROR\",\n        \"id\": 48291,\n        \"num_of_questions\": 1\n      },\n      \"questions\": [\n        {\n          \"qclass\": \"IN\",\n          \"qtype\": \"A\",\n          \"qname\": \"freeways.in.\"\n        }\n      ],\n      \"answers\": [\n        {\n          \"ttl\": 5,\n          \"rname\": \"freeways.in.\",\n          \"rtype\": \"A\",\n          \"rclass\": 1,\n          \"rdata\": \"212.252.32.20\"\n        }\n      ],\n      \"authority\": [\n        {\n          \"ttl\": 5,\n          \"rname\": \"freeways.in.\",\n          \"rtype\": \"NS\",\n          \"rclass\": 2,\n          \"rdata\": \"ns4.everydns.net.\"\n        }\n      ],\n      \"additional\": [\n        {\n          \"ttl\": 5,\n          \"rname\": \"ns4.everydns.net.\",\n          \"rtype\": \"A\",\n          \"rclass\": 1,\n          \"rdata\": \"208.76.60.100\"\n        }\n      ]\n    }\n\n\n\u003cb\u003e 2. TCP-HTTP protocol in detail \u003c/b\u003e\n\n    pcap_file: data/pcap_pub/cve/cve-2016-4971.pcap\n\n    {\n      \"ts_start\": 1467904494.307728,\n      \"ts_end\": 1467904494.392242,\n      \"src_ip\": \"192.168.186.128\",\n      \"src_port\": 41352,\n      \"dst_ip\": \"192.168.186.128\",\n      \"dst_port\": 80,\n      \"req_method\": \"GET\",\n      \"req_uri\": \"/file\",\n      \"req_version\": \"1.1\",\n      \"req_headers\": {\n        \"user-agent\": \"Wget/1.17 (linux-gnu)\",\n        \"accept\": \"*/*\",\n        \"accept-encoding\": \"identity\",\n        \"host\": \"192.168.186.128\",\n        \"connection\": \"Keep-Alive\"\n      },\n      \"req_body\": \"\",\n      \"resp_version\": \"1.0\",\n      \"resp_status\": \"301\",\n      \"resp_reason\": \"Moved Permanently\",\n      \"resp_headers\": {\n        \"server\": \"SimpleHTTP/0.6 Python/2.7.12\",\n        \"date\": \"Thu, 07 Jul 2016 15:14:54 GMT\",\n        \"location\": \"ftp://anonymous@192.168.186.128:21/.wgetrc\"\n      },\n      \"resp_body\": \"\"\n    }\n\n\u003cb\u003e 3. IP packet metadata\u003c/b\u003e\n\n    direction  timestamp  protocol  src_ip:src_port(IP geolocation)(service)  dst_ip:dst_port(IP geolocation)(service)  packet size\n\n    IN\t2017-08-18 13:23:41\tTCP\t58.217.200.117:14000(江苏省南京市-None-None-NONE)(scotty-ft)\t10.0.0.2:58747(局域网-None-None-NONE)(NONE)\t240\n\n    OUT\t2017-08-18 13:23:41\tTCP\t10.0.0.2:58747(局域网-None-None-NONE)(NONE)\t58.217.200.117:14000(江苏省南京市-None-None-NONE)(scotty-ft)\t40\n\n\n   Note: port 14000 (scotty-ft) is the protocol WeChat and QQ use to send voice files\n\n\n\u003ccode\u003epython print_pcap.py\u003c/code\u003e\n===================\n\n1. UDP datagram\n\n   \u003ccode\u003epython print_pcap.py --pcapfile=data/pcap_pub/dns/dns.pcap\u003c/code\u003e\n\n        [UDP]\t[1112201545.38\t2005-03-30 16:52:25]\t217.13.4.24:53(00:12:a9:00:32:23) -----\u003e192.168.170.56:1711(00:60:08:45:e4:55)\tttl=58\tDATA_BINARY=76 63 85 83 00 01 00 00 00 00 00 00 05 47 52 49 4d 4d 0b 75 74 65 6c 73 79 73 74 65 6d 73 05 6c 6f 63 61 6c 00 00 01 00 01\tLEN=41\n\n2. TCP segment\n\n    \u003ccode\u003epython print_pcap.py --pcapfile=data/pcap_pub/cve/httpoxy.pcap\u003c/code\u003e\n\n        [TCP]   [1469135972.46  2016-07-21 21:19:32]    192.168.235.135:55034(00:0c:29:92:67:d7) -----\u003e192.168.235.136:8080(00:0c:29:79:fd:94)  SEQ=618963631   ACK=2424513936  FLAGS=['ACK', 'PSH']    WIN=229 DATA=GET /index.py HTTP/1.1\n        Host: 192.168.235.136:8080\n        User-Agent: curl/7.43.0\n        Accept: */*\n        Proxy: 192.168.235.135:11000\n\n3. ICMP message\n\n        [ICMP_Unreach]\t[1500285748.08\t2017-07-17 10:02:28]\t10.0.0.5:500(98:01:a7:9e:dd:c1) -----\u003e10.0.0.2:63816(58:f3:9c:51:90:c7)\t3:3[host:port unreachable]\tttl=43\tDATA_BINARY=\tLEN=0\n\n\nContact\n===\n[Original blog](http://danqingdani.blog.163.com/) (the account has been banned)\n\n[Subscribe to the backup on lofter](http://tanjiti.lofter.com/rss)\n\n[Sina Weibo](http://weibo.com/tanjiti)\n\n[Douban Books](https://book.douban.com/people/tanjiti/): books I have been reading recently\n\n[Baidu Netdisk](https://pan.baidu.com/share/home?uk=1377047511#category/type=0): shared content tends to get deleted quickly\n\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftanjiti%2Fpacket_analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftanjiti%2Fpacket_analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftanjiti%2Fpacket_analysis/lists"}