As far as I know, pyshark is a Python wrapper around tshark, which is the command-line version of Wireshark. Since Wireshark and tshark can detect TCP retransmissions, I would like to know how to do the same with pyshark. I haven't found any good documentation, so I'm not sure whether it can't be done or whether I just can't find the right way. Thanks!
The code below detects TCP retransmissions in pyshark:
```python
import pyshark

###################################################
# these filters can be applied under LiveCapture
# display_filter: A display (wireshark) filter to apply on the cap before reading it.
# display_filter='tcp.analysis.fast_retransmission'
# display_filter='tcp.analysis.retransmission'
###################################################
capture = pyshark.LiveCapture(interface='en1', display_filter='tcp.analysis.fast_retransmission')
capture.sniff(timeout=50)
for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)
```
It should show this in the packet:
```text
# display_filter='tcp.analysis.retransmission'
TCP Analysis Flags
    Expert Info (Note/Sequence): This frame is a (suspected) retransmission
    This frame is a (suspected) retransmission

# display_filter='tcp.analysis.fast_retransmission'
TCP Analysis Flags
    This frame is a (suspected) fast retransmission
    This frame is a (suspected) retransmission
    Expert Info (Note/Sequence): This frame is a (suspected) fast retransmission
    Expert Info (Note/Sequence): This frame is a (suspected) retransmission
```
If you include only_summaries=True in LiveCapture, you will see something like this:
```text
Just arrived: 223 71.890878 fe80::cabc:c8ff:feec:d46d fe80::1416:1ca1:307c:b0e6 TCP 86 [TCP Spurious Retransmission] 59005 \xe2\x86\x92 49373 [FIN, ACK] Seq=1855 Ack=2365 Win=4096 Len=0 TSval=930665353 TSecr=692710576
Just arrived: 371 121.293913 fe80::1416:1ca1:307c:b0e6 fe80::cabc:c8ff:feec:d46d TCP 98 [TCP Retransmission] 62078 \xe2\x86\x92 59012 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1440 WS=64 TSval=692717653 TSecr=930714614 SACK_PERM=1
```
You can also narrow these packets down further by applying a bpf_filter in LiveCapture together with the TCP retransmission display filter:
```python
import pyshark

capture = pyshark.LiveCapture(interface='en1', bpf_filter='ip and tcp port 443', display_filter='tcp.analysis.retransmission')
capture.sniff(timeout=50)
for packet in capture.sniff_continuously(packet_count=5):
    print('Just arrived:', packet)
```
Here is one way to read a pcap with pyshark:
```python
import pyshark

capture = pyshark.FileCapture('test.pcap', display_filter='tcp.analysis.retransmission')
counter = 0
for packet in capture:
    counter += 1
    print('*' * 10, f'Retransmission packet {counter}:', '*' * 10)
```
```text
# output
********** Retransmission packet 1: **********
********** Retransmission packet 2: **********
********** Retransmission packet 3: **********
********** Retransmission packet 4: **********
********** Retransmission packet 5: **********
```
answered 2019-10-14T12:49:38.847
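As an added example (not part of the answer above, and not pyshark or Wireshark code), here is a pure-Python model of what the `tcp.analysis.retransmission` and `[TCP Spurious Retransmission]` labels in the output above mean, so the rule can be checked without tshark installed: per flow direction it tracks the highest sequence number sent and the highest ACK the peer returned. The segments are constructed, and the heuristic is a simplification of Wireshark's (no timing rules, no fast-retransmission detection).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    """One TCP segment, with relative sequence numbers as Wireshark displays them."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    length: int  # payload bytes
    syn: bool = False
    fin: bool = False


@dataclass
class DirectionState:
    next_seq: Optional[int] = None  # highest seq + seglen this sender has put on the wire
    peer_ack: int = 0               # highest ACK the receiver has returned for this sender's data


def classify(segments: List[Segment]) -> List[Optional[str]]:
    """Label each segment None, 'retransmission' or 'spurious retransmission'.

    A segment whose sequence space (payload, SYN or FIN) lies entirely below what the
    sender already sent is a suspected retransmission; if the peer has already ACKed
    all of it, it is spurious. Pure ACKs carry no sequence space and are never flagged.
    """
    state: Dict[Tuple[str, int, str, int], DirectionState] = {}
    labels: List[Optional[str]] = []
    for s in segments:
        mine = state.setdefault((s.src, s.sport, s.dst, s.dport), DirectionState())
        theirs = state.setdefault((s.dst, s.dport, s.src, s.sport), DirectionState())
        theirs.peer_ack = max(theirs.peer_ack, s.ack)  # this ACK covers the peer's data
        seglen = s.length + int(s.syn) + int(s.fin)    # SYN and FIN each use one sequence number
        end = s.seq + seglen
        label = None
        if seglen > 0 and mine.next_seq is not None and end <= mine.next_seq:
            label = "spurious retransmission" if end <= mine.peer_ack else "retransmission"
        if mine.next_seq is None or end > mine.next_seq:
            mine.next_seq = end
        labels.append(label)
    return labels


def sample_segments() -> List[Segment]:
    """Constructed flow: handshake, data, resend before ACK, ACK, resend after ACK, new data."""
    a, b = ("10.0.0.1", 59005), ("10.0.0.2", 443)
    return [Segment(*a, *b, 0, 0, 0, syn=True), Segment(*b, *a, 0, 1, 0, syn=True),
            Segment(*a, *b, 1, 1, 0), Segment(*a, *b, 1, 1, 100), Segment(*a, *b, 1, 1, 100),
            Segment(*b, *a, 1, 101, 0), Segment(*a, *b, 1, 1, 100), Segment(*a, *b, 101, 1, 50)]
```

Running `classify(sample_segments())` flags the fifth segment as a retransmission (data resent before any ACK covered it) and the seventh as spurious (resent after the peer's ACK=101 already covered it).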