I saved some dumps using tcpdump
tcpdump -n -i eth0 -tttt -Q in > "dump01.dump"
so I get output like this:
20:39:12.808672 IP 94.xx.xxx.202.49183 > 151.xx.xx.xx.61479: UDP, length 104
20:39:12.835025 IP 213.xx.xx.25.51197 > 151.xx.xx.xx.61479: Flags [P.], seq 4125053309:4125053343, ack 1004545214, win 194, length 34
20:39:12.936971 IP 222.xxx.xxx.182.59953 > 151.xx.xx.xx.61479: UDP, length 287
20:39:12.948822 IP 195.xx.xxx.30.62384 > 151.xx.xx.xx.61479: UDP, length 101
20:39:12.987527 IP 79.xxx.xxx.216.56394 > 151.xx.xx.xx.443: Flags [P.], seq 700421627:700422382, ack 377141587, win 257, length 755
20:39:12.988554 IP 79.xxx.xxx.216.55621 > 151.xx.xx.xx.443: Flags [P.], seq 3192357072:3192357827, ack 3940752659, win 260, length 755
20:39:12.989291 IP 79.xxx.xxx.216.56517 > 151.xx.xx.xx.443: Flags [P.], seq 3172129891:3172130644, ack 3568957121, win 257, length 753
20:39:12.990879 IP 79.xxx.xxx.216.56394 > 151.xx.xx.xx.443: Flags [.], seq 755:2207, ack 1, win 257, length 1452
20:39:12.991845 IP 79.xxx.xxx.216.56394 > 151.xx.xx.xx.443: Flags [P.], seq 2207:3465, ack 1, win 257, length 1258
20:39:12.992794 IP 79.xxx.xxx.216.56254 > 151.xx.xx.xx.443: Flags [P.], seq 1723903877:1723904632, ack 3204952387, win 260, length 755
Of course I replaced parts of the IPs with xxx.
Now the more interesting part: I got DDoSed by someone, and I captured the whole attack in the dump, but I want to see a graph of this event. Unfortunately, since I didn't use -w, my tcpdump output is not binary, and Wireshark refuses to import the file: it tries to read hex data that isn't there.
Is there any way to force Wireshark to load a dump without packet details, to convert my file, or to use another program to plot the graph for me?
Answer 1
If you are only interested in the timestamps of the packets, then you can take a hex snapshot of a single packet and replicate it, changing only the timestamp, with text2pcap, which usually comes in the same package as wireshark.
For example, I used tcpdump -XX to capture some arbitrary packets and picked a short tcp packet from the ascii dump:
16:51:27.374569 IP 192.168.0.21.nut > 192.168.0.20.53910: Flags [R.] ...
0x0000: b827 0099 9999 80ee 7399 9999 0800 4500 ................
0x0010: 0028 06e4 4000 4006 b272 c0a8 0015 c0a8 .(..@.@..r......
0x0020: 0014 0da5 d296 0000 0000 ee15 7872 5014 ............xrP.
0x0030: 0000 e792 0000 ......
You can filter it through some awk to get the dump in the format text2pcap needs, i.e.:
awk '$1~/0x/ { $0 = substr($0,1,50); for(i=2;i<=9;i++)s = s $i }
END { gsub(/../,"& ",s); print "0000 " s }'
Set the variable mypacket to the result:
mypacket='0000 b8 27 00 99 99 99 80 ee 73 99 99 99 08 00 45 00 00 28 06 e4 40 00 40 06 b2 72 c0 a8 00 15 c0 a8 00 14 0d a5 d2 96 00 00 00 00 ee 15 78 72 50 14 00 00 e7 92 00 00'
Then use another awk to take the time from column 1 of each line of the data file and prepend it to that same packet, telling the converter to extract this timestamp in the given format and to convert it to a pcap suitable for wireshark.
awk <dump -v mypacket="$mypacket" '
/79\.xxx\.xxx\.216/ { print $1 " " mypacket }' |
text2pcap -t '%H:%M:%S.' - out.pcap
Note the trailing "." in the -t option. It is needed to keep the fractions of a second in the timestamp.
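As an added example (not code from the answer, and not text2pcap itself), here is the same conversion done in pure Python. Instead of cloning one captured packet, it parses the line shape shown in the question (numeric addresses, as with -n), synthesizes a minimal Ethernet/IPv4/UDP-or-TCP frame that carries the real addresses, ports, TCP flags and payload length, and writes the pcap framing itself, with the time-of-day parsed the way text2pcap's -t '%H:%M:%S.' does. The sample lines, the 2017-09-12 base date, the placeholder MAC addresses and the zero seq/ack/id/payload are assumptions: tcpdump's default output never had them.

```python
"""Convert tcpdump's default text output into a pcap file, without text2pcap."""
import datetime as dt
import ipaddress
import re
import struct

# One tcpdump line in the shape the question shows:
# "HH:MM:SS.frac IP src.sport > dst.dport: UDP, length N" or "... Flags [P.], ..., length N"
LINE_RE = re.compile(
    r"^(?P<hms>\d\d:\d\d:\d\d)\.(?P<frac>\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:(?P<udp>UDP)|Flags \[(?P<flags>[^\]]*)\]).*length (?P<plen>\d+)$"
)

# tcpdump flag letters -> TCP flag bits ("." means ACK only)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             ".": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# Constructed sample input (RFC 5737 documentation addresses) mimicking the question's
# lines; the third packet's time is earlier than the second's, i.e. midnight passed.
SAMPLE = """\
20:39:12.808672 IP 192.0.2.10.49183 > 198.51.100.7.61479: UDP, length 104
20:39:12.835025 IP 192.0.2.11.51197 > 198.51.100.7.61479: Flags [P.], seq 4125053309:4125053343, ack 1004545214, win 194, length 34
00:31:18.123456 IP 192.0.2.12.56254 > 198.51.100.7.443: Flags [.], seq 755:2207, ack 1, win 257, length 1452
not a packet line: skipped
""".splitlines()


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src, sport, dst, dport, flags, plen):
    """Synthesize Ethernet/IPv4/(UDP or TCP) headers in front of plen zero payload bytes.

    flags is None for UDP, else tcpdump's flag string (e.g. "P."). Placeholder MACs,
    zero seq/ack/id and a zero payload are assumptions: the text never carried them.
    """
    payload = b"\x00" * plen
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    if flags is None:
        l4 = struct.pack("!HHHH", sport, dport, 8 + plen, 0) + payload  # UDP csum 0 = absent
        proto = 17
    else:
        bits = 0
        for ch in flags:
            bits |= FLAG_BITS.get(ch, 0)
        hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, bits, 65535, 0, 0)
        pseudo = s + d + struct.pack("!BBH", 0, 6, len(hdr) + plen)
        csum = checksum(pseudo + hdr + payload)
        l4 = hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload
        proto = 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ip + l4


def text_to_pcap(lines, base_date):
    """Return (pcap_bytes, packet_count). base_date ("YYYY-MM-DD") is assumed: the text has no date."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header, Ethernet
    day, prev, count = dt.date.fromisoformat(base_date), None, 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tod = dt.datetime.strptime(m["hms"], "%H:%M:%S").time()
        if prev is not None and tod < prev:
            day += dt.timedelta(days=1)  # time of day went backwards: assume midnight passed
        prev = tod
        stamp = dt.datetime.combine(day, tod, tzinfo=dt.timezone.utc)  # UTC keeps it deterministic
        usec = int(m["frac"].ljust(6, "0")[:6])  # digits after the "." are fractions of a second
        frame = build_frame(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                            None if m["udp"] else m["flags"], int(m["plen"]))
        out.append(struct.pack("<IIII", int(stamp.timestamp()), usec, len(frame), len(frame)) + frame)
        count += 1
    return b"".join(out), count


def pcap_records(data):
    """Walk a pcap byte string back into (ts_sec, ts_usec, frame) tuples, to check the output."""
    recs, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        recs.append((sec, usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return recs


if __name__ == "__main__":
    pcap, n = text_to_pcap(SAMPLE, "2017-09-12")
    with open("out.pcap", "wb") as fh:
        fh.write(pcap)
    print("wrote", n, "packets to out.pcap")
```

Wireshark opens the resulting out.pcap and its IO Graph shows packets (or bytes) over time; because the IP header checksum and the TCP pseudo-header checksum are computed, Wireshark does not flag the synthesized frames even with checksum validation enabled (the UDP checksum is left at 0, which IPv4 allows).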
Answer 2
Text can be converted to PCAP, insofar as that is possible given the limited information present in the tcpdump output, e.g.
#!/usr/bin/env perl
use 5.14.0;
use warnings;
use Time::Piece;
# get this from CPAN
use File::PCAP::Writer ();
my $fpw = File::PCAP::Writer->new( { fname => 'out.pcap' } );
# read tcpdump output from files or standard input
shift @ARGV if @ARGV == 1 and $ARGV[0] eq '-';
while (readline) {
    # skip anything that is not a "HH:MM:SS.usec IP ..." packet line
    my ( $stamp, $usec ) = $_ =~ m/^(\d\d:\d\d:\d\d) [.] (\d+) \s IP \s /ax
      or next;
    # blindly assume packets all from the same day that is today
    my $now = localtime;
    $stamp = $now->ymd . ' ' . $stamp;
    # note: Time::Piece->strptime parses the string as UTC
    my $epoch = Time::Piece->strptime( $stamp, "%Y-%m-%d %H:%M:%S" )->epoch;
    # fake an empty packet. this gets timestamps into Wireshark,
    # which may suffice to only graph packets per time
    $fpw->packet( $epoch, $usec, 0, 0, '' );
}
though more code would be needed to properly handle timestamps that roll over into the next day (or, yikes, some subsequent date?), and to properly fake packets according to the hints given in the tcpdump output (e.g. make a frame, make IP (with the IP addresses), make a TCP or UDP packet of the right size and ports, what about ARP and other protocols, etc. etc. etc.).
For packets per second without the PCAP fuss, one could first use an epoch-to-packets-seen-in-that-second script:
#!/usr/bin/env perl
use 5.14.0;
use warnings;
use Time::Piece;
# start epoch: midnight of the capture day (1505199600 is 2017-09-12 00:00 at UTC-7)
my $day = 1505199600;
my $counter = 0;
my $prev_secs = -1;
my $prev_ts;
shift @ARGV if @ARGV == 1 and $ARGV[0] eq '-';
while (readline) {
    # skip lines that do not start with an HH:MM:SS.usec timestamp
    my ($hhmmss) = $_ =~ m/^(\d\d:\d\d:\d\d) [.] /ax or next;
    # seconds since midnight (strptime without a date yields 1970-01-01 HH:MM:SS UTC)
    my $secs = Time::Piece->strptime( $hhmmss, "%H:%M:%S" )->epoch;
    # KLUGE assume next day
    $day += 86400 if $secs < $prev_secs;
    my $timestamp = $day + $secs;
    # a new second started: emit the count for the previous one
    if ( defined $prev_ts and $timestamp != $prev_ts ) {
        say "$prev_ts $counter";
        $counter = 0;
    }
    $counter++;
    $prev_secs = $secs;
    $prev_ts = $timestamp;
}
# flush the last second (only if any line matched)
say "$prev_ts $counter" if defined $prev_ts;
and then feed the converted tcpdump output into R for plotting (I faked a next-day timestamp, since all of your output comes from the same second):
$ head -1 dumptext
20:39:12.808672 IP 94.xx.xxx.202.49183 > 151.xx.xx.xx.61479: UDP, length 104
$ tail -1 dumptext
00:31:18.123456 IP 79.xxx.xxx.216.56254 > 151.xx.xx.xx.443: Flags [P.], seq 1723903877:1723904632, ack 3204952387, win 260, length 755
$ perl torrr dumptext > dataforr
$ cat dataforr
1505273952 10
1505287878 1
$ R
> x=read.table("dataforr")
> x
          V1 V2
1 1505273952 10
2 1505287878  1
> names(x)=c('date','packets')
> x$date=strptime(x$date,"%s")
> x
                 date packets
1 2017-09-12 20:39:12      10
2 2017-09-13 00:31:18       1
> plot(x,type='l')
>
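As an added example (not the answer's own torrr script), the packets-per-second step done in Python and generalized a little: it bins the text into fixed-width buckets (1 second reproduces the "epoch count" table above; wider buckets smooth a flood), sums the "length" field per bucket as well, skips lines that are not packets, and applies the same next-day kluge when the time of day goes backwards. The sample lines and the 2017-09-12 start date are constructed; note that tcpdump's "length N" is the TCP/UDP payload length, so the byte column counts payload, not wire bytes.

```python
"""Bin tcpdump text output into fixed-width time buckets for plotting."""
import collections
import datetime as dt
import re

# Time of day and the trailing "length N" of a default tcpdump line
STAMP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP .* length (\d+)$")

# Constructed sample input (RFC 5737 addresses); the third line is after midnight.
SAMPLE = """\
20:39:12.808672 IP 192.0.2.10.49183 > 198.51.100.7.61479: UDP, length 104
20:39:12.835025 IP 192.0.2.11.51197 > 198.51.100.7.61479: Flags [P.], seq 4125053309:4125053343, ack 1004545214, win 194, length 34
00:31:18.123456 IP 192.0.2.12.56254 > 198.51.100.7.443: Flags [.], seq 755:2207, ack 1, win 257, length 1452
not a packet line: skipped
""".splitlines()


def bucketize(lines, base_date, width=1):
    """Return [(bucket_epoch, packets, bytes), ...] sorted by time.

    base_date ("YYYY-MM-DD") is an assumption, since the text carries no date; when the
    time of day goes backwards the date is advanced by one day (the answer's KLUGE).
    width is the bucket size in seconds; 1 reproduces the answer's "epoch count" table.
    """
    day = dt.date.fromisoformat(base_date)
    prev = -1
    packets, octets = collections.Counter(), collections.Counter()
    for line in lines:
        m = STAMP_RE.match(line.strip())
        if not m:
            continue  # not a packet line
        h, mi, s, plen = map(int, m.groups())
        secs = h * 3600 + mi * 60 + s  # seconds since midnight
        if secs < prev:
            day += dt.timedelta(days=1)
        prev = secs
        # midnight of the assumed day, in UTC so the result is deterministic
        midnight = dt.datetime.combine(day, dt.time(0), tzinfo=dt.timezone.utc)
        epoch = int(midnight.timestamp()) + secs
        key = epoch - epoch % width  # start of the bucket this packet falls into
        packets[key] += 1
        octets[key] += plen
    return [(k, packets[k], octets[k]) for k in sorted(packets)]


def as_table(rows):
    """Render rows as whitespace-separated text with a header line for R's read.table."""
    return "\n".join(["date packets bytes"] + ["%d %d %d" % r for r in rows]) + "\n"


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(as_table(bucketize(src, "2017-09-12")), end="")
```

Because the output has a header line, the R side becomes x=read.table("dataforr", header=TRUE); x$date=strptime(x$date,"%s"); plot(x$date, x$packets, type='l'), and plotting x$bytes instead shows the volume of the flood rather than its packet rate.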