Building a Network Traffic Analysis and Monitoring Tool with Python and Scapy

Published / Python / 9 comments

Main features:

Application identification

(screenshot)

DNS log

(screenshot)

TCP log

(screenshot)

TCP logging can be broken down to the granularity of individual packets

(screenshot)

Principle:

Scapy captures packets from the network interface; each packet's five-tuple is parsed out and stored in a database. While parsing TCP and UDP, each packet is matched against application feature rules, which is how application identification is done.

Application feature matching currently supports three kinds of rule: by four-tuple, by request host, and by packet payload content.
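As an added illustration of the matching step described above (this is not the TrafficAnalyzer project's code), the following dependency-free Python sketch dissects a raw Ethernet/IPv4 frame into the five-tuple that Scapy's dissection would otherwise hand to the prn callback, then applies rules of the three kinds named: four-tuple, HTTP Host, and payload prefix. The rule table, its format, and every address are constructed for the example; the project's features.txt format is not shown on this page.

```python
import struct
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport payload")  # five-tuple + payload

def parse_ipv4_frame(frame):
    """Dissect raw Ethernet/IPv4/{TCP,UDP} bytes into a Flow; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[(ip[0] & 0x0F) * 4:]                            # IHL is in 32-bit words
    sport, dport = struct.unpack("!HH", l4[:4])             # ports sit first in both TCP and UDP
    if ip[9] == 6:                                          # TCP: payload starts at data offset
        return Flow("TCP", src, sport, dst, dport, l4[(l4[12] >> 4) * 4:])
    if ip[9] == 17:                                         # UDP: fixed 8-byte header
        return Flow("UDP", src, sport, dst, dport, l4[8:])
    return None

def http_host(payload):
    """Host header of a plaintext HTTP request (lowercased), or None."""
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().lower()
    return None

# Constructed rule table (features.txt's real format is not shown on the page).
# "tuple" = (src, sport, dst, dport) with None as wildcard; "host" = HTTP Host; "payload" = prefix.
RULES = [
    ("intranet-mysql", "tuple", (None, None, "10.0.0.5", 3306)),
    ("corp-portal", "host", b"portal.corp.example"),
    ("ssh", "payload", b"SSH-2.0"),
]

def identify(flow, rules=RULES):
    """First matching rule wins; None means the application is unknown."""
    four, host = (flow.src, flow.sport, flow.dst, flow.dport), http_host(flow.payload)
    for app, kind, value in rules:
        if kind == "tuple" and all(w is None or w == h for w, h in zip(value, four)):
            return app
        if (kind == "host" and host == value) or (kind == "payload" and flow.payload.startswith(value)):
            return app
    return None

def build_tcp_frame(src, sport, dst, dport, payload):  # constructed test frame; zero MACs/checksums are fine
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp + payload
```

Rules are evaluated in table order, so place the most specific rules first; a flow that matches nothing is still worth storing with its five-tuple so unknown applications show up in the TCP/UDP logs.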

The functionality is still fairly basic, so treat it as a toy for now; it will be improved over time.

Usage instructions and project repository: https://github.com/kidultff/TrafficAnalyzer

When reprinting this original article, please give credit. Reprinted from: 斐斐のBlog » Building a Network Traffic Analysis and Monitoring Tool with Python and Scapy
  1. 渣渣灰

    Solved it on my own. Thanks, OP.

  2. 渣渣灰

    After setting up the environment it throws an error when run (CentOS 7.6). I mirrored the switch's traffic to it, but there are still no records at all.
    [root@localhost TrafficAnalyzer]# python3 main.py
    [util.crond] add intval 1
    [Load Features] features.txt load successful
    [util.crond] add intval 60
    [util.crond] add intval 60
    [util.crond] add intval 60
    [util.thread] start
    [util.thread] start
    [util.thread] start
    Exception in thread Thread-3:
    Traceback (most recent call last):
      File "/usr/lib64/python3.6/threading.py", line 916, in _bootstrap_inner
        self.run()
      File "/usr/lib64/python3.6/threading.py", line 864, in run
        self._target(*self._args, **self._kwargs)
      File "main.py", line 26, in _sniff
        sniff(iface=config.interface, prn=lambda pkt: pkt_queue.put((pkt, int(time.time()))), count=100)
      File "/data/TrafficAnalyzer/scapy/sendrecv.py", line 972, in sniff
        sniffer._run(*args, **kwargs)
      File "/data/TrafficAnalyzer/scapy/sendrecv.py", line 842, in _run
        *arg, **karg)] = iface
      File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 477, in __init__
        set_promisc(self.ins, self.iface)
      File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 165, in set_promisc
        mreq = struct.pack("IHH8s", get_if_index(iff), PACKET_MR_PROMISC, 0, b"")
      File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 380, in get_if_index
        return int(struct.unpack("I", get_if(iff, SIOCGIFINDEX)[16:20])[0])
      File "/data/TrafficAnalyzer/scapy/arch/common.py", line 59, in get_if
        ifreq = ioctl(sck, cmd, struct.pack("16s16x", iff.encode("utf8")))
    OSError: [Errno 19] No such device

    Exception ignored in: <bound method SuperSocket.__del__ of >
    Traceback (most recent call last):
      File "/data/TrafficAnalyzer/scapy/supersocket.py", line 134, in __del__
        self.close()
      File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 514, in close
        set_promisc(self.ins, self.iface, 0)
      File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 165, in set_promisc
        mreq = struct.pack("IHH8s", get_if_index(iff), PACKET_MR_PROMISC, 0, b"")
      File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 380, in get_if_index
        return int(struct.unpack("I", get_if(iff, SIOCGIFINDEX)[16:20])[0])
      File "/data/TrafficAnalyzer/scapy/arch/common.py", line 59, in get_if
        ifreq = ioctl(sck, cmd, struct.pack("16s16x", iff.encode("utf8")))
    OSError: [Errno 19] No such device
    queue size: 0 , TCP sess: 0, UDP sess: 0, APP sess: 0
    queue size: 0 , TCP sess: 0, UDP sess: 0, APP sess: 0
    queue size: 0 , TCP sess: 0, UDP sess: 0, APP sess: 0

    1. 可爱飘
      @渣渣灰 Mine throws this error too.
    2. 可爱飘
      @渣渣灰 Could we add each other on WeChat? I'd like to ask you about this problem.
    3. zrnh111
      @渣渣灰 I get the same error after deploying. How did you solve it?
      1. zrnh111
        @zrnh111 Solved it. It was the interface name in config; select the NIC with interface = ifaces.dev_from_index() instead.
  3. 遥遥会有期

    How do you count the traffic volume?? When I use Scapy's show function to display the Ethernet layer, it doesn't show the frame's traffic.

  4. 遥遥会有期

    Hi, could I add you on QQ??? I'd like to ask about the details of how you built this, since I want to build one too. Sorry to bother you.

    1. ws
      @遥遥会有期 Hi, are you building this as a mini program?