Main features:
Application identification
DNS logs
TCP logs
TCP logging can go down to the granularity of individual packets
How it works:
Scapy captures packets from the network interface; the five-tuple information in each packet is parsed out and stored in a database. When parsing TCP and UDP, packets are matched against application feature rules to perform application identification.
Application feature matching can currently be done on the four-tuple, the requested host, or the packet payload content.
The functionality is still fairly limited; treat it as a toy to play with. It will be improved later.
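The five-tuple extraction and the three rule kinds described above (four-tuple, requested host, payload content), as an added example that is not the project's own code: it uses only the standard library instead of Scapy, decodes a constructed Ethernet/IPv4 frame, and the rule entries and application names are hypothetical.

```python
import struct

def parse_five_tuple(frame: bytes):
    """Return (proto, src_ip, sport, dst_ip, dport, payload); None unless IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4   # Ethernet header + IHL
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    hdr = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8  # TCP data offset / UDP fixed 8
    return proto, src, sport, dst, dport, frame[l4 + hdr:]

def build_tcp_frame(src, sport, dst, dport, payload):
    """Constructed test input: minimal Ethernet/IPv4/TCP frame, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed rules with hypothetical app names; None in a four-tuple field is a wildcard.
RULES = [
    {"app": "internal-db", "four_tuple": ("10.0.0.5", None, "10.0.0.9", 3306)},
    {"app": "example-web", "host": b"www.example.com"},
    {"app": "ssh", "payload_prefix": b"SSH-2.0-"},
]

def http_host(payload: bytes):
    """Host header value of an HTTP request head (lower-cased), or None."""
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        if line[:5].lower() == b"host:":
            return line[5:].strip().lower()
    return None

def identify_app(frame: bytes, rules=RULES):
    """Name of the first rule that matches the frame, or None."""
    t = parse_five_tuple(frame)
    if t is None:
        return None
    _, src, sport, dst, dport, payload = t
    for r in rules:
        if "four_tuple" in r and all(w is None or w == h for w, h in
                                     zip(r["four_tuple"], (src, sport, dst, dport))):
            return r["app"]
        if "host" in r and http_host(payload) == r["host"].lower():
            return r["app"]
        if "payload_prefix" in r and payload.startswith(r["payload_prefix"]):
            return r["app"]
    return None
```

Rules are evaluated in list order, so a broad four-tuple rule placed first will shadow a more specific host or payload rule placed after it.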
Solved it myself, thanks OP.
After setting up the environment and running it, it throws an error. CentOS 7.6, with the switch's traffic mirrored to it, and still no records at all.
[root@localhost TrafficAnalyzer]# python3 main.py
[util.crond] add intval 1
[Load Features] features.txt load successful
[util.crond] add intval 60
[util.crond] add intval 60
[util.crond] add intval 60
[util.thread] start
[util.thread] start
[util.thread] start
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib64/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "main.py", line 26, in _sniff
    sniff(iface=config.interface, prn=lambda pkt: pkt_queue.put((pkt, int(time.time()))), count=100)
  File "/data/TrafficAnalyzer/scapy/sendrecv.py", line 972, in sniff
    sniffer._run(*args, **kwargs)
  File "/data/TrafficAnalyzer/scapy/sendrecv.py", line 842, in _run
    *arg, **karg)] = iface
  File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 477, in __init__
    set_promisc(self.ins, self.iface)
  File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 165, in set_promisc
    mreq = struct.pack("IHH8s", get_if_index(iff), PACKET_MR_PROMISC, 0, b"")
  File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 380, in get_if_index
    return int(struct.unpack("I", get_if(iff, SIOCGIFINDEX)[16:20])[0])
  File "/data/TrafficAnalyzer/scapy/arch/common.py", line 59, in get_if
    ifreq = ioctl(sck, cmd, struct.pack("16s16x", iff.encode("utf8")))
OSError: [Errno 19] No such device
Exception ignored in: <bound method SuperSocket.__del__ of >
Traceback (most recent call last):
  File "/data/TrafficAnalyzer/scapy/supersocket.py", line 134, in __del__
    self.close()
  File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 514, in close
    set_promisc(self.ins, self.iface, 0)
  File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 165, in set_promisc
    mreq = struct.pack("IHH8s", get_if_index(iff), PACKET_MR_PROMISC, 0, b"")
  File "/data/TrafficAnalyzer/scapy/arch/linux.py", line 380, in get_if_index
    return int(struct.unpack("I", get_if(iff, SIOCGIFINDEX)[16:20])[0])
  File "/data/TrafficAnalyzer/scapy/arch/common.py", line 59, in get_if
    ifreq = ioctl(sck, cmd, struct.pack("16s16x", iff.encode("utf8")))
OSError: [Errno 19] No such device
queue size: 0 , TCP sess: 0, UDP sess: 0, APP sess: 0
queue size: 0 , TCP sess: 0, UDP sess: 0, APP sess: 0
queue size: 0 , TCP sess: 0, UDP sess: 0, APP sess: 0
How do you count the traffic? When I use scapy's show function to display the Ethernet layer, there is no frame traffic at all.
Hi, could I add you on QQ? I'd like to ask about the details of how you built this; I want to build one too. Sorry to bother you.