pcap
# -*- coding:utf-8 -*-
# yum install libpcap-devel python-devel
# pip install pypcap hexdump -i http://pypi.douban.com/simple/ --trusted-host pypi.douban.com
import pcap, hexdump, zlib
import re, threading, requests
INFO = """## SRC %s:%s
## DST %s:%s
## TYPE %d
## QUERY:
%s
"""
class Pkt:
def __init__(self, pkt, dloff):
"""
:param pkt:
:param dloff: IP层数据开始位置,成员函数的offset以此为准
"""
self.pkt = pkt
self.dloff = dloff
self.src = self.__addr__()
self.dst = self.__addr__(src=False)
self.ipv, self.ip_header_length = self.__l3_base_info__()
self.l4type, self.l4_header_length = self.__l4__()
def __l4__(self):
"""
4层协议类型 1:ICMP 6:TCP 7:UDP
TCP Header 长度位置 = dloff + ip_header_length + 12 的高四位
:return: ICMP/TCP/UDP
"""
d = {1: "ICMP", 6: "TCP", 7: "UDP"}
l, null = self.__split_bin__(bin(ord(self.pkt[self.dloff + self.ip_header_length + 12])))
# print "tcp length", ord(self.pkt[self.dloff + self.ip_header_length + 12])
# print "tcp length", bin(ord(self.pkt[self.dloff + self.ip_header_length + 12]))
# print "tcp length", l * 4, null, self.ip_header_length
return d[ord(self.pkt[self.dloff + 9])], l * 4
def __port__(self, src=True):
offset, s = 0 if src else 2, ""
for h in [hex(ord(self.pkt[self.dloff + self.ip_header_length + offset])), hex(ord(self.pkt[self.dloff + self.ip_header_length + 1 + offset]))]:
s = s + h[2:]
return int(s, 16)
def __split_bin__(self, s):
"""
:param s: 8位bit,例如'0b1000101'
:return: 高位(0-15),低位(0-15)
"""
pass
if not s.startswith("0b"):
raise TypeError
if len(s[2:]) < 8:
s = (8-len(s[2:])) * "0" + s[2:]
else:
s = s[2:]
return int(s[0:4], 2), int(s[4:], 2)
def __addr__(self, src=True):
"""
src addr offset 12
dst addr offset 16
:param src: True 源,False 目的
:return: ip
"""
if src:
return '.'.join(str(ord(self.pkt[i])) for i in range(self.dloff + 12, self.dloff + 16))
else:
return '.'.join(str(ord(self.pkt[i])) for i in range(self.dloff + 16, self.dloff + 20))
def __l3_base_info__(self):
"""
ip协议信息(协议版本和头长度) offset 0
:return: 协议版本号(4,6),头部长度
"""
s = bin(ord(self.pkt[self.dloff]))
v, l = self.__split_bin__(s)
return v, l * 4
def __mysql_protocol__(self):
"""
mysql protocol offset: ip_header_length + l4_header_length - 1
5层内容,包含:
Packet Length 3字节
Packet Number 1字节
Command Type 1字节 https://dev.mysql.com/doc/internals/en/command-phase.html
3 -> query
22 -> Prepare DML 预编译语句
23 -> Execute DML 预编译的Value
25 -> Close
5字节后是实际内容
:return:
"""
offset = self.dloff + self.ip_header_length + self.l4_header_length
# length = self.pkt[offset: offset+3]
if not self.pkt[offset: offset+3]:
return None, None
command = ord(self.pkt[offset+4])
# print type(self.pkt[self.dloff + self.ip_header_length + self.l4_header_length:])
# print dir(self.pkt[self.dloff + self.ip_header_length + self.l4_header_length:])
return command, self.pkt[offset+5:]
# print zlib.decompress(self.pkt[self.dloff + self.ip_header_length + self.l4_header_length:])
# print zlib.decompress(self.pkt[self.dloff + self.ip_header_length + self.l4_header_length+6:])
# return hexdump.hexdump(self.pkt[self.dloff + self.ip_header_length + self.l4_header_length:])
def format(self):
src_port, dst_port = self.__port__(), self.__port__(False)
command, query = self.__mysql_protocol__()
if not command:
return None
global INFO
# return self.dloff, self.src, self.dst, "IPv%s" % str(self.ipv), self.__l4__()
return INFO % (self.src, src_port, self.dst, dst_port, command, query)
if __name__ == "__main__":
# catch_pack("eth0", 1)
sniffer = pcap.pcap(name="en0", immediate=True, timeout_ms=10)
sniffer.setfilter("dst port 3306") # 只抓取TCP包
# addr = lambda pkt, offset: '.'.join(str(ord(pkt[i])) for i in range(offset, offset + 4))
for ts, pkt in sniffer:
# print ts, sniffer.dloff
# print '%d\tSRC %-16s\tDST %-16s' % (ts, addr(pkt, sniffer.dloff + 12), addr(pkt, sniffer.dloff + 16))
msg = Pkt(pkt, sniffer.dloff).format()
if msg:
print msg
查询请求
payload_length -> Packet length: 3字节
sequence_id -> Packet Number:1字节
payload -> Command:1字节
Packet Data:4字节后的所有内容
包的基础结构
https://dev.mysql.com/doc/internals/en/mysql-packet.html
Packet length: 3字节
Packet Number:1字节
Packet Data:4字节后的所有内容
解压缩 https://dev.mysql.com/doc/internals/en/uncompressed-payload.html
不压缩的情况:
set length of payload before compression to 0
the compressed payload contains the uncompressed payload instead.