对指定的PCAP包分析后,按照IP和PORT进行拆分PCAP
#cs ____________________________________
Au3 版本: 3.3.6.1
脚本作者: wozijisunfly
Email: wozijisun@sina.com
QQ/TM:
脚本版本: v1.0
脚本功能: 实现读取PCAP包后,分析包信息,根据包信息中的IP:PORT筛选,拆分数据,并保存为PCAP包。
#ce _______________脚本开始_________________
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <ComboConstants.au3>
#include <Winpcap.au3>
Opt('MustDeclareVars', 1) ; every variable must be declared (Local/Global/Dim)
Opt("GUICloseOnESC", 0) ; ESC does not close the window; only the close event handled in _special_events does
; Capture state shared by the event handlers:
;   $pcapfile    - handle from _PcapSaveToFile while a split file is being written
;   $dst_ip      - "src:port->dst:port" per distinct TCP source found, indexed 1..$num
;   $num         - number of entries stored in $dst_ip (index 0 is never used)
;   $all_ip_port - the $dst_ip entry currently selected in the combo ("" = none)
;   $pcap        - handle of the _PcapStartCapture session
; NOTE(review): $dst_ip holds 1,000,000 entries while _analysis_pcap sizes its local
; $src_ip at 10,000,000; the smaller array is the effective limit.
Global $pcapfile,$dst_ip[1000000],$num=0,$all_ip_port,$pcap
; GUI control ids; $msg is not referenced by any function in this file.
Global $gui,$file_input,$msg,$btn_analysis,$comb,$btn_save,$scene_name,$dst_label
_create_gui()
; Loads WinPcap, builds the window and then pumps messages forever: the call to
; _create_gui at the top of the script never returns, and every later step runs in
; the OnEvent handlers registered here. When WinPcap cannot be set up the function
; returns instead, and the script ends because nothing follows that call.
Func _create_gui()
Local $winpcap=_PcapSetup()
If ($winpcap = -1) Then
MsgBox(0,"提示信息","无法获取或调用" & @SystemDir & "\wpcap.dll文件错误。")
Return
EndIf
; GUICoordMode 2: each control is positioned relative to the previous one, so the
; creation order below is part of the layout - keep it when editing.
Opt("GUICoordMode", 2)
Opt("GUIResizeMode", 1)
Opt("GUIOnEventMode", 1)
$gui = GUICreate("拆分PCAP文件",500,300,Default,Default)
GUISetOnEvent($GUI_EVENT_CLOSE, "_special_events")
GUISetOnEvent($GUI_EVENT_MINIMIZE, "_special_events")
GUISetOnEvent($GUI_EVENT_RESTORE, "_special_events")
$btn_analysis = GUICtrlCreateButton("选择PCAP文件",170,30,150,25)
GUICtrlSetFont(-1,12) ; -1 addresses the control created on the previous line
GUICtrlSetOnEvent($btn_analysis,"_analysis_pcap")
GUICtrlCreateLabel("建立场景名称:",-280,30,130,25)
GUICtrlSetFont(-1,12)
; Scene name, combo and save button stay disabled until _analysis_pcap has listed flows.
$scene_name = GUICtrlCreateInput("",0,-1,300,25)
GUICtrlSetFont($scene_name,12)
GUICtrlSetState($scene_name,$GUI_DISABLE)
GUICtrlCreateLabel("选择源IP:PORT信息:",-450,30,150,25)
GUICtrlSetFont(-1,12)
$comb = GUICtrlCreateCombo("",0,-1,300,45,$CBS_DROPDOWNLIST)
; NOTE(review): the first argument is the $GUI_EVENT_PRIMARYDOWN event id rather than a
; control id; presumably $comb (or -1) was intended so the handler runs on a selection.
GUICtrlSetOnEvent($GUI_EVENT_PRIMARYDOWN,"_check_src_dst")
GUICtrlSetFont($comb,12)
GUICtrlSetState($comb,$GUI_DISABLE)
$dst_label = GUICtrlCreateLabel("",-350,5,300,30) ; shows the destination of the selected flow
GUICtrlSetFont(-1,12)
GUICtrlSetColor(-1,0xd71345)
$btn_save = GUICtrlCreateButton("保存PCAP文件",-270,15,200,25)
GUICtrlSetFont($btn_save,12)
GUICtrlSetState($btn_save,$GUI_DISABLE)
GUICtrlSetOnEvent($btn_save,"_save_pcap")
GUISetState()
; Idle loop; the handlers run from here until _special_events calls Exit.
While 1
Sleep(10)
WEnd
EndFunc
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-24
;~ 功能:获取并分析PCAP包信息
;~ 参数:PCAP包中的数据
;~ 返回值:协议、IP(src/dst)、PORT(src/dst)、SEQUENCE、数据显示
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
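; Summarises one captured frame as a single line of text.
; $data - the frame as an AutoIt binary, Ethernet header first.
; Returns, depending on the frame:
;   "TCP(<flags>)->src:port->dst:port", "UDP src:port -> dst:port",
;   "ICMP src->dst", "IGMP src->dst", "IP 0x<proto> src -> dst",
;   "ARP mac->mac", "IPX mac -> mac", "[0x<ethertype>] mac -> mac",
;   or "SHORT <bytes>" when the frame is too short to hold the header being decoded
;   (a truncated snaplen or a malformed frame was previously read past its end).
; Only IPv4 is decoded; the transport header is located through the IHL field, so
; packets carrying IP options are read correctly (the original assumed 20 bytes).
; The unused sequence-number computation of the original was dropped.
Func MyDissector ($data)
    Local $len = BinaryLen($data)
    ; Ethernet: dst MAC bytes 1-6, src MAC 7-12, ethertype 13-14.
    If $len < 14 Then Return "SHORT " & $len
    Local $macdst = __MacAt($data, 1)
    Local $macsrc = __MacAt($data, 7)
    Local $ethertype = BinaryMid($data, 13, 2)
    If $ethertype = "0x0806" Then Return "ARP " & $macsrc & "->" & $macdst
    If $ethertype = "0x0800" Then
        If $len < 34 Then Return "SHORT " & $len
        ; IPv4 header starts at byte 15; its length is the low nibble of its first byte,
        ; in 32-bit words.
        Local $ihl = BitAND(Number(BinaryMid($data, 15, 1)), 0x0F) * 4
        If $ihl < 20 Then $ihl = 20 ; malformed IHL: use the minimum header length
        Local $src = __IpAt($data, 27)
        Local $dst = __IpAt($data, 31)
        Local $l4 = 15 + $ihl ; first byte of the transport header
        Local $srcport, $dstport
        Switch BinaryMid($data, 24, 1) ; protocol field
            Case "0x01"
                Return "ICMP " & $src & "->" & $dst
            Case "0x02"
                Return "IGMP " & $src & "->" & $dst
            Case "0x06"
                ; TCP: ports at +0 and +2, flags byte at +13.
                If $len < $l4 + 13 Then Return "SHORT " & $len
                $srcport = __U16At($data, $l4)
                $dstport = __U16At($data, $l4 + 2)
                Local $flags = Number(BinaryMid($data, $l4 + 13, 1))
                Local $names[8] = ["Fin", "Syn", "Rst", "Psh", "Ack", "Urg", "Ecn", "Cwr"]
                Local $f = "", $bit
                For $bit = 0 To 7
                    If BitAND($flags, BitShift(1, -$bit)) Then $f &= $names[$bit] & ","
                Next
                $f = StringTrimRight($f, 1) ; drop the trailing comma; "" stays ""
                Return "TCP(" & $f & ")->" & $src & ":" & $srcport & "->" & $dst & ":" & $dstport
            Case "0x11"
                ; UDP: ports at +0 and +2.
                If $len < $l4 + 3 Then Return "SHORT " & $len
                $srcport = __U16At($data, $l4)
                $dstport = __U16At($data, $l4 + 2)
                Return "UDP " & $src & ":" & $srcport & " -> " & $dst & ":" & $dstport
            Case Else
                Return "IP " & BinaryMid($data, 24, 1) & " " & $src & " -> " & $dst
        EndSwitch
        ; every Case above returns (the original had an unreachable Return here)
    EndIf
    If $ethertype = "0x8137" Or $ethertype = "0x8138" Or $ethertype = "0x0022" Or $ethertype = "0x0025" Or $ethertype = "0x002A" Or $ethertype = "0x00E0" Or $ethertype = "0x00FF" Then
        Return "IPX " & $macsrc & " -> " & $macdst
    EndIf
    Return "[" & $ethertype & "] " & $macsrc & " -> " & $macdst
EndFunc

; Six bytes starting at 1-based byte $pos of $data, rendered as aa:bb:cc:dd:ee:ff
; (hex digits taken from the "0x..." string form of the binary, as the original did).
Func __MacAt($data, $pos)
    Local $hex = String($data)
    Local $out = "", $k
    For $k = 0 To 5
        If $k > 0 Then $out &= ":"
        $out &= StringMid($hex, 3 + 2 * ($pos - 1 + $k), 2)
    Next
    Return $out
EndFunc

; Four bytes starting at 1-based byte $pos, rendered as a dotted-quad IPv4 address.
Func __IpAt($data, $pos)
    Return Number(BinaryMid($data, $pos, 1)) & "." & Number(BinaryMid($data, $pos + 1, 1)) & "." & Number(BinaryMid($data, $pos + 2, 1)) & "." & Number(BinaryMid($data, $pos + 3, 1))
EndFunc

; Big-endian 16-bit value at 1-based byte $pos.
Func __U16At($data, $pos)
    Return Number(BinaryMid($data, $pos, 1)) * 256 + Number(BinaryMid($data, $pos + 1, 1))
EndFunc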
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-22
;~ 功能:点击gui窗体时反馈的信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
; Handles the window-level events registered in _create_gui. Only the close event
; does anything: it stops any open capture/save handles, releases WinPcap and ends
; the script. Minimise and restore are accepted and ignored.
Func _special_events()
    Switch @GUI_CtrlId
        Case $GUI_EVENT_CLOSE
            If IsPtr($pcapfile) Then _PcapStopCaptureFile($pcapfile)
            If IsPtr($pcap) Then _PcapStopCapture($pcap)
            _PcapFree()
            Exit
        Case $GUI_EVENT_MINIMIZE, $GUI_EVENT_RESTORE
            ; nothing to do
    EndSwitch
EndFunc ;==>_special_events
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:解析PCAP文件,并返回IP:PORT信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
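; "Select PCAP file" button handler. Reads every frame of the chosen file, keeps one
; entry per distinct TCP source "ip:port" (sources in a local list, "src->dst" in the
; global $dst_ip[1..$num]) and loads the sources into the combo box.
; No parameters, no return value; failures are reported with a MsgBox.
; Compared with the original: the flows are collected in memory instead of via
; @ScriptDir\pcap.txt, the whole file is read instead of the first 500 ms of it,
; the capture handle is stopped when done, MyDissector runs once per frame, and
; $dst_ip is never indexed past its end.
Func _analysis_pcap()
    ; Guard against a reader that never reports end-of-file; a real file ends long before this.
    Local Const $READ_BUDGET_MS = 5000000
    $file_input = FileOpenDialog("PCAP路径", ".", "Pcap (*.pcap)", 1)
    ; Or, not And: either signal alone means no usable file was chosen.
    If @error Or $file_input == "" Then
        MsgBox(0, "提示信息", "没有选择PCAP文件!请选择。")
        Return
    EndIf
    ; A capture left open by a previous run would be orphaned once $pcap is overwritten.
    If IsPtr($pcap) Then _PcapStopCapture($pcap)
    $pcap = _PcapStartCapture("file://" & $file_input, "", 1)
    If $pcap = -1 Then
        MsgBox(0, "提示信息", "PCAP文件出错" & @CRLF & _PcapGetLastError())
        $pcap = 0
        Return
    EndIf
    If Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "PCAP文件不能转换一个表达式到指针变量。")
        Return
    EndIf
    ; $dst_ip is the global store, so its size is the real limit on the number of flows.
    Local $max_flows = UBound($dst_ip) - 1
    Local $src_ip[UBound($dst_ip)]
    Local $comb_data = "", $i, $overflow = False
    Local $time0 = TimerInit()
    $num = 0
    $all_ip_port = "" ; a selection made on the previous file must not be saved against this one
    While TimerDiff($time0) < $READ_BUDGET_MS
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or a read error)
        Local $info = MyDissector($packet[3])
        If Not StringInStr($info, "TCP", 1) Then ContinueLoop
        ; $info is "TCP(flags)->src:port->dst:port"
        Local $arr = StringSplit($info, "->", 1)
        If $arr[0] < 3 Then ContinueLoop
        If __FlowKnown($src_ip, $num, $arr[2]) Then ContinueLoop
        If $num >= $max_flows Then
            $overflow = True
            ExitLoop
        EndIf
        $num += 1
        $src_ip[$num] = $arr[2]
        $dst_ip[$num] = $arr[2] & "->" & $arr[3]
    WEnd
    _PcapStopCapture($pcap)
    $pcap = 0
    If $overflow Then MsgBox(0, "提示信息", "TCP连接数超过" & $max_flows & ",其余已忽略。")
    For $i = 1 To $num
        $comb_data &= "|" & $src_ip[$i]
    Next
    GUICtrlSetState($btn_save, $GUI_ENABLE)
    GUICtrlSetState($scene_name, $GUI_ENABLE)
    GUICtrlSetState($comb, $GUI_ENABLE)
    GUICtrlSetData($dst_label, "")
    GUICtrlSetData($comb, "")
    GUICtrlSetData($comb, $comb_data)
EndFunc

; True when $key equals one of $list[1..$count].
Func __FlowKnown(ByRef $list, $count, $key)
    Local $k
    For $k = 1 To $count
        If $list[$k] == $key Then Return True
    Next
    Return False
EndFunc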
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:选择下拉列表中的数值,回显出对应的值
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
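; Combo-box handler: finds the flow whose source "ip:port" equals the selected entry,
; stores its full "src->dst" string in $all_ip_port and shows the destination in
; $dst_label. $all_ip_port and the label are cleared first, so a selection that
; matches nothing leaves no stale flow behind for _save_pcap.
; Fix: the original accepted any $dst_ip entry that merely *started* with the selected
; text (StringInStr == 1), so selecting "10.0.0.1:80" could pick "10.0.0.1:8080->...";
; it also read the selection from @GUI_CtrlId, which is the combo only when the event
; originates from it - $comb is read directly instead.
Func _check_src_dst()
    Local $selected = GUICtrlRead($comb)
    Local $i
    $all_ip_port = ""
    GUICtrlSetData($dst_label, "")
    If $selected == "" Then Return
    For $i = 1 To $num
        Local $parts = StringSplit($dst_ip[$i], "->", 1)
        If $parts[0] < 2 Then
            MsgBox(0, "提示信息", $dst_ip[$i] & "解析有误,无法进行PCAP包拆分。")
            Return
        EndIf
        If $parts[1] == $selected Then
            $all_ip_port = $dst_ip[$i]
            GUICtrlSetData($dst_label, "目的IP:PORT->" & $parts[2])
            GUICtrlSetFont($dst_label, 12)
            Return
        EndIf
    Next
EndFunc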
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:按照下拉列表的选择,保存PCAP文件
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
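; "Save PCAP file" button handler: re-reads $file_input with a BPF filter limited to the
; flow in $all_ip_port (both directions) and writes the matching frames to
; <scene>-<ip1>_<port1>-<ip2>_<port2>.pcap next to the script.
; No parameters, no return value; failures are reported with a MsgBox.
; Fixes over the original: both endpoints are validated before they are spliced into
; the filter text and the file name, the user-typed scene name cannot carry the output
; outside @ScriptDir, a failed _PcapStartCapture is detected before _PcapSaveToFile is
; handed its result, the capture left open by _analysis_pcap is stopped before $pcap is
; overwritten, the whole file is written instead of the first 500 ms of it, and the
; handles are cleared after they are stopped so the close handler does not stop them twice.
Func _save_pcap()
    ; Guard against a reader that never reports end-of-file; a real file ends long before this.
    Local Const $WRITE_BUDGET_MS = 5000000
    If StringLen($all_ip_port) == 0 Then
        MsgBox(0, "提示信息", "请选择一个IP:PORT。")
        Return
    EndIf
    Local $ends = __split_flow($all_ip_port)
    If Not IsArray($ends) Then
        MsgBox(0, "提示信息", $all_ip_port & "解析有误,无法进行PCAP包拆分")
        Return
    EndIf
    Local $first_ip = $ends[0], $first_port = $ends[1], $second_ip = $ends[2], $second_port = $ends[3]
    Local $filter = __flow_filter($first_ip, $first_port, $second_ip, $second_port)
    Local $file = __scene_path(GUICtrlRead($scene_name), $first_ip, $first_port, $second_ip, $second_port)
    If FileExists($file) Then
        MsgBox(0, "提示信息", "已经存在了该场景的文件,若要保存请修改文件名称。")
        Return
    EndIf
    If IsPtr($pcap) Then _PcapStopCapture($pcap)
    $pcap = _PcapStartCapture("file://" & $file_input, $filter, 1)
    If $pcap = -1 Or Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "选中的不是一个PCAP包。")
        $pcap = 0
        Return
    EndIf
    $pcapfile = _PcapSaveToFile($pcap, $file)
    If $pcapfile = 0 Then
        MsgBox(0, "提示信息", "保存的PCAP文件出错" & _PcapGetLastError())
        _PcapStopCapture($pcap)
        $pcap = 0
        Return
    EndIf
    Local $time0 = TimerInit()
    While TimerDiff($time0) < $WRITE_BUDGET_MS
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or a read error)
        _PcapWriteLastPacket($pcapfile)
    WEnd
    _PcapStopCaptureFile($pcapfile)
    $pcapfile = 0
    _PcapStopCapture($pcap)
    $pcap = 0
    MsgBox(0, "提示信息", "PCAP包分析完成。", 3)
EndFunc

; Parses "ip:port->ip:port" into [ip1, port1, ip2, port2]. Returns 0 when either end
; is not a dotted-quad IPv4 address with a numeric port - the values come from parsed
; packet data and are interpolated into filter text and a file name.
Func __split_flow($flow)
    Local $ends = StringSplit($flow, "->", 1)
    If $ends[0] < 2 Then Return 0
    Local $out[4], $k
    For $k = 0 To 1
        Local $ep = StringSplit($ends[$k + 1], ":")
        If $ep[0] < 2 Then Return 0
        If Not StringRegExp($ep[1], "^\d{1,3}(\.\d{1,3}){3}$") Then Return 0
        If Not StringRegExp($ep[2], "^\d{1,5}$") Then Return 0
        $out[2 * $k] = $ep[1]
        $out[2 * $k + 1] = $ep[2]
    Next
    Return $out
EndFunc

; BPF expression matching the flow in either direction (same text the original built).
Func __flow_filter($ip1, $port1, $ip2, $port2)
    Local $fwd = "ip src " & $ip1 & " && tcp port " & $port1 & " && ip dst " & $ip2 & " && tcp port " & $port2
    Local $rev = "ip src " & $ip2 & " && tcp port " & $port2 & " && ip dst " & $ip1 & " && tcp port " & $port1
    Return "(" & $fwd & ") || (" & $rev & ")"
EndFunc

; Output path under @ScriptDir. The scene name is typed by the user, so path separators,
; drive colons and the other characters Windows rejects in file names are removed;
; otherwise a name like "..\x" or "C:\x" would place the file outside the script folder.
Func __scene_path($scene, $ip1, $port1, $ip2, $port2)
    Local $safe = StringRegExpReplace($scene, '[\\/:*?"<>|]', "")
    Local $path = @ScriptDir & "\" & $safe & "-" & $ip1 & "_" & $port1 & "-" & $ip2 & "_" & $port2
    If StringLower(StringRight($path, 5)) <> ".pcap" Then $path &= ".pcap"
    Return $path
EndFunc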
;应用定时器实现一个,动态显示的效果。主要是面对大PCAP文件来实现的小功能;
#cs ____________________________________
Au3 版本: 3.3.6.1
脚本作者: wozijisunfly
Email: wozijisunfly@sina.com
QQ/TM:
脚本版本: v1.0
脚本功能: 实现读取PCAP包后,分析包信息,根据包信息中的IP:PORT筛选,拆分数据,并保存为PCAP包。
#ce _______________脚本开始_________________
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <ComboConstants.au3>
#include <Timers.au3>
#include <Winpcap.au3>
Opt('MustDeclareVars', 1) ; every variable must be declared (Local/Global/Dim)
Opt("GUICloseOnESC", 0) ; ESC does not close the window; only the close event handled in _special_events does
; Capture state shared by the event handlers:
;   $pcapfile    - handle from _PcapSaveToFile while a split file is being written
;   $dst_ip      - "src:port->dst:port" per distinct TCP source found, indexed 1..$num
;   $num         - number of entries stored in $dst_ip (index 0 is never used)
;   $all_ip_port - the $dst_ip entry currently selected in the combo ("" = none)
;   $pcap        - handle of the _PcapStartCapture session
; NOTE(review): $dst_ip holds 1,000,000 entries while _analysis_pcap sizes its local
; $src_ip at 10,000,000; the smaller array is the effective limit.
Global $pcapfile,$dst_ip[1000000],$num=0,$all_ip_port,$pcap
; GUI control ids; $msg is not referenced by any function in this file.
Global $gui,$file_input,$msg,$btn_analysis,$comb,$btn_save,$scene_name,$dst_label
; Progress animation: $wait and $1 are the "please wait" labels shown by __point1,
; $num_click is the dot counter shared by __point1 and __point2.
Global $wait,$1,$num_click=1
_create_gui()
; Loads WinPcap, builds the window and then pumps messages forever: the call to
; _create_gui at the top of the script never returns, and every later step runs in
; the OnEvent handlers registered here. When WinPcap cannot be set up the function
; returns instead, and the script ends because nothing follows that call.
Func _create_gui()
Local $winpcap=_PcapSetup()
If ($winpcap = -1) Then
MsgBox(0,"提示信息","无法获取或调用" & @SystemDir & "\wpcap.dll文件错误。")
Return
EndIf
; GUICoordMode 2: each control is positioned relative to the previous one, so the
; creation order below is part of the layout - keep it when editing.
Opt("GUICoordMode", 2)
Opt("GUIResizeMode", 1)
Opt("GUIOnEventMode", 1)
$gui = GUICreate("拆分PCAP文件",500,300,Default,Default)
GUISetOnEvent($GUI_EVENT_CLOSE, "_special_events")
GUISetOnEvent($GUI_EVENT_MINIMIZE, "_special_events")
GUISetOnEvent($GUI_EVENT_RESTORE, "_special_events")
$btn_analysis = GUICtrlCreateButton("选择PCAP文件",170,30,150,25)
GUICtrlSetFont(-1,12) ; -1 addresses the control created on the previous line
GUICtrlSetOnEvent($btn_analysis,"_analysis_pcap")
GUICtrlCreateLabel("建立场景名称:",-280,30,130,25)
GUICtrlSetFont(-1,12)
; Scene name, combo and save button stay disabled until _analysis_pcap has listed flows.
$scene_name = GUICtrlCreateInput("",0,-1,300,25)
GUICtrlSetFont($scene_name,12)
GUICtrlSetState($scene_name,$GUI_DISABLE)
GUICtrlCreateLabel("选择源IP:PORT信息:",-450,30,150,25)
GUICtrlSetFont(-1,12)
$comb = GUICtrlCreateCombo("",0,-1,300,45,$CBS_DROPDOWNLIST + $WS_VSCROLL)
; NOTE(review): the first argument is the $GUI_EVENT_PRIMARYDOWN event id rather than a
; control id; presumably $comb (or -1) was intended so the handler runs on a selection.
GUICtrlSetOnEvent($GUI_EVENT_PRIMARYDOWN,"_check_src_dst")
GUICtrlSetFont($comb,12)
GUICtrlSetState($comb,$GUI_DISABLE)
$dst_label = GUICtrlCreateLabel("",-350,5,300,30) ; destination of the selected flow; also the progress text of __point2
GUICtrlSetFont(-1,12)
GUICtrlSetColor(-1,0xd71345)
$btn_save = GUICtrlCreateButton("保存PCAP文件",-270,15,200,25)
GUICtrlSetFont($btn_save,12)
GUICtrlSetState($btn_save,$GUI_DISABLE)
GUICtrlSetOnEvent($btn_save,"_save_pcap")
; "Please wait" text and the dot animation; hidden until __point1 shows them during a save.
$wait = GUICtrlCreateLabel("正在拆分PCAP包,请耐心等待",-230,10,215,25)
GUICtrlSetFont(-1,12)
GUICtrlSetColor(-1,0xd71345)
GUICtrlSetState(-1,$GUI_HIDE)
$1 = GUICtrlCreateLabel("",0,-1,60,25)
GUICtrlSetFont(-1,15)
GUICtrlSetState(-1,$GUI_HIDE)
GUISetState()
; Idle loop; the handlers run from here until _special_events calls Exit.
While 1
Sleep(10)
WEnd
EndFunc
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-24
;~ 功能:获取并分析PCAP包信息
;~ 参数:PCAP包中的数据
;~ 返回值:协议、IP(src/dst)、PORT(src/dst)、SEQUENCE、数据显示
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
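; Summarises one captured frame as a single line of text.
; $data - the frame as an AutoIt binary, Ethernet header first.
; Returns, depending on the frame:
;   "TCP(<flags>)->src:port->dst:port", "UDP src:port -> dst:port",
;   "ICMP src->dst", "IGMP src->dst", "IP 0x<proto> src -> dst",
;   "ARP mac->mac", "IPX mac -> mac", "[0x<ethertype>] mac -> mac",
;   or "SHORT <bytes>" when the frame is too short to hold the header being decoded
;   (a truncated snaplen or a malformed frame was previously read past its end).
; Only IPv4 is decoded; the transport header is located through the IHL field, so
; packets carrying IP options are read correctly (the original assumed 20 bytes).
; The unused sequence-number computation of the original was dropped.
Func MyDissector ($data)
    Local $len = BinaryLen($data)
    ; Ethernet: dst MAC bytes 1-6, src MAC 7-12, ethertype 13-14.
    If $len < 14 Then Return "SHORT " & $len
    Local $macdst = __MacAt($data, 1)
    Local $macsrc = __MacAt($data, 7)
    Local $ethertype = BinaryMid($data, 13, 2)
    If $ethertype = "0x0806" Then Return "ARP " & $macsrc & "->" & $macdst
    If $ethertype = "0x0800" Then
        If $len < 34 Then Return "SHORT " & $len
        ; IPv4 header starts at byte 15; its length is the low nibble of its first byte,
        ; in 32-bit words.
        Local $ihl = BitAND(Number(BinaryMid($data, 15, 1)), 0x0F) * 4
        If $ihl < 20 Then $ihl = 20 ; malformed IHL: use the minimum header length
        Local $src = __IpAt($data, 27)
        Local $dst = __IpAt($data, 31)
        Local $l4 = 15 + $ihl ; first byte of the transport header
        Local $srcport, $dstport
        Switch BinaryMid($data, 24, 1) ; protocol field
            Case "0x01"
                Return "ICMP " & $src & "->" & $dst
            Case "0x02"
                Return "IGMP " & $src & "->" & $dst
            Case "0x06"
                ; TCP: ports at +0 and +2, flags byte at +13.
                If $len < $l4 + 13 Then Return "SHORT " & $len
                $srcport = __U16At($data, $l4)
                $dstport = __U16At($data, $l4 + 2)
                Local $flags = Number(BinaryMid($data, $l4 + 13, 1))
                Local $names[8] = ["Fin", "Syn", "Rst", "Psh", "Ack", "Urg", "Ecn", "Cwr"]
                Local $f = "", $bit
                For $bit = 0 To 7
                    If BitAND($flags, BitShift(1, -$bit)) Then $f &= $names[$bit] & ","
                Next
                $f = StringTrimRight($f, 1) ; drop the trailing comma; "" stays ""
                Return "TCP(" & $f & ")->" & $src & ":" & $srcport & "->" & $dst & ":" & $dstport
            Case "0x11"
                ; UDP: ports at +0 and +2.
                If $len < $l4 + 3 Then Return "SHORT " & $len
                $srcport = __U16At($data, $l4)
                $dstport = __U16At($data, $l4 + 2)
                Return "UDP " & $src & ":" & $srcport & " -> " & $dst & ":" & $dstport
            Case Else
                Return "IP " & BinaryMid($data, 24, 1) & " " & $src & " -> " & $dst
        EndSwitch
        ; every Case above returns (the original had an unreachable Return here)
    EndIf
    If $ethertype = "0x8137" Or $ethertype = "0x8138" Or $ethertype = "0x0022" Or $ethertype = "0x0025" Or $ethertype = "0x002A" Or $ethertype = "0x00E0" Or $ethertype = "0x00FF" Then
        Return "IPX " & $macsrc & " -> " & $macdst
    EndIf
    Return "[" & $ethertype & "] " & $macsrc & " -> " & $macdst
EndFunc

; Six bytes starting at 1-based byte $pos of $data, rendered as aa:bb:cc:dd:ee:ff
; (hex digits taken from the "0x..." string form of the binary, as the original did).
Func __MacAt($data, $pos)
    Local $hex = String($data)
    Local $out = "", $k
    For $k = 0 To 5
        If $k > 0 Then $out &= ":"
        $out &= StringMid($hex, 3 + 2 * ($pos - 1 + $k), 2)
    Next
    Return $out
EndFunc

; Four bytes starting at 1-based byte $pos, rendered as a dotted-quad IPv4 address.
Func __IpAt($data, $pos)
    Return Number(BinaryMid($data, $pos, 1)) & "." & Number(BinaryMid($data, $pos + 1, 1)) & "." & Number(BinaryMid($data, $pos + 2, 1)) & "." & Number(BinaryMid($data, $pos + 3, 1))
EndFunc

; Big-endian 16-bit value at 1-based byte $pos.
Func __U16At($data, $pos)
    Return Number(BinaryMid($data, $pos, 1)) * 256 + Number(BinaryMid($data, $pos + 1, 1))
EndFunc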
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-22
;~ 功能:点击gui窗体时反馈的信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
; Handles the window-level events registered in _create_gui. Only the close event
; does anything: it stops any open capture/save handles, releases WinPcap, kills the
; progress timers and ends the script. Minimise and restore are accepted and ignored.
Func _special_events()
    Switch @GUI_CtrlId
        Case $GUI_EVENT_CLOSE
            If IsPtr($pcapfile) Then _PcapStopCaptureFile($pcapfile)
            If IsPtr($pcap) Then _PcapStopCapture($pcap)
            _PcapFree()
            _Timer_KillAllTimers($gui)
            Exit
        Case $GUI_EVENT_MINIMIZE, $GUI_EVENT_RESTORE
            ; nothing to do
    EndSwitch
EndFunc ;==>_special_events
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:解析PCAP文件,并返回IP:PORT信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
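; "Select PCAP file" button handler. Reads every frame of the chosen file, keeps one
; entry per distinct TCP source "ip:port" (sources in a local list, "src->dst" in the
; global $dst_ip[1..$num]) and loads the sources into the combo box. While the file is
; read the four controls are disabled and __point2 animates $dst_label.
; No parameters, no return value; failures are reported with a MsgBox.
; Fixes over the original: every error path re-enables the controls (the original left
; them disabled after a failed _PcapStartCapture), the capture handle is stopped when
; done, and $dst_ip is never indexed past its end.
Func _analysis_pcap()
    ; Guard against a reader that never reports end-of-file; a real file ends long before this.
    Local Const $READ_BUDGET_MS = 5000000
    $file_input = FileOpenDialog("PCAP路径", ".", "Pcap (*.pcap)| Pcap (*.cap)", 1)
    ; Or, not And: either signal alone means no usable file was chosen.
    If @error Or $file_input == "" Then
        MsgBox(0, "提示信息", "没有选择PCAP文件!请选择。")
        Return
    EndIf
    __analysis_controls($GUI_DISABLE)
    ; A capture left open by a previous run would be orphaned once $pcap is overwritten.
    If IsPtr($pcap) Then _PcapStopCapture($pcap)
    $pcap = _PcapStartCapture("file://" & $file_input, "", 1)
    If $pcap = -1 Then
        MsgBox(0, "提示信息", "PCAP文件出错" & @CRLF & _PcapGetLastError())
        $pcap = 0
        __analysis_controls($GUI_ENABLE)
        Return
    EndIf
    If Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "PCAP文件不能转换一个表达式到指针变量。")
        GUICtrlSetData($dst_label, "")
        __analysis_controls($GUI_ENABLE)
        Return
    EndIf
    ; $dst_ip is the global store, so its size is the real limit on the number of flows.
    Local $max_flows = UBound($dst_ip) - 1
    Local $src_ip[UBound($dst_ip)]
    Local $comb_data = "", $i, $overflow = False
    Local $time0 = TimerInit()
    _Timer_SetTimer($gui, 1000, "__point2") ; progress dots in $dst_label
    $num = 0
    $all_ip_port = "" ; a selection made on the previous file must not be saved against this one
    While TimerDiff($time0) < $READ_BUDGET_MS
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or a read error)
        Local $info = MyDissector($packet[3])
        If Not StringInStr($info, "TCP", 1) Then ContinueLoop
        ; $info is "TCP(flags)->src:port->dst:port"
        Local $arr = StringSplit($info, "->", 1)
        If $arr[0] < 3 Then ContinueLoop
        If __FlowKnown($src_ip, $num, $arr[2]) Then ContinueLoop
        If $num >= $max_flows Then
            $overflow = True
            ExitLoop
        EndIf
        $num += 1
        $src_ip[$num] = $arr[2]
        $dst_ip[$num] = $arr[2] & "->" & $arr[3]
    WEnd
    _PcapStopCapture($pcap)
    $pcap = 0
    _Timer_KillAllTimers($gui)
    $num_click = 1
    If $overflow Then MsgBox(0, "提示信息", "TCP连接数超过" & $max_flows & ",其余已忽略。")
    For $i = 1 To $num
        $comb_data &= "|" & $src_ip[$i]
    Next
    GUICtrlSetData($dst_label, "")
    GUICtrlSetData($comb, "")
    GUICtrlSetData($comb, $comb_data)
    __analysis_controls($GUI_ENABLE)
EndFunc

; Enables or disables the controls that must not be used while a file is being read.
Func __analysis_controls($state)
    GUICtrlSetState($scene_name, $state)
    GUICtrlSetState($btn_save, $state)
    GUICtrlSetState($comb, $state)
    GUICtrlSetState($btn_analysis, $state)
EndFunc

; True when $key equals one of $list[1..$count].
Func __FlowKnown(ByRef $list, $count, $key)
    Local $k
    For $k = 1 To $count
        If $list[$k] == $key Then Return True
    Next
    Return False
EndFunc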
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:选择下拉列表中的数值,回显出对应的值
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
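; Combo-box handler: finds the flow whose source "ip:port" equals the selected entry,
; stores its full "src->dst" string in $all_ip_port and shows the destination in
; $dst_label. $all_ip_port and the label are cleared first, so a selection that
; matches nothing leaves no stale flow behind for _save_pcap.
; Fix: the original accepted any $dst_ip entry that merely *started* with the selected
; text (StringInStr == 1), so selecting "10.0.0.1:80" could pick "10.0.0.1:8080->...";
; it also read the selection from @GUI_CtrlId, which is the combo only when the event
; originates from it - $comb is read directly instead.
Func _check_src_dst()
    Local $selected = GUICtrlRead($comb)
    Local $i
    $all_ip_port = ""
    GUICtrlSetData($dst_label, "")
    If $selected == "" Then Return
    For $i = 1 To $num
        Local $parts = StringSplit($dst_ip[$i], "->", 1)
        If $parts[0] < 2 Then
            MsgBox(0, "提示信息", $dst_ip[$i] & "解析有误,无法进行PCAP包拆分。")
            Return
        EndIf
        If $parts[1] == $selected Then
            $all_ip_port = $dst_ip[$i]
            GUICtrlSetData($dst_label, "目的IP:PORT->" & $parts[2])
            GUICtrlSetFont($dst_label, 12)
            Return
        EndIf
    Next
EndFunc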
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:按照下拉列表的选择,保存PCAP文件
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
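; "Save PCAP file" button handler: re-reads $file_input with a BPF filter limited to the
; flow in $all_ip_port (both directions) and writes the matching frames to
; <scene>-<ip1>_<port1>-<ip2>_<port2>.pcap next to the script. The controls are
; disabled and __point1 animates the "please wait" labels until the function leaves.
; No parameters, no return value; failures are reported with a MsgBox.
; Fixes over the original: both endpoints are validated before they are spliced into
; the filter text and the file name, the user-typed scene name cannot carry the output
; outside @ScriptDir, a failed _PcapStartCapture is detected before _PcapSaveToFile is
; handed its result, the capture left open by _analysis_pcap is stopped before $pcap is
; overwritten, handles are cleared after they are stopped so the close handler does not
; stop them twice, and the seven-line GUI reset repeated on every exit is one helper.
Func _save_pcap()
    ; Guard against a reader that never reports end-of-file; a real file ends long before this.
    Local Const $WRITE_BUDGET_MS = 5000000
    __save_controls($GUI_DISABLE)
    _Timer_SetTimer($gui, 1000, "__point1") ; shows $wait/$1 and animates the dots
    If StringLen($all_ip_port) == 0 Then
        MsgBox(0, "提示信息", "请选择一个IP:PORT。")
        __save_finish()
        Return
    EndIf
    Local $ends = __split_flow($all_ip_port)
    If Not IsArray($ends) Then
        MsgBox(0, "提示信息", $all_ip_port & "解析有误,无法进行PCAP包拆分")
        __save_finish()
        Return
    EndIf
    Local $first_ip = $ends[0], $first_port = $ends[1], $second_ip = $ends[2], $second_port = $ends[3]
    Local $filter = __flow_filter($first_ip, $first_port, $second_ip, $second_port)
    Local $file = __scene_path(GUICtrlRead($scene_name), $first_ip, $first_port, $second_ip, $second_port)
    If FileExists($file) Then
        MsgBox(0, "提示信息", "已经存在了该场景的文件,若要保存请修改文件名称。")
        __save_finish()
        Return
    EndIf
    If IsPtr($pcap) Then _PcapStopCapture($pcap)
    $pcap = _PcapStartCapture("file://" & $file_input, $filter, 1)
    If $pcap = -1 Or Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "选中的不是一个PCAP包。")
        $pcap = 0
        __save_finish()
        Return
    EndIf
    $pcapfile = _PcapSaveToFile($pcap, $file)
    If $pcapfile = 0 Then
        MsgBox(0, "提示信息", "保存的PCAP文件出错" & _PcapGetLastError())
        _PcapStopCapture($pcap)
        $pcap = 0
        __save_finish()
        Return
    EndIf
    Local $time0 = TimerInit()
    While TimerDiff($time0) < $WRITE_BUDGET_MS
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or a read error)
        _PcapWriteLastPacket($pcapfile)
    WEnd
    _PcapStopCaptureFile($pcapfile)
    $pcapfile = 0
    _PcapStopCapture($pcap)
    $pcap = 0
    __save_finish()
    MsgBox(0, "提示信息", "PCAP包分析完成。", 3)
EndFunc

; Enables or disables the controls that must not be used while a file is being written.
Func __save_controls($state)
    GUICtrlSetState($scene_name, $state)
    GUICtrlSetState($btn_save, $state)
    GUICtrlSetState($comb, $state)
    GUICtrlSetState($btn_analysis, $state)
EndFunc

; Common exit path of _save_pcap: stop the animation, hide its labels, reset the dot
; counter and give the controls back.
Func __save_finish()
    _Timer_KillAllTimers($gui)
    GUICtrlSetState($wait, $GUI_HIDE)
    GUICtrlSetState($1, $GUI_HIDE)
    $num_click = 1
    __save_controls($GUI_ENABLE)
EndFunc

; Parses "ip:port->ip:port" into [ip1, port1, ip2, port2]. Returns 0 when either end
; is not a dotted-quad IPv4 address with a numeric port - the values come from parsed
; packet data and are interpolated into filter text and a file name.
Func __split_flow($flow)
    Local $ends = StringSplit($flow, "->", 1)
    If $ends[0] < 2 Then Return 0
    Local $out[4], $k
    For $k = 0 To 1
        Local $ep = StringSplit($ends[$k + 1], ":")
        If $ep[0] < 2 Then Return 0
        If Not StringRegExp($ep[1], "^\d{1,3}(\.\d{1,3}){3}$") Then Return 0
        If Not StringRegExp($ep[2], "^\d{1,5}$") Then Return 0
        $out[2 * $k] = $ep[1]
        $out[2 * $k + 1] = $ep[2]
    Next
    Return $out
EndFunc

; BPF expression matching the flow in either direction (same text the original built).
Func __flow_filter($ip1, $port1, $ip2, $port2)
    Local $fwd = "ip src " & $ip1 & " && tcp port " & $port1 & " && ip dst " & $ip2 & " && tcp port " & $port2
    Local $rev = "ip src " & $ip2 & " && tcp port " & $port2 & " && ip dst " & $ip1 & " && tcp port " & $port1
    Return "(" & $fwd & ") || (" & $rev & ")"
EndFunc

; Output path under @ScriptDir. The scene name is typed by the user, so path separators,
; drive colons and the other characters Windows rejects in file names are removed;
; otherwise a name like "..\x" or "C:\x" would place the file outside the script folder.
Func __scene_path($scene, $ip1, $port1, $ip2, $port2)
    Local $safe = StringRegExpReplace($scene, '[\\/:*?"<>|]', "")
    Local $path = @ScriptDir & "\" & $safe & "-" & $ip1 & "_" & $port1 & "-" & $ip2 & "_" & $port2
    If StringLower(StringRight($path, 5)) <> ".pcap" Then $path &= ".pcap"
    Return $path
EndFunc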
; Timer callback while a split file is being written: reveals the "please wait" labels
; and redraws $1 with $num_click dots. The counter advances each tick; when it reaches
; 7 the display wraps to a single dot and the counter restarts (at 2, as the original
; loop did: the reset to 1 is followed by the unconditional increment).
; The four parameters are the standard TimerProc arguments and are not used.
Func __point1($hWnd, $Msg, $iIDTimer, $dwTime)
    #forceref $hWnd, $Msg, $iIDTimer, $dwTime
    GUICtrlSetState($wait, $GUI_SHOW)
    GUICtrlSetState($1, $GUI_SHOW)
    Local $dots = ""
    If $num_click == 7 Then
        $num_click = 1
        $dots = "."
    Else
        Local $k
        For $k = 1 To $num_click
            $dots &= "."
        Next
    EndIf
    $num_click += 1
    GUICtrlSetData($1, "")
    GUICtrlSetData($1, $dots)
    GUICtrlSetFont($1, 15)
EndFunc
; Timer callback while a file is being analysed: redraws $dst_label as
; "正在解析PCAP包 " followed by $num_click dots. The counter advances each tick; when
; it reaches 7 the display wraps to a single dot and the counter restarts (at 2, as
; the original loop did: the reset to 1 is followed by the unconditional increment).
; The four parameters are the standard TimerProc arguments and are not used.
Func __point2($hWnd, $Msg, $iIDTimer, $dwTime)
    #forceref $hWnd, $Msg, $iIDTimer, $dwTime
    Local $dots = ""
    If $num_click == 7 Then
        $num_click = 1
        $dots = "."
    Else
        Local $k
        For $k = 1 To $num_click
            $dots &= "."
        Next
    EndIf
    $num_click += 1
    GUICtrlSetData($dst_label, "")
    GUICtrlSetData($dst_label, "正在解析PCAP包 " & $dots)
    GUICtrlSetFont($dst_label, 12)
EndFunc
Au3 版本: 3.3.6.1
脚本作者: wozijisunfly
Email: wozijisun@sina.com
QQ/TM:
脚本版本: v1.0
脚本功能: 实现读取PCAP包后,分析包信息,根据包信息中的IP:PORT筛选,拆分数据,并保存为PCAP包。
#ce _______________脚本开始_________________
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <ComboConstants.au3>
#include <Winpcap.au3>
Opt('MustDeclareVars', 1) ; every variable must be declared (Local/Global/Dim)
Opt("GUICloseOnESC", 0) ; ESC does not close the window; only the close event handled in _special_events does
; Capture state shared by the event handlers:
;   $pcapfile    - handle from _PcapSaveToFile while a split file is being written
;   $dst_ip      - "src:port->dst:port" per distinct TCP source found, indexed 1..$num
;   $num         - number of entries stored in $dst_ip (index 0 is never used)
;   $all_ip_port - the $dst_ip entry currently selected in the combo ("" = none)
;   $pcap        - handle of the _PcapStartCapture session
; NOTE(review): $dst_ip holds 1,000,000 entries while _analysis_pcap sizes its local
; $src_ip at 10,000,000; the smaller array is the effective limit.
Global $pcapfile,$dst_ip[1000000],$num=0,$all_ip_port,$pcap
; GUI control ids; $msg is not referenced by any function in this file.
Global $gui,$file_input,$msg,$btn_analysis,$comb,$btn_save,$scene_name,$dst_label
_create_gui()
; Loads WinPcap, builds the window and then pumps messages forever: the call to
; _create_gui at the top of the script never returns, and every later step runs in
; the OnEvent handlers registered here. When WinPcap cannot be set up the function
; returns instead, and the script ends because nothing follows that call.
Func _create_gui()
Local $winpcap=_PcapSetup()
If ($winpcap = -1) Then
MsgBox(0,"提示信息","无法获取或调用" & @SystemDir & "\wpcap.dll文件错误。")
Return
EndIf
; GUICoordMode 2: each control is positioned relative to the previous one, so the
; creation order below is part of the layout - keep it when editing.
Opt("GUICoordMode", 2)
Opt("GUIResizeMode", 1)
Opt("GUIOnEventMode", 1)
$gui = GUICreate("拆分PCAP文件",500,300,Default,Default)
GUISetOnEvent($GUI_EVENT_CLOSE, "_special_events")
GUISetOnEvent($GUI_EVENT_MINIMIZE, "_special_events")
GUISetOnEvent($GUI_EVENT_RESTORE, "_special_events")
$btn_analysis = GUICtrlCreateButton("选择PCAP文件",170,30,150,25)
GUICtrlSetFont(-1,12) ; -1 addresses the control created on the previous line
GUICtrlSetOnEvent($btn_analysis,"_analysis_pcap")
GUICtrlCreateLabel("建立场景名称:",-280,30,130,25)
GUICtrlSetFont(-1,12)
; Scene name, combo and save button stay disabled until _analysis_pcap has listed flows.
$scene_name = GUICtrlCreateInput("",0,-1,300,25)
GUICtrlSetFont($scene_name,12)
GUICtrlSetState($scene_name,$GUI_DISABLE)
GUICtrlCreateLabel("选择源IP:PORT信息:",-450,30,150,25)
GUICtrlSetFont(-1,12)
$comb = GUICtrlCreateCombo("",0,-1,300,45,$CBS_DROPDOWNLIST)
; NOTE(review): the first argument is the $GUI_EVENT_PRIMARYDOWN event id rather than a
; control id; presumably $comb (or -1) was intended so the handler runs on a selection.
GUICtrlSetOnEvent($GUI_EVENT_PRIMARYDOWN,"_check_src_dst")
GUICtrlSetFont($comb,12)
GUICtrlSetState($comb,$GUI_DISABLE)
$dst_label = GUICtrlCreateLabel("",-350,5,300,30) ; shows the destination of the selected flow
GUICtrlSetFont(-1,12)
GUICtrlSetColor(-1,0xd71345)
$btn_save = GUICtrlCreateButton("保存PCAP文件",-270,15,200,25)
GUICtrlSetFont($btn_save,12)
GUICtrlSetState($btn_save,$GUI_DISABLE)
GUICtrlSetOnEvent($btn_save,"_save_pcap")
GUISetState()
; Idle loop; the handlers run from here until _special_events calls Exit.
While 1
Sleep(10)
WEnd
EndFunc
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-24
;~ 功能:获取并分析PCAP包信息
;~ 参数:PCAP包中的数据
;~ 返回值:协议、IP(src/dst)、PORT(src/dst)、SEQUENCE、数据显示
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
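; Summarises one captured frame as a single line of text.
; $data - the frame as an AutoIt binary, Ethernet header first.
; Returns, depending on the frame:
;   "TCP(<flags>)->src:port->dst:port", "UDP src:port -> dst:port",
;   "ICMP src->dst", "IGMP src->dst", "IP 0x<proto> src -> dst",
;   "ARP mac->mac", "IPX mac -> mac", "[0x<ethertype>] mac -> mac",
;   or "SHORT <bytes>" when the frame is too short to hold the header being decoded
;   (a truncated snaplen or a malformed frame was previously read past its end).
; Only IPv4 is decoded; the transport header is located through the IHL field, so
; packets carrying IP options are read correctly (the original assumed 20 bytes).
; The unused sequence-number computation of the original was dropped.
Func MyDissector ($data)
    Local $len = BinaryLen($data)
    ; Ethernet: dst MAC bytes 1-6, src MAC 7-12, ethertype 13-14.
    If $len < 14 Then Return "SHORT " & $len
    Local $macdst = __MacAt($data, 1)
    Local $macsrc = __MacAt($data, 7)
    Local $ethertype = BinaryMid($data, 13, 2)
    If $ethertype = "0x0806" Then Return "ARP " & $macsrc & "->" & $macdst
    If $ethertype = "0x0800" Then
        If $len < 34 Then Return "SHORT " & $len
        ; IPv4 header starts at byte 15; its length is the low nibble of its first byte,
        ; in 32-bit words.
        Local $ihl = BitAND(Number(BinaryMid($data, 15, 1)), 0x0F) * 4
        If $ihl < 20 Then $ihl = 20 ; malformed IHL: use the minimum header length
        Local $src = __IpAt($data, 27)
        Local $dst = __IpAt($data, 31)
        Local $l4 = 15 + $ihl ; first byte of the transport header
        Local $srcport, $dstport
        Switch BinaryMid($data, 24, 1) ; protocol field
            Case "0x01"
                Return "ICMP " & $src & "->" & $dst
            Case "0x02"
                Return "IGMP " & $src & "->" & $dst
            Case "0x06"
                ; TCP: ports at +0 and +2, flags byte at +13.
                If $len < $l4 + 13 Then Return "SHORT " & $len
                $srcport = __U16At($data, $l4)
                $dstport = __U16At($data, $l4 + 2)
                Local $flags = Number(BinaryMid($data, $l4 + 13, 1))
                Local $names[8] = ["Fin", "Syn", "Rst", "Psh", "Ack", "Urg", "Ecn", "Cwr"]
                Local $f = "", $bit
                For $bit = 0 To 7
                    If BitAND($flags, BitShift(1, -$bit)) Then $f &= $names[$bit] & ","
                Next
                $f = StringTrimRight($f, 1) ; drop the trailing comma; "" stays ""
                Return "TCP(" & $f & ")->" & $src & ":" & $srcport & "->" & $dst & ":" & $dstport
            Case "0x11"
                ; UDP: ports at +0 and +2.
                If $len < $l4 + 3 Then Return "SHORT " & $len
                $srcport = __U16At($data, $l4)
                $dstport = __U16At($data, $l4 + 2)
                Return "UDP " & $src & ":" & $srcport & " -> " & $dst & ":" & $dstport
            Case Else
                Return "IP " & BinaryMid($data, 24, 1) & " " & $src & " -> " & $dst
        EndSwitch
        ; every Case above returns (the original had an unreachable Return here)
    EndIf
    If $ethertype = "0x8137" Or $ethertype = "0x8138" Or $ethertype = "0x0022" Or $ethertype = "0x0025" Or $ethertype = "0x002A" Or $ethertype = "0x00E0" Or $ethertype = "0x00FF" Then
        Return "IPX " & $macsrc & " -> " & $macdst
    EndIf
    Return "[" & $ethertype & "] " & $macsrc & " -> " & $macdst
EndFunc

; Six bytes starting at 1-based byte $pos of $data, rendered as aa:bb:cc:dd:ee:ff
; (hex digits taken from the "0x..." string form of the binary, as the original did).
Func __MacAt($data, $pos)
    Local $hex = String($data)
    Local $out = "", $k
    For $k = 0 To 5
        If $k > 0 Then $out &= ":"
        $out &= StringMid($hex, 3 + 2 * ($pos - 1 + $k), 2)
    Next
    Return $out
EndFunc

; Four bytes starting at 1-based byte $pos, rendered as a dotted-quad IPv4 address.
Func __IpAt($data, $pos)
    Return Number(BinaryMid($data, $pos, 1)) & "." & Number(BinaryMid($data, $pos + 1, 1)) & "." & Number(BinaryMid($data, $pos + 2, 1)) & "." & Number(BinaryMid($data, $pos + 3, 1))
EndFunc

; Big-endian 16-bit value at 1-based byte $pos.
Func __U16At($data, $pos)
    Return Number(BinaryMid($data, $pos, 1)) * 256 + Number(BinaryMid($data, $pos + 1, 1))
EndFunc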
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-22
;~ 功能:点击gui窗体时反馈的信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
; Handles the window-level events registered in _create_gui. Only the close event
; does anything: it stops any open capture/save handles, releases WinPcap and ends
; the script. Minimise and restore are accepted and ignored.
Func _special_events()
    Switch @GUI_CtrlId
        Case $GUI_EVENT_CLOSE
            If IsPtr($pcapfile) Then _PcapStopCaptureFile($pcapfile)
            If IsPtr($pcap) Then _PcapStopCapture($pcap)
            _PcapFree()
            Exit
        Case $GUI_EVENT_MINIMIZE, $GUI_EVENT_RESTORE
            ; nothing to do
    EndSwitch
EndFunc ;==>_special_events
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:解析PCAP文件,并返回IP:PORT信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
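; "Select PCAP file" button handler. Reads every frame of the chosen file, keeps one
; entry per distinct TCP source "ip:port" (sources in a local list, "src->dst" in the
; global $dst_ip[1..$num]) and loads the sources into the combo box.
; No parameters, no return value; failures are reported with a MsgBox.
; Compared with the original: the flows are collected in memory instead of via
; @ScriptDir\pcap.txt, the whole file is read instead of the first 500 ms of it,
; the capture handle is stopped when done, MyDissector runs once per frame, and
; $dst_ip is never indexed past its end.
Func _analysis_pcap()
    ; Guard against a reader that never reports end-of-file; a real file ends long before this.
    Local Const $READ_BUDGET_MS = 5000000
    $file_input = FileOpenDialog("PCAP路径", ".", "Pcap (*.pcap)", 1)
    ; Or, not And: either signal alone means no usable file was chosen.
    If @error Or $file_input == "" Then
        MsgBox(0, "提示信息", "没有选择PCAP文件!请选择。")
        Return
    EndIf
    ; A capture left open by a previous run would be orphaned once $pcap is overwritten.
    If IsPtr($pcap) Then _PcapStopCapture($pcap)
    $pcap = _PcapStartCapture("file://" & $file_input, "", 1)
    If $pcap = -1 Then
        MsgBox(0, "提示信息", "PCAP文件出错" & @CRLF & _PcapGetLastError())
        $pcap = 0
        Return
    EndIf
    If Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "PCAP文件不能转换一个表达式到指针变量。")
        Return
    EndIf
    ; $dst_ip is the global store, so its size is the real limit on the number of flows.
    Local $max_flows = UBound($dst_ip) - 1
    Local $src_ip[UBound($dst_ip)]
    Local $comb_data = "", $i, $overflow = False
    Local $time0 = TimerInit()
    $num = 0
    $all_ip_port = "" ; a selection made on the previous file must not be saved against this one
    While TimerDiff($time0) < $READ_BUDGET_MS
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or a read error)
        Local $info = MyDissector($packet[3])
        If Not StringInStr($info, "TCP", 1) Then ContinueLoop
        ; $info is "TCP(flags)->src:port->dst:port"
        Local $arr = StringSplit($info, "->", 1)
        If $arr[0] < 3 Then ContinueLoop
        If __FlowKnown($src_ip, $num, $arr[2]) Then ContinueLoop
        If $num >= $max_flows Then
            $overflow = True
            ExitLoop
        EndIf
        $num += 1
        $src_ip[$num] = $arr[2]
        $dst_ip[$num] = $arr[2] & "->" & $arr[3]
    WEnd
    _PcapStopCapture($pcap)
    $pcap = 0
    If $overflow Then MsgBox(0, "提示信息", "TCP连接数超过" & $max_flows & ",其余已忽略。")
    For $i = 1 To $num
        $comb_data &= "|" & $src_ip[$i]
    Next
    GUICtrlSetState($btn_save, $GUI_ENABLE)
    GUICtrlSetState($scene_name, $GUI_ENABLE)
    GUICtrlSetState($comb, $GUI_ENABLE)
    GUICtrlSetData($dst_label, "")
    GUICtrlSetData($comb, "")
    GUICtrlSetData($comb, $comb_data)
EndFunc

; True when $key equals one of $list[1..$count].
Func __FlowKnown(ByRef $list, $count, $key)
    Local $k
    For $k = 1 To $count
        If $list[$k] == $key Then Return True
    Next
    Return False
EndFunc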
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:选择下拉列表中的数值,回显出对应的值
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
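; Combo-box handler: finds the flow whose source "ip:port" equals the selected entry,
; stores its full "src->dst" string in $all_ip_port and shows the destination in
; $dst_label. $all_ip_port and the label are cleared first, so a selection that
; matches nothing leaves no stale flow behind for _save_pcap.
; Fix: the original accepted any $dst_ip entry that merely *started* with the selected
; text (StringInStr == 1), so selecting "10.0.0.1:80" could pick "10.0.0.1:8080->...";
; it also read the selection from @GUI_CtrlId, which is the combo only when the event
; originates from it - $comb is read directly instead.
Func _check_src_dst()
    Local $selected = GUICtrlRead($comb)
    Local $i
    $all_ip_port = ""
    GUICtrlSetData($dst_label, "")
    If $selected == "" Then Return
    For $i = 1 To $num
        Local $parts = StringSplit($dst_ip[$i], "->", 1)
        If $parts[0] < 2 Then
            MsgBox(0, "提示信息", $dst_ip[$i] & "解析有误,无法进行PCAP包拆分。")
            Return
        EndIf
        If $parts[1] == $selected Then
            $all_ip_port = $dst_ip[$i]
            GUICtrlSetData($dst_label, "目的IP:PORT->" & $parts[2])
            GUICtrlSetFont($dst_label, 12)
            Return
        EndIf
    Next
EndFunc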
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:按照下拉列表的选择,保存PCAP文件
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
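; "Save PCAP file" button handler: re-reads $file_input with a BPF filter limited to the
; flow in $all_ip_port (both directions) and writes the matching frames to
; <scene>-<ip1>_<port1>-<ip2>_<port2>.pcap next to the script.
; No parameters, no return value; failures are reported with a MsgBox.
; Fixes over the original: both endpoints are validated before they are spliced into
; the filter text and the file name, the user-typed scene name cannot carry the output
; outside @ScriptDir, a failed _PcapStartCapture is detected before _PcapSaveToFile is
; handed its result, the capture left open by _analysis_pcap is stopped before $pcap is
; overwritten, the whole file is written instead of the first 500 ms of it, and the
; handles are cleared after they are stopped so the close handler does not stop them twice.
Func _save_pcap()
    ; Guard against a reader that never reports end-of-file; a real file ends long before this.
    Local Const $WRITE_BUDGET_MS = 5000000
    If StringLen($all_ip_port) == 0 Then
        MsgBox(0, "提示信息", "请选择一个IP:PORT。")
        Return
    EndIf
    Local $ends = __split_flow($all_ip_port)
    If Not IsArray($ends) Then
        MsgBox(0, "提示信息", $all_ip_port & "解析有误,无法进行PCAP包拆分")
        Return
    EndIf
    Local $first_ip = $ends[0], $first_port = $ends[1], $second_ip = $ends[2], $second_port = $ends[3]
    Local $filter = __flow_filter($first_ip, $first_port, $second_ip, $second_port)
    Local $file = __scene_path(GUICtrlRead($scene_name), $first_ip, $first_port, $second_ip, $second_port)
    If FileExists($file) Then
        MsgBox(0, "提示信息", "已经存在了该场景的文件,若要保存请修改文件名称。")
        Return
    EndIf
    If IsPtr($pcap) Then _PcapStopCapture($pcap)
    $pcap = _PcapStartCapture("file://" & $file_input, $filter, 1)
    If $pcap = -1 Or Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "选中的不是一个PCAP包。")
        $pcap = 0
        Return
    EndIf
    $pcapfile = _PcapSaveToFile($pcap, $file)
    If $pcapfile = 0 Then
        MsgBox(0, "提示信息", "保存的PCAP文件出错" & _PcapGetLastError())
        _PcapStopCapture($pcap)
        $pcap = 0
        Return
    EndIf
    Local $time0 = TimerInit()
    While TimerDiff($time0) < $WRITE_BUDGET_MS
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or a read error)
        _PcapWriteLastPacket($pcapfile)
    WEnd
    _PcapStopCaptureFile($pcapfile)
    $pcapfile = 0
    _PcapStopCapture($pcap)
    $pcap = 0
    MsgBox(0, "提示信息", "PCAP包分析完成。", 3)
EndFunc

; Parses "ip:port->ip:port" into [ip1, port1, ip2, port2]. Returns 0 when either end
; is not a dotted-quad IPv4 address with a numeric port - the values come from parsed
; packet data and are interpolated into filter text and a file name.
Func __split_flow($flow)
    Local $ends = StringSplit($flow, "->", 1)
    If $ends[0] < 2 Then Return 0
    Local $out[4], $k
    For $k = 0 To 1
        Local $ep = StringSplit($ends[$k + 1], ":")
        If $ep[0] < 2 Then Return 0
        If Not StringRegExp($ep[1], "^\d{1,3}(\.\d{1,3}){3}$") Then Return 0
        If Not StringRegExp($ep[2], "^\d{1,5}$") Then Return 0
        $out[2 * $k] = $ep[1]
        $out[2 * $k + 1] = $ep[2]
    Next
    Return $out
EndFunc

; BPF expression matching the flow in either direction (same text the original built).
Func __flow_filter($ip1, $port1, $ip2, $port2)
    Local $fwd = "ip src " & $ip1 & " && tcp port " & $port1 & " && ip dst " & $ip2 & " && tcp port " & $port2
    Local $rev = "ip src " & $ip2 & " && tcp port " & $port2 & " && ip dst " & $ip1 & " && tcp port " & $port1
    Return "(" & $fwd & ") || (" & $rev & ")"
EndFunc

; Output path under @ScriptDir. The scene name is typed by the user, so path separators,
; drive colons and the other characters Windows rejects in file names are removed;
; otherwise a name like "..\x" or "C:\x" would place the file outside the script folder.
Func __scene_path($scene, $ip1, $port1, $ip2, $port2)
    Local $safe = StringRegExpReplace($scene, '[\\/:*?"<>|]', "")
    Local $path = @ScriptDir & "\" & $safe & "-" & $ip1 & "_" & $port1 & "-" & $ip2 & "_" & $port2
    If StringLower(StringRight($path, 5)) <> ".pcap" Then $path &= ".pcap"
    Return $path
EndFunc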
;应用定时器实现一个,动态显示的效果。主要是面对大PCAP文件来实现的小功能;
#cs ____________________________________
Au3 版本: 3.3.6.1
脚本作者: wozijisunfly
Email: wozijisunfly@sina.com
QQ/TM:
脚本版本: v1.0
脚本功能: 实现读取PCAP包后,分析包信息,根据包信息中的IP:PORT筛选,拆分数据,并保存为PCAP包。
#ce _______________脚本开始_________________
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <ComboConstants.au3>
#include <Timers.au3>
#include <Winpcap.au3>
Opt('MustDeclareVars', 1)
Opt("GUICloseOnESC", 0)
; capture state shared by the event handlers
Global $pcapfile, $pcap                ; winpcap dump handle / capture handle (0 or -1 when not open)
Global $dst_ip[1000000]                ; "src:port->dst:port" for every distinct TCP source endpoint found
Global $num = 0                        ; number of entries used in $dst_ip (1-based)
Global $all_ip_port                    ; the "src:port->dst:port" entry currently selected in the combo
; GUI control ids and the chosen input file
Global $gui, $file_input, $msg
Global $btn_analysis, $comb, $btn_save, $scene_name, $dst_label
Global $wait, $1, $num_click = 1       ; "please wait" label, animated dot label, dot counter (1..7)
_create_gui()
; Build the main window and enter the OnEvent idle loop; does not return while the GUI is up.
; Calls _PcapSetup first and bails out with a MsgBox when wpcap.dll cannot be loaded.
; NOTE: GUICoordMode 2 makes every control position relative to the previously created
; control, so the creation order below *is* the layout - do not reorder these calls.
Func _create_gui()
Local $winpcap=_PcapSetup()
If ($winpcap = -1) Then
MsgBox(0,"提示信息","无法获取或调用" & @SystemDir & "\wpcap.dll文件错误。")
Return
EndIf
Opt("GUICoordMode", 2) ; coordinates are relative to the previously created control
Opt("GUIResizeMode", 1)
Opt("GUIOnEventMode", 1) ; events are delivered to the handler functions registered below
$gui = GUICreate("拆分PCAP文件",500,300,Default,Default)
GUISetOnEvent($GUI_EVENT_CLOSE, "_special_events")
GUISetOnEvent($GUI_EVENT_MINIMIZE, "_special_events")
GUISetOnEvent($GUI_EVENT_RESTORE, "_special_events")
; "choose PCAP" button: _analysis_pcap fills the combo with the file's TCP source endpoints
$btn_analysis = GUICtrlCreateButton("选择PCAP文件",170,30,150,25)
GUICtrlSetFont(-1,12)
GUICtrlSetOnEvent($btn_analysis,"_analysis_pcap")
; scene name: free text that _save_pcap uses as the first part of the output file name
GUICtrlCreateLabel("建立场景名称:",-280,30,130,25)
GUICtrlSetFont(-1,12)
$scene_name = GUICtrlCreateInput("",0,-1,300,25)
GUICtrlSetFont($scene_name,12)
GUICtrlSetState($scene_name,$GUI_DISABLE) ; enabled once a file has been analysed
GUICtrlCreateLabel("选择源IP:PORT信息:",-450,30,150,25)
GUICtrlSetFont(-1,12)
$comb = GUICtrlCreateCombo("",0,-1,300,45,$CBS_DROPDOWNLIST + $WS_VSCROLL)
; NOTE(review): the handler is registered against $GUI_EVENT_PRIMARYDOWN rather than the
; combo control, and _check_src_dst then reads @GUI_CtrlId - confirm that this delivers the
; combo's id; GUICtrlSetOnEvent($comb, ...) would be the usual form.
GUICtrlSetOnEvent($GUI_EVENT_PRIMARYDOWN,"_check_src_dst")
GUICtrlSetFont($comb,12)
GUICtrlSetState($comb,$GUI_DISABLE)
; red label: shows the destination endpoint of the selected entry; __point2 also writes
; its progress text here while a file is being analysed
$dst_label = GUICtrlCreateLabel("",-350,5,300,30)
GUICtrlSetFont(-1,12)
GUICtrlSetColor(-1,0xd71345)
$btn_save = GUICtrlCreateButton("保存PCAP文件",-270,15,200,25)
GUICtrlSetFont($btn_save,12)
GUICtrlSetState($btn_save,$GUI_DISABLE)
GUICtrlSetOnEvent($btn_save,"_save_pcap")
; hidden "please wait" label plus the animated dot label; both are shown by the __point1
; timer while _save_pcap is writing the split file
$wait = GUICtrlCreateLabel("正在拆分PCAP包,请耐心等待",-230,10,215,25)
GUICtrlSetFont(-1,12)
GUICtrlSetColor(-1,0xd71345)
GUICtrlSetState(-1,$GUI_HIDE)
$1 = GUICtrlCreateLabel("",0,-1,60,25)
GUICtrlSetFont(-1,15)
GUICtrlSetState(-1,$GUI_HIDE)
GUISetState()
; OnEvent mode: idle here, handlers run on their events; _special_events calls Exit on close
While 1
Sleep(10)
WEnd
EndFunc
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-24
;~ 功能:获取并分析PCAP包信息
;~ 参数:PCAP包中的数据
;~ 返回值:协议、IP(src/dst)、PORT(src/dst)、SEQUENCE、数据显示
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
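; Decode one raw Ethernet frame into a one-line summary string.
; $data  - the captured frame as an AutoIt Binary (what _PcapGetPacket returns in $packet[3]).
; Returns e.g. "ARP <srcmac>-><dstmac>", "ICMP <src>-><dst>",
;              "TCP(Syn,Ack)-><src>:<sport>-><dst>:<dport>", "UDP <src>:<sport> -> <dst>:<dport>".
; _analysis_pcap splits the TCP form on "->", so its layout must not change.
; Transport-layer offsets are derived from the IPv4 IHL field, so frames that carry IP
; options are decoded at the right position (the previous version assumed a 20-byte header).
; Not handled: VLAN tags, IPv6, truncated frames (missing bytes simply decode as 0).
Func MyDissector($data)
    ; StringMid works on the "0x..." text form of the binary: hex byte k sits at text position 2k+1
    Local $macdst = StringMid($data, 3, 2) & ":" & StringMid($data, 5, 2) & ":" & StringMid($data, 7, 2) & ":" & StringMid($data, 9, 2) & ":" & StringMid($data, 11, 2) & ":" & StringMid($data, 13, 2)
    Local $macsrc = StringMid($data, 15, 2) & ":" & StringMid($data, 17, 2) & ":" & StringMid($data, 19, 2) & ":" & StringMid($data, 21, 2) & ":" & StringMid($data, 23, 2) & ":" & StringMid($data, 25, 2)
    Local $ethertype = BinaryMid($data, 13, 2)
    If $ethertype = "0x0806" Then Return "ARP " & $macsrc & "->" & $macdst
    If $ethertype = "0x0800" Then
        ; IPv4 header starts at byte 15; addresses sit at fixed offsets 12..19 of it
        Local $src = Number(BinaryMid($data, 27, 1)) & "." & Number(BinaryMid($data, 28, 1)) & "." & Number(BinaryMid($data, 29, 1)) & "." & Number(BinaryMid($data, 30, 1))
        Local $dst = Number(BinaryMid($data, 31, 1)) & "." & Number(BinaryMid($data, 32, 1)) & "." & Number(BinaryMid($data, 33, 1)) & "." & Number(BinaryMid($data, 34, 1))
        ; IHL (low nibble of the first IPv4 byte) is the header length in 32-bit words;
        ; the transport header starts right after it.  Values below 5 are malformed, so
        ; fall back to the minimum header length instead of pointing into the IP header.
        Local $ihl = BitAND(Number(BinaryMid($data, 15, 1)), 0x0F) * 4
        If $ihl < 20 Then $ihl = 20
        Local $l4 = 14 + $ihl + 1 ; 1-based position of the first transport-layer byte
        Switch BinaryMid($data, 24, 1) ; IPv4 protocol field
            Case "0x01"
                Return "ICMP " & $src & "->" & $dst
            Case "0x02"
                Return "IGMP " & $src & "->" & $dst
            Case "0x06"
                Local $srcport = Number(BinaryMid($data, $l4, 1)) * 256 + Number(BinaryMid($data, $l4 + 1, 1))
                Local $dstport = Number(BinaryMid($data, $l4 + 2, 1)) * 256 + Number(BinaryMid($data, $l4 + 3, 1))
                ; TCP flags byte is at offset 13 of the TCP header
                Local $flags = BinaryMid($data, $l4 + 13, 1)
                Local $f = ""
                If BitAND($flags, 0x01) Then $f = "Fin "
                If BitAND($flags, 0x02) Then $f &= "Syn "
                If BitAND($flags, 0x04) Then $f &= "Rst "
                If BitAND($flags, 0x08) Then $f &= "Psh "
                If BitAND($flags, 0x10) Then $f &= "Ack "
                If BitAND($flags, 0x20) Then $f &= "Urg "
                If BitAND($flags, 0x40) Then $f &= "Ecn "
                If BitAND($flags, 0x80) Then $f &= "Cwr "
                ; "Syn Ack " -> "Syn,Ack"
                $f = StringTrimRight(StringReplace($f, " ", ","), 1)
                Return "TCP(" & $f & ")->" & $src & ":" & $srcport & "->" & $dst & ":" & $dstport
            Case "0x11"
                Local $srcport = Number(BinaryMid($data, $l4, 1)) * 256 + Number(BinaryMid($data, $l4 + 1, 1))
                Local $dstport = Number(BinaryMid($data, $l4 + 2, 1)) * 256 + Number(BinaryMid($data, $l4 + 3, 1))
                Return "UDP " & $src & ":" & $srcport & " -> " & $dst & ":" & $dstport
            Case Else
                Return "IP " & BinaryMid($data, 24, 1) & " " & $src & " -> " & $dst
        EndSwitch
    EndIf
    If $ethertype = "0x8137" Or $ethertype = "0x8138" Or $ethertype = "0x0022" Or $ethertype = "0x0025" Or $ethertype = "0x002A" Or $ethertype = "0x00E0" Or $ethertype = "0x00FF" Then
        Return "IPX " & $macsrc & " -> " & $macdst
    EndIf
    Return "[" & $ethertype & "] " & $macsrc & " -> " & $macdst
EndFunc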
;~ 作者:wozijisunfly
;~ 创建时间:2014-10-22
;~ 功能:点击gui窗体时反馈的信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
; Window-level event handler (close / minimize / restore) registered by _create_gui.
; On close it releases any open dump and capture handle, frees winpcap, kills the
; progress timers and ends the script; minimize and restore are accepted but ignored.
Func _special_events()
    Switch @GUI_CtrlId
        Case $GUI_EVENT_CLOSE
            ; stop the dump file first, then the capture it belongs to
            If IsPtr($pcapfile) Then _PcapStopCaptureFile($pcapfile)
            If IsPtr($pcap) Then _PcapStopCapture($pcap)
            _PcapFree()
            _Timer_KillAllTimers($gui)
            Exit
        Case $GUI_EVENT_MINIMIZE, $GUI_EVENT_RESTORE
            ; nothing to do
    EndSwitch
EndFunc   ;==>_special_events
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:解析PCAP文件,并返回IP:PORT信息
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
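; Let the user pick a PCAP file, walk every packet in it and collect the distinct
; TCP source endpoints ("src:port") into the combo box.
; Side effects: sets $file_input, $num and $dst_ip[1..$num] ("src:port->dst:port"),
; clears $all_ip_port and the destination label, toggles the controls, runs the
; __point2 progress timer while reading. Returns nothing.
Func _analysis_pcap()
    $file_input = FileOpenDialog("PCAP路径", ".", "Pcap (*.pcap)| Pcap (*.cap)", 1)
    If @error And $file_input == "" Then
        MsgBox(0, "提示信息", "没有选择PCAP文件!请选择。")
        Return
    EndIf
    GUICtrlSetState($scene_name, $GUI_DISABLE)
    GUICtrlSetState($btn_save, $GUI_DISABLE)
    GUICtrlSetState($comb, $GUI_DISABLE)
    GUICtrlSetState($btn_analysis, $GUI_DISABLE)
    ; A selection made on a previously loaded file must not survive into this one,
    ; otherwise _save_pcap would split the new file with the old IP:PORT pair.
    $all_ip_port = ""
    GUICtrlSetData($dst_label, "")
    $pcap = _PcapStartCapture("file://" & $file_input, "", 1)
    If ($pcap = -1) Then
        MsgBox(0, "提示信息", "PCAP文件出错" & @CRLF & _PcapGetLastError())
        GUICtrlSetState($btn_analysis, $GUI_ENABLE) ; let the user pick another file
        Return
    EndIf
    If Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "PCAP文件不能转换一个表达式到指针变量。")
        $num_click = 1
        GUICtrlSetState($btn_analysis, $GUI_ENABLE)
        Return
    EndIf
    ; $src_ip mirrors $dst_ip index-for-index, so give it the same capacity and stop
    ; collecting when that capacity is reached instead of indexing past the end of $dst_ip.
    Local $capacity = UBound($dst_ip)
    Local $src_ip[$capacity], $comb_data = "", $i
    Local $time0 = TimerInit()
    _Timer_SetTimer($gui, 1000, "__point2")
    $num = 0
    While (TimerDiff($time0) < 5000000)
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or read error)
        Local $ips = MyDissector($packet[3])
        If Not StringInStr($ips, "TCP", 1) Then ContinueLoop
        ; "TCP(flags)->src:port->dst:port"
        Local $arr = StringSplit($ips, "->", 1)
        If Not IsArray($arr) Or $arr[0] < 3 Then ContinueLoop
        ; linear de-duplication on the source endpoint; first occurrence wins
        Local $seen = False
        For $i = 1 To $num
            If $src_ip[$i] == $arr[2] Then
                $seen = True
                ExitLoop
            EndIf
        Next
        If $seen Then ContinueLoop
        If $num + 1 >= $capacity Then ExitLoop ; table full: keep what was collected
        $num += 1
        $src_ip[$num] = $arr[2]
        $dst_ip[$num] = $arr[2] & "->" & $arr[3]
    WEnd
    ; reading is finished: release the capture handle so the next open does not leak it,
    ; and forget it so the close handler cannot stop it a second time
    _PcapStopCapture($pcap)
    $pcap = 0
    For $i = 1 To $num
        $comb_data &= "|" & $src_ip[$i]
    Next
    GUICtrlSetState($btn_save, $GUI_ENABLE)
    GUICtrlSetState($scene_name, $GUI_ENABLE)
    GUICtrlSetState($comb, $GUI_ENABLE)
    GUICtrlSetState($btn_analysis, $GUI_ENABLE)
    GUICtrlSetData($dst_label, "")
    GUICtrlSetData($comb, "")
    GUICtrlSetData($comb, $comb_data)
    _Timer_KillAllTimers($gui)
    $num_click = 1
EndFunc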
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:选择下拉列表中的数值,回显出对应的值
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
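; Combo-box handler: find the "src:port->dst:port" entry whose source endpoint equals
; the selected combo value, remember it in $all_ip_port and show its destination in
; $dst_label. Clears $all_ip_port first so a failed lookup leaves nothing selected.
; Matching is on the exact source endpoint: the previous prefix test let "10.0.0.1:80"
; pick up the entry for "10.0.0.1:8080" when that one came first in the table.
; Returns nothing.
Func _check_src_dst()
    Local $i
    ; read the combo by its own id rather than @GUI_CtrlId, which depends on the event
    ; this handler happens to be registered for
    Local $selected = GUICtrlRead($comb)
    $all_ip_port = ""
    If $selected == "" Then Return
    For $i = 1 To $num
        Local $gui_arr = StringSplit($dst_ip[$i], "->", 1)
        If Not IsArray($gui_arr) Or $gui_arr[0] < 2 Then ContinueLoop ; malformed entry
        If $gui_arr[1] == $selected Then
            $all_ip_port = $dst_ip[$i]
            GUICtrlSetData($dst_label, "")
            GUICtrlSetData($dst_label, "目的IP:PORT->" & $gui_arr[2])
            GUICtrlSetFont($dst_label, 12)
            ExitLoop
        EndIf
    Next
EndFunc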
;~ 作者:wozijisunfly
;~ 创建时间:2014-11-10
;~ 功能:按照下拉列表的选择,保存PCAP文件
;~ 参数:
;~ 返回值:无
;~ 修改人:
;~ 修改内容:
;~ 修改时间:
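; Split $file_input into a new PCAP holding only the TCP conversation selected in the
; combo box ($all_ip_port, "src:port->dst:port"), written next to the script as
; "<scene>-<src>_<sport>-<dst>_<dport>.pcap".
; Side effects: disables the controls and shows the __point1 progress dots while working
; and restores them on every exit path (__save_pcap_reset); opens and closes the globals
; $pcap and $pcapfile. Returns nothing; every failure is reported with a MsgBox.
Func _save_pcap()
    GUICtrlSetState($scene_name, $GUI_DISABLE)
    GUICtrlSetState($btn_save, $GUI_DISABLE)
    GUICtrlSetState($comb, $GUI_DISABLE)
    GUICtrlSetState($btn_analysis, $GUI_DISABLE)
    _Timer_SetTimer($gui, 1000, "__point1")
    If StringLen($all_ip_port) == 0 Then
        MsgBox(0, "提示信息", "请选择一个IP:PORT。")
        __save_pcap_reset()
        Return
    EndIf
    ; "src:port->dst:port" -> four fields; each split is checked for the element count
    ; it is indexed with, so a malformed entry ends in a message instead of a runtime error
    Local $ip_port = StringSplit($all_ip_port, "->", 1)
    If Not IsArray($ip_port) Or $ip_port[0] < 2 Then
        MsgBox(0, "提示信息", $all_ip_port & "解析有误,无法进行PCAP包拆分")
        __save_pcap_reset()
        Return
    EndIf
    Local $first = StringSplit($ip_port[1], ":")
    If Not IsArray($first) Or $first[0] < 2 Then
        MsgBox(0, "提示信息", $ip_port[1] & "解析有误,无法进行PCAP包拆分。")
        __save_pcap_reset()
        Return
    EndIf
    Local $second = StringSplit($ip_port[2], ":")
    If Not IsArray($second) Or $second[0] < 2 Then
        MsgBox(0, "提示信息", $ip_port[2] & "解析有误,无法进行PCAP包拆分。")
        __save_pcap_reset()
        Return
    EndIf
    Local $first_ip = $first[1], $first_port = $first[2]
    Local $second_ip = $second[1], $second_port = $second[2]
    ; BPF filter for both directions of the conversation. "tcp port N" would match N as
    ; either source or destination port and could pull in a different conversation, so
    ; the direction is stated explicitly.
    Local $filter = "(ip src " & $first_ip & " && tcp src port " & $first_port
    $filter &= " && ip dst " & $second_ip & " && tcp dst port " & $second_port & ") || ("
    $filter &= "ip src " & $second_ip & " && tcp src port " & $second_port
    $filter &= " && ip dst " & $first_ip & " && tcp dst port " & $first_port & ")"
    ; The scene name is free text typed by the user and becomes part of a path under
    ; @ScriptDir: replace path separators and the other characters Windows forbids in a
    ; file name so the output cannot land outside that directory.
    Local $scene = StringRegExpReplace(GUICtrlRead($scene_name), '[\\/:*?"<>|]', "_")
    Local $file = @ScriptDir & "\" & $scene & "-" & $first_ip & "_" & $first_port & "-" & $second_ip & "_" & $second_port
    If StringLower(StringRight($file, 5)) <> ".pcap" Then $file &= ".pcap"
    If FileExists($file) Then
        MsgBox(0, "提示信息", "已经存在了该场景的文件,若要保存请修改文件名称。")
        __save_pcap_reset()
        Return
    EndIf
    ; a capture handle still open from a previous step would otherwise leak here
    If IsPtr($pcap) Then _PcapStopCapture($pcap)
    $pcap = _PcapStartCapture("file://" & $file_input, $filter, 1)
    If Not IsPtr($pcap) Then
        MsgBox(0, "提示信息", "选中的不是一个PCAP包。")
        __save_pcap_reset()
        Return
    EndIf
    $pcapfile = _PcapSaveToFile($pcap, $file)
    If ($pcapfile = 0) Then
        MsgBox(0, "提示信息", "保存的PCAP文件出错" & _PcapGetLastError())
        _PcapStopCapture($pcap)
        $pcap = 0
        __save_pcap_reset()
        Return
    EndIf
    ; copy every packet that passed the filter into the dump file
    Local $time0 = TimerInit()
    While (TimerDiff($time0) < 5000000)
        Local $packet = _PcapGetPacket($pcap)
        If IsInt($packet) Then ExitLoop ; end of file (or read error)
        _PcapWriteLastPacket($pcapfile)
    WEnd
    ; close and forget both handles so the window-close handler does not stop them again
    _PcapStopCaptureFile($pcapfile)
    $pcapfile = 0
    _PcapStopCapture($pcap)
    $pcap = 0
    __save_pcap_reset()
    $num_click = 1
    MsgBox(0, "提示信息", "PCAP包分析完成。", 3)
EndFunc

; Stop the progress timer, hide the progress labels and re-enable the controls that
; _save_pcap disabled on entry; called on every exit path of _save_pcap.
Func __save_pcap_reset()
    _Timer_KillAllTimers($gui)
    GUICtrlSetState($btn_save, $GUI_ENABLE)
    GUICtrlSetState($scene_name, $GUI_ENABLE)
    GUICtrlSetState($comb, $GUI_ENABLE)
    GUICtrlSetState($btn_analysis, $GUI_ENABLE)
    GUICtrlSetState($wait, $GUI_HIDE)
    GUICtrlSetState($1, $GUI_HIDE)
EndFunc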
; Timer callback (1 s, set by _save_pcap): reveal the "please wait" labels and animate a
; run of 1..7 dots in $1, advancing the shared counter $num_click each tick.
; The timer arguments are unused.
Func __point1($hWnd, $Msg, $iIDTimer, $dwTime)
    #forceref $hWnd, $Msg, $iIDTimer, $dwTime
    GUICtrlSetState($wait, $GUI_SHOW)
    GUICtrlSetState($1, $GUI_SHOW)
    Local $k, $dots = ""
    For $k = 1 To $num_click
        If $num_click == 7 Then
            ; wrap around: restart at a single dot
            $num_click = 1
            $dots = "."
            ExitLoop
        EndIf
        $dots &= "."
    Next
    $num_click += 1
    GUICtrlSetData($1, "")
    GUICtrlSetData($1, $dots)
    GUICtrlSetFont($1, 15)
EndFunc
; Timer callback (1 s, set by _analysis_pcap): animate "正在解析PCAP包 ." .. "......."
; in $dst_label, advancing the shared counter $num_click each tick and wrapping at 7.
; The timer arguments are unused.
Func __point2($hWnd, $Msg, $iIDTimer, $dwTime)
    #forceref $hWnd, $Msg, $iIDTimer, $dwTime
    Local $k, $dots = ""
    For $k = 1 To $num_click
        If $num_click == 7 Then
            ; wrap around: restart at a single dot
            $num_click = 1
            $dots = "."
            ExitLoop
        EndIf
        $dots &= "."
    Next
    $num_click += 1
    GUICtrlSetData($dst_label, "")
    GUICtrlSetData($dst_label, "正在解析PCAP包 " & $dots)
    GUICtrlSetFont($dst_label, 12)
EndFunc