脚本制作原因:

        需从大量的网络数据包文件中获取数据并进行分析

脚本效果:

        可将网络数据包中的目的IP、DNS查询域名及IP的归属地信息写入文件中（归属地是逐个向 ip.cn 在线查询得到的，因此抓包中出现的每个外部目的IP都会被发送给该第三方服务）

完整代码如下:

# !/usr/bin/env python
# -*- coding: utf-8 -*-

import ipaddress
import os
import re
import sys
import threading
import time

import requests
from lxml import etree
# star import kept because the script relies on scapy's rdpcap() being in scope
from scapy.all import *


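# Look up the geolocation ("归属地") of an IP address via ip.cn.
def get_ip_city(ip):
    """Return ``"<ip> <location>"`` for *ip*, or just ``ip`` when the lookup fails.

    The location is scraped from ``https://www.ip.cn/ip/<ip>.html``
    (``div#tab0_address``).  Lookup failure is best-effort: a network error,
    a non-2xx status, an unparsable page or a missing address element all
    yield the bare ``ip`` so the caller still gets a usable report line.

    Args:
        ip: dotted-quad address string (callers pass scapy's ``IP.dst``).

    Returns:
        str: ``ip`` optionally followed by a space and the scraped location.

    NOTE(review): every address passed here is disclosed to a third-party web
    service.  Consider that before running this on captures whose traffic
    patterns are themselves sensitive.
    """
    url = 'https://www.ip.cn/ip/{}.html'.format(ip)
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'
    }
    try:
        # Bounded timeout: without it a stalled lookup hangs the worker
        # thread (and therefore the whole per-file report) forever.
        response = requests.get(url, headers=headers, timeout=10)
        response.raise_for_status()
        html = etree.HTML(response.text)
        city = html.xpath('//div[@id="tab0_address"]/text()')
        result = ip + ' ' + city[0]
    except (requests.RequestException, etree.LxmlError, IndexError, AttributeError) as exc:
        # IndexError: no address element; AttributeError: etree.HTML gave None.
        # Make the failure visible instead of silently degrading the report.
        print('{} 归属地查询失败: {}'.format(ip, exc))
        result = ip

    return result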


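# Collect the destination IPs and DNS query names found in a capture file.
def get_dst_addr(file):
    """Return unique IPv4 destinations and DNS query names from a pcap file.

    Args:
        file: path of a capture that scapy's ``rdpcap`` can read.  ``rdpcap``
            loads the entire file into memory, so very large captures may be
            a problem.

    Returns:
        list: ``[dst_addr_list, dns_list]`` — two de-duplicated lists in
        first-seen order.  Frames without an IPv4 layer (ARP, IPv6,
        truncated data) are skipped; previously indexing ``pkt['IP']`` on
        such a frame raised IndexError and aborted the whole file.
    """
    pcaps = rdpcap(file)
    # dicts act as insertion-ordered sets: O(1) dedup instead of `not in list`
    dst_addrs = {}
    dns_names = {}
    for pkt in pcaps:
        if not pkt.haslayer('IP'):
            continue
        dst_addrs.setdefault(pkt['IP'].dst, None)
        if not pkt.haslayer('DNS'):
            continue
        try:
            # qname comes straight off the wire (untrusted bytes); a missing
            # question record, a None qname or a non-UTF-8 label is skipped
            # rather than allowed to kill the loop.
            qname = pkt['DNS']['DNS Question Record'].qname
            dns = qname.decode('utf-8').strip('.')
        except (IndexError, AttributeError, UnicodeDecodeError):
            continue
        dns_names.setdefault(dns, None)

    return [list(dst_addrs), list(dns_names)]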


# Persist a report string as <file>.txt, encoded as UTF-8.
def save_file(file, message):
    """Write *message* to ``file + '.txt'`` (UTF-8 bytes) and print the path.

    Args:
        file: path of the analysed capture; the report goes next to it.
        message: report text.  Written in binary mode so no newline
            translation happens on Windows.
    """
    out_path = '{}.txt'.format(file)
    payload = message.encode('utf-8')
    with open(out_path, 'wb') as handle:
        handle.write(payload)
        print('{}保存成功'.format(out_path))


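# Per-file driver: ties together get_dst_addr, get_ip_city and save_file.
def main(f, root):
    """Analyse one capture file and write its report to ``<capture>.txt``.

    Args:
        f: file name inside ``root``.  Names ending in ``.txt`` are skipped
            because the reports are written into the same directory tree.
        root: directory that contains ``f``.

    Side effects: one HTTP lookup per unique *global* destination IP (see
    ``get_ip_city``), a console line when addresses outside China are seen,
    and the report file written by ``save_file``.
    """
    pattern_txt = re.compile(r'\.txt$')
    pattern_foreign = re.compile(r'中国|内网')
    if pattern_txt.search(f):
        return
    file = os.path.join(root, f)
    dst_addrs, dns_names = get_dst_addr(file)

    lines = ['访问地址:\n']
    foreign_lines = []
    for ip in dst_addrs:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr is not None and not addr.is_global:
            # Private / loopback / link-local / multicast targets are internal
            # by definition.  Labelling them locally avoids sending the
            # internal address plan to a third-party lookup service, and the
            # '内网' tag keeps them out of the foreign list exactly as the
            # regex above intends (presumably ip.cn reported them that way).
            info = ip + ' 内网\n'
        else:
            info = get_ip_city(ip) + '\n'
        # NOTE(review): a failed lookup returns the bare IP, which matches
        # neither '中国' nor '内网' and is therefore listed as foreign — an
        # over-alert rather than a miss; check the console for lookup errors.
        if not pattern_foreign.search(info):
            foreign_lines.append(info)
        lines.append(info)

    dns_info = '\n'.join(dns_names)
    foreign_iplist = ''.join(foreign_lines)
    if foreign_iplist:
        print('------------{}出现境外IP---'.format(file))
    # '所使用协议:tcp' is a fixed label, not derived from the capture.
    lines.append('\n所使用协议:tcp\n\n分析结果:\n\n访问境外IP:\n{}\n\n访问域名:\n{}'.format(foreign_iplist, dns_info))
    save_file(file, ''.join(lines))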


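if __name__ == '__main__':
    # Directory holding the capture files; the first command-line argument
    # overrides the hard-coded default.
    sdir = sys.argv[1] if len(sys.argv) > 1 else 'E:\\工作资料\\行为分析\\2021.9.7\\2'
    for root, dirs, files in os.walk(sdir):
        # Fresh list per directory so already-joined threads are not re-joined.
        threads = []
        for f in files:
            th = threading.Thread(target=main, args=(f, root))
            th.start()
            threads.append(th)
            # Paces the ip.cn lookups; this sleep is also the only bound on
            # how many worker threads run at once.
            time.sleep(2)

        for th in threads:
            th.join()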
