参考链接
安装库
sudo pip install scapy-ssl_tls
提取ssl/tls中的server_name字段
#from scapy.all import *
from scapy_ssl_tls.ssl_tls import *
# Load the capture and look at packet #2 (the Client Hello in this pcap).
pcaps = rdpcap("159.226.20.6_7609_113.207.81.81_443.pcap")
packet = pcaps[2]

# First SNI entry of the Client Hello, once as the scapy object and once
# flattened to a str; print() with a single argument behaves the same
# under Python 2 and 3.
first_name = packet[TLSExtension].server_names[0]
as_text = str(first_name)
print(first_name)
print(type(first_name))
print(as_text)
print(type(as_text))
结果
new3@new3:~/https/lx$ python pcap.py
kyfw.12306.cn
<class 'scapy_ssl_tls.ssl_tls.TLSServerName'>
kyfw.12306.cn
<type 'str'>
判断一个packet是不是client hello包
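from scapy_ssl_tls.ssl_tls import *

pcaps = rdpcap("159.226.20.6_7609_113.207.81.81_443.pcap")
packet = pcaps[2]

# Probe every layer of interest; haslayer() answers 1/0, which is printed
# verbatim after the label.
LAYER_CHECKS = (
    ('IP layer:', 'IP'),
    ('UDP layer:', 'UDP'),
    ('TCP layer:', 'TCP'),
    ('TLS layer:', 'TLS'),
    ('Client Hello layer:', 'TLSClientHello'),
    ('TLS Extension:', 'TLSExtension'),
)
for label, layer in LAYER_CHECKS:
    print('%s %s' % (label, packet.haslayer(layer)))

# A Client Hello need not carry any extension, and an SNI extension may
# carry no names, so both are checked before indexing.
if packet.haslayer('TLSClientHello') and packet.haslayer('TLSExtension'):
    names = packet[TLSExtension].server_names
    if names:
        first_name = names[0]
        print(first_name)
        print(type(first_name))
        print(str(first_name))
        print(type(str(first_name)))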
IP layer: 1
UDP layer: 0
TCP layer: 1
TLS layer: 0
Client Hello layer: 1
TLS Extension: 1
kyfw.12306.cn
<class 'scapy_ssl_tls.ssl_tls.TLSServerName'>
kyfw.12306.cn
<type 'str'>
pcap2.py:
packet[TLSExtServerNameIndication]可以提取包的server_name字段,其类型是<class 'scapy_ssl_tls.ssl_tls.TLSServerName'>。将其转化成str类型后,用os.rename()函数重命名时会报错,原因是末尾多了一个\0;去掉之后再调用os.rename(),发现重命名后的文件名前面都多了几个乱码字符。查看编码类型是ascii,尝试转码也不对;print server_name[0]打印为空,一直到[3]才出现我们想要的server_name的第一个字符,其他的tls client hello包也是如此。这并不是编码问题:str()得到的是SNI条目的原始字节,前面的1字节name_type和2字节length正好占了3个字节,所以从第三位(下标3)开始提取,就没问题了。
import errno
import os
import shutil
import time

import chardet
from scapy_ssl_tls.ssl_tls import *
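def mkdir(path):
    """Create directory `path` (including parents) if it does not exist yet.

    Creating first and tolerating "already exists" avoids the check-then-act
    window of os.path.exists() followed by os.makedirs(), where a concurrent
    run could create the directory in between and make makedirs() raise.
    Raises OSError for any other failure, including `path` existing as a
    non-directory.
    """
    try:
        os.makedirs(path)
    except OSError as err:
        # EEXIST is benign only when what exists really is a directory.
        if err.errno != errno.EEXIST or not os.path.isdir(path):
            raise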
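def _safe_dir_name(name):
    """Return `name` if it is a plausible hostname usable as ONE path
    component, else None.

    The SNI value comes straight off the wire, so it must not be trusted as
    a path: os.path.join() would honour '/' and '..' inside it and the
    directory could land outside `path`. Only letters, digits, '-' and '.'
    are accepted, the first character may not be '.' (rules out '.', '..'
    and hidden directories), and the length is capped at the 253-byte
    hostname maximum.
    """
    if not name or len(name) > 253 or name[0] == '.' or '..' in name:
        return None
    if not all(c.isalnum() or c in '-.' for c in name):
        return None
    return name


pcaps = rdpcap("159.226.1.186_29646_221.122.179.15_443.pcap")
packet = pcaps[2]
path = '/home/new3/https/https'
print('TLS layer: %s' % packet.haslayer('TLS'))
print('Client Hello layer: %s' % packet.haslayer('TLSClientHello'))
if packet.haslayer('TLSClientHello'):
    # str() of the TLSServerName yields the raw SNI entry: 1-byte name_type
    # + 2-byte length, then the host name -- hence the [3:] slice; the
    # trailing NUL observed in practice is stripped afterwards.
    server_name = str(packet[TLSExtServerNameIndication].server_names[0])
    server_name = server_name[3:]
    server_name = server_name.strip('\0')
    safe_name = _safe_dir_name(server_name)
    if safe_name is None:
        # Do not build a path from an SNI that is not a plain hostname.
        print('skipping SNI that is not a plain hostname: %r' % server_name)
    else:
        out_dir = os.path.join(path, safe_name)
        print(out_dir)
        mkdir(out_dir)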