Parsing DNS rdata with Python

I want to extend the code below by parsing the TXT field data. I just added a check for the TXT field and started parsing the data. However, the rdata field is in little-endian format. I intend to use a regular expression to strip the junk from the Base64-encoded string, which I think would be the better approach.
#!/usr/bin/env python
import dpkt, socket, sys

if len(sys.argv) < 2 or len(sys.argv) > 2:
    print "Usage:\n", sys.argv[0], "filename.pcap"
    sys.exit()

# open the capture in binary mode so the raw packet bytes are not altered
f = open(sys.argv[1], 'rb')
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    # make sure we are dealing with IP traffic
    # ref: http://www.iana.org/assignments/ethernet-numbers
    try: eth = dpkt.ethernet.Ethernet(buf)
    except: continue
    if eth.type != 2048: continue
    # make sure we are dealing with UDP
    # ref: http://www.iana.org/assignments/protocol-numbers/
    try: ip = eth.data
    except: continue
    if ip.p != 17: continue
    # filter on UDP assigned ports for DNS
    # ref: http://www.iana.org/assignments/port-numbers
    try: udp = ip.data
    except: continue
    if udp.sport != 53 and udp.dport != 53: continue
    # make the dns object out of the udp data and check for it being a RR (answer)
    # and for opcode QUERY (I know, counter-intuitive)
    try: dns = dpkt.dns.DNS(udp.data)
    except: continue
    if dns.qr != dpkt.dns.DNS_R: continue
    if dns.opcode != dpkt.dns.DNS_QUERY: continue
    if dns.rcode != dpkt.dns.DNS_RCODE_NOERR: continue
    if len(dns.an) < 1: continue
    # now we're going to process and spit out responses based on record type
    # ref: http://en.wikipedia.org/wiki/List_of_DNS_record_types
    for answer in dns.an:
        if answer.type == 5:
            print "CNAME request", answer.name, "\tresponse", answer.cname
        elif answer.type == 1:
            print "A request", answer.name, "\tresponse", socket.inet_ntoa(answer.rdata)
        elif answer.type == 12:
            print "PTR request", answer.name, "\tresponse", answer.ptrname
I added
        elif answer.type == 16:
            print "TXT request", repr(answer.name), "\tresponse", repr(answer.rdata)
Output
Cr\xe0ax\xdac`\xe0`p\xe5`0\xf9\x9b\xe3\xc0\xe0\xc0\xf6\xf5\xd7\x81\x15\xc9\[email protected]\xcc\xc4 \xb6\xfd\x98\xa7\x8dA\xd9\xf9\nI\xf7\x06\x01\xc6\xf9\x06\xb7\x19\x18\x18\x199\xb8\x18\x98_81\xc8\xfc\xb2\x05\x00\xef|\x115
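The following is an added example and is not part of the original question or of dpkt. In RFC 1035 (section 3.3.14) TXT RDATA is a sequence of character-strings, each a single length byte followed by that many bytes, so the bytes in the output above are length prefixes and data rather than a little-endian integer; the parser below splits them out and then attempts a strict base64 decode of the joined payload. It is Python 3 using only the standard library, and the raw `answer.rdata` bytes from the dpkt loop above can be passed straight to it; the sample RDATA values are constructed, not taken from the question's capture.

```python
import base64
import binascii
import struct


def parse_txt_rdata(rdata):
    """Split TXT RDATA into its <character-string>s (RFC 1035, section 3.3.14).

    Each character-string is one length byte followed by that many bytes of
    data; that one-byte length is the only binary field, so there is no
    endianness to worry about. Raises ValueError on empty or truncated RDATA
    so a caller can flag the malformed record instead of mis-parsing it.
    """
    if not rdata:
        raise ValueError("empty TXT rdata")
    strings = []
    offset = 0
    while offset < len(rdata):
        (length,) = struct.unpack_from("B", rdata, offset)
        offset += 1
        chunk = rdata[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("truncated character-string at offset %d" % (offset - 1))
        strings.append(chunk)
        offset += length
    return strings


def decode_txt_payload(rdata):
    """Join the character-strings and attempt a strict base64 decode.

    Payloads longer than 255 bytes (DKIM keys, or data tunnelled through
    DNS) are split across several character-strings, so the decode must run
    on the joined bytes. Returns (joined, decoded) with decoded set to None
    when the joined text is not valid base64, e.g. an ordinary SPF record.
    """
    joined = b"".join(parse_txt_rdata(rdata))
    try:
        decoded = base64.b64decode(joined, validate=True)
    except (binascii.Error, ValueError):
        decoded = None
    return joined, decoded


# Constructed sample RDATA (not taken from the question's capture).
SAMPLE_SPF = b"\x0bv=spf1 -all\x05hello"    # two plain character-strings
SAMPLE_B64 = b"\x08U2VjcmV0\x08IGRhdGE="    # base64 of "Secret data", split in two
```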
Thanks Pedro, it did the job! – amertkara
@acidrous: Good to know. Feel free to accept it! ;) –