3 versions
0.3.2 | July 9, 2019
0.3.1 | July 8, 2019
0.3.0 | July 8, 2019
Snoopy
A highly configurable, multi-threaded packet sniffer and parser built in Rust (rust-lang).
Features
- Capture packets and write them to a Pcap file, or print them to the console.
- Various configuration parameters can be specified while capturing packets.
- Parse Pcap files and print them to the console, or extract further details from each packet and store them in a JSON file.
- Parse packets using multiple threads.
- Filter packets while parsing and capturing.
- The following protocols are currently supported:
  - Ethernet
  - IPv4
  - IPv6
  - ARP
  - TCP
  - UDP
  - DNS
  - TLS
The generated JSON file looks like this:
[{
    "Ok": {
        "len": 11,
        "timestamp": "1234567890.123456",
        "headers": [{
                "Tls": {
                    ...
                }
            },
            {
                "Tcp": {
                    ...
                }
            }, {
                "Ipv4": {
                    ...
                }
            }, {
                "Ether": {
                    ...
                }
            }
        ],
        "remaining": [...]
    }
},
...
]
Installation
Make sure libpcap-dev (Ubuntu) or the equivalent package for your system is installed. Then run the following command from the command line inside the project folder:
cargo install snoopy
Quick start
Capture packets and print them to the console:
➜ sudo snoopy capture run
--------------------
Sniffing wlp3s0
--------------------
Source IP | Source Port | Dest IP | Dest Port | Protocol | Length | Timestamp |
------------------------------------------------------------------------------------------------------------------------------------
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 10078 | 1562310108.589373
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 54 | 1562310108.589468
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 10078 | 1562310108.890490
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 54 | 1562310108.890547
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 1486 | 1562310109.197739
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 54 | 1562310109.197795
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 1486 | 1562310109.197841
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 66 | 1562310109.197865
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 2918 | 1562310109.197887
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 74 | 1562310109.197906
52.216.185.195 | 443 | 10.20.197.103 | 38522 | Tcp | 1486 | 1562310109.197965
10.20.197.103 | 38522 | 52.216.185.195 | 443 | Tcp | 74 | 1562310109.197984
35.154.102.71 | 443 | 10.20.197.103 | 56572 | Tls | 160 | 1562310109.262324
10.20.197.103 | 56572 | 35.154.102.71 | 443 | Tcp | 66 | 1562310109.262383
Capture packets and save them to a Pcap file:
➜ sudo snoopy capture run --timeout 10000 --savefile captured.pcap
Note: root privileges are required to capture network packets.
Parse a Pcap file and print it to the console:
➜ snoopy parse ./Sample/captured.pcap
Parse a Pcap file and print it to the console, with a filter:
➜ snoopy parse ./Sample/captured.pcap --filter "tcp port 443"
The command above prints all TCP packets whose source or destination port is 443.
Parse a Pcap file and save the result to a JSON file:
➜ snoopy parse ./Sample/captured.pcap --savefile ./parsed.json
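As an added illustration (not part of the Snoopy project's code) of consuming the JSON that --savefile writes and of the port-443 selection that --filter "tcp port 443" performs: a small Python reader that walks each packet's header stack, reproduces the console "Protocol" column from the innermost header, applies the port filter, and keeps Ok and Err entries apart. The header field names (src_port, dst_port) and the shape of an Err entry are assumptions, since the page elides them.

```python
import json
from collections import Counter

# Constructed sample in the shape of snoopy's parsed JSON output (headers are
# listed innermost-first, as on the page). Assumptions: the field names inside
# each header ("src_port", "dst_port") are not shown on the page and are chosen
# here; an "Err" entry is assumed to carry a short message string.
SAMPLE_JSON = """[
 {"Ok": {"len": 160, "timestamp": "1562310109.262324", "remaining": [],
         "headers": [{"Tls": {}}, {"Tcp": {"src_port": 443, "dst_port": 56572}},
                     {"Ipv4": {}}, {"Ether": {}}]}},
 {"Ok": {"len": 66, "timestamp": "1562310109.262383", "remaining": [],
         "headers": [{"Tcp": {"src_port": 56572, "dst_port": 443}},
                     {"Ipv4": {}}, {"Ether": {}}]}},
 {"Ok": {"len": 86, "timestamp": "1562310109.300000", "remaining": [],
         "headers": [{"Dns": {}}, {"Udp": {"src_port": 53, "dst_port": 51000}},
                     {"Ipv4": {}}, {"Ether": {}}]}},
 {"Err": "truncated packet"}
]"""
ENTRIES = json.loads(SAMPLE_JSON)

def header_names(entry):
    """Protocol names innermost-first for an Ok entry, [] for an Err entry."""
    pkt = entry.get("Ok")
    return [] if pkt is None else [name for hdr in pkt["headers"] for name in hdr]

def top_protocol(entry):
    """Highest-layer protocol, i.e. what the console 'Protocol' column shows."""
    names = header_names(entry)
    return names[0] if names else None

def tcp_port_matches(entry, port):
    """Same selection as --filter "tcp port 443": a TCP header with src or dst port."""
    for hdr in entry.get("Ok", {}).get("headers", []):
        if "Tcp" in hdr:
            return port in (hdr["Tcp"].get("src_port"), hdr["Tcp"].get("dst_port"))
    return False

def summarize(entries):
    """Packet counts per top protocol, total bytes and number of parse errors."""
    ok = [e for e in entries if "Ok" in e]
    return {"by_protocol": dict(Counter(top_protocol(e) for e in ok)),
            "bytes": sum(e["Ok"]["len"] for e in ok),
            "errors": len(entries) - len(ok)}
```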
Documentation
All commands and subcommands are listed below.
USAGE:
snoopy [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
capture Capture packets from interfaces.
help Prints this message or the help of the given subcommand(s)
parse Parse pcap files.
USAGE:
snoopy capture [SUBCOMMAND]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
list List all interfaces.
run Start capturing packets.
USAGE:
snoopy capture run [FLAGS] [OPTIONS]
FLAGS:
-h, --help Prints help information
-p, --promisc Set promiscuous mode on or off. By default, this is off.
-r, --rfmon Set rfmon mode on or off. The default is maintained by pcap.
-V, --version Prints version information
OPTIONS:
-b, --buffer_size <buffer_size> Set the buffer size for incoming packet data. The default is 1000000. This should
always be larger than the snaplen.
--handle <device_handle> Specify the device interface
-f, --filter <filter> Set filter to the capture using the given BPF program string.
--precision <precision> Set the time stamp precision returned in captures (Micro/Nano).
--savefile <savefile> Save the captured packets to file.
-s, --snaplen <snaplen> Set the snaplen size (the maximum length of a packet captured into the buffer).
Useful if you only want certain headers, but not the entire packet.The default is
65535.
-t, --timeout <timeout> Set the read timeout for the Capture. By default, this is 0, so it will block
indefinitely.
--tstamp_type <tstamp_type> Set the time stamp type to be used by a capture device (Host / HostLowPrec /
HostHighPrec / Adapter / AdapterUnsynced).
USAGE:
snoopy parse [OPTIONS] <file_name>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-f, --filter <filter> Set filter to the capture using the given BPF program string.
-s, --savefile <savefile> Parse the packets into JSON and save them to memory.
ARGS:
<file_name>
Note: filters can be defined according to the syntax specified here.
Docker
Run the following commands from the command line inside the project folder:
docker build -t snoopy .
docker container run -it snoopy
Build
Run the following command from the command line inside the project folder:
cargo build
To do
- Benchmarking
- Support for other protocols
License
This project is licensed under the MIT license.