
Installing and using pyshark on ubuntu:20.04

1. Create the container

The command docker run -d --name pyshark -v D:\src:/root/share ubuntu:20.04 /bin/bash -c "while true;do sleep 1000;done" creates and starts a new Docker container.

docker run -d --name pyshark -v D:\src:/root/share ubuntu:20.04 /bin/bash -c "while true;do sleep 1000;done"
5bd3f36da18ef4cf158ef021ed411a53cb5b5ea65e306c6c03025e26b1f5553c

2. Enter the container

The command docker exec -it pyshark /bin/bash enters a running Docker container and starts an interactive Bash shell session.

 docker exec -it pyshark /bin/bash

3. Update and install

apt update
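Purpose: update the package lists.
Explanation: apt update fetches the latest package information from the configured software sources (usually /etc/apt/sources.list and the files under /etc/apt/sources.list.d/) and refreshes the local package index. It is a necessary step before installing new packages or upgrading existing ones.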


apt install -y python3-pip
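Purpose: install the python3-pip package.
Explanation:
apt install installs the specified packages.
The -y flag automatically confirms every prompt (answers "yes"), which avoids interactive prompts in automated scripts.
python3-pip is the pip package manager for Python 3. pip is a tool for installing and managing Python packages.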


pip install pyshark
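Purpose: install the pyshark library with pip.
Explanation:
pip is Python's package manager, used to install and manage Python packages.
The install command installs the specified package.
pyshark is a Python library for parsing network packets; it depends on libpcap and tshark (Wireshark's command-line tool).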

apt update
apt install -y python3-pip
pip install pyshark

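4. Install tshark. For the time zone prompts choose Asia, then Shanghai (6 and 70); answer yes to the following prompt so that non-root users can run it.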

apt update
apt install -y tshark

Installation is now complete.

Parsing a pcap file (download link): [Free] pcap file resources for MQTT and other protocols - CSDN Library

Python code

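import pyshark

# Read the PCAP file
pcap_file = 'exported_tr01.pcap'  # Replace with the path to your PCAP file
cap = pyshark.FileCapture(pcap_file)

# Iterate over the packets and collect the MQTT packets
mqtt_packets = []
for packet in cap:
    if 'MQTT' in packet:
        mqtt_packets.append(packet)
cap.close()  # Stop the underlying tshark process

# Print the MQTT packets
for mqtt_packet in mqtt_packets:
    print(mqtt_packet)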

Result:

Command: tshark -r exported_tr01.pcap -Y "mqtt"

root@5bd3f36da18e:~/share/tshark_py# tshark -r exported_tr01.pcap -Y "mqtt"
Running as user "root" and group "root". This could be dangerous.
4   0.096000  10.21.56.15 ? 8.137.154.246 MQTT 91 Connect Command
6   0.149000 8.137.154.246 ? 10.21.56.15  MQTT 58 Connect Ack
9   0.396000 8.137.154.246 ? 10.21.56.15  MQTT 58 [TCP Spurious Retransmission] , Connect Ack
13   0.434000  10.21.56.15 ? 8.137.154.246 MQTT 105 Connect Command
15   0.519000 8.137.154.246 ? 10.21.56.15  MQTT 58 Connect Ack
17   0.787000  10.21.56.15 ? 8.137.154.246 MQTT 91 Subscribe Request (id=26163) [hello101] [hello102] [hello103]
18   0.835000 8.137.154.246 ? 10.21.56.15  MQTT 61 Subscribe Ack (id=26163)
19   0.835000 8.137.154.246 ? 10.21.56.15  MQTT 68 Publish Message [hello101]
21   1.264000  10.21.56.15 ? 8.137.154.246 MQTT 69 Subscribe Request (id=44324) [hello103]
22   1.321000 8.137.154.246 ? 10.21.56.15  MQTT 59 Subscribe Ack (id=44324)
24   1.552000  10.21.56.15 ? 8.137.154.246 MQTT 69 Subscribe Request (id=44325) [hello103]
25   1.615000 8.137.154.246 ? 10.21.56.15  MQTT 59 Subscribe Ack (id=44325)
27   1.908000  10.21.56.15 ? 8.137.154.246 MQTT 82 Subscribe Request (id=26164) [cx001] [cx111] [cx221]
28   1.968000 8.137.154.246 ? 10.21.56.15  MQTT 61 Subscribe Ack (id=26164)
30   2.201000  10.21.56.15 ? 8.137.154.246 MQTT 125 Subscribe Request (id=26165) [123456789abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXY\0Z]
31   2.251000 8.137.154.246 ? 10.21.56.15  MQTT 59 Subscribe Ack (id=26165)
33   2.479000  10.21.56.15 ? 8.137.154.246 MQTT 65 Unsubscribe Request (id=26166)
34   2.532000 8.137.154.246 ? 10.21.56.15  MQTT 58 Unsubscribe Ack (id=26166)
36   2.779000  10.21.56.15 ? 8.137.154.246 MQTT 79 Unsubscribe Request (id=26167)
37   2.816000 8.137.154.246 ? 10.21.56.15  MQTT 58 Unsubscribe Ack (id=26167)
39   3.050000  10.21.56.15 ? 8.137.154.246 MQTT 124 Unsubscribe Request (id=26168)
40   3.128000 8.137.154.246 ? 10.21.56.15  MQTT 58 Unsubscribe Ack (id=26168)
42   3.379000  10.21.56.15 ? 8.137.154.246 MQTT 318 Subscribe Request (id=26169)[Packet size limited during capture]
43   3.436000 8.137.154.246 ? 10.21.56.15  MQTT 59 Subscribe Ack (id=26169)
45   3.715000  10.21.56.15 ? 8.137.154.246 MQTT 70 Subscribe Request (id=26170) [hello103c]
46   3.768000 8.137.154.246 ? 10.21.56.15  MQTT 59 Subscribe Ack (id=26170)
48   3.984000  10.21.56.15 ? 8.137.154.246 MQTT 321 Subscribe Request (id=26171)[Packet size limited during capture]
49   4.053000 8.137.154.246 ? 10.21.56.15  MQTT 59 Subscribe Ack (id=26171)
51   4.332000  10.21.56.15 ? 8.137.154.246 MQTT 68 Unsubscribe Request (id=44326)
52   4.385000 8.137.154.246 ? 10.21.56.15  MQTT 58 Unsubscribe Ack (id=44326)
53   4.517000  10.21.56.15 ? 8.137.154.246 MQTT 67 Publish Message [hello103c]
54   4.570000 8.137.154.246 ? 10.21.56.15  MQTT 67 Publish Message [hello103c]
57   4.686000 8.137.154.246 ? 10.21.56.15  MQTT 58 [TCP Spurious Retransmission] , Unsubscribe Ack (id=44326)
59   4.940000  10.21.56.15 ? 8.137.154.246 MQTT 246 Publish Message (id=26173) [hello103c][Packet size limited during capture]
60   4.987000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26173)
61   4.987000 8.137.154.246 ? 10.21.56.15  MQTT 244 Publish Message [hello103c][Packet size limited during capture]
63   5.341000  10.21.56.15 ? 8.137.154.246 MQTT 1037 Publish Message (id=26174) [hello103c][Packet size limited during capture]
64   5.435000 8.137.154.246 ? 10.21.56.15  MQTT 1039 Publish Ack (id=26174), Publish Message [hello103c][Packet size limited during capture]
66   5.742000  10.21.56.15 ? 8.137.154.246 MQTT 1454 Publish Message (id=26175) [hello103c][Malformed Packet: length of contained item exceeds length of containing item]
67   5.742000  10.21.56.15 ? 8.137.154.246 MQTT 663 Publish Message[Unreassembled Packet], Connect Ack
69   5.809000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26175)
70   5.810000 8.137.154.246 ? 10.21.56.15  MQTT 1454 Publish Message [hello103c][Malformed Packet: length of contained item exceeds length of containing item]
71   5.810000 8.137.154.246 ? 10.21.56.15  MQTT 661 Publish Received (id=13865), Publish Release (id=18046)
74   6.042000  10.21.56.15 ? 8.137.154.246 MQTT 70 Publish Message [hello101]
75   6.089000 8.137.154.246 ? 10.21.56.15  MQTT 70 Publish Message [hello101]
77   6.437000  10.21.56.15 ? 8.137.154.246 MQTT 66 Publish Message [hello101]
78   6.475000 8.137.154.246 ? 10.21.56.15  MQTT 66 Publish Message [hello101]
80   6.722000  10.21.56.15 ? 8.137.154.246 MQTT 113 Publish Message [hello103]
81   6.776000 8.137.154.246 ? 10.21.56.15  MQTT 113 Publish Message [hello103]
83   7.061000  10.21.56.15 ? 8.137.154.246 MQTT 115 Publish Message (id=26179) [hello103]
84   7.139000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26179)
85   7.139000 8.137.154.246 ? 10.21.56.15  MQTT 115 Publish Message (id=1) [hello103]
87   7.208000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=1)
89   7.346000  10.21.56.15 ? 8.137.154.246 MQTT 176 Publish Message [hello101][Packet size limited during capture]
91   7.393000 8.137.154.246 ? 10.21.56.15  MQTT 176 Publish Message [hello101][Packet size limited during capture]
93   7.624000  10.21.56.15 ? 8.137.154.246 MQTT 178 Publish Message (id=26181) [hello101][Packet size limited during capture]
94   7.693000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26181)
95   7.693000 8.137.154.246 ? 10.21.56.15  MQTT 176 Publish Message [hello101][Packet size limited during capture]
97   7.894000  10.21.56.15 ? 8.137.154.246 MQTT 74 Publish Message (id=26182) [hello101]
98   7.947000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Received (id=26182)
99   7.947000 8.137.154.246 ? 10.21.56.15  MQTT 72 Publish Message [hello101]
101   8.025000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Release (id=26182)
102   8.079000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Complete (id=26182)
104   8.179000  10.21.56.15 ? 8.137.154.246 MQTT 178 Publish Message (id=26183) [hello101][Packet size limited during capture]
105   8.248000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Received (id=26183)
106   8.248000 8.137.154.246 ? 10.21.56.15  MQTT 176 Publish Message [hello101][Packet size limited during capture]
108   8.316000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Release (id=26183)
109   8.363000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Complete (id=26183)
111   8.464000  10.21.56.15 ? 8.137.154.246 MQTT 176 Publish Message [hello102][Packet size limited during capture]
112   8.511000 8.137.154.246 ? 10.21.56.15  MQTT 176 Publish Message [hello102][Packet size limited during capture]
114   8.742000  10.21.56.15 ? 8.137.154.246 MQTT 178 Publish Message (id=26185) [hello102][Packet size limited during capture]
115   8.811000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26185)
116   8.811000 8.137.154.246 ? 10.21.56.15  MQTT 178 Publish Message (id=2) [hello102][Packet size limited during capture]
118   8.896000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=2)
120   9.065000  10.21.56.15 ? 8.137.154.246 MQTT 73 Publish Message (id=26186) [hello102]
122   9.128000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Received (id=26186)
123   9.128000 8.137.154.246 ? 10.21.56.15  MQTT 73 Publish Message (id=3) [hello102]
125   9.202000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Release (id=26186)
126   9.212000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=3)
127   9.243000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Complete (id=26186)
130   9.572000  10.21.56.15 ? 8.137.154.246 MQTT 178 Publish Message (id=26187) [hello102][Packet size limited during capture]
132   9.625000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Received (id=26187)
133   9.625000 8.137.154.246 ? 10.21.56.15  MQTT 178 Publish Message (id=4) [hello102][Packet size limited during capture]
135   9.710000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Release (id=26187)
136   9.725000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=4)
138   9.768000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Complete (id=26187)
139   9.850000  10.21.56.15 ? 8.137.154.246 MQTT 176 Publish Message [hello103][Packet size limited during capture]
140   9.925000 8.137.154.246 ? 10.21.56.15  MQTT 176 Publish Message [hello103][Packet size limited during capture]
141  10.126000  10.21.56.15 ? 8.137.154.246 MQTT 178 Publish Message (id=26189) [hello103][Packet size limited during capture]
142  10.195000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26189)
143  10.195000 8.137.154.246 ? 10.21.56.15  MQTT 178 Publish Message (id=5) [hello103][Packet size limited during capture]
145  10.273000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=5)
147  10.411000  10.21.56.15 ? 8.137.154.246 MQTT 178 Publish Message (id=26190) [hello103][Packet size limited during capture]
149  10.474000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Received (id=26190)
150  10.474000 8.137.154.246 ? 10.21.56.15  MQTT 178 Publish Message (id=6) [hello103][Packet size limited during capture]
152  10.558000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Release (id=26190)
153  10.574000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Received (id=6)
154  10.627000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Complete (id=26190)
155  10.643000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Release (id=6)
157  10.728000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Complete (id=6)
158  10.743000  10.21.56.15 ? 8.137.154.246 MQTT 179 Publish Message (id=26191) [hello101][Packet size limited during capture]
160  10.797000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Received (id=26191)
161  10.797000 8.137.154.246 ? 10.21.56.15  MQTT 177 Publish Message [hello101][Packet size limited during capture]
163  10.875000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Release (id=26191)
164  10.928000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Complete (id=26191)
165  11.028000  10.21.56.15 ? 8.137.154.246 MQTT 1093 Publish Message (id=26192) [hello103][Packet size limited during capture]
166  11.097000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26192)
167  11.097000 8.137.154.246 ? 10.21.56.15  MQTT 1093 Publish Message (id=7) [hello103][Packet size limited during capture]
169  11.175000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=7)
171  11.414000  10.21.56.15 ? 8.137.154.246 MQTT 1093 Publish Message (id=26193) [hello103][Packet size limited during capture]
173  11.476000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26193)
174  11.476000 8.137.154.246 ? 10.21.56.15  MQTT 1093 Publish Message (id=8) [hello103][Packet size limited during capture]
176  11.561000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=8)
178  11.746000  10.21.56.15 ? 8.137.154.246 MQTT 70 Publish Message (id=26194) [hello103]
180  11.799000 8.137.154.246 ? 10.21.56.15  MQTT 74 Publish Ack (id=26194), Publish Message (id=9) [hello103]
181  11.877000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=9)
183  12.378000  10.21.56.15 ? 8.137.154.246 MQTT 1093 Publish Message (id=26195) [hello103][Packet size limited during capture]
185  12.447000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26195)
186  12.447000 8.137.154.246 ? 10.21.56.15  MQTT 1093 Publish Message (id=10) [hello103][Packet size limited during capture]
188  12.532000  10.21.56.15 ? 8.137.154.246 MQTT 58 Publish Ack (id=10)
189  12.648000  10.21.56.15 ? 8.137.154.246 MQTT 78 Publish Message (id=26196) [hello1retain1]
192  12.694000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26196)
194  12.933000  10.21.56.15 ? 8.137.154.246 MQTT 74 Subscribe Request (id=26197) [hello1retain1]
195  12.995000 8.137.154.246 ? 10.21.56.15  MQTT 81 Subscribe Ack (id=26197), Publish Message [hello1retain1]
197  13.218000  10.21.56.15 ? 8.137.154.246 MQTT 78 Publish Message (id=26198) [hello1retain0]
198  13.249000 8.137.154.246 ? 10.21.56.15  MQTT 58 Publish Ack (id=26198)
200  13.496000  10.21.56.15 ? 8.137.154.246 MQTT 74 Subscribe Request (id=26199) [hello1retain0]
201  13.534000 8.137.154.246 ? 10.21.56.15  MQTT 59 Subscribe Ack (id=26199)
205  23.706000  10.21.56.15 ? 8.137.154.246 MQTT 67 Publish Message [hello103c]
206  23.759000 8.137.154.246 ? 10.21.56.15  MQTT 67 Publish Message [hello103c]
207  23.975000  10.21.56.15 ? 8.137.154.246 MQTT 71 Publish Message [hello103]
208  24.029000 8.137.154.246 ? 10.21.56.15  MQTT 71 Publish Message [hello103]
210  24.323000  10.21.56.15 ? 8.137.154.246 MQTT 70 Publish Message [hello103]
211  24.392000 8.137.154.246 ? 10.21.56.15  MQTT 70 Publish Message [hello103]
213  24.608000  10.21.56.15 ? 8.137.154.246 MQTT 72 Publish Message [hello103]
214  24.646000 8.137.154.246 ? 10.21.56.15  MQTT 72 Publish Message [hello103]
216  24.877000  10.21.56.15 ? 8.137.154.246 MQTT 323 Publish Message [hello103][Packet size limited during capture]
217  24.962000 8.137.154.246 ? 10.21.56.15  MQTT 323 Publish Message [hello103][Packet size limited during capture]
219  25.278000  10.21.56.15 ? 8.137.154.246 MQTT 70 Publish Message [hello103]
220  25.325000 8.137.154.246 ? 10.21.56.15  MQTT 70 Publish Message [hello103]
226  47.349000  10.21.56.15 ? 8.137.154.246 MQTT 56 Disconnect Req
227  47.403000  10.21.56.15 ? 8.137.154.246 MQTT 56 Disconnect Req

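An MQTT (Message Queuing Telemetry Transport) packet usually contains several layers. In the packet dissection below, the packet contains several layers, each responsible for a different function. Each layer is explained in detail below:

1. Ethernet layer (ETH)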
Destination: 00:00:00:00:00:00
Source: 00:00:00:00:00:00
Type: IPv4 (0x0800)
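The Ethernet layer handles delivery by physical address, ensuring the packet is carried correctly within the local network. Here both the source and the destination MAC address are all zeros, which usually indicates an invalid or unset address.

2. IP layer (IP)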
Version: 4
Header Length: 20 bytes (5)
Differentiated Services Field: 0x04 (DSCP: LE, ECN: Not-ECT)
Total Length: 53
Identification: 0x0f00 (3840)
Flags: 0x4000, Don't fragment
Fragment offset: 0
Time to live: 49
Protocol: TCP (6)
Header checksum: 0x551c [validation disabled]
Source: 8.137.154.246
Destination: 10.21.56.15
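The IP layer carries the packet at the network layer, ensuring it travels from the source address to the destination address. Here the source IP address is 8.137.154.246 and the destination IP address is 10.21.56.15.

3. TCP layer (TCP)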
Source Port: 1883
Destination Port: 64033
Sequence number: 7939 (relative sequence number)
Acknowledgment number: 8748 (relative ack number)
Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window size value: 378
Checksum: 0x4d14 [unverified]
Urgent pointer: 0
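The TCP layer provides reliable end-to-end communication. Here the source port is 1883, the default port for the MQTT protocol, and the destination port is 64033. The TCP flags PSH and ACK indicate an acknowledgment segment with the push flag set.

4. MQTT layer (MQTT)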
Header Flags: 0x30, Message Type: Publish Message, QoS Level: At most once delivery (Fire and Forget)
Msg Len: 11
Topic Length: 9
Topic: hello103c
Message: <MISSING>
The MQTT layer carries the actual MQTT message. This is a Publish Message with QoS level 0, meaning "at most once" delivery (Fire and Forget). The topic is hello103c, but the message content is missing.
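
The MQTT fields listed in section 4, decoded by hand from raw bytes; this is an added example, not code from the original post. The sample bytes are reconstructed from the listed values (0x30, Msg Len 11, Topic Length 9, topic hello103c), and the function names are this example's own. With those values the remaining length leaves zero payload bytes, which is consistent with the Message: <MISSING> line, and the parser also flags the truncated and malformed cases that appear in the tshark output above.

```python
import struct

# Constructed sample: the PUBLISH from section 4, rebuilt from its listed
# fields (Header Flags 0x30, Msg Len 11, Topic Length 9, Topic hello103c).
SAMPLE_PUBLISH = bytes([0x30, 0x0B, 0x00, 0x09]) + b"hello103c"


def decode_remaining_length(buf, pos=1):
    """Decode the variable-length 'Msg Len' field; return (value, next_pos)."""
    value = 0
    for i in range(4):  # MQTT allows at most four length bytes
        if pos + i >= len(buf):
            raise ValueError("truncated remaining-length field")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:  # continuation bit clear: last length byte
            return value, pos + i + 1
    raise ValueError("remaining-length field longer than four bytes")


def parse_publish(buf):
    """Parse one MQTT 3.1.1 PUBLISH starting at the first byte of buf."""
    if len(buf) < 2 or buf[0] >> 4 != 3:
        raise ValueError("not an MQTT PUBLISH packet")
    flags = buf[0] & 0x0F
    qos = (flags >> 1) & 0x03
    msg_len, pos = decode_remaining_length(buf)
    body = buf[pos:pos + msg_len]
    truncated = len(body) < msg_len  # capture holds fewer bytes than declared
    if len(body) < 2:
        raise ValueError("no room for the topic length field")
    (topic_len,) = struct.unpack_from("!H", body, 0)
    offset = 2 + topic_len
    if offset > len(body):
        raise ValueError("topic length exceeds the bytes available")
    packet_id = None
    if qos:  # QoS 1 and 2 carry a 2-byte packet identifier after the topic
        if offset + 2 > len(body):
            raise ValueError("no room for the packet identifier")
        (packet_id,) = struct.unpack_from("!H", body, offset)
        offset += 2
    return {
        "qos": qos, "retain": bool(flags & 0x01), "dup": bool(flags & 0x08),
        "msg_len": msg_len, "topic": body[2:2 + topic_len].decode("utf-8", "replace"),
        "packet_id": packet_id, "payload": body[offset:], "truncated": truncated,
    }


if __name__ == "__main__":
    print(parse_publish(SAMPLE_PUBLISH))
```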

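Summary
Ethernet layer: handles physical addresses and transmission within the local network.
IP layer: handles network-layer transmission, ensuring the packet travels from the source address to the destination address.
TCP layer: provides reliable end-to-end communication.
MQTT layer: handles MQTT protocol message transport, including operations such as publish and subscribe.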
