批量获取网络数据包文件中的IP和DNS 并对IP进行地址归属地查询

脚本制作原因：

需从大量的网络数据包文件中获取数据并进行分析

脚本效果：

可将网络数据包中的IP和DNS及IP的归属地信息写入文件中

完整代码如下：

# ！/usr/bin/env python# -*- coding: utf-8 -*-from scapy.all import *import requestsfrom lxml import etreeimport osimport reimport threading# 获取IP的归属地def get_ip_city(ip):passurl = '/ip/{}.html'.format(ip)headers = {'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36'}response = requests.get(url, headers=headers).text# print(response)html = etree.HTML(response)city = html.xpath('//div[@id="tab0_address"]/text()')# print(ip, city[0])try:result = ip + ' ' + city[0]# print(result)except:result = ipreturn result# 获取抓包文件的目的地址和DNSdef get_dst_addr(file):pcaps = rdpcap(file)# print(len(pcaps))# print(pcaps[0]['IP'].src)dst_addr_list = []dns_list = []for i in range(0, len(pcaps)):# print(pcaps[i]['IP'].src)dst_addr = pcaps[i]['IP'].dstif dst_addr not in dst_addr_list:dst_addr_list.append(dst_addr)try:dns = pcaps[i]['DNS']['DNS Question Record'].qname.decode('utf-8').strip('.')if dns not in dns_list:dns_list.append(dns)except:pass# return dst_addr_listreturn [dst_addr_list, dns_list]# 将数据写入文本def save_file(file, message):fn = file + '.txt'with open(fn, 'wb') as f:f.write(message.encode('utf-8'))print('{}保存成功'.format(fn))# 主程序，调用save_file、get_dst_addr、get_ip_city三个函数def main(f, root):pattern_txt = pile(r'\.txt$')pattern_foreign = pile(r'中国|内网')if not pattern_txt.search(f):message = '访问地址：\n'file = os.path.join(root, f)ip_dns_list = get_dst_addr(file)foreign_iplist = ''for ip in ip_dns_list[0]:info = get_ip_city(ip) + '\n'if not pattern_foreign.search(info):foreign_iplist += infomessage = message + infoif len(ip_dns_list[1]) == 0:passdns_info = ''else:dns_info = '\n'.join(ip_dns_list[1])if foreign_iplist != '':print('------------{}出现境外IP---'.format(file))message += '\n所使用协议：tcp\n\n分析结果：\n\n访问境外IP：\n{}\n\n访问域名：\n{}'.format(foreign_iplist, dns_info)save_file(file, message)if __name__ == '__main__':threads = []# 存放网络数据包的文件目录sdir = 'E:\\工作资料\\行为分析\\.9.7\\2'for root, dirs, files in os.walk(sdir):message = '访问地址：\n'for f in files:th = threading.Thread(target=main, args=(f, root))th.start()threads.append(th)time.sleep(2)for th in threads:th.join()