1. Creating the container
Command: docker run -d --name pyshark -v D:\src:/root/share ubuntu:2004 /bin/bash -c "while true;do sleep 1000;done"
Creates and starts a new Docker container: detached (-d), named pyshark, with the host directory D:\src mounted at /root/share, and kept alive by the endless sleep loop so it can be entered later.
docker run -d --name pyshark -v D:\src:/root/share ubuntu:2004 /bin/bash -c "while true;do sleep 1000;done"
5bd3f36da18ef4cf158ef021ed411a53cb5b5ea65e306c6c03025e26b1f5553c
2. Entering the container
Command: docker exec -it pyshark /bin/bash
Attaches to a running Docker container and opens an interactive Bash shell session inside it.
docker exec -it pyshark /bin/bash
3. Updating and installing packages
apt update
Purpose: refresh the package lists.
Explanation: apt update fetches the latest package information from the configured sources (normally /etc/apt/sources.list and the files under /etc/apt/sources.list.d/) and updates the local package index. This is a necessary step before installing new packages or upgrading existing ones.
apt install -y python3-pip
Purpose: install the python3-pip package.
Explanation:
apt install installs the named package.
The -y flag answers "yes" to every prompt automatically, which avoids interactive prompts in automated scripts.
python3-pip is the pip package manager for Python 3; pip is the tool used to install and manage Python packages.
pip install pyshark
Purpose: install the pyshark library with pip.
Explanation:
pip is Python's package manager, used to install and manage Python packages.
install installs the named package.
pyshark is a Python library for parsing network packets; it depends on libpcap and on tshark (Wireshark's command-line tool).
apt update
apt install -y python3-pip
pip install pyshark
4. Installing tshark. During installation choose the Asia/Shanghai time zone (6, then 70), and answer yes to the question that follows so that non-root users are allowed to capture.
apt update
apt install -y tshark
Installation is complete at this point.
Parsing a pcap file (download link): 【免费】mqtt等协议的pcap文件资源-CSDN文库 ([Free] pcap files for MQTT and other protocols, CSDN 文库)
Python code:
import pyshark

# Read the PCAP file
pcap_file = 'exported_tr01.pcap'  # replace with the path to your PCAP file
cap = pyshark.FileCapture(pcap_file)

# Iterate over the packets and collect those that carry an MQTT layer
mqtt_packets = []
for packet in cap:
    if 'MQTT' in packet:
        mqtt_packets.append(packet)

# Print the MQTT packets (full dissection, one layer after another)
for mqtt_packet in mqtt_packets:
    print(mqtt_packet)

cap.close()  # terminate the tshark subprocess pyshark started
Result:
Command: tshark -r exported_tr01.pcap -Y "mqtt"
root@5bd3f36da18e:~/share/tshark_py# tshark -r exported_tr01.pcap -Y "mqtt"
Running as user "root" and group "root". This could be dangerous.
4 0.096000 10.21.56.15 → 8.137.154.246 MQTT 91 Connect Command
6 0.149000 8.137.154.246 → 10.21.56.15 MQTT 58 Connect Ack
9 0.396000 8.137.154.246 → 10.21.56.15 MQTT 58 [TCP Spurious Retransmission] , Connect Ack
13 0.434000 10.21.56.15 → 8.137.154.246 MQTT 105 Connect Command
15 0.519000 8.137.154.246 → 10.21.56.15 MQTT 58 Connect Ack
17 0.787000 10.21.56.15 → 8.137.154.246 MQTT 91 Subscribe Request (id=26163) [hello101] [hello102] [hello103]
18 0.835000 8.137.154.246 → 10.21.56.15 MQTT 61 Subscribe Ack (id=26163)
19 0.835000 8.137.154.246 → 10.21.56.15 MQTT 68 Publish Message [hello101]
21 1.264000 10.21.56.15 → 8.137.154.246 MQTT 69 Subscribe Request (id=44324) [hello103]
22 1.321000 8.137.154.246 → 10.21.56.15 MQTT 59 Subscribe Ack (id=44324)
24 1.552000 10.21.56.15 → 8.137.154.246 MQTT 69 Subscribe Request (id=44325) [hello103]
25 1.615000 8.137.154.246 → 10.21.56.15 MQTT 59 Subscribe Ack (id=44325)
27 1.908000 10.21.56.15 → 8.137.154.246 MQTT 82 Subscribe Request (id=26164) [cx001] [cx111] [cx221]
28 1.968000 8.137.154.246 → 10.21.56.15 MQTT 61 Subscribe Ack (id=26164)
30 2.201000 10.21.56.15 → 8.137.154.246 MQTT 125 Subscribe Request (id=26165) [123456789abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXY\0Z]
31 2.251000 8.137.154.246 → 10.21.56.15 MQTT 59 Subscribe Ack (id=26165)
33 2.479000 10.21.56.15 → 8.137.154.246 MQTT 65 Unsubscribe Request (id=26166)
34 2.532000 8.137.154.246 → 10.21.56.15 MQTT 58 Unsubscribe Ack (id=26166)
36 2.779000 10.21.56.15 → 8.137.154.246 MQTT 79 Unsubscribe Request (id=26167)
37 2.816000 8.137.154.246 → 10.21.56.15 MQTT 58 Unsubscribe Ack (id=26167)
39 3.050000 10.21.56.15 → 8.137.154.246 MQTT 124 Unsubscribe Request (id=26168)
40 3.128000 8.137.154.246 → 10.21.56.15 MQTT 58 Unsubscribe Ack (id=26168)
42 3.379000 10.21.56.15 → 8.137.154.246 MQTT 318 Subscribe Request (id=26169)[Packet size limited during capture]
43 3.436000 8.137.154.246 → 10.21.56.15 MQTT 59 Subscribe Ack (id=26169)
45 3.715000 10.21.56.15 → 8.137.154.246 MQTT 70 Subscribe Request (id=26170) [hello103c]
46 3.768000 8.137.154.246 → 10.21.56.15 MQTT 59 Subscribe Ack (id=26170)
48 3.984000 10.21.56.15 → 8.137.154.246 MQTT 321 Subscribe Request (id=26171)[Packet size limited during capture]
49 4.053000 8.137.154.246 → 10.21.56.15 MQTT 59 Subscribe Ack (id=26171)
51 4.332000 10.21.56.15 → 8.137.154.246 MQTT 68 Unsubscribe Request (id=44326)
52 4.385000 8.137.154.246 → 10.21.56.15 MQTT 58 Unsubscribe Ack (id=44326)
53 4.517000 10.21.56.15 → 8.137.154.246 MQTT 67 Publish Message [hello103c]
54 4.570000 8.137.154.246 → 10.21.56.15 MQTT 67 Publish Message [hello103c]
57 4.686000 8.137.154.246 → 10.21.56.15 MQTT 58 [TCP Spurious Retransmission] , Unsubscribe Ack (id=44326)
59 4.940000 10.21.56.15 → 8.137.154.246 MQTT 246 Publish Message (id=26173) [hello103c][Packet size limited during capture]
60 4.987000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26173)
61 4.987000 8.137.154.246 → 10.21.56.15 MQTT 244 Publish Message [hello103c][Packet size limited during capture]
63 5.341000 10.21.56.15 → 8.137.154.246 MQTT 1037 Publish Message (id=26174) [hello103c][Packet size limited during capture]
64 5.435000 8.137.154.246 → 10.21.56.15 MQTT 1039 Publish Ack (id=26174), Publish Message [hello103c][Packet size limited during capture]
66 5.742000 10.21.56.15 → 8.137.154.246 MQTT 1454 Publish Message (id=26175) [hello103c][Malformed Packet: length of contained item exceeds length of containing item]
67 5.742000 10.21.56.15 → 8.137.154.246 MQTT 663 Publish Message[Unreassembled Packet], Connect Ack
69 5.809000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26175)
70 5.810000 8.137.154.246 → 10.21.56.15 MQTT 1454 Publish Message [hello103c][Malformed Packet: length of contained item exceeds length of containing item]
71 5.810000 8.137.154.246 → 10.21.56.15 MQTT 661 Publish Received (id=13865), Publish Release (id=18046)
74 6.042000 10.21.56.15 → 8.137.154.246 MQTT 70 Publish Message [hello101]
75 6.089000 8.137.154.246 → 10.21.56.15 MQTT 70 Publish Message [hello101]
77 6.437000 10.21.56.15 → 8.137.154.246 MQTT 66 Publish Message [hello101]
78 6.475000 8.137.154.246 → 10.21.56.15 MQTT 66 Publish Message [hello101]
80 6.722000 10.21.56.15 → 8.137.154.246 MQTT 113 Publish Message [hello103]
81 6.776000 8.137.154.246 → 10.21.56.15 MQTT 113 Publish Message [hello103]
83 7.061000 10.21.56.15 → 8.137.154.246 MQTT 115 Publish Message (id=26179) [hello103]
84 7.139000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26179)
85 7.139000 8.137.154.246 → 10.21.56.15 MQTT 115 Publish Message (id=1) [hello103]
87 7.208000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=1)
89 7.346000 10.21.56.15 → 8.137.154.246 MQTT 176 Publish Message [hello101][Packet size limited during capture]
91 7.393000 8.137.154.246 → 10.21.56.15 MQTT 176 Publish Message [hello101][Packet size limited during capture]
93 7.624000 10.21.56.15 → 8.137.154.246 MQTT 178 Publish Message (id=26181) [hello101][Packet size limited during capture]
94 7.693000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26181)
95 7.693000 8.137.154.246 → 10.21.56.15 MQTT 176 Publish Message [hello101][Packet size limited during capture]
97 7.894000 10.21.56.15 → 8.137.154.246 MQTT 74 Publish Message (id=26182) [hello101]
98 7.947000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Received (id=26182)
99 7.947000 8.137.154.246 → 10.21.56.15 MQTT 72 Publish Message [hello101]
101 8.025000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Release (id=26182)
102 8.079000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Complete (id=26182)
104 8.179000 10.21.56.15 → 8.137.154.246 MQTT 178 Publish Message (id=26183) [hello101][Packet size limited during capture]
105 8.248000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Received (id=26183)
106 8.248000 8.137.154.246 → 10.21.56.15 MQTT 176 Publish Message [hello101][Packet size limited during capture]
108 8.316000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Release (id=26183)
109 8.363000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Complete (id=26183)
111 8.464000 10.21.56.15 → 8.137.154.246 MQTT 176 Publish Message [hello102][Packet size limited during capture]
112 8.511000 8.137.154.246 → 10.21.56.15 MQTT 176 Publish Message [hello102][Packet size limited during capture]
114 8.742000 10.21.56.15 → 8.137.154.246 MQTT 178 Publish Message (id=26185) [hello102][Packet size limited during capture]
115 8.811000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26185)
116 8.811000 8.137.154.246 → 10.21.56.15 MQTT 178 Publish Message (id=2) [hello102][Packet size limited during capture]
118 8.896000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=2)
120 9.065000 10.21.56.15 → 8.137.154.246 MQTT 73 Publish Message (id=26186) [hello102]
122 9.128000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Received (id=26186)
123 9.128000 8.137.154.246 → 10.21.56.15 MQTT 73 Publish Message (id=3) [hello102]
125 9.202000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Release (id=26186)
126 9.212000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=3)
127 9.243000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Complete (id=26186)
130 9.572000 10.21.56.15 → 8.137.154.246 MQTT 178 Publish Message (id=26187) [hello102][Packet size limited during capture]
132 9.625000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Received (id=26187)
133 9.625000 8.137.154.246 → 10.21.56.15 MQTT 178 Publish Message (id=4) [hello102][Packet size limited during capture]
135 9.710000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Release (id=26187)
136 9.725000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=4)
138 9.768000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Complete (id=26187)
139 9.850000 10.21.56.15 → 8.137.154.246 MQTT 176 Publish Message [hello103][Packet size limited during capture]
140 9.925000 8.137.154.246 → 10.21.56.15 MQTT 176 Publish Message [hello103][Packet size limited during capture]
141 10.126000 10.21.56.15 → 8.137.154.246 MQTT 178 Publish Message (id=26189) [hello103][Packet size limited during capture]
142 10.195000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26189)
143 10.195000 8.137.154.246 → 10.21.56.15 MQTT 178 Publish Message (id=5) [hello103][Packet size limited during capture]
145 10.273000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=5)
147 10.411000 10.21.56.15 → 8.137.154.246 MQTT 178 Publish Message (id=26190) [hello103][Packet size limited during capture]
149 10.474000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Received (id=26190)
150 10.474000 8.137.154.246 → 10.21.56.15 MQTT 178 Publish Message (id=6) [hello103][Packet size limited during capture]
152 10.558000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Release (id=26190)
153 10.574000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Received (id=6)
154 10.627000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Complete (id=26190)
155 10.643000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Release (id=6)
157 10.728000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Complete (id=6)
158 10.743000 10.21.56.15 → 8.137.154.246 MQTT 179 Publish Message (id=26191) [hello101][Packet size limited during capture]
160 10.797000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Received (id=26191)
161 10.797000 8.137.154.246 → 10.21.56.15 MQTT 177 Publish Message [hello101][Packet size limited during capture]
163 10.875000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Release (id=26191)
164 10.928000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Complete (id=26191)
165 11.028000 10.21.56.15 → 8.137.154.246 MQTT 1093 Publish Message (id=26192) [hello103][Packet size limited during capture]
166 11.097000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26192)
167 11.097000 8.137.154.246 → 10.21.56.15 MQTT 1093 Publish Message (id=7) [hello103][Packet size limited during capture]
169 11.175000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=7)
171 11.414000 10.21.56.15 → 8.137.154.246 MQTT 1093 Publish Message (id=26193) [hello103][Packet size limited during capture]
173 11.476000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26193)
174 11.476000 8.137.154.246 → 10.21.56.15 MQTT 1093 Publish Message (id=8) [hello103][Packet size limited during capture]
176 11.561000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=8)
178 11.746000 10.21.56.15 → 8.137.154.246 MQTT 70 Publish Message (id=26194) [hello103]
180 11.799000 8.137.154.246 → 10.21.56.15 MQTT 74 Publish Ack (id=26194), Publish Message (id=9) [hello103]
181 11.877000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=9)
183 12.378000 10.21.56.15 → 8.137.154.246 MQTT 1093 Publish Message (id=26195) [hello103][Packet size limited during capture]
185 12.447000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26195)
186 12.447000 8.137.154.246 → 10.21.56.15 MQTT 1093 Publish Message (id=10) [hello103][Packet size limited during capture]
188 12.532000 10.21.56.15 → 8.137.154.246 MQTT 58 Publish Ack (id=10)
189 12.648000 10.21.56.15 → 8.137.154.246 MQTT 78 Publish Message (id=26196) [hello1retain1]
192 12.694000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26196)
194 12.933000 10.21.56.15 → 8.137.154.246 MQTT 74 Subscribe Request (id=26197) [hello1retain1]
195 12.995000 8.137.154.246 → 10.21.56.15 MQTT 81 Subscribe Ack (id=26197), Publish Message [hello1retain1]
197 13.218000 10.21.56.15 → 8.137.154.246 MQTT 78 Publish Message (id=26198) [hello1retain0]
198 13.249000 8.137.154.246 → 10.21.56.15 MQTT 58 Publish Ack (id=26198)
200 13.496000 10.21.56.15 → 8.137.154.246 MQTT 74 Subscribe Request (id=26199) [hello1retain0]
201 13.534000 8.137.154.246 → 10.21.56.15 MQTT 59 Subscribe Ack (id=26199)
205 23.706000 10.21.56.15 → 8.137.154.246 MQTT 67 Publish Message [hello103c]
206 23.759000 8.137.154.246 → 10.21.56.15 MQTT 67 Publish Message [hello103c]
207 23.975000 10.21.56.15 → 8.137.154.246 MQTT 71 Publish Message [hello103]
208 24.029000 8.137.154.246 → 10.21.56.15 MQTT 71 Publish Message [hello103]
210 24.323000 10.21.56.15 → 8.137.154.246 MQTT 70 Publish Message [hello103]
211 24.392000 8.137.154.246 → 10.21.56.15 MQTT 70 Publish Message [hello103]
213 24.608000 10.21.56.15 → 8.137.154.246 MQTT 72 Publish Message [hello103]
214 24.646000 8.137.154.246 → 10.21.56.15 MQTT 72 Publish Message [hello103]
216 24.877000 10.21.56.15 → 8.137.154.246 MQTT 323 Publish Message [hello103][Packet size limited during capture]
217 24.962000 8.137.154.246 → 10.21.56.15 MQTT 323 Publish Message [hello103][Packet size limited during capture]
219 25.278000 10.21.56.15 → 8.137.154.246 MQTT 70 Publish Message [hello103]
220 25.325000 8.137.154.246 → 10.21.56.15 MQTT 70 Publish Message [hello103]
226 47.349000 10.21.56.15 → 8.137.154.246 MQTT 56 Disconnect Req
227 47.403000 10.21.56.15 → 8.137.154.246 MQTT 56 Disconnect Req
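The pyshark script above only prints whole packets. The following is an added example (my own code, not part of the original post) that pulls out the fields a reviewer of such a capture actually wants: message type, QoS, topic and packet id per MQTT control packet, a per-topic count, QoS 1/2 publishes that never received their PUBACK/PUBREC, and CONNECT packets carrying a password, which on port 1883 (plain MQTT; the TLS variant runs on 8883) travel in the clear. It assumes Wireshark's MQTT dissector field names (mqtt.msgtype, mqtt.qos, mqtt.topic, mqtt.msgid, mqtt.passwd) as exposed by pyshark; the import of pyshark is deferred into mqtt_records() so that summarize() runs, and can be checked, on a machine without tshark. The SAMPLE records are constructed, modelled on a few frames of the listing above, and the password flag and the last record are invented.

```python
from collections import Counter

# MQTT control packet types as numbered in the fixed header (value of mqtt.msgtype)
MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
              6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK", 10: "UNSUBSCRIBE",
              11: "UNSUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}


def mqtt_records(pcap_path):
    """Yield one plain dict per MQTT control packet in the capture.

    pyshark is imported here, not at module level, so summarize() below can
    be exercised on a machine that has neither pyshark nor tshark installed.
    """
    import pyshark

    cap = pyshark.FileCapture(pcap_path, display_filter="mqtt")
    try:
        for pkt in cap:
            # One TCP segment may carry several MQTT packets back to back (the
            # listing shows e.g. "Publish Ack (id=26174), Publish Message"), so
            # walk every mqtt layer of the packet instead of just pkt.mqtt.
            for layer in pkt.get_multiple_layers("mqtt"):
                yield {
                    "src": pkt.ip.src,
                    "dst": pkt.ip.dst,
                    "type": int(layer.get_field_value("msgtype")),
                    "qos": int(layer.get_field_value("qos") or 0),
                    "topic": layer.get_field_value("topic"),
                    "msgid": layer.get_field_value("msgid"),
                    # CONNECT carries username/password unencrypted on port 1883
                    "has_password": layer.get_field_value("passwd") is not None,
                }
    finally:
        cap.close()


def summarize(records):
    """Count message types and topics, match QoS>0 publishes with their
    acknowledgements by packet id, and flag cleartext credentials."""
    records = list(records)
    counts = Counter(MQTT_TYPES.get(r["type"], "UNKNOWN") for r in records)
    topics = Counter(r["topic"] for r in records if r["type"] == 3 and r["topic"])
    # A QoS 1 PUBLISH must be answered by a PUBACK, a QoS 2 PUBLISH by a PUBREC,
    # each carrying the same packet id and flowing back to the publisher.
    pending = {}
    for r in records:
        if r["type"] == 3 and r["qos"] > 0:
            pending[(r["src"], r["msgid"])] = r["qos"]
        elif r["type"] in (4, 5):
            pending.pop((r["dst"], r["msgid"]), None)
    findings = []
    for r in records:
        if r["type"] == 1 and r["has_password"]:
            findings.append(f"cleartext MQTT password in CONNECT {r['src']} -> {r['dst']}")
    for (src, msgid), qos in pending.items():
        findings.append(f"unacknowledged QoS {qos} PUBLISH id={msgid} from {src}")
    return {"counts": dict(counts), "topics": dict(topics), "findings": findings}


# Constructed sample records, modelled on frames 4, 6, 19, 54, 59 and 60 of the
# listing above; the has_password flag and the final unacknowledged publish are invented.
CLIENT, BROKER = "10.21.56.15", "8.137.154.246"
SAMPLE = [
    {"src": CLIENT, "dst": BROKER, "type": 1, "qos": 0, "topic": None, "msgid": None, "has_password": True},
    {"src": BROKER, "dst": CLIENT, "type": 2, "qos": 0, "topic": None, "msgid": None, "has_password": False},
    {"src": BROKER, "dst": CLIENT, "type": 3, "qos": 0, "topic": "hello101", "msgid": None, "has_password": False},
    {"src": BROKER, "dst": CLIENT, "type": 3, "qos": 0, "topic": "hello103c", "msgid": None, "has_password": False},
    {"src": CLIENT, "dst": BROKER, "type": 3, "qos": 1, "topic": "hello103c", "msgid": "26173", "has_password": False},
    {"src": BROKER, "dst": CLIENT, "type": 4, "qos": 0, "topic": None, "msgid": "26173", "has_password": False},
    {"src": CLIENT, "dst": BROKER, "type": 3, "qos": 1, "topic": "hello103c", "msgid": "99999", "has_password": False},
]

if __name__ == "__main__":
    import sys
    # With a pcap path on the command line the real capture is read; otherwise the sample.
    records = mqtt_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for key, value in summarize(records).items():
        print(key, value)
```

Run it as python3 mqtt_summary.py exported_tr01.pcap inside the container; without an argument it summarises the constructed sample. Keeping summarize() free of pyshark objects is deliberate: the detection logic can be unit-tested with plain dicts, and the same function can later be fed records from a live capture.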
A packet of the MQTT (Message Queuing Telemetry Transport) protocol normally consists of several layers. In the packet dissection shown here (one PUBLISH from the broker as printed by the pyshark script), the packet contains several layers, each responsible for a different function. The layers are explained in detail below:
1. Ethernet layer (ETH)
Destination: 00:00:00:00:00:00
Source: 00:00:00:00:00:00
Type: IPv4 (0x0800)
The Ethernet layer carries the physical (MAC) addresses and makes sure the frame is delivered correctly within the local network. Here both the source and destination MAC addresses are all zeros, which usually indicates an invalid or unset address.
2. IP layer (IP)
Version: 4
Header Length: 20 bytes (5)
Differentiated Services Field: 0x04 (DSCP: LE, ECN: Not-ECT)
Total Length: 53
Identification: 0x0f00 (3840)
Flags: 0x4000, Don't fragment
Fragment offset: 0
Time to live: 49
Protocol: TCP (6)
Header checksum: 0x551c [validation disabled]
Source: 8.137.154.246
Destination: 10.21.56.15
The IP layer moves the packet across the network, from the source address to the destination address. Here the source IP address is 8.137.154.246 and the destination IP address is 10.21.56.15.
3. TCP layer (TCP)
Source Port: 1883
Destination Port: 64033
Sequence number: 7939 (relative sequence number)
Acknowledgment number: 8748 (relative ack number)
Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window size value: 378
Checksum: 0x4d14 [unverified]
Urgent pointer: 0
The TCP layer provides reliable end-to-end communication. Here the source port is 1883, the default port of the MQTT protocol, and the destination port is 64033. The TCP flags PSH and ACK show that this is an acknowledgment segment that also carries pushed data.
4. MQTT layer (MQTT)
Header Flags: 0x30, Message Type: Publish Message, QoS Level: At most once delivery (Fire and Forget)
Msg Len: 11
Topic Length: 9
Topic: hello103c
Message: <MISSING>
The MQTT layer carries the actual MQTT message. Here it is a Publish Message with QoS level 0, i.e. "at most once" delivery (fire and forget). The topic is hello103c, but the message content is missing: the Msg Len of 11 bytes is exactly the 2-byte topic length field plus the 9-byte topic, so no payload bytes follow.
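To make the layout of the MQTT layer above concrete, here is an added example (my own code, not from the original post) that parses a PUBLISH control packet by hand following the MQTT 3.1.1 wire format: the fixed header byte (type, DUP, QoS, RETAIN), the variable-length "remaining length" (the Msg Len tshark prints), the 2-byte topic length, the topic, the packet identifier that is present only for QoS 1 and 2, and whatever is left as payload. The input bytes are constructed from the field values shown above (header 0x30, Msg Len 11, Topic Length 9, topic hello103c), which is why the payload comes out empty. The bounds check on the topic length is the same condition behind tshark's "Malformed Packet: length of contained item exceeds length of containing item" verdict in frames 66 and 70 of the listing: a parser that trusts the inner length field without comparing it to the outer one reads past the packet.

```python
def decode_remaining_length(data, offset):
    """Decode MQTT's variable-length 'remaining length': 1 to 4 bytes, 7 data
    bits each, high bit set means another byte follows. Returns (value, next_offset)."""
    multiplier, value = 1, 0
    for i in range(4):
        if offset + i >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length (more than 4 bytes)")


def encode_remaining_length(value):
    """Inverse of decode_remaining_length; used here to build test input."""
    out = bytearray()
    while True:
        byte, value = value % 128, value // 128
        if value:
            byte |= 0x80
        out.append(byte)
        if not value:
            return bytes(out)


def parse_publish(data):
    """Parse one PUBLISH control packet into the fields tshark displays:
    header flags, QoS, retain, Msg Len, Topic Length, Topic, Message."""
    if len(data) < 2:
        raise ValueError("truncated fixed header")
    hdr = data[0]
    if hdr >> 4 != 3:
        raise ValueError(f"not a PUBLISH packet (type {hdr >> 4})")
    qos = (hdr >> 1) & 0x03
    if qos == 3:
        raise ValueError("invalid QoS 3")
    remaining, pos = decode_remaining_length(data, 1)
    end = pos + remaining
    # Outer length must fit in the bytes we actually have.
    if end > len(data):
        raise ValueError("remaining length exceeds the bytes available")
    if pos + 2 > end:
        raise ValueError("no room for topic length")
    topic_len = int.from_bytes(data[pos:pos + 2], "big")
    pos += 2
    # Inner length must fit inside the outer one: this is the check whose
    # failure tshark reports as "length of contained item exceeds length of
    # containing item".
    if pos + topic_len > end:
        raise ValueError("topic length exceeds remaining length")
    topic = data[pos:pos + topic_len].decode("utf-8")
    pos += topic_len
    packet_id = None
    if qos > 0:  # packet identifier is present only for QoS 1 and 2
        if pos + 2 > end:
            raise ValueError("no room for packet identifier")
        packet_id = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
    return {
        "header_flags": hdr, "dup": bool(hdr & 0x08), "qos": qos,
        "retain": bool(hdr & 0x01), "msg_len": remaining,
        "topic_len": topic_len, "topic": topic, "packet_id": packet_id,
        "payload": bytes(data[pos:end]),
    }


def is_malformed(data):
    """True when parse_publish rejects the bytes; handy when scanning a stream."""
    try:
        parse_publish(data)
        return False
    except ValueError:
        return True


# Constructed input: the PUBLISH dissected above, re-assembled from its field
# values (header 0x30, Msg Len 11, Topic Length 9, topic hello103c, no payload).
PUBLISH_HELLO103C = bytes([0x30, 0x0B, 0x00, 0x09]) + b"hello103c"

if __name__ == "__main__":
    print(parse_publish(PUBLISH_HELLO103C))
```

The remaining-length field is worth handling properly rather than reading one byte: it is the only part of the fixed header whose size varies, and the 1093- and 1454-byte publishes in the listing need two bytes for it.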
Summary
Ethernet layer: handles physical addresses and delivery within the local network.
IP layer: handles network-layer delivery, getting the packet from the source address to the destination address.
TCP layer: provides reliable end-to-end communication.
MQTT layer: handles MQTT protocol messaging, including publish, subscribe and related operations.