UniiemStudio / CTFever

Fantastic toolkit for CTFers and everyone.

Home Page:https://ctfever.uniiem.com/



[FEAT] Wireshark数据包键盘输入提取

GamerNoTitle opened this issue · comments

描述你的诉求
image
如图,是一个Wireshark的数据包,里面是USB数据流的截取,其中键盘的数据流在usb.capdata里面

描述你想要的解决方案
可以利用tshark将数据提取为json文件,然后再根据键索引到usb.capdata字段,将其提取出来,取第三个字节(如样本中的 `25`),然后根据键盘码翻译为对应的按键

额外信息(可选)
具体可以参照这个https://github.com/GamerNoTitle/KBE
实在做不了就算了:D

附:json文件(节选)

[
  {
    "_index": "packets-2021-04-29",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "wireshark_extcap1932"
          },
          "frame.encap_type": "152",
          "frame.time": "Apr 29, 2021 10:49:58.396073000 **标准时间",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1619664598.396073000",
          "frame.time_delta": "0.000000000",
          "frame.time_delta_displayed": "0.000000000",
          "frame.time_relative": "0.000000000",
          "frame.number": "1",
          "frame.len": "35",
          "frame.cap_len": "35",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "usb"
        },
        "usb": {
          "usb.src": "1.7.1",
          "usb.addr": "1.7.1",
          "usb.dst": "host",
          "usb.addr": "host",
          "usb.usbpcap_header_len": "27",
          "usb.irp_id": "0xffffcc885a3cda20",
          "usb.usbd_status": "0x00000000",
          "usb.function": "0x0009",
          "usb.irp_info": "0x01",
          "usb.irp_info_tree": {
            "usb.irp_info.reserved": "0x00",
            "usb.irp_info.direction": "0x01"
          },
          "usb.bus_id": "1",
          "usb.device_address": "7",
          "usb.endpoint_address": "0x81",
          "usb.endpoint_address_tree": {
            "usb.endpoint_address.direction": "1",
            "usb.endpoint_address.number": "1"
          },
          "usb.transfer_type": "0x01",
          "usb.data_len": "8",
          "usb.bInterfaceClass": "0xff"
        },
        "usb.capdata": "00:00:25:00:00:00:00:00"
      }
    }
  },
  {
    "_index": "packets-2021-04-29",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "wireshark_extcap1932"
          },
          "frame.encap_type": "152",
          "frame.time": "Apr 29, 2021 10:49:58.396227000 **标准时间",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1619664598.396227000",
          "frame.time_delta": "0.000154000",
          "frame.time_delta_displayed": "0.000154000",
          "frame.time_relative": "0.000154000",
          "frame.number": "2",
          "frame.len": "27",
          "frame.cap_len": "27",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "usb"
        },
        "usb": {
          "usb.src": "host",
          "usb.addr": "host",
          "usb.dst": "1.7.1",
          "usb.addr": "1.7.1",
          "usb.usbpcap_header_len": "27",
          "usb.irp_id": "0xffffcc885a3cda20",
          "usb.usbd_status": "0x00000000",
          "usb.function": "0x0009",
          "usb.irp_info": "0x00",
          "usb.irp_info_tree": {
            "usb.irp_info.reserved": "0x00",
            "usb.irp_info.direction": "0x00"
          },
          "usb.bus_id": "1",
          "usb.device_address": "7",
          "usb.endpoint_address": "0x81",
          "usb.endpoint_address_tree": {
            "usb.endpoint_address.direction": "1",
            "usb.endpoint_address.number": "1"
          },
          "usb.transfer_type": "0x01",
          "usb.data_len": "0",
          "usb.bInterfaceClass": "0xff"
        }
      }
    }
  },
  {
    "_index": "packets-2021-04-29",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "wireshark_extcap1932"
          },
          "frame.encap_type": "152",
          "frame.time": "Apr 29, 2021 10:49:58.523096000 **标准时间",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1619664598.523096000",
          "frame.time_delta": "0.126869000",
          "frame.time_delta_displayed": "0.126869000",
          "frame.time_relative": "0.127023000",
          "frame.number": "3",
          "frame.len": "35",
          "frame.cap_len": "35",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "usb"
        },
        "usb": {
          "usb.src": "1.7.1",
          "usb.addr": "1.7.1",
          "usb.dst": "host",
          "usb.addr": "host",
          "usb.usbpcap_header_len": "27",
          "usb.irp_id": "0xffffcc88529efa20",
          "usb.usbd_status": "0x00000000",
          "usb.function": "0x0009",
          "usb.irp_info": "0x01",
          "usb.irp_info_tree": {
            "usb.irp_info.reserved": "0x00",
            "usb.irp_info.direction": "0x01"
          },
          "usb.bus_id": "1",
          "usb.device_address": "7",
          "usb.endpoint_address": "0x81",
          "usb.endpoint_address_tree": {
            "usb.endpoint_address.direction": "1",
            "usb.endpoint_address.number": "1"
          },
          "usb.transfer_type": "0x01",
          "usb.data_len": "8",
          "usb.bInterfaceClass": "0xff"
        },
        "usb.capdata": "00:00:00:00:00:00:00:00"
      }
    }
  },
  {
    "_index": "packets-2021-04-29",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "wireshark_extcap1932"
          },
          "frame.encap_type": "152",
          "frame.time": "Apr 29, 2021 10:49:58.523235000 **标准时间",
          "frame.offset_shift": "0.000000000",
          "frame.time_epoch": "1619664598.523235000",
          "frame.time_delta": "0.000139000",
          "frame.time_delta_displayed": "0.000139000",
          "frame.time_relative": "0.127162000",
          "frame.number": "4",
          "frame.len": "27",
          "frame.cap_len": "27",
          "frame.marked": "0",
          "frame.ignored": "0",
          "frame.protocols": "usb"
        },
        "usb": {
          "usb.src": "host",
          "usb.addr": "host",
          "usb.dst": "1.7.1",
          "usb.addr": "1.7.1",
          "usb.usbpcap_header_len": "27",
          "usb.irp_id": "0xffffcc88529efa20",
          "usb.usbd_status": "0x00000000",
          "usb.function": "0x0009",
          "usb.irp_info": "0x00",
          "usb.irp_info_tree": {
            "usb.irp_info.reserved": "0x00",
            "usb.irp_info.direction": "0x00"
          },
          "usb.bus_id": "1",
          "usb.device_address": "7",
          "usb.endpoint_address": "0x81",
          "usb.endpoint_address_tree": {
            "usb.endpoint_address.direction": "1",
            "usb.endpoint_address.number": "1"
          },
          "usb.transfer_type": "0x01",
          "usb.data_len": "0",
          "usb.bInterfaceClass": "0xff"
        }
      }
    }
  }
]

完整的json太大了,237KB,需要的话DD我我再发

可以 请随意

可以提供一份完整的样本数据包吗?
邮箱:master@uniiem.com

发了 请查收