[SimpleXML] Récupération d'un attribut mobile dans un fichier XML

**ipfix31** · 12/04/2010, 11h42

Bonjour à tous,

Je fait actuellement de l'expertise réseau sous wireshark, pour ça je dois analyser des trames au niveau TCP et relever les données d'un autres protocole encapsulés, bref le bordel. Les données encapsulés proviennent d'un protocole propriétaire et sont en hexa. Pour me faciliter la lecture et gagner du temps (après!), plutot que de lire de l'hexa je suis en train d'écrire un petit script. Wireshark me permet d'exporter les captures pcap en pdml. Voici l'élément parent "paquet" dans lequel je dois récupérer mes données:

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.0.5">
<packet>
  <proto name="geninfo" pos="0" showname="General information" size="73">
    <field name="num" pos="0" show="492" showname="Number" value="1ec" size="73"/>
    <field name="len" pos="0" show="73" showname="Packet Length" value="49" size="73"/>
    <field name="caplen" pos="0" show="73" showname="Captured Length" value="49" size="73"/>
    <field name="timestamp" pos="0" show="Mar 26, 2010 12:00:01.813697000" showname="Captured Time" value="1269601201.813697000" size="73"/>
  </proto>
  <proto name="frame" showname="Frame 492 (73 bytes on wire, 73 bytes captured)" size="73" pos="0">
    <field name="frame.time" showname="Arrival Time: Mar 26, 2010 12:00:01.813697000" size="0" pos="0" show="Mar 26, 2010 12:00:01.813697000"/>
    <field name="frame.time_delta" showname="Time delta from previous captured frame: 0.010582000 seconds" size="0" pos="0" show="0.010582000"/>
    <field name="frame.time_delta_displayed" showname="Time delta from previous displayed frame: 1.167821000 seconds" size="0" pos="0" show="1.167821000"/>
    <field name="frame.time_relative" showname="Time since reference or first frame: 1.167821000 seconds" size="0" pos="0" show="1.167821000"/>
    <field name="frame.number" showname="Frame Number: 492" size="0" pos="0" show="492"/>
    <field name="frame.pkt_len" showname="Packet Length: 73 bytes" hide="yes" size="0" pos="0" show="73"/>
    <field name="frame.len" showname="Frame Length: 73 bytes" size="0" pos="0" show="73"/>
    <field name="frame.cap_len" showname="Capture Length: 73 bytes" size="0" pos="0" show="73"/>
    <field name="frame.marked" showname="Frame is marked: False" size="0" pos="0" show="0"/>
    <field name="frame.protocols" showname="Protocols in frame: eth:ip:tcp:x11" size="0" pos="0" show="eth:ip:tcp:x11"/>
    <field name="frame.coloring_rule.name" showname="Coloring Rule Name: TCP" size="0" pos="0" show="TCP"/>
    <field name="frame.coloring_rule.string" showname="Coloring Rule String: tcp" size="0" pos="0" show="tcp"/>
  </proto>
  <proto name="eth" showname="Ethernet II, Src: Broadcom_2d:5b:91 (00:10:18:2d:5b:91), Dst: All-HSRP-routers_02 (00:00:0c:07:ac:02)" size="14" pos="0">
    <field name="eth.dst" showname="Destination: All-HSRP-routers_02 (00:00:0c:07:ac:02)" size="6" pos="0" show="00:00:0c:07:ac:02" value="00000c07ac02">
      <field name="eth.addr" showname="Address: All-HSRP-routers_02 (00:00:0c:07:ac:02)" size="6" pos="0" show="00:00:0c:07:ac:02" value="00000c07ac02"/>
      <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="00000c"/>
      <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="00000c"/>
    </field>
    <field name="eth.src" showname="Source: Broadcom_2d:5b:91 (00:10:18:2d:5b:91)" size="6" pos="6" show="00:10:18:2d:5b:91" value="0010182d5b91">
      <field name="eth.addr" showname="Address: Broadcom_2d:5b:91 (00:10:18:2d:5b:91)" size="6" pos="6" show="00:10:18:2d:5b:91" value="0010182d5b91"/>
      <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="001018"/>
      <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="001018"/>
    </field>
    <field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
  </proto>
  <proto name="ip" showname="Internet Protocol, Src: x.x.x.x (163.105.42.121), Dst: x.x.x.x (163.105.42.146)" size="20" pos="14">
    <field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
    <field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
    <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
      <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="0" unmaskedvalue="00"/>
      <field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
      <field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
    </field>
    <field name="ip.len" showname="Total Length: 59" size="2" pos="16" show="59" value="003b"/>
    <field name="ip.id" showname="Identification: 0x1682 (5762)" size="2" pos="18" show="0x1682" value="1682"/>
    <field name="ip.flags" showname="Flags: 0x04 (Don&apos;t Fragment)" size="1" pos="20" show="0x04" value="40">
      <field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="40"/>
      <field name="ip.flags.df" showname=".1.. = Don&apos;t fragment: Set" size="1" pos="20" show="1" value="1" unmaskedvalue="40"/>
      <field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="40"/>
    </field>
    <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="4000"/>
    <field name="ip.ttl" showname="Time to live: 64" size="1" pos="22" show="64" value="40"/>
    <field name="ip.proto" showname="Protocol: TCP (0x06)" size="1" pos="23" show="0x06" value="06"/>
    <field name="ip.checksum" showname="Header checksum: 0x885d [correct]" size="2" pos="24" show="0x885d" value="885d">
      <field name="ip.checksum_good" showname="Good: True" size="2" pos="24" show="1" value="885d"/>
      <field name="ip.checksum_bad" showname="Bad : False" size="2" pos="24" show="0" value="885d"/>
    </field>
    <field name="ip.src" showname="Source: x.x.x.x
(x.x.x.x)" size="4" pos="26" show="x.x.x.x" value="a3692a79"/>
    <field name="ip.addr" showname="Source or Destination Address: x.x.x.x(x.x.x.x)" hide="yes" size="4" pos="26" show="163.105.42.121" value="a3692a79"/>
    <field name="ip.src_host" showname="Source Host: x.x.x.x" hide="yes" size="4" pos="26" show="x.x.x.x" value="a3692a79"/>
    <field name="ip.host" showname="Source or Destination Host: x.x.x.x" hide="yes" size="4" pos="26" show="x.x.x.x" value="a3692a79"/>
    <field name="ip.dst" showname="Destination: x.x.x.x(x.x.x.x)" size="4" pos="30" show="x.x.x.x" value="a3692a92"/>
    <field name="ip.addr" showname="Source or Destination Address: x.x.x.x(x.x.x.x)" hide="yes" size="4" pos="30" show="x.x.x.x" value="a3692a92"/>
    <field name="ip.dst_host" showname="Destination Host: x.x.x.x" hide="yes" size="4" pos="30" show="x.x.x.x" value="a3692a92"/>
    <field name="ip.host" showname="Source or Destination Host: x.x.x.x" hide="yes" size="4" pos="30" show="x.x.x.x" value="a3692a92"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol, Src Port: 46616 (46616), Dst Port: 6002 (6002), Seq: 1, Ack: 1, Len: 7" size="32" pos="34">
    <field name="tcp.srcport" showname="Source port: 46616 (46616)" size="2" pos="34" show="46616" value="b618"/>
    <field name="tcp.dstport" showname="Destination port: 6002 (6002)" size="2" pos="36" show="6002" value="1772"/>
    <field name="tcp.port" showname="Source or Destination Port: 46616" hide="yes" size="2" pos="34" show="46616" value="b618"/>
    <field name="tcp.port" showname="Source or Destination Port: 6002" hide="yes" size="2" pos="36" show="6002" value="1772"/>
    <field name="tcp.len" showname="TCP Segment Len: 7" hide="yes" size="4" pos="34" show="7" value="b6181772"/>
    <field name="tcp.seq" showname="Sequence number: 1    (relative sequence number)" size="4" pos="38" show="1" value="651de7e0"/>
    <field name="tcp.nxtseq" showname="Next sequence number: 8    (relative sequence number)" size="0" pos="34" show="8"/>
    <field name="tcp.ack" showname="Acknowledgement number: 1    (relative ack number)" size="4" pos="42" show="1" value="d910fc54"/>
    <field name="tcp.hdr_len" showname="Header length: 32 bytes" size="1" pos="46" show="32" value="80"/>
    <field name="tcp.flags" showname="Flags: 0x18 (PSH, ACK)" size="1" pos="47" show="0x18" value="18">
      <field name="tcp.flags.cwr" showname="0... .... = Congestion Window Reduced (CWR): Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/>
      <field name="tcp.flags.ecn" showname=".0.. .... = ECN-Echo: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/>
      <field name="tcp.flags.urg" showname="..0. .... = Urgent: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/>
      <field name="tcp.flags.ack" showname="...1 .... = Acknowledgment: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="18"/>
      <field name="tcp.flags.push" showname=".... 1... = Push: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="18"/>
      <field name="tcp.flags.reset" showname=".... .0.. = Reset: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/>
      <field name="tcp.flags.syn" showname=".... ..0. = Syn: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/>
      <field name="tcp.flags.fin" showname=".... ...0 = Fin: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="18"/>
    </field>
    <field name="tcp.window_size" showname="Window size: 46" size="2" pos="48" show="46" value="002e"/>
    <field name="tcp.checksum" showname="Checksum: 0x12db [correct]" size="2" pos="50" show="0x12db" value="12db">
      <field name="tcp.checksum_good" showname="Good Checksum: True" size="2" pos="50" show="1" value="12db"/>
      <field name="tcp.checksum_bad" showname="Bad Checksum: False" size="2" pos="50" show="0" value="12db"/>
    </field>
    <field name="tcp.options" showname="Options: (12 bytes)" size="12" pos="54" show="01:01:08:0a:72:f5:17:1d:08:13:af:24" value="0101080a72f5171d0813af24">
      <field name="" show="NOP" size="1" pos="54" value="01"/>
      <field name="" show="NOP" size="1" pos="55" value="01"/>
      <field name="tcp.options.time_stamp" showname="TCP Time Stamp Option: True" hide="yes" size="10" pos="56" show="1" value="080a72f5171d0813af24"/>
      <field name="" show="Timestamps: TSval 1928664861, TSecr 135507748" size="10" pos="56" value="080a72f5171d0813af24"/>
    </field>
    <field name="" show="TCP segment data (7 bytes)" size="7" pos="66" value="1cb3d50001ef0d"/>
  </proto>
</packet>

<packet>
...
</packet>

...

</pdml>

j'ai écrit le code suivant qui me permet de récupérer les valeurs dont j'ai besoin dans chaque paquet:

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
<?php
$xml = simplexml_load_file("test2.pdml");
//variable de numérotation des lignes
$i = 1;
 
echo "<table border='1' align='center' cellpadding='4'>";
echo 	"<tr align='center'>";
echo		"<th>Num</th>";
echo		"<th>IP Src</th>";
echo		"<th>IP Dest</th>";
echo		"<th>Port Src</th>";
echo		"<th>Port Dest</th>";
//echo		"<th>flag</th>";
echo		"<th>data</th>";
echo	"</tr>";
 
// itération sur tous les packets
foreach ($xml -> packet as $packet )
	{
	echo	"<tr>";
	echo 	"<td align='right'>".$i."</td>"; 											//numéro de ligne
	echo 	"<td>".$packet->proto[3]->field[10]->attributes()->show."</td>"; 			//adresse ip source
	echo 	"<td>".$packet->proto[3]->field[14]->attributes()->show."</td>"; 			//adresse ip destination
	echo 	"<td>".$packet->proto[4]->field[0]->attributes()->show."</td>"; 			// port source
	echo 	"<td>".$packet->proto[4]->field[1]->attributes()->show."</td>"; 			// port destination
	//echo 	"<td>".$packet->proto[4]->field[8]->field[0]->attributes()->show."</td>"; 	// flag TCP, à voir plus tard
	echo 	"<td>".$packet->proto[4]->field[13]->attributes()->value."</td>"; 			// les datas
	$i++;
	}
?>

Je pensais avoir réussit à tout récupérer seulement voila, il y a toujours le petit quelque chose qui fait que les choses ne sont jamais simple !
Il s'avère, qu'en fonction des paquets, l'élément contenant les data, dernier éléments de <paquet> se trouve :
- soit en : $packet->proto[4]->field[13]->attributes()->value
- soit en : $packet->proto[4]->field[14]->attributes()->value
- soit totalement absent car le paquet est par exemple un simple acquittement TCP.

En plus ce champ n'a pas de nom, la seule chose unique dont il dispose est show="TCP segment data (7 bytes)" , et encore car en fonction des paquets je peux avoir une taille de segment variable donc le nom change entre 5, 7, 8, 11, ou 12 bytes... foutu pdml !!!

Voila mon probleme, je ne sais pas comment faire le test pour voir si le champ est en position 13 ou 14 ou n'est pas présent!!

En espérant que vous aurez compris mon petit soucis !

Merci par avance à vous !

Pierre

[SimpleXML] Récupération d'un attribut mobile dans un fichier XML

Bibliothèques et frameworks PHP

Mode arborescent

Discussions similaires

Partager

Partager