TL;DR: How do I correctly pipe the output of a remote tcpdump over UART into a local Wireshark?

I am trying to capture the packets flowing through an embedded device on which I cannot install anything. Fortunately, a getty is running on the serial interface, and tcpdump is installed. Sadly, there is no SSH, no dumpcap and no tshark.

Direct piping

I first tried configuring the tty and piping the data straight into Wireshark:
    stty -F /dev/ttyUSB0 raw
    stty -F /dev/ttyUSB0 -echo -echoe -echok
    cat /dev/ttyUSB0 | wireshark -k -i -
    # On another terminal:
    echo "tcpdump -U -s0 -i eth0 -w - 2>/dev/null" > /dev/ttyUSB0
Wireshark complains that the input is not in a valid libpcap format, of course because the command gets echoed back and I did not manage to get rid of the echo.

Using raw PySerial

So I decided to write a Python script to control how the piping works:
    import serial
    import sys
    import subprocess

    def main(args):
        with serial.Serial('/dev/ttyUSB0', 115200, timeout=0) as ser:
            length = ser.write(b"tcpdump -U -s0 -i eth0 -w - 2> /dev/null\n") + 1
            # Discard the echoed command line
            while length > 0:
                discard = ser.read(length)
                length -= len(discard)
            # Spawn wireshark
            wireshark = subprocess.Popen(
                ["wireshark", "-k", "-i", "-"], stdin=subprocess.PIPE
            )
            # Pipe data from serial to wireshark's input
            while True:
                data = ser.read(256)
                wireshark.stdin.write(data)
                try:
                    wireshark.stdin.flush()
                except BrokenPipeError:
                    break
                if len(data) > 0:
                    print(data)
            # Send "Ctrl+C" to tcpdump
            ser.write(b"\x03")
            wireshark.wait()
        return 0

    if __name__ == '__main__':
        sys.exit(main(sys.argv))
Leaving aside some issues with how the script should terminate properly, this did not work as well as I had hoped. Wireshark is happy for a while, but soon the input gets corrupted and the capture stops. I think this is because the tty on the host still translates some special characters, probably newlines or carriage returns.

Getting silly: using hexdump over PySerial

So, I know this is lame, but since I had no other idea, this is what I came up with:
    import serial
    import sys
    import subprocess
    import binascii

    def main(args):
        with serial.Serial('/dev/ttyUSB0', 115200, timeout=5) as ser:
            # Start tcpdump on the device and convert its raw output to a silly hex format.
            # We need hexdump -C because it is the only format that does not mess up the endianness
            ser.write(b"tcpdump -U -s256 -i eth0 -w - 2> /dev/null | hexdump -C\n")
            # Discard the echoed command line
            ser.readline()
            # Spawn wireshark
            wireshark = subprocess.Popen(
                ["wireshark", "-k", "-i", "-"], stdin=subprocess.PIPE
            )
            while True:
                # Process each line separately
                data = ser.readline().decode('ascii')
                elements = data.split()
                # Drop hexdump's address column, its ASCII column and the spaces
                hexa = "".join(elements[1:17])
                # Convert the hex back to binary
                real_data = binascii.unhexlify(hexa)
                # Feed the shark
                wireshark.stdin.write(real_data)
                try:
                    wireshark.stdin.flush()
                except BrokenPipeError:
                    break
            # Stop tcpdump
            ser.write(b"\x03")
            wireshark.wait()
        return 0

    if __name__ == '__main__':
        sys.exit(main(sys.argv))
Alas, although it runs a little longer than the previous version, at some point Wireshark hits a problem with a frame that is too large, saying the frame is too big, with a truly ridiculous length (like -1562980309832), and the capture stops.

Please help!
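A parser for the `hexdump -C` format the second script consumes, as an added example that is not part of the original question: it handles the `*` lines with which hexdump squeezes repeated rows, the `|`-delimited ASCII column and the final length-only line, none of which a plain whitespace split handles, and checks each offset against the byte count so far. The sample input is constructed.

```python
import re

# Constructed sample of `hexdump -C` output (not a real capture): a pcap-like
# header row, zero rows that hexdump squeezed into a '*' marker, and a short
# final row whose ASCII column itself contains '|' characters.
SAMPLE = """\
00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 04 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000040  7c 7e 7c                                          ||~||
00000043
"""

# Every non-'*' line starts with an offset of at least 8 hex digits.
_OFFSET = re.compile(r"^([0-9a-fA-F]{8,})(.*)$")

def parse_hexdump_c(lines):
    """Rebuild the exact bytes behind `hexdump -C` output, expanding '*' repeat
    markers, ignoring the ASCII column and checking offsets as it goes."""
    out = bytearray()
    last_row = b""
    squeezed = False
    for raw in lines:
        line = raw.strip()
        if line == "*":
            squeezed = True  # previous row repeats; the next offset says how far
            continue
        m = _OFFSET.match(line)
        if m is None:
            raise ValueError(f"unexpected hexdump line: {raw!r}")
        offset, rest = int(m.group(1), 16), m.group(2)
        if squeezed:
            if not last_row:
                raise ValueError("'*' before any data row")
            while len(out) < offset:
                out += last_row
            squeezed = False
        if len(out) != offset:
            raise ValueError(f"offset 0x{offset:x} but {len(out)} bytes parsed so far")
        bar = rest.find("|")  # hex digits contain no '|', so the first one opens the ASCII column
        hex_part = rest if bar < 0 else rest[:bar]
        row = bytes.fromhex("".join(hex_part.split()))
        if row:
            out += row
            last_row = row
    return bytes(out)
```

Feeding the reassembled bytes to Wireshark's stdin instead of the raw `elements[1:17]` join keeps the byte stream aligned with what tcpdump actually wrote.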