使用 Scapy 从 pcap 获取 HTTP 响应代码
[英]Getting HTTP response codes from a pcap with Scapy
问题描述
I'm reading a pcap file using scapy and I am interested in finding anomalies such as unusual TCP flags or HTTP codes like 403 , 429 etc.
我正在使用scapy读取 pcap 文件,并且我有兴趣查找异常,例如不寻常的 TCP 标志或 HTTP 代码,如403 、 429等。
I am able to find out using TCP ports that this traffic belongs to HTTP but how to get status codes of HTTP and flags of TCP?我能够使用 TCP 端口找出此流量属于 HTTP 但如何获取 HTTP 的状态代码和 HTTP 的标志和标志 Z293C9EA246FF9985DC6F62A650F78986A?
This is what I have done so far:这是我到目前为止所做的:
for pkt in PcapReader(pcap):
if (TCP in pkt and (pkt[TCP].sport == 80 or pkt[TCP].dport === 80)):
pList.append(pkt)
1 个解决方案
解决方案1
0 2019-11-12 16:45:42
If you use Scapy 2.4.3+, you can enable the HTTP plugin and simplify your code.如果您使用 Scapy 2.4.3+,您可以启用 HTTP 插件并简化您的代码。 See:看:
- DOC: https://scapy.readthedocs.io/en/latest/layers/http.html文档: https://scapy.readthedocs.io/en/latest/layers/http.html
- API ref: https://scapy.readthedocs.io/en/latest/api/scapy.layers.http.html API ref: https://scapy.readthedocs.io/en/latest/api/scapy.layers.http.html
Also, in order to use the TCPSession to automatically process HTTP packets, I'll use sniff(prn=) rather than PcapReader .此外,为了使用TCPSession自动处理 HTTP 数据包,我将使用sniff(prn=)而不是PcapReader 。 They do the same thing.他们做同样的事情。
from scapy.layers.http import *
from scapy.sessions import TCPSession
from scapy.sendrecv import sniff
plist = []
def func(pkt):
# called on each packet
if HTTP in pkt:
if HTTPResponse in pkt:
# status codes are only in responses
status = pkt[HTTPResponse].Status_Code
if int(status) in [403, 429]: # check code
plist.append(pkt)
sniff(offline="./my_file.pcap", prn=func, store=False, session=TCPSession)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.