
Using Scapy to filter HTTP packets

I am trying to make a filter for packets that contain HTTP data, yet I don't have a clue on how to do so.

I.e., is there a way to filter packets using Scapy that are only HTTP?

Yes there is, with the .haslayer function and a bit of parsing:

from scapy.all import sniff, TCP, Raw

# Define HTTP methods (as bytes, because Raw.load is bytes on Python 3)
methods = [b'GET', b'POST', b'HEAD', b'PUT', b'DELETE', b'CONNECT', b'OPTIONS', b'TRACE']
s = sniff(count=1)  # sniff one packet to parse; you can put this in a loop
pkt = s[0]
if pkt.haslayer(TCP):  # checks for TCP protocol
    if pkt[TCP].dport == 80:  # checks for HTTP port 80
        if pkt.haslayer(Raw):  # checks if packet has payload
            r = pkt[Raw].load
            for i in methods:  # checks if any of the HTTP methods is present in the load; if so, prints it
                if i in r:
                    print(r)

The other answers give you a solution that can only be so accurate, as you can use HTTP on ports other than 80, and as of version 2.4.3 the Scapy team has released a new HTTP layer, so we don't have to rely on those assumptions anymore:

>>> import scapy.all as S
>>> S.load_layer("http")
>>> HTTPRequest
<class 'scapy.layers.http.HTTPRequest'>
>>> def filter_get_requests(pkg):
...     return pkg.haslayer(HTTPRequest) and pkg[HTTPRequest].Method==b'GET'
...
>>> s = S.sniff(lfilter=filter_get_requests)

Then make a GET request to your favorite HTTP site and there you have it :) You can read the whole HTTP layer doc here.

Yes, you can. You can filter by TCP port 80 (checking each packet or using BPF) and then check the TCP payload to ensure there is an HTTP header.
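An added example (not part of any of the answers above) of the payload check the last answer describes: instead of searching for a method name anywhere in the load, it matches a full HTTP/1.x request line or status line at the start of the TCP payload, so it works on any port and ignores data that merely contains the word "GET". The names `classify_http`, `is_http_packet` and `SAMPLES` are made up for this example, and the sample payloads are constructed.

```python
import re

# Request line: METHOD SP request-target SP HTTP/x.y (methods from the first answer).
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE) \S+ HTTP/\d\.\d\r?\n")
# Status line: HTTP/x.y SP three-digit code, optional reason phrase.
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}( [^\r\n]*)?\r?\n")


def classify_http(payload: bytes):
    """Return 'request', 'response' or None for a raw TCP payload."""
    if REQUEST_LINE.match(payload):
        return "request"
    if STATUS_LINE.match(payload):
        return "response"
    return None


def is_http_packet(pkt):
    """lfilter callback for Scapy's sniff(); decides on payload, not port."""
    from scapy.all import TCP, Raw  # imported lazily; needs Scapy installed
    return (pkt.haslayer(TCP) and pkt.haslayer(Raw)
            and classify_http(bytes(pkt[Raw].load)) is not None)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "resp": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "body": b"name=GET&value=POST",          # method names inside non-HTTP data
    "tls": b"\x16\x03\x01\x02\x00\x01\x00",  # start of a TLS handshake record
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_http(data))
    # Live use (needs capture privileges):
    #   from scapy.all import sniff
    #   sniff(filter="tcp", lfilter=is_http_packet, prn=lambda p: p.summary())
```

Only the first TCP segment of an HTTP/1.x message matches; later segments of the same message and HTTP/2 or TLS-wrapped traffic do not.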

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.
