I'm reading a pcap file using scapy and I am interested in finding anomalies such as unusual TCP flags or HTTP codes like 403, 429, etc. I am able to find out using TCP ports that this traffic belongs to HTTP, but how do I get the status codes of HTTP and the flags of TCP?
This is what I have done so far:
```python
from scapy.all import PcapReader, TCP  # pcap below is the path to the capture file
pList = []
for pkt in PcapReader(pcap):
    # keep segments on the HTTP port in either direction ('===' was a typo for '==')
    if TCP in pkt and (pkt[TCP].sport == 80 or pkt[TCP].dport == 80):
        pList.append(pkt)
```
If you use Scapy 2.4.3+, you can enable the HTTP plugin and simplify your code. See:
Also, in order to use the TCPSession to automatically process HTTP packets, I'll use sniff(prn=) rather than PcapReader. They do the same thing.
```python
from scapy.layers.http import HTTP, HTTPResponse  # importing registers the HTTP dissector
from scapy.sessions import TCPSession
from scapy.sendrecv import sniff

plist = []

def func(pkt):
    # called on each packet reassembled by TCPSession
    if HTTP in pkt:
        if HTTPResponse in pkt:
            # status codes are only in responses; Status_Code is None on a truncated one
            status = pkt[HTTPResponse].Status_Code
            if status and int(status) in [403, 429]:  # check code
                plist.append(pkt)

sniff(offline="./my_file.pcap", prn=func, store=False, session=TCPSession)
```
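The question asks for both TCP flags and HTTP status codes, while the answer above covers only the status codes. The following is an added example, not code from either poster: it isolates the flag-combination and status-line checks into plain functions (runnable without scapy) and adds a scan_pcap helper that feeds them from a capture using the same sniff/TCPSession pattern as the answer. The anomaly labels, the status-code set and the scan_pcap name are my own choices, not anything from the page.

```python
from collections import Counter

# TCP flag bits as scapy exposes them via int(pkt[TCP].flags)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# status codes this triage treats as interesting (constructed set, taken from the question)
SUSPICIOUS_STATUS = {403, 429}

def tcp_flag_anomalies(flags: int) -> list:
    """Return labels for flag combinations a well-behaved stack never sends."""
    found = []
    if flags == 0:
        found.append("null-scan")        # no flags at all
    if flags & SYN and flags & FIN:
        found.append("syn+fin")          # open and close in one segment
    if flags & SYN and flags & RST:
        found.append("syn+rst")
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        found.append("xmas")             # FIN, PSH and URG lit together
    if flags & FIN and not flags & ACK:
        found.append("fin-without-ack")  # FIN only belongs on an established segment
    return found

def http_status(payload: bytes):
    """Parse 'HTTP/1.x <code> ...' from a raw response payload; None if not a response."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])

def scan_pcap(path: str) -> Counter:
    """Walk a pcap with scapy (imported only here) and count anomalies per label."""
    from scapy.layers.http import HTTPResponse  # importing also registers the HTTP dissector
    from scapy.layers.inet import TCP
    from scapy.sendrecv import sniff
    from scapy.sessions import TCPSession
    hits = Counter()

    def on_pkt(pkt):
        if TCP in pkt:
            for label in tcp_flag_anomalies(int(pkt[TCP].flags)):
                hits[label] += 1
            if HTTPResponse in pkt:  # status codes only exist in responses
                code = int(pkt[HTTPResponse].Status_Code or 0)
                if code in SUSPICIOUS_STATUS:
                    hits[f"http-{code}"] += 1

    sniff(offline=path, prn=on_pkt, store=False, session=TCPSession)
    return hits
```

http_status is there for captures where the HTTP layer does not dissect (non-standard ports); feed it the Raw payload of a segment and it gives the same code scapy's Status_Code would.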