Scapy - TCPSession from list of packets

Question

I'm trying to use TCPSession funcionality (like: sniff(offline="./my_file.pcap", prn=func, store=False, session=TCPSession) ) but without creating a PCAP file.

I receive a list of RAW Packets so I can build a list of Scapy packets but I need the TCPSession funcionality because of the HTTP Packets: Without TCPSession the headers and the body are in different packets so HTTP Layers Class can't identify the body part.

So I have this code that finds the HTTP Requests :

import pickle
from scapy.all import *
from scapy.layers import http
load_layer("http")

def expand(x):
    yield x
    while x.payload:
        x = x.payload
        yield x

file_pickle = open('prueba.pkl','rb')
pkt_list = pickle.load(file_pickle)

for pkt_raw in pkt_list:
    p = Ether(pkt_raw)
    if p.haslayer(IP):
        srcIP = p[IP].src
        if p.haslayer(HTTP):
            if p.haslayer(HTTPRequest):
                print(list(expand(p)), end="\n---------------------------------------------------\n")

The execution of this code finds the HTTP Requests but without the Body part of the POST Requests:

[...]<HTTPRequest  Method='POST' Path='/NP3POCF.jsp' Http_Version='HTTP/1.1' Accept='*/*' Accept_Encoding='gzip, deflate' Connection='keep-alive' Content_Length='56' Content_Type='application/x-www-form-urlencoded' Host='172.16.191.129' User_Agent='python-requests/2.7.0 CPython/3.7.5 Linux/5.3.0-kali2-amd64' |>]

With a sniffer with TCPSession (such as Scapy sniff function) the packet has a Raw Layer that contains the body of the request.

Any help to apply TCPSession? Thank You.

Answer 1

You can call sniff(offline=X) with X a packet list, a packet, a file name or a list of files. Make sure you are using the github development version (see https://scapy.readthedocs.io/en/latest/installation.html#current-development-version ), as I'm not sure if this is in a release yet.