Reputation: 725
Associating HTTP Requests with Responses in large packet capture
I am attempting to work with large packet captures from wireshark that have been output in pdml format. These captures are then loaded into python using the lxml library to traverse over them. The issue I am having is that I can pull out information regarding a single HTTP response packet and then I need a way to associate this with its HTTP request packet.
The current solution I was thinking of implementing is to search for an HTTP request packet that is part of the same TCP stream as the response, however this seems like an inefficient solution to the problem, having to continually separate out TCP streams and then search through them for the request packet.
Is there a simple way to associate response packets with requests that I am missing?
Upvotes: 0
Views: 496
Answers (1)
Reputation: 725
Best solution I have come up with thus far is to use xpath under the assumption that each TCP connection only contains one request/response pair.
#Get the stream index from the packet
streamIndex = packet.xpath('proto/field[@name="tcp.stream"]')[0].attrib['show']
#Use that stream index to get the matching response packet
return packet.xpath('/pdml/packet[proto/field[@name="tcp.stream" and @show="' + streamIndex + '"] and proto/field[@name="http.request.full_uri"]]')[0]
Upvotes: 0
Related Questions
- Listening for HTTP responses
- Parse HTTP responses from a TCP stream
- Using Scapy to fitler HTTP packets
- HTTP Request and Response Inspection with Python
- reassemble pcap traces to recover HTTP level data
- How to capture tcp request packets?
- How to capture http request/response traffic results
- Mapping HTTP requests to HTTP responses
- Python analyze requests
- Decode HTTP packet content in python as seen in wireshark