Florian

Reputation: 312

Extract TCP payload from pcap file

Using tcpdump, I am capturing network traffic. I am interested in extracting the actual TCP payload data, i.e. HTTP traffic in my particular case.

I tried to achieve that using scapy, but I only found function remove_payload(). Is there a corresponding counterpart? Or do you know of any other tools that provide such functionality?

Unfortunately, I did not find satisfactory scapy documentation.

Upvotes: 4

Views: 16695

Answers (2)

Florian

Reputation: 312

In case other users might have similar questions: I ended up using the following script:

#!/bin/bash
# Dump the raw payload of every TCP stream in a capture, one file per stream
# plus a concatenated file with everything.
infile=infile.pcap
outfile=outfile
ext=txt

rm -f "${outfile}_all.${ext}"

# List the stream indexes: every stream starts with a SYN, so filter on that,
# then de-duplicate (both directions carry the same tcp.stream value).
for stream in $(tshark -nlr "$infile" -Y tcp.flags.syn==1 -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//')
do
    echo "Processing stream $stream: ${outfile}_${stream}.${ext}"
    # "follow,tcp,raw" prints the stream as hex lines after a short header;
    # drop the header, strip the indentation tshark uses for the server side,
    # and turn the hex back into bytes.
    tshark -nlr "$infile" -qz "follow,tcp,raw,$stream" | tail -n +7 | sed 's/^\s\+//g' | xxd -r -p | tee "${outfile}_${stream}.${ext}" >> "${outfile}_all.${ext}"
done

Upvotes: 9

Jeff Bencteux

Reputation: 1426

You can read a pcap with Scapy easily with rdpcap; you can then use the Raw (right above TCP) layer of your packets to play with HTTP content:

from scapy.all import rdpcap, Raw

# rdpcap loads the whole capture into memory as a list of packets
pcap = rdpcap("my_file.pcap")

for pkt in pcap:
    # Raw is the undissected bytes sitting above TCP, i.e. the HTTP data
    if Raw in pkt:
        print(pkt[Raw].load)

Upvotes: 8
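Both answers above leave the reassembly to a tool: the tshark script gets whole streams in order, while the Scapy loop prints each segment's Raw layer in capture order, so out-of-order segments and retransmissions show up as they arrived. The following is an added example (not code from either answer and not Scapy's or Wireshark's own logic) that reads a classic pcap with only the standard library, decodes Ethernet/IPv4/TCP, groups payload by flow direction, orders it by sequence number, drops duplicate and overlapping retransmissions and marks holes where the capture lost a segment. The sample capture, addresses, ports and HTTP text are constructed inline so it runs offline; sequence-number wrap-around and pcapng files are deliberately not handled.

```python
import socket
import struct
from collections import defaultdict

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def parse_pcap(data):
    """Yield raw link-layer frames from a classic pcap blob (pcapng is not handled)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"   # little-endian writer, the usual case for tcpdump on x86
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"   # big-endian writer
    else:
        raise ValueError("not a classic pcap file (pcapng or nanosecond variant?)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Decode Ethernet/IPv4/TCP; return (src, sport, dst, dport, seq, flags, payload) or None."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HLEN:]
    if ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]   # slice by IP total length so Ethernet trailer padding is not taken as payload
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4   # TCP header length including options
    flags = off_flags & 0x1FF
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return src, sport, dst, dport, seq, flags, tcp[data_off:]


def extract_streams(pcap_bytes):
    """Return {(src, sport, dst, dport): payload bytes}, one entry per flow direction.

    Segments are ordered by sequence number, duplicate and overlapping retransmissions
    are dropped, and a hole in the sequence space is marked in the output instead of
    being silently closed. 32-bit sequence wrap-around is not handled.
    """
    by_dir = defaultdict(dict)   # direction -> {seq: payload}; first copy of a seq wins
    for frame in parse_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or not seg[6]:
            continue   # not TCP, or a pure SYN/ACK/FIN carrying no data
        src, sport, dst, dport, seq, _flags, payload = seg
        by_dir[(src, sport, dst, dport)].setdefault(seq, payload)
    streams = {}
    for key, segs in by_dir.items():
        out, expected = bytearray(), None
        for seq in sorted(segs):
            chunk = segs[seq]
            if expected is not None and seq < expected:     # overlaps bytes already emitted
                chunk, seq = chunk[expected - seq:], expected
            elif expected is not None and seq > expected:   # the capture missed a segment
                out += b"<%d bytes missing>" % (seq - expected)
            out += chunk
            expected = seq + len(chunk)
        streams[key] = bytes(out)
    return streams


# --- constructed sample capture (not from a real network) ---

def build_frame(src, sport, dst, dport, seq, flags, payload):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums stay zero since nothing here verifies them."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return eth + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (magic 0xa1b2c3d4, v2.4, Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


CLIENT, SERVER = ("10.0.0.1", 40000), ("10.0.0.2", 80)
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

SAMPLE_PCAP = build_pcap([
    build_frame(*CLIENT, *SERVER, 999, TCP_SYN, b""),                       # handshake, no data
    build_frame(*CLIENT, *SERVER, 1016, TCP_PSH | TCP_ACK, REQUEST[16:]),   # captured out of order
    build_frame(*CLIENT, *SERVER, 1000, TCP_PSH | TCP_ACK, REQUEST[:16]),
    build_frame(*CLIENT, *SERVER, 1000, TCP_PSH | TCP_ACK, REQUEST[:16]),   # retransmission
    build_frame(*SERVER, *CLIENT, 5000, TCP_PSH | TCP_ACK, RESPONSE),
])

if __name__ == "__main__":
    # For a real capture use: extract_streams(open("infile.pcap", "rb").read())
    for (src, sport, dst, dport), payload in extract_streams(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d (%d bytes)" % (src, sport, dst, dport, len(payload)))
        print(payload.decode("latin-1"))
```

Run as a script it prints the reassembled request and response of the constructed capture; the out-of-order segment and the retransmission disappear in the output, which is the difference from printing each Raw layer as it arrives. Keying on the full 4-tuple gives one entry per direction, matching the two "Node" sides of tshark's follow output, and the gap marker makes a lossy capture visible rather than producing HTTP that looks complete but is not.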
