Using Scapy to fitler HTTP packets

Question

I am trying to make a filter for packets that contain HTTP data, yet I don't have a clue on how to do so.

I.E. Is there a way to filter packets using Scapy that are only HTTP?

Answer 1

The other answers give you a solution that can only be so much accurate, as you can use HTTP in other ports than 80, and as for version 2.4.3 scapy team has released a new HTTP layer, so we don't have to rely on those assumptions anymore:

>>> import scapy.all as S
>>> S.load_layer("http")
>>> HTTPRequest
<class 'scapy.layers.http.HTTPRequest'>
>>> def filter_get_requests(pkg):
        return pkg.haslayer(HTTPRequest) and pkg[HTTPRequest].Method==b'GET'

>>> s = S.sniff(lfilter=filter_get_requests) 

Then make a GET request to your favorite HTTP site and there you have it :) You can read the whole HTTP layer doc in here.

Answer 2

Yes there is, with the .haslayer function and a bit of parsing:

methods=['GET','POST','HEAD','PUT','DELETE','CONNECT','OPTIONS','TRACE']#Define http methods
s=sniff(1)#sniff one packet to parse you can put this in a loop
a=[]
a.append(s[0])
if a[0].haslayer(TCP):#Checks for TCP protocol
 if a[0].dport == 80:#Checks for http port 80
  if a[0].haslayer(Raw):#Checks if packet has payload
   r=a[0][0][Raw].load
   for i in methods:#Checks if any of the http methods are present in load, if there are it prints to screen
    if i in r:
     print r

Answer 3

Yes, you can. You can filter by TCP port 80 (checking each packet or using BPF) and then check the TCP payload to ensure there is an HTTP header.