Reputation: 21
I need a function that can extract the payload to identify whether any plaintext is within any HTTP packets.
The code below extracts the payload from a PCAP file; however, it seems it actually sniffs the first 1000 and then extracts the payload.
How would I go about rewriting this so that I parse an existing PCAP rather than sniff and extract the payload on the go?
os.system('tshark -T fields -e _ws.col.Info -e http -e frame.time -e data.data -w WeMo_Data.pcap > WeMo_Data.txt -c 1000')
import os
from kamene.all import *
import subprocess
# Imported module
from getHTTPHeaders import HTTPHeaders, extractText

data = "WeMo.pcap"
a = rdpcap(data)
os.system('tshark -T fields -e _ws.col.Info -e http -e frame.time -e data.data -w Eavesdrop_Data.pcap > Eavesdrop_Data.txt -c 1000')
sessions = a.sessions()
carved_texts = 1
for session in sessions:
    http_payload = ""
    for packet in sessions[session]:
        try:
            if packet[TCP].dport == 80 or packet[TCP].sport == 80:
                http_payload += str(packet[TCP].payload)
        except:
            pass
    headers = HTTPHeaders(http_payload)
    if headers is None:
        continue
    text = extractText(headers, http_payload)
    if text is not None:
        print(text)
Here are the other 2 functions that I imported
import re
import zlib

def HTTPHeaders(http_payload):
    try:
        # isolate headers
        headers_raw = http_payload[:http_payload.index("\r\n\r\n") + 2]
        regex = r"(?:[\r\n]{0,1})(\w+\-\w+|\w+)(?:\ *:\ *)([^\r\n]*)(?:[\r\n]{0,1})"
        headers = dict(re.findall(regex, headers_raw, re.UNICODE))
        print(headers)
    except:
        return None
    # this check was unreachable in the original, which returned inside the try
    if 'Content-Type' not in headers:
        return None
    return headers

def extractText(headers, http_payload):
    text = None
    try:
        if 'text/plain' in headers['Content-Type']:
            text = http_payload[http_payload.index("\r\n\r\n") + 4:]
            try:
                # Content-Encoding (what the server sent), not Accept-Encoding (what the client asked for)
                if "Content-Encoding" in headers:
                    if headers['Content-Encoding'] == "gzip":
                        text = zlib.decompress(text, 16 + zlib.MAX_WBITS)
                    elif headers['Content-Encoding'] == "deflate":
                        text = zlib.decompress(text)
            except:
                pass
    except:
        return None
    return text
Any help would be great!
Upvotes: 0
Views: 3738
Reputation: 5411
I see what you did there (https://medium.com/@vworri/extracting-the-payload-from-a-pcap-file-using-python-d938d7622d71)
Though honestly this article isn't great. What I'd advise you to do is to simply use Scapy 2.4.3 and enable HTTP decoding using
from scapy.layers.http import *
or
load_layers("http")
You could just then do
from scapy.all import *  # provides sniff, TCPSession and Raw

for sess in sniff(offline="WeMo.pcap", session=TCPSession).sessions().values():
    for packet in sess:
        # Use TCPSession to automatically rebuild HTTP packets
        if HTTP in packet and Raw in packet:
            # packet is HTTP and has payload
            http_payload = packet[Raw]
Basically all you have to do is remove the part where it calls tshark... you probably should take the time to understand the code you copy-pasted :P
Upvotes: 1
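An added example, not code from the question or the answer above, that does the part both leave to the reader: walking the reassembled server-to-client stream response by response, keeping only text/* bodies, and undoing chunked framing and Content-Encoding (the pasted helper tested Accept-Encoding, which is the client's request header, and passed a str to zlib). It assumes Python 3.8+; plaintext_from_pcap additionally assumes Scapy is installed, and SAMPLE_STREAM is a constructed input, not a real capture.

```python
import gzip, zlib

def decode_body(headers, body):
    """Undo chunked framing, then Content-Encoding (the server's header; the question's code tested Accept-Encoding)."""
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        out, pos = b"", 0
        while True:
            eol = body.find(b"\r\n", pos)
            size = int(body[pos:eol].split(b";")[0], 16)   # hex chunk size, optional ;extensions
            if size == 0:
                break
            out += body[eol + 2:eol + 2 + size]
            pos = eol + 4 + size                             # skip the data and its trailing CRLF
        body = out
    enc = headers.get(b"content-encoding", b"").lower()
    if enc == b"gzip":
        body = gzip.decompress(body)
    elif enc == b"deflate":
        body = zlib.decompress(body)
    return body

def extract_plaintext(stream):
    """Yield decoded text/* response bodies from one direction of a reassembled TCP stream (bytes)."""
    pos = 0
    while (sep := stream.find(b"\r\n\r\n", pos)) >= 0:
        head, start = stream[pos:sep], sep + 4
        headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(b":") for ln in head.split(b"\r\n")[1:])}
        end = len(stream)                                     # default: body runs to connection close
        if b"content-length" in headers:
            end = start + int(headers[b"content-length"])
        elif b"chunked" in headers.get(b"transfer-encoding", b"").lower():
            last = stream.find(b"\r\n0\r\n\r\n", start - 2)   # "0\r\n\r\n": final chunk + end of trailers
            end = len(stream) if last < 0 else last + 7
        body, pos = stream[start:end], end
        if head.startswith(b"HTTP/") and headers.get(b"content-type", b"").lower().startswith(b"text/"):
            yield decode_body(headers, body).decode("utf-8", "replace")

def plaintext_from_pcap(path):
    """Scapy feeder (Scapy assumed installed; imported here so the parser above runs without it)."""
    from scapy.all import rdpcap, TCP
    for pkts in rdpcap(path).sessions().values():   # capture order only: no seq reordering, unlike TCPSession
        yield from extract_plaintext(b"".join(bytes(p[TCP].payload) for p in pkts if TCP in p))
# Constructed sample (not from a real capture): the server->client half of one connection
_GZ = gzip.compress(b"<p>secret</p>")
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 3\r\n\r\n\x89PN"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nTransfer-Encoding: chunked\r\nContent-Encoding: gzip\r\n\r\n"
    + b"%x\r\n" % len(_GZ) + _GZ + b"\r\n0\r\n\r\n"
)
```

Running `list(extract_plaintext(SAMPLE_STREAM))` gives `['hello', '<p>secret</p>']`; the PNG response is skipped on Content-Type rather than by guessing at the bytes.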