Stefan Wobbe

Reputation: 193

SCAPY: How to skip bytes when dissecting a packet?

I am working with SCAPY for dissecting network packets. Some of them have a lot of random padding between strings.

Is there a way to tell SCAPY to just "skip the next 4 bytes after this field"? Currently I am using a StrFixedLen field for every one of them and it just blows up the output and is very space consuming, and distracting...

I can't use the padded fields because I need to provide a padding byte, but in my case the padding consists of random bytes.

Thanks for any advice!

EDIT: here is an example of a packet:

\x01\x07\x08\x01
\x13
ThisIsAString

\x02\x04\x01\x01
\x10
AnotherOne

The packet is TLV ordered, so the 4-bytes are the Tag, the 5th one is the Length of the string, and then there's the Value (string). As there are many tags and I am not and will not be able to distinguish them all, I just want to extract the Length and Value (the string) parts of the packet data. So I want to ignore the 4-byte Tags. Currently I am doing this by declaring a StrLenField which just reads 4 bytes. But this is obviously then shown in the summary of the packet, because it's interpreted as a legitimate field. But I just want to have it ignored, so that SCAPY just skips the 4 bytes of a TLV-field when dissecting.

EDIT 2:

Here is a code snippet of what I am currently doing vs what I want to do:

StrFixedLenField("Padding_1", None, length=4),
FieldLenField("Field_1_Length", None, length_of="Field_1"),
StrLenField("Field_1", "", length_from=lambda x: x.Field_1_Length),

StrFixedLenField("Padding_2", None, length=4),
FieldLenField("Field_2_Length", None, length_of="Field_2"),
StrLenField("Field_2", "", length_from=lambda x: x.Field_2_Length)

Instead of the StrFixedLenField I'd like to have something like skip_bytes(4) so that SCAPY completely ignores these bytes.

Upvotes: 1

Views: 780

Answers (1)

Stefan Wobbe

Reputation: 193

Based on this GitHub fork, in which the author added a functionality that is somewhat similar to what I was searching for, I found a solution.

I added a class to fields.py that just inherits from the field class that I want to hide, which in my case is StrFixedLenField:

class StrFixedLenFieldHidden(StrFixedLenField):
    pass

Then in packet.py in the definition of _show_or_dump(...) in the for loop which iterates through the fields of the packets, I added this:

        for f in self.fields_desc:
            if isinstance(f, StrFixedLenFieldHidden):
                continue
            ...

By this, Scapy just ignores the field when doing the summary. In my case it was also important to hide the fields in the PDF dump. This can be done by adding the same lines to the for loop in the do_ps_dump(...) function in packet.py.

Keep in mind that now when running .show() or .show2() Scapy will not show these fields anymore, ALTHOUGH they are still there, so the packet will be properly assembled when sending the packet with sr(...) or whatever.

Upvotes: 1
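When only the strings are needed, the TLV layout from the question (4-byte tag, 1-byte length, value) can also be walked in plain Python with the tags discarded. This is an added example, not code from the question or the answer; the names `iter_values`, `extract_strings` and `TruncatedTLV` are hypothetical, and the sample bytes are constructed with length bytes equal to the actual string lengths.

```python
TAG_LEN = 4  # tag bytes to skip per record, per the layout in the question


class TruncatedTLV(ValueError):
    """A record claims more bytes than the buffer actually holds."""


def iter_values(data, tag_len=TAG_LEN):
    """Yield (record_offset, value_bytes) for each TLV record, ignoring the tag."""
    pos, end = 0, len(data)
    while pos < end:
        header_end = pos + tag_len + 1  # tag plus the single length byte
        if header_end > end:
            raise TruncatedTLV(f"header cut short at offset {pos}")
        length = data[header_end - 1]
        value_end = header_end + length
        # Never trust the length byte: random padding or a malformed packet
        # can make it point past the end of the buffer.
        if value_end > end:
            raise TruncatedTLV(
                f"record at offset {pos} claims {length} bytes, "
                f"only {end - header_end} remain"
            )
        yield pos, data[header_end:value_end]
        pos = value_end


def extract_strings(data):
    """Return the value of every record as text; non-ASCII bytes are replaced."""
    return [v.decode("ascii", errors="replace") for _, v in iter_values(data)]


# Constructed sample: two records shaped like the ones in the question.
SAMPLE = (
    b"\x01\x07\x08\x01" + b"\x0d" + b"ThisIsAString"
    + b"\x02\x04\x01\x01" + b"\x0a" + b"AnotherOne"
)

if __name__ == "__main__":
    print(extract_strings(SAMPLE))
```
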
