kbb
Reputation: 3415
Parsing Modbus packets in pcap file using Scapy
I am new to Scapy. I am trying to parse Modbus packets in a pcap file using scapy.contrib.modbus. I am however successful. I want to at least identify request and response packets based on the library. Below is the link for the pcap file:
https://github.com/tjcruz-dei/ICS_PCAPS/releases/download/MODBUSTCP%231/captures1.zip
Below is the sample code (doesn't work by the way):
from scapy.all import *
import scapy.contrib.modbus as mb
for pkt in PcapReader("captures1/clean/eth2dump-clean-0,5h_1.pcap"):
if pkt['TCP'].sport == 502:
pkt = mb.ModbusADUResponse(pkt)
print(type(pkt))
Kindly assist. Thank you.
Upvotes: 1
Views: 2528
Answers (1)
fgagnaire
Reputation: 898
the code is actually much simpler than you think:
import scapy.all as scapy
import scapy.contrib.modbus as mb
for pkt in scapy.PcapReader("eth2dump-clean-0,5h_1.pcap"):
if mb.ModbusADUResponse in pkt:
pkt.show()
let's got the detail of why/how it works. scapy has a few relationship between protocol to help decode.
in you case: https://github.com/secdev/scapy/blob/master/scapy/contrib/modbus.py#L948 is linking TCP.port 502 to ModbusADUResponse
Upvotes: 1
Related Questions
- Reading PCAP file with scapy
- trying to build a MODBUS packet with scapy
- Reading part of pcap file in Scapy
- Extract specific bytes in payload from a pcap file using scapy
- Parsing the pcap file through scapy
- iterate through pcap file packet for packet using python/scapy
- Get specific bytes in payload from a pcap file
- Python Scapy and read a pcap in reverse mode
- Parse packet bytes using Scapy
- Help in scapy and pcapy