Roman

Reputation: 43

How to import a packet to scapy as a byte stream?

Say I have a single packet as a byte stream. I took it from Wireshark via the "Copy as a byte stream" context menu item. Like this: "6c410ead2be80050568a52d60800450004137bbd40004006419c0a0005342d863cd260ee0540510a37024a9554ff8018014b7d9100000101080a38cdaa36005e4184524553504d4f....." and so on. There is a full stack of layers, from L2 to L7. How do I create a correct packet in scapy from this stuff?

Upvotes: 1

Views: 2865

Answers (2)

Ross Jacobs

Reputation: 3186

In the scapy terminal, you can convert this to a hex string, save as a packet, save as pcap, and then load the packet in the pcap.

>>> wireshark_bytes = "6c410ead2be80050568a52d60800450004137bbd40004006419c0a0005342d863cd260ee0540510a37024a9554ff8018014b7d9100000101080a38cdaa36005e4184524553504d4f4420696361703a2f2f34352e3133342e36302e3231303a313334"
>>> pkt = Ether(bytes.fromhex(wireshark_bytes))
>>> pkt
<Packet  |<Raw  load='lA\x0e\xad+\xe8\x00PV\x8aR\xd6\x08\x00E\x00\x04\x13{\xbd@\x00@\x06A\x9c\n\x00\x054-\x86<\xd2`\xee\x05@Q\n7\x02J\x95T\xff\x80\x18\x01K}\x91\x00\x00\x01\x01\x08\n8\xcd\xaa6\x00^A\x84RESPMOD icap://45.134.60.210:134' |>>
>>> wrpcap('temp.pcap', pkt)
>>> exit()

We can then reload with rdpcap to get the packet parsed:

>>> pkts = rdpcap('temp.pcap')
>>> pkts[0]
<Ether  dst=6c:41:0e:ad:2b:e8 src=00:50:56:8a:52:d6 type=IPv4 |<IP  version=4 ihl=5 tos=0x0 len=1043 id=31677 flags=DF frag=0 ttl=64 proto=tcp chksum=0x419c src=10.0.5.52 dst=45.134.60.210 |<TCP  sport=24814 dport=icap seq=1359623938 ack=1251300607 dataofs=8 reserved=0 flags=PA window=331 chksum=0x7d91 urgptr=0 options=[('NOP', None), ('NOP', None), ('Timestamp', (953002550, 6177156))] |<Raw  load='RESPMOD icap://45.134.60.210:134' |>>>>

Upvotes: 0

Carcigenicate

Reputation: 45726

I was able to get your string parsed (or, at least what of the string you included) as follows:

from scapy.layers.l2 import Ether
from scapy.all import *    # also brings in Ether, rdpcap, wrpcap, ...

# hex stream copied from Wireshark
b = "6c410ead2be80050568a52d60800450004137bbd40004006419c0a0005342d863cd260ee0540510a37024a9554ff8018014b7d9100000101080a38cdaa36005e4184524553504d4f4420696361703a2f2f34352e3133342e36302e3231303a313334"
bs = bytes.fromhex(b)      # hex text -> raw bytes
ether = Ether(bs)          # dissect starting at the Ethernet layer (L2)
ether.show()               # print every decoded layer and its fields

I won't show the output here because it looks like there might be some potentially sensitive information in there? It appears to be parsed fine though. It shows an IP layer with a type of 4, the MAC addresses correspond to a VMWare computer and Cisco device, and other sensical information.

The wildcard import could be avoided by manually importing the layers you need.

Upvotes: 2
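Both answers hand the bytes to scapy's Ether() and let it dissect. As an added cross-check that is not part of either answer and needs no scapy, the following standard-library Python decodes the same hex stream (the full string the answers use), verifies the IPv4 header checksum, and compares the length the IP header declares with the bytes actually present, which is how you tell that a pasted stream was cut short (the "what of the string you included" caveat above).

```python
import struct
from ipaddress import IPv4Address

# Hex stream as posted in the answers above (copied from Wireshark); not constructed.
WIRESHARK_HEX = (
    "6c410ead2be80050568a52d60800450004137bbd40004006419c0a0005342d863cd2"
    "60ee0540510a37024a9554ff8018014b7d9100000101080a38cdaa36005e4184"
    "524553504d4f4420696361703a2f2f34352e3133342e36302e3231303a313334"
)
TCP_FLAG_LETTERS = "FSRPAUECN"  # flag bits 0..8, the letters scapy prints (e.g. "PA")

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header, stored checksum included; 0 means intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dissect(hex_stream: str) -> dict:
    """Decode Ethernet/IPv4/TCP from a Wireshark hex stream and report truncation."""
    raw = bytes.fromhex(hex_stream)
    if len(raw) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _chk, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"not TCP: IP protocol {proto}")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    dataofs = (off_flags >> 12) * 4  # TCP header length including options
    flags = "".join(c for i, c in enumerate(TCP_FLAG_LETTERS) if off_flags & (1 << i))
    payload = tcp[dataofs:]
    declared_payload = total_len - ihl - dataofs  # what the IP header says should follow
    return {
        "eth": {"dst": raw[:6].hex(":"), "src": raw[6:12].hex(":")},
        "ip": {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "len": total_len,
               "id": ip_id, "ttl": ttl, "checksum_ok": ip_checksum(ip[:ihl]) == 0},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
                "window": window, "payload": payload},
        # Fewer payload bytes than the IP header declares: the pasted hex was cut short ("....." in the question).
        "truncated": len(payload) < declared_payload,
        "missing_bytes": max(declared_payload - len(payload), 0),
    }
```

For the string above this reports the same fields scapy shows (src 10.0.5.52, dst 45.134.60.210, sport 24814, flags PA, a valid IP checksum) and that 959 of the 991 declared TCP payload bytes are missing, so the L7 layer can only be partially parsed from it.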
