caw

Reputation: 421

Stripping payload from a tcpdump?

Is there an automated way (either in tcpdump or via a helper app Out There) to generate a pcap file that contains only Ethernet, IP and Layer 4 (TCP in my case) headers, so that there is no payload/application data in the resulting pcap? I've found that since header sizes often vary, it's impossible to pick a capture size that won't catch any payload data.

Upvotes: 8

Views: 19905

Answers (3)

user2938818

Reputation: 1

My solution was as follows. I'd love to hear how others do it without external libraries or truncation. I'd love to hear how others performed this, because I was unable to find the remove_payload() function in the Scapy documentation, making this answer unusable.

from scapy.all import rdpcap, wrpcap, Raw

#read pcap file
pkts = rdpcap("packet-capture.pcap")

#overwrite the payload of every packet that has one with "XXXXXXXXXX"
#(a bytes literal on Python 3; packets without a Raw layer are skipped).
#The IP/TCP length fields keep the values read from the file, which is
#what makes tcpdump report the rewritten packets as truncated.
for pkt in pkts:
    if Raw in pkt:
        pkt[Raw].load = b"XXXXXXXXXX"

#write new pcap
wrpcap("new.pcap", pkts)

The problem with this is that, when read with tcpdump, it leaves a "bytes missing!" message for the src IP. I can verify the information is still there using scapy via

pkts[_packet_num].load

Is there a way to regenerate the whole capture so it looks as if it was unaltered?

Upvotes: -2

Mike Pennington

Reputation: 43077

You can strip out the TCP payload very easily with Python's scapy module.

BEFORE

[mpenning@hotcoffee tshark_wd]$ tcpdump -n -r sample.pcap 
reading from file sample.pcap, link-type EN10MB (Ethernet)
00:25:42.443559 IP 192.168.12.237.1052 > 192.168.12.236.22: Flags [P.], 
    seq 2445372969:2445373021, ack 1889447842, win 63432, length 52
00:25:42.443607 IP 192.168.12.236.22 > 192.168.12.237.1052: Flags [.], 
    ack 52, win 65535, length 0
00:25:42.443980 IP 192.168.12.236.22 > 192.168.12.237.1052: Flags [P.], 
    seq 1:389, ack 52, win 65535, length 388

PAYLOAD STRIPPING

Running this as root in Linux...

#!/usr/bin/env python
from scapy.all import rdpcap, wrpcap, TCP
INFILE = 'sample.pcap'
OUTFILE = 'stripped.pcap'
paks = rdpcap(INFILE)
for pak in paks:
    if TCP in pak:   # ARP, ICMP, UDP etc. have no TCP layer; pak[TCP] would raise IndexError
        pak[TCP].remove_payload()
# IP len and the checksums are left as read from the file, hence the
# "truncated-ip" notices in the tcpdump output below
wrpcap(OUTFILE, paks)

AFTER

[mpenning@hotcoffee tshark_wd]$ tcpdump -n -r stripped.pcap 
reading from file sample.pcap, link-type EN10MB (Ethernet)
00:25:42.443559 IP truncated-ip - 52 bytes missing! 192.168.12.237.1052 
    > 192.168.12.236.22: Flags [P.], seq 2445372969:2445373021, 
    ack 1889447842, win 63432, length 52
00:25:42.443607 IP 192.168.12.236.22 > 192.168.12.237.1052: Flags [.], 
    ack 52, win 65535, length 0
00:25:42.443980 IP truncated-ip - 388 bytes missing! 192.168.12.236.22 
    > 192.168.12.237.1052: Flags [P.], seq 1:389, 
    ack 52, win 65535, length 388

In the tcpdump above, notice the "XX bytes missing!" messages. That is because we have removed the TCP payload.

Upvotes: 10

ILYA Khlopotov

Reputation: 725

If a simple truncate would work for you, you could use:

tcpdump -i eth0 -s 96 -w test1.pcap

Later on you can analyze it with wireshark.

Upvotes: 1
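Both approaches above leave the file in a state tcpdump notices: the scapy script removes the bytes but the IP total length still claims them, which is exactly the "truncated-ip - N bytes missing!" notice shown in Mike Pennington's AFTER output, and a fixed `-s 96` snaplen cannot land on the header boundary because IHL and the TCP data offset differ from packet to packet. The following is an added example, not code from any answer in this thread. It uses only the Python standard library, assumes a little-endian pcap with Ethernet link type (1) carrying IPv4/TCP, and passes anything else (ARP, UDP, IPv6, VLAN-tagged frames) through untouched. Each frame is cut at its own header boundary, then the IP total length, IP header checksum and TCP checksum are rewritten and both pcap record lengths are set to the new size, so the result reads as an unaltered capture of zero-length segments, which is what the question asked for. The three-frame sample capture at the bottom is constructed in code, not a real capture.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
ETH_LEN = 14

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; the field being computed must be zeroed first."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + b"\x00\x06" + struct.pack("!H", len(segment))
    return inet_checksum(pseudo + segment)

def payload_offset(frame: bytes):
    """First TCP payload byte, or None unless Ethernet/IPv4/TCP; IHL and data offset vary per packet."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    tcp_off = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 6 or len(frame) < tcp_off + 20:   # IPv4 protocol 6 = TCP
        return None
    return tcp_off + (frame[tcp_off + 12] >> 4) * 4

def strip_frame(frame: bytes) -> bytes:
    """Cut the TCP payload and rewrite IP total length plus both checksums (no 'truncated-ip')."""
    end = payload_offset(frame)
    if end is None or len(frame) <= end:
        return frame                                  # non-TCP or already payload-free
    tcp_off = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    out = bytearray(frame[:end])
    struct.pack_into("!H", out, ETH_LEN + 2, end - ETH_LEN)   # IPv4 total length
    struct.pack_into("!H", out, ETH_LEN + 10, 0)              # zero, then recompute IP checksum
    struct.pack_into("!H", out, ETH_LEN + 10, inet_checksum(bytes(out[ETH_LEN:tcp_off])))
    struct.pack_into("!H", out, tcp_off + 16, 0)              # same for the TCP checksum
    src, dst = bytes(out[ETH_LEN + 12:ETH_LEN + 16]), bytes(out[ETH_LEN + 16:ETH_LEN + 20])
    struct.pack_into("!H", out, tcp_off + 16, tcp_checksum(src, dst, bytes(out[tcp_off:])))
    return bytes(out)

def pcap_records(data: bytes):
    """Yield (ts_sec, ts_usec, orig_len, frame) for each record of a little-endian pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec, ts_usec, orig_len, data[pos:pos + incl_len]
        pos += incl_len

def strip_pcap(data: bytes) -> bytes:
    """New pcap with every TCP payload removed; incl_len and orig_len both equal the stripped size."""
    out = bytearray(data[:24])
    for ts_sec, ts_usec, _, frame in pcap_records(data):
        new = strip_frame(frame)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(new), len(new)) + new
    return bytes(out)

def inspect_pcap(data: bytes) -> list:
    """Per record: (payload_len, ip_checksum_ok, tcp_checksum_ok), or None if not TCP."""
    rows = []
    for _, _, _, frame in pcap_records(data):
        end = payload_offset(frame)
        if end is None:
            rows.append(None)
            continue
        ip = frame[ETH_LEN:ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4]
        ip_total = struct.unpack("!H", ip[2:4])[0]
        seg = frame[ETH_LEN + len(ip):ETH_LEN + ip_total]
        # a correct checksum verifies to 0 when the stored field is included in the sum
        rows.append((ETH_LEN + ip_total - end, inet_checksum(ip) == 0,
                     tcp_checksum(ip[12:16], ip[16:20], seg) == 0))
    return rows

# Constructed sample capture: three frames shaped like the thread's sample.pcap (not a real capture).
def build_frame(payload: bytes, sport: int, dport: int) -> bytes:
    src, dst = bytes([192, 168, 12, 237]), bytes([192, 168, 12, 236])
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 2445372969, 1889447842, 5 << 4, 0x18, 63432, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp

def build_sample_pcap() -> bytes:
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, (payload, sport, dport) in enumerate([(b"X" * 52, 1052, 22), (b"", 22, 1052), (b"Y" * 388, 22, 1052)]):
        frame = build_frame(payload, sport, dport)
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample_pcap()
    print(inspect_pcap(sample), "->", inspect_pcap(strip_pcap(sample)))
```

On a real file, `strip_pcap(open("sample.pcap", "rb").read())` gives the bytes to write out; `tcpdump -n -r stripped.pcap` then shows `length 0` on every TCP record and no `truncated-ip` notice. Two caveats: recomputing the checksums means the stripped file no longer records what the checksums were on the wire, so keep the original capture if that matters to an investigation, and the parser is deliberately narrow (no pcapng, no big-endian or nanosecond pcap, no VLAN tags or IPv6), so anything it does not recognise is copied through with its payload intact rather than silently mangled.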
