I just followed the following instructions. many thx XD
Prepare a pcap file (HTTP)
root@bt:~# tshark /root/http.pcap -nr Running as user "root" and group "root". This could be dangerous. 1 0.000000 192.168.10.20 -> 192.168.10.11 TCP 43408 > 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSV=6038716 TSER=0 WS=6 2 0.000082 192.168.10.11 -> 192.168.10.20 TCP 80 > 43408 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSV=1215460559 TSER=6038716 WS=7 3 0.000703 192.168.10.20 -> 192.168.10.11 TCP 43408 > 80 [ACK] Seq=1 Ack=1 Win=14656 Len=0 TSV=6038716 TSER=1215460559 4 0.000716 192.168.10.20 -> 192.168.10.11 HTTP GET /index.html HTTP/1.0 5 0.000734 192.168.10.11 -> 192.168.10.20 TCP 80 > 43408 [ACK] Seq=1 Ack=122 Win=5888 Len=0 TSV=1215460560 TSER=6038716 6 0.001400 192.168.10.11 -> 192.168.10.20 HTTP HTTP/1.1 200 OK (text/html) 7 0.001486 192.168.10.11 -> 192.168.10.20 TCP 80 > 43408 [FIN, ACK] Seq=273 Ack=122 Win=5888 Len=0 TSV=1215460560 TSER=6038716 8 0.002151 192.168.10.20 -> 192.168.10.11 TCP 43408 > 80 [ACK] Seq=122 Ack=273 Win=15680 Len=0 TSV=6038717 TSER=1215460560 9 0.002902 192.168.10.20 -> 192.168.10.11 TCP 43408 > 80 [FIN, ACK] Seq=122 Ack=274 Win=15680 Len=0 TSV=6038717 TSER=1215460560 10 0.002912 192.168.10.11 -> 192.168.10.20 TCP 80 > 43408 [ACK] Seq=274 Ack=123 Win=5888 Len=0 TSV=1215460562 TSER=6038717 |
Open http.pcap with the dpkt pcap Reader class
>>> import dpkt >>> f = open('/root/my_works/python_works/http.pcap') >>> pcap = dpkt.pcap.Reader(f) |
Print out the timestamp and data length of each packet
>>> for ts,buf in pcap: ... print ts,len(buf) ... 1306223785.13 74 1306223785.13 74 1306223785.13 66 1306223785.13 187 1306223785.13 66 1306223785.13 338 1306223785.13 66 1306223785.13 66 1306223785.13 66 1306223785.13 66 |
Decode the pcap file's frames with dpkt
>>> for ts,buf in pcap: ... eth = dpkt.ethernet.Ethernet(buf) ... >>> >>> eth Ethernet(src='\x00&U\xe1\xae\xfa', dst='RT\x00oe\xa6', data=IP(src='\xc0\xa8\n\x0b', off=16384, dst='\xc0\xa8\n\x14', sum=57591, len=52, p=6, id=50268, data=TCP(seq=3239948698L, off_x2=128, ack=3287213264L, win=46, sum=14697, flags=16, dport=43408, sport=80))) >>> |
>>> ip = eth.data <- ip >>> tcp = ip.data <- tcp >>> >>> ip IP(src='\xc0\xa8\n\x0b', off=16384, dst='\xc0\xa8\n\x14', sum=57591, len=52, p=6, id=50268, data=TCP(seq=3239948698L, off_x2=128, ack=3287213264L, win=46, sum=14697, flags=16, dport=43408, sport=80)) >>> >>> tcp TCP(seq=3239948698L, off_x2=128, ack=3287213264L, win=46, sum=14697, flags=16, dport=43408, sport=80) >>> >>> ip.src '\xc0\xa8\n\x0b' >>> >>> tcp.seq 3239948698L >>> |
parse HTTP
>>> for ts, buf in pcap: ... eth = dpkt.ethernet.Ethernet(buf) ... ip = eth.data ... tcp = ip.data ... if tcp.dport == 80 and len(tcp.data) > 0: ... http = dpkt.http.Request(tcp.data) ... print http.uri ... print ts ... 1306223785.13 1306223785.13 1306223785.13 /index.html 1306223785.13 1306223785.13 1306223785.13 1306223785.13 1306223785.13 1306223785.13 1306223785.13 >>> |
get only HTTP method
>>> for ts,buf in pcap: ... eth = dpkt.ethernet.Ethernet(buf) ... ip = eth.data ... tcp = ip.data ... if tcp.dport == 80 and len(tcp.data) > 0: ... http = dpkt.http.Request(tcp.data) ... >>> http Request(uri='/index.html') >>> http.method 'GET' >>> http.uri '/index.html' >>> http.version '1.0' >>> http.headers {'host': '192.168.10.11', 'connection': 'Keep-Alive', 'accept': '*/*', 'user-agent': 'Wget/1.12 (linux-gnu)'} |
`len(tcp.data) > 0` eliminates non-HTTP packets that carry no payload, such as SYN, ACK, FIN and RST.
parse HTTP packets
client -------------------------- Apache
-> HTTP request ( tcp src = 43408 , tcp dst = 80 )
<- HTTP response ( tcp src = 80 , tcp dst = 43408 )
>>> for ts,buf in pcap: ... eth = dpkt.ethernet.Ethernet(buf) ... ip = eth.data ... tcp = ip.data ... if tcp.sport == 80 and len(tcp.data) > 0: ... http = dpkt.http.Response(tcp.data) ... >>> http Response(version='1.1') >>> http.version '1.1' >>> http.status '200' >>> http.reason 'OK' >>> http.headers {'content-length': '6', 'accept-ranges': 'bytes', 'server': 'Apache/2.2.3 (CentOS)', 'last-modified': 'Wed, 09 Mar 2011 10:25:26 GMT', 'connection': 'close', 'etag': '"1b60d31-6-49e0a25b01180"', 'date': 'Tue, 24 May 2011 07:56:25 GMT', 'content-type': 'text/html; charset=UTF-8'} >>> http.body 'hello\n' >>> |
HTTP request and response parser.
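#!/usr/bin/env python
"""Parse the HTTP request and response out of a pcap file with dpkt.

Walks every frame in the capture, keeps only IPv4/TCP segments that carry a
payload to or from port 80, and prints the fields of the last request and the
last response that dpkt could decode.  Frames that are not IP/TCP (ARP, ICMP,
UDP, ...) are skipped instead of raising AttributeError, and port-80 payloads
that are not valid HTTP are skipped instead of aborting the run.

Usage: ./http_request_response_parser.py   (reads PCAP_PATH below)
"""
import dpkt

PCAP_PATH = '/root/my_works/python_works/http.pcap'
HTTP_PORT = 80

http_req = None   # last decoded dpkt.http.Request
http_res = None   # last decoded dpkt.http.Response
req_port = None   # tcp.dport of the packet http_req came from
res_port = None   # tcp.sport of the packet http_res came from

# 'rb' matters: a pcap is binary data, and text mode corrupts it on Windows.
with open(PCAP_PATH, 'rb') as f:
    pcap = dpkt.pcap.Reader(f)
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        # Non-IP frames (e.g. ARP) have no transport layer to look at.
        if not isinstance(ip, dpkt.ip.IP):
            continue
        tcp = ip.data
        # Only TCP has sport/dport; an ICMP or UDP payload would raise
        # AttributeError on tcp.dport.
        if not isinstance(tcp, dpkt.tcp.TCP):
            continue
        # Segments without a payload (SYN, ACK, FIN, RST) carry no HTTP.
        if len(tcp.data) == 0:
            continue
        try:
            if tcp.dport == HTTP_PORT:
                http_req = dpkt.http.Request(tcp.data)
                req_port = tcp.dport
            elif tcp.sport == HTTP_PORT:
                http_res = dpkt.http.Response(tcp.data)
                res_port = tcp.sport
        except dpkt.dpkt.UnpackError:
            # Payload on port 80 that is not (complete) HTTP, e.g. a
            # continuation segment or non-HTTP traffic: skip it.
            continue

# HTTP request parser
if http_req is None:
    print("No HTTP request found in " + PCAP_PATH)
else:
    print("\r\n")
    print("HTTP Request\r\n")
    print(req_port)
    print(http_req.method)
    print(http_req.uri)
    print(http_req.version)
    print(http_req.headers)
    print("\r\n")
    print("\r\n")

# HTTP response parser
if http_res is None:
    print("No HTTP response found in " + PCAP_PATH)
else:
    print("HTTP Response\r\n")
    print(res_port)
    print(http_res.status)
    print(http_res.reason)
    print(http_res.version)
    print(http_res.headers)
    print(http_res.body)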
output
root@bt:~/my_works/python_works# ./http_request_response_parser.py The following is HTTP Request 43408 GET /index.html 1.0 {'host': '192.168.10.11', 'connection': 'Keep-Alive', 'accept': '*/*', 'user-agent': 'Wget/1.12 (linux-gnu)'} The following is HTTP Response 80 200 OK 1.1 {'content-length': '6', 'accept-ranges': 'bytes', 'server': 'Apache/2.2.3 (CentOS)', 'last-modified': 'Wed, 09 Mar 2011 10:25:26 GMT', 'connection': 'close', 'etag': '"1b60d31-6-49e0a25b01180"', 'date': 'Tue, 24 May 2011 07:56:25 GMT', 'content-type': 'text/html; charset=UTF-8'} hello |
I used the last code sample, but I have a problem with it.
My error message is:
if tcp.dport == 80 and len(tcp.data)> 0 :
AttributeError : 'ICMP' object has no attribute 'dport'
I am using Windows 7 with Python 2.6.