
I'm trying to parse a pcap file with scapy (in Python), and I'm getting raw data at the layer above TCP. In Wireshark, all the layers are shown correctly: [Wireshark screenshot]

but in scapy all I'm seeing is just a Raw layer... [scapy screenshot]

I'm thinking maybe it didn't parse the packet well? Maybe the NetBIOS module did not load? Or maybe I didn't import the module right? (I tried: `import scapy.all`, `import scapy`, `import scapy.layers.smb`.) How do I make scapy load the layers of the packet correctly?

thanks!

ToMeRh
  • Can you show us your code and possibly packet data? – Mark R. Feb 15 '15 at 10:57
  • Hey! I just sniffed some traffic from my home network; the code at the Python interpreter was just creating a PcapReader with the pcap file and showing its first packet... – ToMeRh Feb 16 '15 at 11:59
  • @ToMeRh Did you find a solution to your problem? – 1337 Nov 18 '18 at 12:03

1 Answer


If someone has a similar problem… you need something like `packet[TCP].decode_payload_as(NBTSession)`

And then you will get the layers decoded by scapy:

    packet[TCP].show()

    ###[ TCP ]###
      sport     = microsoft_ds

      options   = []
    ###[ NBT Session Packet ]###
         TYPE      = Session Message
         RESERVED  = 0
         LENGTH    = 4873
    ###[ SMBNegociate Protocol Request Header ]###
            Start     = '\xfeSMB'
            Command   = 64
            Error_Class= 0
            Reserved  = 1
            Error_code= 0
            Flags     = 0
            Flags2    = 0
            PIDHigh   = 5
            Signature = 0
            Unused    = 0
            TID       = 183
            PID       = 0
            UID       = 0
            MID       = 0
            WordCount = 0
            ByteCount = 0
    ###[ SMB Negotiate Protocol Request Tail ]###
               BufferFormat= 0
               BufferData= '\x03'

Also, after that you can try to decode the packet with the different classes:

    # the scapy class shown as "SMBNegociate Protocol Request Header" in the output above
    packet.decode_payload_as(SMBNegociate_Protocol_Request_Header)
Cabbo
  • A better answer would be to bind the TCP port you are using to the SMB packet yourself. Scapy does not register all possible ports by default. See `bind_layers` – Cukic0d Feb 27 '20 at 16:22
  • @Cukic0d Do you mean something like this? `bind_layers(TCP, smb, sport=445) bind_layers(TCP, smb, dport=445)` I get an error: `AttributeError: module 'scapy.layers.smb' has no attribute '_overload_fields'` – Cabbo Feb 28 '20 at 12:05
  • It's not going to be "smb" but a real packet class. Because SMB's upper layer is NetBIOS, have a look at the scapy/layers/netbios.py file in scapy's source code. You just have to mimic the bindings at the bottom for your own protocol. – Cukic0d Feb 28 '20 at 14:43