
Using Wireshark, I could see the HTML page I was requesting (segment reconstruction). I was not able to use pyshark to do this task, so I turned to Scapy. Using Scapy and sniffing wlan0, I am able to print request headers with this code:

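from scapy.all import *

def http_header(packet):
    # Serialize the packet so the payload can be searched for the method name.
    http_packet = str(packet)
    # str.find() returns -1 (truthy) when absent and 0 (falsy) at offset 0,
    # so test membership instead.
    if 'GET' in http_packet:
        return GET_print(packet)

def GET_print(packet1):
    # Emit the Raw payload only when the packet carries a Raw layer.
    ret = packet1.sprintf("{Raw:%Raw.load%}\n")
    return ret

sniff(iface='wlan0', prn=http_header, filter="tcp port 80")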

Now, I wish to be able to reconstruct the full request to find images and print the HTML page requested.

Paul Roub
Bob Ebert

2 Answers


What you are searching for is

  • IP Packet defragmentation
  • TCP Stream reassembly

see here

scapy

provides best effort ip.defragmentation via defragment([list_of_packets,]) but does not provide generic TCP stream reassembly. Anyway, here's a very basic TCPStreamReassembler that may work for your use case, but it operates on the invalid assumption that a consecutive stream will be split into segments of the max segment size (MSS). It will concatenate segments == MSS until a segment < MSS is found. It will then spit out a reassembled TCP packet with the full payload.

Note: TCP stream reassembly is not trivial, as you have to take care of retransmissions, ordering, ACKs, ...

tshark

According to this answer, tshark has a command-line option equivalent to Wireshark's "follow tcp stream" that takes a pcap and creates multiple output files for all the TCP sessions/"conversations".

Since it looks like pyshark is only an interface to the tshark binary, it should be pretty straightforward to implement that functionality if it is not already implemented.

tintin
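The ordering and retransmission concerns raised in the answer above, shown as an added example that is not part of the original answer and is not Scapy's own code: a sequence-number-based reassembler that makes no MSS assumption, followed by a minimal HTTP response split. The function names, the initial sequence number and the sample response are constructed for illustration, and segments are assumed to belong to one direction of one flow.

```python
# Added example. Segments are (seq, payload) pairs for ONE direction of ONE flow;
# with Scapy they would be (pkt[TCP].seq, bytes(pkt[TCP].payload)).
MOD = 2**32  # TCP sequence numbers wrap at 32 bits

def reassemble(segments, isn):
    """Rebuild the byte stream that starts at isn + 1, stopping at the first gap."""
    first = (isn + 1) % MOD
    # Order by offset from the first data byte, which also handles wraparound.
    ordered = sorted(segments, key=lambda s: (s[0] - first) % MOD)
    stream = bytearray()
    for seq, payload in ordered:
        offset = (seq - first) % MOD
        if offset > len(stream):
            break  # a segment is missing; later data cannot be placed yet
        # Retransmitted or overlapping bytes are skipped (first copy wins).
        stream += payload[len(stream) - offset:]
    return bytes(stream)

def parse_http_response(stream):
    """Return (status_line, headers, body), or None if the headers are incomplete."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", len(rest)))
    return lines[0], headers, rest[:length]

# Constructed sample: one HTML response cut into uneven segments.
ISN = 0xFFFFFFF0  # hypothetical initial sequence number, chosen to force a wrap
BODY = b"<html><body><img src='/a.png'></body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def sample_segments():
    cuts = [0, 10, 37, 60, len(RESPONSE)]
    segs = [((ISN + 1 + a) % MOD, RESPONSE[a:b]) for a, b in zip(cuts, cuts[1:])]
    segs.append(segs[1])                                  # exact retransmission
    segs.append(((ISN + 1 + 30) % MOD, RESPONSE[30:45]))  # partial overlap
    return [segs[3], segs[0], segs[5], segs[4], segs[2], segs[1]]  # out of order

if __name__ == "__main__":
    status, headers, body = parse_http_response(reassemble(sample_segments(), ISN))
    print(status.decode(), headers[b"content-length"].decode())
    print(body.decode())
```

The reassembler stops at the first gap rather than guessing, so a capture with dropped packets yields a truncated stream instead of a corrupted page.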

With Scapy 2.4.3+, you can use

sniff([...], session=TCPSession)

to reconstruct the HTTP packets

Cukic0d