I am trying to read a PCAP file using Scapy with an HTTP layer request, and there is no output. The expected output should be:

"192.168.1.70 just requested a GET 192.168.1.68:8060/dial/dd.xml"

Any help will be really appreciated. Thank You.

try:
    from scapy.all import * 
except ImportError:
    import scapy

try:
    import scapy_http.http
except ImportError:
    from scapy.layers import http



packet = rdpcap('lo.pcap')

for p in packet:
    if not packet.haslayer('HTTPRequest'):
        return
    http_layer= packet.getlayer('HTTPRequest').fields
    ip_layer = packet.getlayer('IP').fields
    print('\n{0[src]} just  requested a {1[Method]} {1[Host]}{1[Path}]}'.format(ip_layer,http_layer))
Alcie Smith

1 Answer

You mostly had it, but there was a mix-up with your variable names, so I renamed the first packet to packets and p to packet in the for statement. Also, the return statement was incorrect: you needed a continue. It's useful to know that one can use 'HTTPRequest' interchangeably with scapy_http.http.HTTPRequest in the get/haslayer() calls. Here's a fixed version:

packets = rdpcap('lo.pcap')

for packet in packets:
    if not packet.haslayer('HTTPRequest'):
        continue
    http_layer= packet.getlayer('HTTPRequest').fields
    ip_layer = packet.getlayer('IP').fields
    print('\n{0[src]} just requested a {1[Method]} {1[Host]}{1[Path]}'.format(ip_layer,http_layer))

Update: Scapy now has built-in support for handling HTTP sessions (the scapy_http package is now deprecated). Sessions are not actually needed for extracting HTTP requests for this application (so you can omit the session=TCPSession), but they can be useful for extracting multipacket responses. So this can be done more simply (though one now needs to decode/convert the bytes to strings):

from scapy.layers.http import HTTPRequest
from scapy.all import *    
sniff(offline='lo.pcap', session=TCPSession, prn=lambda x: f'{x[IP].src} just requested a {x[HTTPRequest].Method.decode("utf-8")} {x[HTTPRequest].Host.decode("utf-8")}{x[HTTPRequest].Path.decode("utf-8")}' if x.haslayer(HTTPRequest) else None)
Pierz