I'm reading a pcap file using scapy and I am interested in finding anomalies such as unusual TCP flags or HTTP codes like 403, 429 etc.

I am able to find out, using the TCP ports, that this traffic belongs to HTTP, but how do I get the HTTP status codes and the TCP flags?

This is what I have done so far:

from scapy.all import PcapReader, TCP

pList = []
for pkt in PcapReader(pcap):
    # keep every TCP segment to or from port 80 (assumed to be HTTP)
    if TCP in pkt and (pkt[TCP].sport == 80 or pkt[TCP].dport == 80):
        pList.append(pkt)
Cukic0d
aneela

1 Answer

If you use Scapy 2.4.3+, you can enable the HTTP plugin and simplify your code. See:

Also, in order to use the TCPSession to automatically process HTTP packets, I'll use sniff(prn=) rather than PcapReader. They do the same thing.

from scapy.layers.http import *      # HTTP, HTTPRequest, HTTPResponse; binds HTTP to port 80
from scapy.sessions import TCPSession
from scapy.sendrecv import sniff
plist = []

def func(pkt):
    # called on each packet (after TCPSession has reassembled the stream)
    if HTTP in pkt:
        if HTTPResponse in pkt:
            # status codes are only in responses
            status = pkt[HTTPResponse].Status_Code   # bytes, e.g. b'403'
            if int(status) in [403, 429]: # check code
                plist.append(pkt)

# offline= reads the pcap; store=False keeps memory flat on large captures
sniff(offline="./my_file.pcap", prn=func, store=False, session=TCPSession)
Cukic0d
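The answer covers the status-code half of the question; the TCP-flag half is left open. The script below is an added example (not code from the question or the answer) that does both in one pass over a pcap: it labels TCP flag combinations that a well-behaved stack never emits (NULL, XMAS, SYN+FIN, SYN+RST, FIN without ACK) and records 403/429 responses. The detection logic is kept in plain functions so it can be run without a capture; the scapy driver `scan_pcap` assumes scapy 2.4.3+ with the `HTTPResponse` layer, `TCPSession` and `sniff(offline=...)` exactly as used in the answer, and assumes `int(pkt[TCP].flags)` yields the 8-bit flags field. The anomaly names and the 403/429 choice are this example's, not scapy's.

```python
"""Added example: flag odd TCP flag combinations and HTTP 403/429 responses
in a pcap. Pure-Python detection functions plus a scapy driver (assumed:
scapy 2.4.3+ with the HTTP layer and TCPSession, as in the answer above)."""
from collections import Counter
from typing import Optional

# TCP flag bits in header order; assumption: int(pkt[TCP].flags) in scapy
# gives this 8-bit value.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

SUSPICIOUS_STATUS = {403, 429}   # forbidden / rate-limited


def classify_flags(flags: int) -> Optional[str]:
    """Label a TCP flag byte that a normal client or server never sends.
    Returns None for ordinary combinations (SYN, SYN+ACK, ACK, PSH+ACK,
    FIN+ACK, RST, RST+ACK)."""
    flags &= 0xFF
    if flags == 0:
        return "null-scan"                       # no flags at all (nmap -sN)
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "xmas-scan"                       # FIN+PSH+URG, no ACK (nmap -sX)
    if flags & SYN and flags & FIN:
        return "syn+fin"                         # mutually exclusive flags together
    if flags & SYN and flags & RST:
        return "syn+rst"
    if flags & FIN and not flags & ACK:
        return "fin-without-ack"                 # FIN scan (nmap -sF)
    return None


def parse_status_code(raw) -> Optional[int]:
    """Turn scapy's HTTPResponse.Status_Code field (bytes such as b'403')
    into an int; None when the field is missing or not numeric."""
    if raw is None:
        return None
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", "replace")
    text = str(raw).strip()
    return int(text) if text.isdigit() else None


def is_suspicious_status(raw) -> bool:
    """True for the status codes this example treats as anomalies."""
    return parse_status_code(raw) in SUSPICIOUS_STATUS


def scan_pcap(path: str):
    """Walk a pcap with scapy; return a list of (kind, detail) findings and
    a Counter of how often each kind occurred."""
    from scapy.layers.inet import IP, TCP
    from scapy.layers.http import HTTPResponse   # importing binds HTTP to port 80
    from scapy.sessions import TCPSession
    from scapy.sendrecv import sniff

    findings = []

    def on_packet(pkt):
        if TCP in pkt:
            label = classify_flags(int(pkt[TCP].flags))
            if label:
                src = pkt[IP].src if IP in pkt else "?"
                dst = pkt[IP].dst if IP in pkt else "?"
                findings.append((label, f"{src}:{pkt[TCP].sport} -> {dst}:{pkt[TCP].dport}"))
        if HTTPResponse in pkt:
            code = parse_status_code(pkt[HTTPResponse].Status_Code)
            if code in SUSPICIOUS_STATUS:
                findings.append((f"http-{code}", pkt[HTTPResponse].Reason_Phrase))

    # TCPSession reassembles multi-segment HTTP messages before prn sees them;
    # flags-only segments (SYN, FIN, RST) carry no payload and pass straight through.
    sniff(offline=path, prn=on_packet, store=False, session=TCPSession)
    return findings, Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    import sys
    found, totals = scan_pcap(sys.argv[1])
    for kind, detail in found:
        print(kind, detail)
    print(dict(totals))
```

Run it as `python scan.py capture.pcap`. Note that `classify_flags` deliberately treats a bare RST, and RST+ACK, as normal: a host refusing a connection or tearing one down produces them all day, so counting them as anomalies would drown the real signal.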