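from scapy.all import rdpcap, Raw

pcap = rdpcap(".pcap file")

for pkt in pcap:
    if Raw in pkt:
        # Raw holds the undissected TCP payload (HTTP headers plus body)
        f = pkt[Raw]
        print(f)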

The above code gives the output as shown below:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/html; charset=utf-8
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Sat, 30 Mar 2013 19:23:33 GMT
Content-Length: 15534
Accept-Encoding: gzip, deflate

?}k{?H????+0?#!?,_???$?:?7vf?w?Hb???ƊG???9???/9U?\$;3{9g?ycAӗ???????W{?o?~?FZ?e ]>??<??n????׻?????????d?t??a?3?
?2?p??eBI?e??????ܒ?P??-?Q?-L?????ǼR?³?ׯ??%'
?2Kf?7???c?Y?I?1+c??,ae]?????<{?=ƞ,?^?J?ď???y??6O?_?z????_?ޞ~?_?????Bo%]???_?????W=?

How can I remove the headers such that the output is just:

?}k{?H????+0?#!?,_???$?:?7vf?w?Hb???ƊG???9???/9U?\$;3{9g?ycAӗ???????W{?o?~?FZ?e ]>??<??n????׻?????????d?t??a?3?
?2?p??eBI?e??????ܒ?P??-?Q?-L?????ǼR?³?ׯ??%'
?2Kf?7???c?Y?I?1+c??,ae]?????<{?=ƞ,?^?J?ď???y??6O?_?z????_?ޞ~?_?????Bo%]???_?????W=?
Mark

1 Answer

  1. Make sure you are using Scapy 2.4.3
  2. Load the http layer before reading the pcap: from scapy.layers.http import *
  3. Read the pcap
  4. You'll get the output you're looking for as the raw layer

Note: you can turn off auto decompression using

conf.contribs["http"]["auto_compression"] = False

Moreover it's possible to automatically match the fragments / chunks (not used here). See sniff with "TCPSession" at https://scapy.readthedocs.io/en/latest/layers/http.html

Cukic0d
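For inspecting what is being stripped, the following added example (not code from the question, the answer, or Scapy) does the header/body split and gzip decoding by hand with only the standard library, and reports when the body is incomplete because it spans more TCP segments than were supplied. The function names and the sample response are constructed for illustration; `segments` is assumed to be the Raw payloads of one response in sequence order.

```python
import gzip
import zlib

def split_http_response(payload):
    """Return (headers, body) for raw bytes that begin an HTTP/1.x response,
    or (None, payload) for a continuation segment with no header block."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None, payload
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body

def extract_body(segments):
    """segments: TCP payloads of one response, in sequence order.
    Returns (decoded_body, complete)."""
    headers, body = split_http_response(b"".join(segments))
    if headers is None:
        raise ValueError("stream does not start with a full HTTP header block")
    expected = int(headers.get("content-length", len(body)))
    complete = len(body) >= expected
    body = body[:expected]
    if headers.get("content-encoding", "").lower() == "gzip":
        # 16 + MAX_WBITS selects the gzip container; a decompressobj returns
        # what it can from a truncated stream instead of raising.
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        body = d.decompress(body)
        complete = complete and d.eof
    return body, complete

def sample_segments(size=256):
    """Constructed sample: a gzip-encoded response cut into TCP-sized pieces."""
    html = b"<html>" + b"".join(b"<p>row %d</p>" % i for i in range(300)) + b"</html>"
    gz = gzip.compress(html)
    wire = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(gz)) + gz
    return html, [wire[i:i + size] for i in range(0, len(wire), size)]

if __name__ == "__main__":
    html, segs = sample_segments()
    print(split_http_response(segs[0])[0])          # headers of first packet
    print(extract_body(segs)[1], extract_body(segs[:-1])[1])
```

With a Content-Length as large as the 15534 bytes in the question, a single packet's Raw payload holds only the first part of the body, so the `complete` flag stays false until every segment of the response is supplied.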