5

I parse a pcap file with Scapy in Python, and there is a TCP packet in that pcap for which I want to know the answer packet. How can I do that?

For example, a client and server TCP stream:

client -> server : "hi"
server -> client : "how are you"

When I get the "hi" packet (with Scapy), how can I get "how are you"?

paramikoooo

1 Answer

2

Look at the TCP sequence number of the message from the client. Call this SeqC.

Then look for the first message from the client whose TCP acknowledgement sequence is higher than SeqC (usually it will be equal to SeqC plus the size of the client's TCP payload). Call this PacketS1.

Starting with PacketS1, collect the TCP payloads from all packets until you see a packet sent by the server with the TCP PSH (push) flag set. This suggests the end of the application-layer message. Call these payloads PayloadS1 to PayloadSN.

Concatenate PayloadS1 to PayloadSN. This is the likely application-layer response to the client message.

John Zwinck
  • Thank you for your reply, but I didn't understand: how can I do that in Scapy Python? – paramikoooo Dec 06 '20 at 11:31
  • The TCP sequence number which I called `SeqC` you can get from Scapy using `pkt[TCP].seq`. The ack number which I called `PacketS1` you can get using `pkt[TCP].ack`. Do you know how to load packets in Scapy so you can do `pkt[TCP]` to get the headers? – John Zwinck Dec 07 '20 at 06:04
  • I didn't get you. Can you write simple Python code to implement that? – paramikoooo Dec 28 '20 at 12:30
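
The procedure from the answer above, as an added example that is not code from either poster. The names `Seg`, `load_segments` and `response_to` are hypothetical, and the sample segments are constructed. Assumptions: PacketS1 is taken to be the first segment travelling from the server back to the client, the capture is IPv4, and sequence numbers do not wrap within the exchange.

```python
from collections import namedtuple

# One TCP segment, reduced to the fields the procedure needs.
Seg = namedtuple("Seg", "src sport dst dport seq ack flags payload")
PSH = 0x08  # TCP PSH flag bit

def load_segments(path):
    """Read a pcap with Scapy and reduce each IPv4/TCP packet to a Seg."""
    from scapy.all import rdpcap, IP, TCP, Raw  # needs Scapy installed
    segs = []
    for pkt in rdpcap(path):
        if IP in pkt and TCP in pkt:
            ip, tcp = pkt[IP], pkt[TCP]
            data = bytes(pkt[Raw].load) if Raw in pkt else b""
            segs.append(Seg(ip.src, tcp.sport, ip.dst, tcp.dport,
                            tcp.seq, tcp.ack, int(tcp.flags), data))
    return segs

def response_to(segs, i):
    """Return the likely reply to segs[i] (the client's message) as bytes."""
    c = segs[i]                                   # c.seq is SeqC
    reply_dir = (c.dst, c.dport, c.src, c.sport)  # server -> client
    parts, seen, started = [], set(), False
    for s in segs[i + 1:]:
        if (s.src, s.sport, s.dst, s.dport) != reply_dir:
            continue                              # other flow, or client side
        if not started:
            if s.ack <= c.seq:                    # does not acknowledge the request
                continue
            started = True                        # this segment is PacketS1
        if s.payload and s.seq not in seen:       # skip retransmissions
            seen.add(s.seq)
            parts.append((s.seq, s.payload))
        if s.flags & PSH:                         # likely end of the message
            break
    return b"".join(p for _, p in sorted(parts))  # PayloadS1..PayloadSN

# Constructed sample: the "hi" / "how are you" stream plus unrelated traffic.
C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
SAMPLE = [
    Seg(*C, *S, 1000, 5000, 0x18, b"hi"),
    Seg(*S, *C, 5000, 1002, 0x10, b""),           # bare ACK
    Seg("10.0.0.3", 1234, *S, 7, 9, 0x18, b"noise"),
    Seg(*S, *C, 5000, 1002, 0x10, b"how are"),
    Seg(*S, *C, 5000, 1002, 0x10, b"how are"),    # retransmission
    Seg(*S, *C, 5007, 1002, 0x18, b" you"),       # PSH set
    Seg(*C, *S, 1002, 5011, 0x18, b"bye"),
    Seg(*S, *C, 5011, 1005, 0x18, b"later"),
]
```

With a real capture, call `response_to(load_segments("capture.pcap"), i)`, where `i` is the index of the client packet of interest and `capture.pcap` is a placeholder path.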