
I am using pyshark to parse .pcap files, specifically with HTTP packets. Unlike in Wireshark, where it shows the \r\n\r\n bytes at the end of the HTTP header, pyshark does not show them and instead shows a single \r\n.

Is there any way to properly parse the HTTP layer of the packet to display the \r\n\r\n's? If so, how? I have done a fair amount of searching through the web, but the sources are limited and do not answer my question.

Also, with pyshark, the headers do not come in the same order as seen in Wireshark. Is there any reason for that as well?

Python code

#!/usr/bin/env python3

import pyshark

packets = []
# FileCapture is a lazy iterator over the pcap; every packet is parsed by tshark
# and kept here so it can be inspected after the capture is closed.
with pyshark.FileCapture('testing-mutillidae1.pcap') as capture:
    for pkt in capture:                 # storing packets in list
        packets.append(pkt)

print(packets[3])                       # printing packet details of packet no. 4 (list is 0-indexed)

HTTP header

I have included the full output of the packet on pastebin: https://pastebin.com/qxjxY6Hw. Since it is too long, I have added only the HTTP layer in this question.

Layer HTTP:
        GET /mutillidae/index.php?page=add-to-your-blog.php HTTP/1.1\r\n
        Expert Info (Chat/Sequence): GET /mutillidae/index.php?page=add-to-your-blog.php HTTP/1.1\r\n
        GET /mutillidae/index.php?page=add-to-your-blog.php HTTP/1.1\r\n
        Severity level: Chat
        Group: Sequence
        Request Method: GET
        Request URI: /mutillidae/index.php?page=add-to-your-blog.php
        Request URI Path: /mutillidae/index.php
        Request URI Query: page=add-to-your-blog.php
        Request URI Query Parameter: page=add-to-your-blog.php
        Request Version: HTTP/1.1
        Host: 10.0.2.13\r\n
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
        Accept-Language: en-US,en;q=0.5\r\n
        Accept-Encoding: gzip, deflate\r\n
        Referer: http://10.0.2.13/mutillidae/index.php\r\n
        Connection: keep-alive\r\n
        Cookie: showhints=0; PHPSESSID=511be46cfd6922ff8sqqhtqmbn\r\n
        Cookie pair: showhints=0
        Cache-Control: max-age=0\r\n
        Full request URI: http://10.0.2.13/mutillidae/index.php?page=add-to-your-blog.php
        HTTP request 1/1
        \r\n
        Upgrade-Insecure-Requests: 1\r\n
        Cookie pair: PHPSESSID=511be46cfd6922ff8sqqhtqmbn

Here is the screenshot on my wireshark (I cannot post pictures yet)

  • Please provide a minimal code and pcap which shows your problem. My guess is that the problem is not pyshark but how you use it - only this is unknown. – Steffen Ullrich Jul 10 '21 at 12:20
  • @SteffenUllrich Thanks, I have now added the code and output. – xplo1t Jul 10 '21 at 14:54
  • 1
    I'm not sure what your problem is. Wireshark shows a single `\r\n` as end of header as does your output. The preceding `\r\n` is part of the `Cache-Control: max-age=0\r\n` field in the HTTP header, both in the image from Wireshark and also in the output from your code. – Steffen Ullrich Jul 10 '21 at 15:18
  • I see now. The headers being out of order was confusing me. – xplo1t Jul 10 '21 at 22:18
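As an added example (not part of the question, the comments, or pyshark itself), the following rebuilds the request from the headers shown above as raw wire bytes and parses it the way a client or server does: the header block ends at the first `\r\n\r\n`, and those four bytes are the last field's own CRLF followed by the empty line's CRLF, which is the point made in the comment above. Parsing the raw bytes also keeps the headers in wire order, whereas the pyshark layer output follows tshark's field tree and interleaves derived fields (`Expert Info`, `Cookie pair`, `Full request URI`). The header order in the constructed sample is an assumption, since the screenshot is not on the page; `hex_payload_to_bytes` assumes the colon-separated hex form in which pyshark exposes `pkt.tcp.payload` when tshark shows that field.

```python
# Added example: parse an HTTP/1.x request from its raw wire bytes, keeping the
# wire order of the headers and making the header terminator explicit.
from typing import List, Optional, Tuple

# Constructed sample: the request from the question as it would appear on the
# wire. Header order is assumed; every field ends with CRLF and the header
# block is closed by an empty line, which is where the second CRLF comes from.
SAMPLE_REQUEST = (
    b"GET /mutillidae/index.php?page=add-to-your-blog.php HTTP/1.1\r\n"
    b"Host: 10.0.2.13\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Referer: http://10.0.2.13/mutillidae/index.php\r\n"
    b"Connection: keep-alive\r\n"
    b"Cookie: showhints=0; PHPSESSID=511be46cfd6922ff8sqqhtqmbn\r\n"
    b"Upgrade-Insecure-Requests: 1\r\n"
    b"Cache-Control: max-age=0\r\n"
    b"\r\n"
)

HEADER_END = b"\r\n\r\n"


def hex_payload_to_bytes(hex_payload: str) -> bytes:
    """Convert the colon-separated hex string pyshark returns for a TCP payload
    (assumed form, e.g. "47:45:54") into raw bytes."""
    return bytes.fromhex(hex_payload.replace(":", ""))


def split_message(raw: bytes) -> Optional[Tuple[bytes, List[Tuple[str, str]], bytes]]:
    """Split an HTTP/1.x message into (start line, headers in wire order, body).

    Returns None when the header block is not terminated, which is what a
    truncated or mid-stream capture looks like."""
    end = raw.find(HEADER_END)
    if end == -1:
        return None
    head, body = raw[:end], raw[end + len(HEADER_END):]
    lines = head.split(b"\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        # latin-1 maps every byte 1:1, so odd header bytes never raise
        headers.append((name.decode("latin-1"), value.strip().decode("latin-1")))
    return start_line, headers, body


def terminator_breakdown(raw: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (last header field including its own CRLF, the empty line).

    Concatenating the two pieces gives the \\r\\n\\r\\n seen in Wireshark; the
    first CRLF belongs to the last field, only the second is the empty line."""
    end = raw.find(HEADER_END)
    if end == -1:
        return None
    head = raw[:end]
    last_field = head.rsplit(b"\r\n", 1)[-1] + b"\r\n"
    empty_line = b"\r\n"
    return last_field, empty_line


if __name__ == "__main__":
    start, headers, body = split_message(SAMPLE_REQUEST)
    print(start.decode())
    for name, value in headers:            # printed in wire order
        print(f"{name}: {value}")
    last_field, empty_line = terminator_breakdown(SAMPLE_REQUEST)
    print(repr(last_field), "+", repr(empty_line))
```

Running the block prints the headers in the order they were sent and shows `b'Cache-Control: max-age=0\r\n' + b'\r\n'`, i.e. the same bytes the question describes as a "single \r\n" after the last field. If the real payload is taken from a capture, feed `hex_payload_to_bytes(pkt.tcp.payload)` to `split_message` instead of the constructed sample; a `None` result means the header block was split across segments and the stream needs reassembling first.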
