
I am creating a tool to capture packets in Python. I want to use dpkt.http.Response and dpkt.http.Request together. The purpose is to detect erroneous packets and get the information from the pcap from Request to Response.

However, Response does not work.

Please tell me why. And if this is the wrong way to do it, please tell me the right way. Thanks in advance.

```python
import pcap
import re
import dpkt

nonErrorCode=['200']

sniffer = pcap.pcap(name='cali7f35c4176d5@if3',promisc=True,immediate=True,timeout_ms=50)
sniffer.setfilter('tcp and port 80') # set packet filter

for t, p in sniffer:
    eth = dpkt.ethernet.Ethernet(p)
    ip = eth.data
    tcp = ip.data

    try:
        if len(tcp.data) > 0:
            if 80 == tcp.dport:
                print(f'request : {tcp.data}')
                req = dpkt.http.Request(tcp.data)
                print(f'req : {repr(req)}')

            if 80 == tcp.sport:
                print(f'response : {tcp.data}')
                res = dpkt.http.Response(tcp.data)
                print(f'res : {repr(res)}')

    except:
        pass
```

Result

```
request : b'GET / HTTP/1.1\r\nHost: 10.80.69.40:30003\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n'
req : Request(version='1.1', method='GET', uri='/', headers=OrderedDict([('host', '10.80.69.40:30003'), ('user-agent', 'curl/7.68.0'), ('accept', '*/*')]), body=b'', data=b'')
response : b'HTTP/1.1 200 OK\r\nServer: nginx/1.23.4\r\nDate: Thu, 18 May 2023 02:04:27 GMT\r\nContent-Type: text/html\r\nContent-Length: 615\r\nLast-Modified: Tue, 28 Mar 2023 15:01:54 GMT\r\nConnection: keep-alive\r\nETag: "64230162-267"\r\nAccept-Ranges: bytes\r\n\r\n'
response : b'<!DOCTYPE html>\n<html>\n<head>\n<title>Welcome to nginx!</title>\n<style>\nhtml { color-scheme: light dark; }\nbody { width: 35em; margin: 0 auto;\nfont-family: Tahoma, Verdana, Arial, sans-serif; }\n</style>\n</head>\n<body>\n<h1>Welcome to nginx!</h1>\n<p>If you see this page, the nginx web server is successfully installed and\nworking. Further configuration is required.</p>\n\n<p>For online documentation and support please refer to\n<a href="http://nginx.org/">nginx.org</a>.<br/>\nCommercial support is available at\n<a href="http://nginx.com/">nginx.com</a>.</p>\n\n<p><em>Thank you for using nginx.</em></p>\n</body>\n</html>\n'
```

There is no 'res : ~~ '

Subin
  • How are you imagining that a single packet might contain both a Request and a Response? That is simply not how HTTP works. – jasonharper May 18 '23 at 01:14
  • Sorry, that was my mistake. I realized that the request and response are in different packets. I've updated them again. Can you take a look? Thank you. – Subin May 18 '23 at 02:07
  • The `dpkt` documentation mentions the need for doing stream reassembly whenever a message is split over multiple packets - which is the case for your response here. – jasonharper May 18 '23 at 02:36

0 Answers
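The stream reassembly mentioned in the last comment, as an added example that is not part of the original thread: TCP payload is buffered per flow in sequence order and parsed only once the headers and the full `Content-Length` body are present. The class, function and sample values are constructed for illustration, and a small standard-library parser stands in for `dpkt.http.Response`, which raises `dpkt.NeedData` while the body is still short.

```python
def parse_response(data):
    """Return (status, headers, body) once data holds a whole response, else None.
    Assumes Content-Length framing (chunked encoding is not handled)."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None                       # headers incomplete, or not a response start
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)        # e.g. ['HTTP/1.1', '200', 'OK']
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))
    if len(body) < length:
        return None                       # body still spread over later segments
    return parts[1], headers, body[:length]


class ResponseReassembler:
    """Buffers server-to-client payload per flow until one response is complete.
    Assumes the capture starts at a response boundary; sequence-number
    wraparound is not handled."""

    def __init__(self):
        self.flows = {}                   # flow key -> {tcp.seq: payload}

    def feed(self, flow, seq, payload):
        if not payload:
            return None                   # pure ACKs carry no HTTP data
        segs = self.flows.setdefault(flow, {})
        segs.setdefault(seq, payload)     # a retransmitted segment is ignored
        data, nxt = b"", min(segs)
        while nxt in segs:                # join only the contiguous run of bytes
            data += segs[nxt]
            nxt += len(segs[nxt])
        result = parse_response(data)
        if result is not None:
            del self.flows[flow]          # ready for the next keep-alive response
        return result


# Constructed sample: one response split over two segments, as in the capture above.
BODY = b"<html><body>Welcome to nginx!</body></html>\n"
HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(BODY)
FLOW = ("10.0.0.2", 80, "10.0.0.1", 51000)   # constructed (src, sport, dst, dport)
```

In the capture loop, `feed()` would be called with the flow tuple, `tcp.seq` and `tcp.data` for packets where `tcp.sport == 80`, and the returned status compared against `nonErrorCode`.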