pcap parsing using dpkt

ss5h (25) in network • 7 years ago

어쩌다 pcap에서 http 통신을 하는 패킷을 찾아내고 Request에 들어가는 값들을 파싱해야하는 일이 생겼다.

그래서 사용한게 dpkt 라이브러리이다.

사용법은 엄청 간단하다. pcap파일을 rb모드로 open하고 dpkt.pcap.Reader라는 함수에 넣어주면 기초 작업은 끝이다.

f = open(sys.argv[1],'rb')
pcap = dpkt.pcap.Reader(f)

그 후엔 다음과 같이 사용할 수 있다.

for ts, buf in pcap:
            eth = dpkt.ethernet.Ethernet(buf)
            ip = eth.data
            tcp = ip.data
            try:
                    if (tcp.dport == 80 or tcp.dport == 443) and len(tcp.data) > 0:
                            request = dpkt.http.Request(tcp.data)
            except:
                    pass

그래서 request에서 많은 정보들을 뽑아 올 수 있다.
ex) request.body, request.header, request.header['user-agent']

network pcap dpkt python

7 years ago by ss5h (25)

$0.00

1 vote

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!

Sort Order:

Trending

[-]

steemitboard (66) · 6 years ago

Congratulations @ss5h! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 1 year!

_{Click here to view your Board}

Support SteemitBoard's project! Vote for its witness and get one more award!

$0.00

[-]

steemitboard (66) · 5 years ago

Congratulations @ss5h! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 2 years!

_{You can view your badges on your Steem Board and compare to others on the Steem Ranking}

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

$0.00