I need a function that can extract payloads, in order to identify whether any HTTP packet contains any plaintext.
The code below extracts the payloads from a PCAP file, but in fact it actually sniffs the first 1000 packets and then extracts the payloads.
How would I rewrite it so that I parse an existing PCAP instead of sniffing and extracting the payloads on the fly?
```python
# the command line has to be passed to os.system as one string
os.system('tshark -T fields -e _ws.col.Info -e http -e frame.time -e data.data -w WeMo_Data.pcap > WeMo_Data.txt -c 1000')
```
```python
import os
import subprocess
from kamene.all import *   # kamene is the Python 3 fork of scapy; provides rdpcap and TCP
# Imported module
from getHTTPHeaders import HTTPHeaders, extractText

data = "WeMo.pcap"
a = rdpcap(data)
# the sniffing step: tshark captures 1000 packets and writes them out (command passed as one string)
os.system('tshark -T fields -e _ws.col.Info -e http -e frame.time -e data.data -w Eavesdrop_Data.pcap > Eavesdrop_Data.txt -c 1000')
sessions = a.sessions()
carved_texts = 1
for session in sessions:
    http_payload = ""
    for packet in sessions[session]:
        try:
            if packet[TCP].dport == 80 or packet[TCP].sport == 80:
                # decode the raw payload bytes so the headers can be searched as text
                http_payload += bytes(packet[TCP].payload).decode("latin-1")
        except IndexError:
            pass   # packet has no TCP layer
    headers = HTTPHeaders(http_payload)
    if headers is None:
        continue
    text = extractText(headers, http_payload)
    if text is not None:
        print(text)
```
Here are the other two functions I import:
```python
import re
import zlib


def HTTPHeaders(http_payload):
    try:
        # isolate headers
        headers_raw = http_payload[:http_payload.index("\r\n\r\n") + 2]
        # Python 3 has no ur"" prefix; a plain raw string is enough
        regex = r"(?:[\r\n]{0,1})(\w+\-\w+|\w+)(?:\ *:\ *)([^\r\n]*)(?:[\r\n]{0,1})"
        headers = dict(re.findall(regex, headers_raw, re.UNICODE))
        print(headers)
    except ValueError:
        # no header/body separator, so this is not an HTTP message
        return None
    # this check was placed after the return and was never reached
    if 'Content-Type' not in headers:
        return None
    return headers


def extractText(headers, http_payload):
    text = None
    try:
        if 'text/plain' in headers['Content-Type']:
            text = http_payload[http_payload.index("\r\n\r\n") + 4:]
            try:
                # the body's compression is announced by Content-Encoding, not Accept-Encoding
                if "Content-Encoding" in headers:
                    if headers['Content-Encoding'] == "gzip":
                        text = zlib.decompress(text.encode("latin-1"), 16 + zlib.MAX_WBITS).decode("latin-1")
                    elif headers['Content-Encoding'] == "deflate":
                        text = zlib.decompress(text.encode("latin-1")).decode("latin-1")
            except zlib.error:
                pass
    except (ValueError, KeyError):
        return None
    return text
```
Any help would be great!
Answer 0 (score: 0)
I know what you are doing there (https://medium.com/@vworri/extracting-the-payload-from-a-pcap-file-using-python-d938d7622d71)
Even so, that article is not good. What I suggest you do is simply use Scapy 2.4.3 and enable HTTP decoding:
```python
from scapy.layers.http import *
```
or
```python
load_layer("http")   # the scapy function is load_layer, not load_layers
```
You can do it like this:
```python
from scapy.all import sniff, Raw
from scapy.sessions import TCPSession
from scapy.layers.http import HTTP

# offline= reads the existing capture instead of sniffing an interface
for sess in sniff(offline="WeMo.pcap", session=TCPSession).sessions().values():
    for packet in sess:
        # Use TCPSession to automatically rebuild HTTP packets
        if HTTP in packet and Raw in packet:
            # packet is HTTP and has payload
            http_payload = packet[Raw].load   # the body bytes
```
Basically, all you need to do is remove the part that calls tshark... You should probably take some time to understand the code you copy-pasted :P
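As an added, stand-alone example (not the asker's or the answerer's code, and not scapy's), the script below does the same job as the answer's scapy snippet using only the Python standard library: it reads a classic pcap file record by record, reassembles the port-80 TCP segments of each flow in sequence-number order, then parses the HTTP headers and undoes the body's Content-Encoding (which is what the posted extractText gets wrong by looking at Accept-Encoding). The capture it runs on is constructed inline by the assumed helpers build_frame and build_pcap, with made-up addresses, ports and a "password=hunter2" body, and with the IP/TCP checksums left at zero; the sample is written with the response's two segments out of order so the sequence sorting is exercised.

```python
import gzip
import struct
import zlib
from collections import defaultdict

def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (test input, not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (magic 0xa1b2c3d4, link type Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield raw frames from pcap bytes, honouring the byte order the magic number announces."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    pos = 24                                   # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    segment = frame[14 + ihl:14 + total_len]   # slicing to total_len drops Ethernet trailer padding
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    data_off = (segment[12] >> 4) * 4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    return src, dst, sport, dport, seq, segment[data_off:]

def reassemble_streams(pcap_bytes):
    """Join port-80 TCP payloads per (src, sport, dst, dport) flow in sequence-number order."""
    segments = defaultdict(list)
    for frame in read_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is not None and parsed[5] and 80 in parsed[2:4]:
            src, dst, sport, dport, seq, payload = parsed
            segments[(src, sport, dst, dport)].append((seq, payload))
    # Sorting by seq repairs out-of-order capture; retransmissions and overlaps are not handled.
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in segments.items()}

def parse_http(stream):
    """Split one HTTP message into (start_line, headers, body), undoing Content-Encoding."""
    end = stream.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = stream[:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = stream[end + 4:]
    encoding = headers.get("content-encoding", "").lower()   # the body's coding, not Accept-Encoding
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        try:
            body = zlib.decompress(body)                     # zlib-wrapped, as the RFC specifies
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)    # raw deflate, as some servers send
    return lines[0], headers, body

def extract_plaintext(pcap_bytes):
    """Return [(start_line, text)] for every HTTP message whose Content-Type is text/*."""
    found = []
    for stream in reassemble_streams(pcap_bytes).values():
        msg = parse_http(stream)
        if msg is not None and msg[1].get("content-type", "").startswith("text/"):
            found.append((msg[0], msg[2].decode("utf-8", errors="replace")))
    return found

# Constructed sample capture (made-up addresses and body): one request plus a gzip-compressed
# text/plain response whose two segments are written to the file out of order.
REQUEST = b"GET /setup.xml HTTP/1.1\r\nHost: 192.168.1.50\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Encoding: gzip\r\n\r\n"
            + gzip.compress(b"password=hunter2\n"))
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "192.168.1.50", 40000, 80, 1000, REQUEST),
    build_frame("192.168.1.50", "192.168.1.10", 80, 40000, 5040, RESPONSE[40:]),
    build_frame("192.168.1.50", "192.168.1.10", 80, 40000, 5000, RESPONSE[:40]),
])

if __name__ == "__main__":
    for start_line, text in extract_plaintext(SAMPLE_PCAP):
        print(start_line, "->", repr(text))
```

Running it prints the one text/plain body in the sample, "password=hunter2\n", tagged with its status line; the request is reassembled too but skipped because it carries no Content-Type. To run it on a real capture, replace SAMPLE_PCAP with the bytes of the file (open(path, "rb").read()); pcapng files, IPv6, VLAN tags and non-80 ports are deliberately out of scope, which is the main reason to prefer scapy's TCPSession for anything beyond a quick check.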