我需要一个可以提取有效负载的函数,以识别是否有任何明文在任何HTTP数据包中。
下面的代码从PCAP文件中提取有效负载,但似乎它实际上嗅探了前1000个,然后提取了有效负载。
我将如何重写它,以便我解析现有的PCAP,而不是在旅途中嗅探和提取有效负载
os.system(tshark -T fields -e _ws.col.Info -e http -e frame.time -e "data.data -w WeMo_Data.pcap > WeMo_Data.txt -c 1000");
import os
from kamene.all import *
import subprocess
#Imported module
from getHTTPHeaders import HTTPHeaders, extractText
data = "WeMo.pcap"
a = rdpcap(data)
os.system(tshark -T fields -e _ws.col.Info -e http -e frame.time -e "data.data -w Eavesdrop_Data.pcap > Eavesdrop_Data.txt -c 1000");
sessions = a.sessions()
carved_texts = 1
for session in sessions:
http_payload = ""
for packet in sessions[session]:
try:
if packet[TCP].dport == 80 or packet[TCP].sport == 80:
http_payload += str(packet[TCP].payload)
except:
pass
headers = HTTPHeaders(http_payload)
if headers is None:
continue
text = extractText(headers,http_payload)
if text is not None:
print (text)
这是我导入的其他 2 个函数
import re
import zlib
def HTTPHeaders(http_payload):
try:
# isolate headers
headers_raw = http_payload[:http_payload.index("rnrn") + 2]
regex = ur"(?:[rn]{0,1})(w+-w+|w+)(?: *: *)([^rn]*)(?:[rn]{0,1})"
headers = dict(re.findall(regex, headers_raw, re.UNICODE))
print headers
return headers
except:
return None
if 'Content-Type' not in headers:
return None
return headers
def extractText(headers, http_payload):
text = None
try:
if 'text/plain' in headers['Content-Type']:
text = http_payload[http_payload.index("rnrn")+4:]
try:
if "Accept-Encoding" in headers.keys():
if headers['Accept-Encoding'] == "gzip":
text = zlib.decompress(text, 16+zlib.MAX_WBITS)
elif headers['Content-Encoding'] == "deflate":
text = zlib.decompress(text)
except: pass
except:
return None
return text
任何帮助都会很棒!
我知道你在那里做了什么(https://medium.com/@vworri/extracting-the-payload-from-a-pcap-file-using-python-d938d7622d71(
虽然这篇文章不是很好。我建议您做的是简单地使用Scapy 2.4.3并使用HTTP解码from scapy.layers.http import *或load_layers("http")
你可以这样做
for sess in sniff(offline="WeMo.pcap", session=TCPSession).sessions().values():
for packet in sess:
# Use TCPSession to automatically rebuild HTTP packets
if HTTP in packet and Raw in packet:
# packet is HTTP and has payload
http_payload = packet[Raw]
基本上您所要做的就是删除它称为tshark的部分...您可能应该花时间了解复制粘贴的代码:P