Read pcap and assemble HTTP requests
Project description
Pcaper provides a class to read a pcap file and to assemble and iterate over the HTTP requests it contains. The package is based on dpkt.
Installation
pip install pcaper
Import
import pcaper
reader = pcaper.HTTPRequest()
or
from pcaper import HTTPRequest
reader = HTTPRequest()
Examples
Iterate HTTP requests
Read a pcap file, assemble the HTTP requests and iterate over them
reader = pcaper.HTTPRequest()
params = {
'input': 'file.pcap',
}
for request in reader.read_pcap(params):
print(request.origin)
Extract HTTP request headers
You can extract a header by its (lower-case) name
reader = pcaper.HTTPRequest()
params = {
'input': 'file.pcap',
}
for request in reader.read_pcap(params):
print(request.headers['host'])
print(request.headers['user-agent'])
Filter TCP/IP packets
It is possible to filter out unwanted packets before requests are assembled
reader = pcaper.HTTPRequest()
params = {
'input': 'file.pcap',
'filter': 'tcp.dst == 1.1.1.1'
}
for request in reader.read_pcap(params):
print(request.origin)
You can combine tcp and ip filters in dpkt style
reader = pcaper.HTTPRequest()
params = {
'input': 'file.pcap',
'filter': '(ip.src == 10.4.0.136 or ip.dst == 10.1.40.61) and tcp.dport == 8888'
}
for request in reader.read_pcap(params):
print(request.origin)
It is also possible to use an excluding filter in dpkt style
reader = pcaper.HTTPRequest()
params = {
'input': 'file.pcap',
'filter': 'tcp.dport != 8888 and ip.dst != 10.1.40.61'
}
for request in reader.read_pcap(params):
print(request.origin)
Notes
The following fields of an HTTP request are available:
- timestamp - the timestamp of the last packet of the HTTP request
- src - source IP address
- dst - destination IP address
- sport - source port
- dport - destination port
- method - HTTP request method
- version - HTTP protocol version
- uri - HTTP request URI
- headers - ordered dict of HTTP headers
- body - HTTP request body
The newer pcapng format is not supported by the dpkt package, but you can convert an input file from pcapng to pcap format with the mergecap utility, which is installed with the wireshark package.
mergecap file.pcapng -w out.pcap -F pcap
Scripts
parse_http
The parse_http script is installed into the Python scripts directory and can be executed directly from the command line.
It simplifies parsing of pcap files: it extracts HTTP requests, including their headers and body, and prints the complete data to the console or to a file.
Print HTTP requests from pcap file:
parse_http file.pcap
Filter TCP/IP packets, extract HTTP requests and write to external file:
parse_http -f "tcp.dport == 8080" -e "ip.dst == 10.10.10.10" -o file.out file.pcap
Filter HTTP requests with a Python expression over the request fields:
pcap2ammo -i file.pcap -F '"rambler.ru" in http.uri'
You can use logical expressions in filters:
pcap2ammo -i file.pcap -F '"keep-alive" in http.headers["connection"] or "Keep-alive" in http.headers["connection"]'
Standard Python string functions can be applied to HTTP request headers:
pcap2ammo -i file.pcap -F '"keep-alive" in http.headers["connection"].lower()'
Excluding filters can be used as well:
pcap2ammo -i file.pcap -F '"rambler.ru" not in http.uri'
Print statistics about counted requests:
parse_http -f "ip.src == 10.10.10.10" -S file.pcap
Stats:
total: 1
complete: 1
incorrect: 0
incomplete: 0
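The following is an added example, not code from the pcaper package: it parses a reassembled request payload into the same fields pcaper exposes (method, version, uri, headers as an ordered dict with lower-case names, body), applies the keep-alive header check used in the filter above, and counts requests the way the -S statistics do. The payloads are constructed, and storing the version dpkt-style as "1.1" is an assumption.

```python
from collections import OrderedDict

# Constructed sample payloads: complete GET, complete POST, truncated POST, malformed request.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: rambler.ru\r\nConnection: Keep-Alive\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.org\r\nContent-Length: 5\r\n\r\na=1&b",
    b"POST /upload HTTP/1.1\r\nHost: example.org\r\nContent-Length: 10\r\n\r\nabc",
    b"garbage\r\n\r\n",
]

def parse_http_request(data):
    """Split a reassembled TCP payload into the fields pcaper exposes (method,
    version, uri, headers, body); None if incomplete, ValueError if malformed."""
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return None  # header block not finished yet: incomplete
    head = data[:head_end].decode("latin-1")
    body = data[head_end + 4:]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri, version = parts
    headers = OrderedDict()  # keeps wire order, names lower-cased like headers['user-agent']
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))  # bad value -> ValueError -> incorrect
    if len(body) < length:
        return None  # body still being transmitted: incomplete
    return {"method": method, "version": version[5:], "uri": uri,  # "HTTP/1.1" -> "1.1" (assumed)
            "headers": headers, "body": body[:length]}

def keep_alive(request):
    """Same test as the filter '"keep-alive" in http.headers["connection"].lower()'."""
    return "keep-alive" in request["headers"].get("connection", "").lower()

def request_stats(payloads):
    """Count requests as total/complete/incorrect/incomplete, like parse_http -S."""
    stats = {"total": 0, "complete": 0, "incorrect": 0, "incomplete": 0}
    for payload in payloads:
        stats["total"] += 1
        try:
            request = parse_http_request(payload)
        except ValueError:
            stats["incorrect"] += 1
            continue
        stats["complete" if request is not None else "incomplete"] += 1
    return stats
```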