Hello

I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file.

There is a tool called openDPI, and it's perfect for what I need, but there is no wrapper for python language.

Does anyone know any python modules that can do what I need?

Thanks

Edit 1:

HTTP filtering was just an example; there are a lot of protocols that I want to filter.

Edit 2:

I tried Scapy, but I can't figure out how to filter correctly. The filter only accepts Berkeley Packet Filter expressions, i.e., I can't apply an MSN, HTTP, or another specific filter from an upper layer. Can anyone help me?

A: 

Try pylibpcap.

Dave Bacher
But I don't want to parse each packet to check for the protocol that I want, I want a simple solution (like openDPI). Also, I don't want to worry about the "magic number" of all protocols that exist. If there is no solution, then I will have to do that. Thanks
coelhudo
A couple thoughts: 1. most of the python pcap libraries allow you to set a BPF filter on the captured packets. HTTP is an easy filter `tcp port 80`. 2. You could use Wireshark or a similar GUI to isolate the packets that you want, save those to a dumpfile and use pylibpcap or another of these libraries to operate on them.
Dave Bacher
There is no way besides "parsing each packet". You can have a program which does it behind the scenes for you, that's all you can hope.
bortzmeyer
+2  A: 

Maybe this can help: Scapy?

Ib33X
I hadn't seen scapy before. That's pretty powerful. I figured out how to do filters: `"TCP" in pkt and pkt.sport == 80` but couldn't decipher how to get at the payload of the upper layers given an Ethernet packet from a dump file.
Dave Bacher
Sorry, I really don't have any real experience with it, only tried a few things from the online docs.
Ib33X
I discovered that protocol filtering is not as "easy" as I expected, but Scapy will serve for my purposes. Thanks
coelhudo
+1  A: 

Something along the lines of

```python
from pcapy import open_offline
from impacket.ImpactDecoder import EthDecoder
from impacket.ImpactPacket import IP, TCP, UDP, ICMP

# Decodes a raw Ethernet frame into a chain of protocol objects
decoder = EthDecoder()

def callback(hdr, data):
    # pcapy calls this with the record header and the raw frame bytes
    packet = decoder.decode(data)
    child = packet.child()              # Ethernet -> IP (if any)
    if isinstance(child, IP):
        child = child.child()           # IP -> TCP/UDP/ICMP (if any)
        if isinstance(child, TCP):
            if child.get_th_dport() == 80:
                print('HTTP')

pcap = open_offline('net.cap')
pcap.loop(0, callback)                  # 0 = process every packet in the file
```

using

http://oss.coresecurity.com/projects/impacket.html

fraca7
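The pcapy/impacket answer above keys on the destination port; the thread's point that there is "no way besides parsing each packet" applies just as much when the protocol is identified by its payload rather than its port. The following added example (not from any answer on this page; pure standard library, so no pcapy, impacket or Scapy needed) parses a classic libpcap file, detects HTTP by the first bytes of the TCP payload, and writes out a new capture with the matching packets removed. The sample traffic is constructed inline and is not a real capture.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap file with microsecond timestamps
HTTP_MARKERS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")

def parse_pcap(data):
    """Yield (record_header, frame) pairs from an in-memory pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IPv4 header (IHL)
    return tcp[(tcp[12] >> 4) * 4:]            # skip TCP header (data offset)

def is_http(frame):
    """Payload-based HTTP detection, independent of the port in use."""
    payload = tcp_payload(frame)
    return payload is not None and payload.startswith(HTTP_MARKERS)

def filter_pcap(data, predicate):
    """Return (new_pcap_bytes, kept_count) with every frame matching predicate removed."""
    kept = [rec + frame for rec, frame in parse_pcap(data) if not predicate(frame)]
    return data[:24] + b"".join(kept), len(kept)

# --- constructed sample traffic (not a real capture) ---
def build_frame(dport, payload):
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip  # dst MAC, src MAC, EtherType IPv4

def build_pcap(frames):
    head = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return head + b"".join(recs)

SAMPLE = build_pcap([
    build_frame(80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # HTTP on 80: removed
    build_frame(8080, b"POST /api HTTP/1.1\r\n\r\n"),             # HTTP on 8080: removed
    build_frame(22, b"SSH-2.0-OpenSSH_8.9\r\n"),                  # not HTTP: kept
    build_frame(80, b"\x16\x03\x01\x00\x05"),                     # TLS on 80: kept
])
```

`filter_pcap(SAMPLE, is_http)` keeps the SSH and TLS frames and drops both HTTP requests, including the one on port 8080 that a `tcp port 80` BPF filter would miss; swapping `is_http` for another payload predicate handles the other protocols the question mentions.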