Read pcap and assemble HTTP requests

Project description

Pcaper provides a class to read a pcap file and to assemble and iterate over HTTP requests. The package is based on dpkt.

Installation

pip install pcaper

Import

import pcaper
reader = pcaper.HTTPRequest()

or

from pcaper import HTTPRequest
reader = HTTPRequest()

Examples

Iterate HTTP requests

Read pcap file, assemble and iterate HTTP requests

import pcaper

reader = pcaper.HTTPRequest()
params = {
    'input': 'file.pcap',
}
for request in reader.read_pcap(params):
    print(request.origin)

Extract HTTP request headers

You can extract a header by name

import pcaper

reader = pcaper.HTTPRequest()
params = {
    'input': 'file.pcap',
}
for request in reader.read_pcap(params):
    print(request.headers['host'])
    print(request.headers['user-agent'])

Filter TCP/IP packets

It is possible to filter out excess packets

import pcaper

reader = pcaper.HTTPRequest()
params = {
    'input': 'file.pcap',
    'filter': 'tcp.dst == 1.1.1.1'
}
for request in reader.read_pcap(params):
    print(request.origin)

You can combine tcp and ip filters in dpkt style

import pcaper

reader = pcaper.HTTPRequest()
params = {
    'input': 'file.pcap',
    'filter': '(ip.src == 10.4.0.136 or ip.dst == 10.1.40.61) and tcp.dport == 8888'
}
for request in reader.read_pcap(params):
    print(request.origin)

It is possible to use an excluding filter in dpkt style

import pcaper

reader = pcaper.HTTPRequest()
params = {
    'input': 'file.pcap',
    'filter': 'tcp.dport != 8888 and ip.dst != 10.1.40.61'
}
for request in reader.read_pcap(params):
    print(request.origin)

Notes

The following fields of an HTTP request are available:

- timestamp - the last packet timestamp of HTTP request
- src - source IP address
- dst - destination IP address
- sport - source port
- dport - destination port
- method - HTTP request method
- version - HTTP protocol version
- uri - HTTP request URI
- headers - ordered dict of HTTP headers
- body - HTTP request body

The newer pcapng format is not supported by the dpkt package, but you can convert an input file from pcapng to pcap format with the standard mergecap utility, which is installed with the wireshark package.

mergecap file.pcapng -w out.pcap -F pcap
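
To show what assembling requests from a capture involves, and where the fields listed in the notes come from, here is an added standard-library sketch; it is not pcaper's or dpkt's code. The names build_pcap, http_requests and SAMPLE and the sample capture are constructed for illustration. It assumes Ethernet/IPv4 frames, a little-endian microsecond pcap, one request per TCP flow and no sequence-number wraparound, and it rejects pcapng input as the note above describes.

```python
import socket, struct
from collections import OrderedDict
def build_pcap(packets):
    """Constructed sample input: classic pcap holding Ethernet/IPv4/TCP frames."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst, sport, dport, seq, data in packets:
        tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0) + data
        ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        frame = b'\0' * 12 + b'\x08\x00' + ip
        out += struct.pack('<IIII', ts, 0, len(frame), len(frame)) + frame
    return out

def http_requests(pcap):
    """Yield one dict per TCP flow, keyed by the field names from the notes."""
    magic = struct.unpack('<I', pcap[:4])[0]
    if magic != 0xa1b2c3d4:  # 0x0a0d0d0a is the pcapng section header block
        raise ValueError('pcapng: convert to pcap' if magic == 0x0a0d0d0a else 'unsupported capture')
    flows, off = OrderedDict(), 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack('<IIII', pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
            continue  # keep only IPv4 + TCP
        ihl = (frame[14] & 0x0f) * 4
        tcp = frame[14 + ihl:14 + struct.unpack('!H', frame[16:18])[0]]
        data = tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else b''
        if data:  # a dict keyed by seq drops exact retransmissions
            sport, dport, seq = struct.unpack('!HHI', tcp[:8])
            key = (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport)
            flows.setdefault(key, {})[seq] = (sec + usec / 1e6, data)
    for (src, dst, sport, dport), segs in flows.items():
        stream = b''.join(segs[s][1] for s in sorted(segs))  # order by sequence number
        head, sep, body = stream.partition(b'\r\n\r\n')
        lines = head.decode('latin-1').split('\r\n')
        start = lines[0].split(' ')
        if not sep or len(start) != 3 or not start[2].startswith('HTTP/'):
            continue  # header block missing or not an HTTP request line
        headers = OrderedDict((k.strip().lower(), v.strip())
                              for k, _, v in (l.partition(':') for l in lines[1:]))
        yield dict(timestamp=max(t for t, _ in segs.values()), src=src, dst=dst,
                   sport=sport, dport=dport, method=start[0], uri=start[1],
                   version=start[2][5:], headers=headers, body=body)

# Constructed capture: one POST split over two segments that arrive out of order.
SAMPLE = build_pcap([
    (100, '10.4.0.136', '10.1.40.61', 40000, 8888, 1042, b'Content-Length: 3\r\n\r\na=1'),
    (101, '10.4.0.136', '10.1.40.61', 40000, 8888, 1000, b'POST /login HTTP/1.1\r\nHost: example.test\r\n'),
])
```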

Scripts

parse_http

The parse_http script is installed to the Python directory and can be executed directly from the command line.

It simplifies parsing of pcap files: it extracts HTTP requests, including their headers and bodies, and prints the complete data to the console or to a file.

Print HTTP requests from pcap file:

parse_http file.pcap

Filter TCP/IP packets, extract HTTP requests and write to external file:

parse_http -f "tcp.dport == 8080" -e "ip.dst == 10.10.10.10" -o file.out file.pcap

Filter HTTP packets

pcap2ammo -i file.pcap -F '"rambler.ru" in http.uri'

You can use logical expressions in filters

pcap2ammo -i file.pcap -F '"keep-alive" in http.headers["connection"] or "Keep-alive" in http.headers["connection"]'

Standard Python string functions over HTTP request headers

pcap2ammo -i file.pcap -F '"keep-alive" in http.headers["connection"].lower()'

Use excluding filters also

pcap2ammo -i file.pcap -F '"rambler.ru" not in http.uri'

Print statistics about counted requests:

parse_http -f "ip.src == 10.10.10.10" -S file.pcap

Stats:
    total: 1
    complete: 1
    incorrect: 0
    incomplete: 0

Download files

Source Distribution

pcaper-1.0.5.tar.gz (7.8 kB)

Uploaded Source

Built Distribution

pcaper-1.0.5-py2.py3-none-any.whl (7.8 kB)

Uploaded Python 2, Python 3

File details

Details for the file pcaper-1.0.5.tar.gz.

File metadata

  • Download URL: pcaper-1.0.5.tar.gz
  • Upload date:
  • Size: 7.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.4.2 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/2.7.15

File hashes

Hashes for pcaper-1.0.5.tar.gz
Algorithm Hash digest
SHA256 fb8aaced28dc0f38933482ecd57b2ddb5445c133429df2db0d18b749e582b8f1
MD5 3d4ab84a4add209d697ab9dbd2c49e0e
BLAKE2b-256 54b8c69a860eb0fae3ea6a34256cf7caa1e1ed003dabc76386384e77bcb58831

File details

Details for the file pcaper-1.0.5-py2.py3-none-any.whl.

File metadata

  • Download URL: pcaper-1.0.5-py2.py3-none-any.whl
  • Upload date:
  • Size: 7.8 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.4.2 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/2.7.15

File hashes

Hashes for pcaper-1.0.5-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 c9e4e09d8541ca9d4a8a611cfc735acf0e776ab24b335b7605afd670091f08c0
MD5 fd06ff5e8f1707d3f4f1f27b95575714
BLAKE2b-256 d0b877e9599b8c2749cb56257c5557448427422056c5d25bff8e1342e3c14d25
