Skip to content

Instantly share code, notes, and snippets.

@MarkBaggett MarkBaggett/scapy_helper.py
Last active Apr 21, 2019

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Python - SCAPY - Full Packet Session Reassembly
Raw
scapy_helper.py
#From here https://pen-testing.sans.org/blog/2017/10/13/scapy-full-duplex-stream-reassembly
def full_duplex(p):
sess = "Other"
if 'Ether' in p:
if 'IP' in p:
if 'TCP' in p:
sess = str(sorted(["TCP", p[IP].src, p[TCP].sport, p[IP].dst, p[TCP].dport],key=str))
elif 'UDP' in p:
sess = str(sorted(["UDP", p[IP].src, p[UDP].sport, p[IP].dst, p[UDP].dport] ,key=str))
elif 'ICMP' in p:
sess = str(sorted(["ICMP", p[IP].src, p[IP].dst, p[ICMP].code, p[ICMP].type, p[ICMP].id] ,key=str))
else:
sess = str(sorted(["IP", p[IP].src, p[IP].dst, p[IP].proto] ,key=str))
elif 'ARP' in p:
sess = str(sorted(["ARP", p[ARP].psrc, p[ARP].pdst],key=str))
else:
sess = p.sprintf("Ethernet type=%04xr,Ether.type%")
return sess
@MarkBaggett

This comment has been minimized.

Sign in to view
Copy link
Owner Author

commented Oct 16, 2017

Example modified version of the Original session_extractor() function from scapy source:
https://github.com/secdev/scapy/blob/master/scapy/plist.py
@sundhaug92

This comment has been minimized.

Sign in to view
Copy link

commented Oct 1, 2018

This incorrectly assumes IP has to be in an ethernet-frame, IP could also be in a Dot11 frame for example
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.