Python - SCAPY - Full Packet Session Reassembly
# From here https://pen-testing.sans.org/blog/2017/10/13/scapy-full-duplex-stream-reassembly
from scapy.all import *

def full_duplex(p):
    """Session key for PacketList.sessions(): both directions of a flow get the
    same key because the endpoint fields are sorted before being stringified."""
    sess = "Other"
    if 'Ether' in p:
        if 'IP' in p:
            if 'TCP' in p:
                sess = str(sorted(["TCP", p[IP].src, p[TCP].sport, p[IP].dst, p[TCP].dport], key=str))
            elif 'UDP' in p:
                sess = str(sorted(["UDP", p[IP].src, p[UDP].sport, p[IP].dst, p[UDP].dport], key=str))
            elif 'ICMP' in p:
                sess = str(sorted(["ICMP", p[IP].src, p[IP].dst, p[ICMP].code, p[ICMP].type, p[ICMP].id], key=str))
            else:
                sess = str(sorted(["IP", p[IP].src, p[IP].dst, p[IP].proto], key=str))
        elif 'ARP' in p:
            sess = str(sorted(["ARP", p[ARP].psrc, p[ARP].pdst], key=str))
        else:
            # Non-IP, non-ARP frames: group by EtherType only
            sess = p.sprintf("Ethernet type=%04xr,Ether.type%")
    return sess

# Usage: pkts = rdpcap("capture.pcap"); sessions = pkts.sessions(full_duplex)
This incorrectly assumes
Thanks, Mark, for the code and blog post; very useful tip. Small caveat to keep in mind: This is simplified session reassembly as it does not consider TCP FIN/RST packets. Packets are mapped to their respective session based solely on the
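An added example (not from the gist or the SANS post, and not scapy code) that shows the two points above in runnable form: the key scheme that collapses both directions of a flow into one session, and the caveat that a plain 4-tuple key keeps appending after a TCP FIN/RST, so a reused port lands in the old session. It runs without scapy by using a minimal packet record (`Pkt`) that carries only the fields `full_duplex()` reads; the packets in `SAMPLE` are constructed for the demo, and `sessions()` with `split_on_close=True` is one possible extension, not something the gist implements.

```python
from collections import namedtuple

# Minimal stand-in for the scapy layers full_duplex() reads. This is NOT a
# scapy Packet; it holds only the fields that go into the session key.
# flags is a string of TCP flag letters as scapy prints them ("S", "SA", "FA"...).
Pkt = namedtuple("Pkt", "proto src sport dst dport flags")


def flow_key(p):
    """Bidirectional key, same idea as full_duplex(): sorting the endpoint
    fields (as strings) makes A->B and B->A produce the identical key."""
    return str(sorted([p.proto, p.src, p.sport, p.dst, p.dport], key=str))


def sessions(packets, split_on_close=False):
    """Group packets by flow_key(), like PacketList.sessions(full_duplex).

    With split_on_close=False this reproduces the gist's behaviour: a TCP
    4-tuple that is torn down and then reused is one big session.
    With split_on_close=True a session is marked closed once a FIN or RST
    has been seen; a later pure SYN (no ACK) on the same 4-tuple then starts
    a new incarnation, labelled "<key> #n", instead of being appended.
    """
    out = {}
    closed = set()   # flow keys whose TCP session has seen FIN or RST
    gen = {}         # per-key incarnation counter for reused 4-tuples
    for p in packets:
        k = flow_key(p)
        if split_on_close and p.proto == "TCP":
            if k in closed and "S" in p.flags and "A" not in p.flags:
                gen[k] = gen.get(k, 0) + 1   # fresh SYN after close: new session
                closed.discard(k)
            if "F" in p.flags or "R" in p.flags:
                closed.add(k)
        label = k if gen.get(k, 0) == 0 else f"{k} #{gen[k]}"
        out.setdefault(label, []).append(p)
    return out


# Constructed sample traffic: one HTTP-style TCP connection that is closed and
# then re-established on the same client port, plus an unrelated DNS datagram.
CLIENT, SERVER = ("10.0.0.1", 40000), ("10.0.0.2", 80)


def c2s(flags):
    return Pkt("TCP", *CLIENT, *SERVER, flags)


def s2c(flags):
    return Pkt("TCP", *SERVER, *CLIENT, flags)


SAMPLE = [
    c2s("S"), s2c("SA"), c2s("A"),       # handshake
    c2s("PA"), s2c("PA"),                # request / response
    c2s("FA"), s2c("FA"), c2s("A"),      # graceful teardown
    c2s("S"), s2c("SA"), c2s("A"),       # same 4-tuple reused for a new connection
    Pkt("UDP", "10.0.0.1", 5353, "10.0.0.2", 53, ""),
]

if __name__ == "__main__":
    assert flow_key(c2s("S")) == flow_key(s2c("SA"))   # both directions, one key
    for mode in (False, True):
        print(f"split_on_close={mode}")
        for label, pkts in sessions(SAMPLE, split_on_close=mode).items():
            print(f"  {len(pkts):2d} packets  {label}")
```

With `split_on_close=False` the output has two sessions (11 TCP packets under one key, 1 UDP); with `split_on_close=True` the TCP traffic becomes two sessions of 8 and 3 packets. The SYN test deliberately excludes SYN/ACK so the server's handshake reply joins the new incarnation rather than opening a third one.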
Example modified version of the original session_extractor() function from the scapy source:
https://github.com/secdev/scapy/blob/master/scapy/plist.py