Python - SCAPY - Full Packet Session Reassembly

scapy_helper.py

#From here https://pen-testing.sans.org/blog/2017/10/13/scapy-full-duplex-stream-reassembly

def full_duplex(p):
    sess = "Other"
    if 'Ether' in p:
        if 'IP' in p:
            if 'TCP' in p:
                sess = str(sorted(["TCP", p[IP].src, p[TCP].sport, p[IP].dst, p[TCP].dport],key=str))
            elif 'UDP' in p:
                sess = str(sorted(["UDP", p[IP].src, p[UDP].sport, p[IP].dst, p[UDP].dport] ,key=str))
            elif 'ICMP' in p:
                sess = str(sorted(["ICMP", p[IP].src, p[IP].dst, p[ICMP].code, p[ICMP].type, p[ICMP].id] ,key=str)) 
            else:
                sess = str(sorted(["IP", p[IP].src, p[IP].dst, p[IP].proto] ,key=str)) 
        elif 'ARP' in p:
            sess = str(sorted(["ARP", p[ARP].psrc, p[ARP].pdst],key=str)) 
        else:
            sess = p.sprintf("Ethernet type=%04xr,Ether.type%")
    return sess

Example modified version of the Original session_extractor() function from scapy source:
https://github.com/secdev/scapy/blob/master/scapy/plist.py

This incorrectly assumes IP has to be in an ethernet-frame, IP could also be in a Dot11 frame for example

Thanks, Mark, for the code and blog post; very useful tip.

Small caveat to keep in mind: This is simplified session reassembly as it does not consider TCP FIN/RST packets. Packets are mapped to their respective session based solely on the (src_ip, src_port, dst_ip, dst_port) four-tuple. If the client (or server) closes a TCP stream and the client by chance selects the same ephemeral port number when contacting the same server again, the two different TCP streams will be identified as a single stream.