Created
January 16, 2014 23:01
-
-
Save athoune/8465184 to your computer and use it in GitHub Desktop.
Dumping http stuff from a tcpdump file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import socket | |
| import dpkt | |
| f = open(sys.argv[1], 'r') | |
| pcap = dpkt.pcap.Reader(f) | |
| buffers = {} | |
| requests = {} | |
| timers = {} | |
| for ts, buf in pcap: | |
| eth = dpkt.ethernet.Ethernet(buf) | |
| if not isinstance(eth.data, dpkt.ip.IP): | |
| continue | |
| ip = eth.data | |
| if not isinstance(ip.data, dpkt.tcp.TCP): | |
| continue | |
| tcp = ip.data | |
| if (tcp.dport == 80 or tcp.sport == 80) and len(tcp.data) > 0: | |
| bk = (ip.src, tcp.sport, ip.dst, tcp.dport) | |
| if bk not in buffers: | |
| buffers[bk] = tcp.data | |
| else: | |
| buffers[bk] += tcp.data | |
| if bk not in timers: | |
| timers[bk] = ts | |
| try: | |
| if tcp.dport == 80: | |
| http = dpkt.http.Request(buffers[bk]) | |
| if tcp.sport == 80: | |
| http = dpkt.http.Response(buffers[bk]) | |
| except dpkt.dpkt.UnpackError: | |
| pass | |
| else: | |
| del buffers[bk] | |
| if tcp.dport == 80: | |
| requests[(ip.src, tcp.sport, ip.dst, tcp.dport)] = http | |
| else: | |
| rk = (ip.dst, tcp.dport, ip.src, tcp.sport) | |
| if rk in requests: | |
| print "%s:%i -> %s:%i" % (socket.inet_ntoa(ip.dst), | |
| tcp.dport, | |
| socket.inet_ntoa(ip.src), | |
| tcp.sport) | |
| print "http://%s/%s" % (requests[rk].headers['host'], | |
| requests[rk].uri) | |
| print "latency:", ts - timers[bk] | |
| print "\t", requests[rk].headers | |
| print "Status:", http.status | |
| print "Chrono:", ts - timers[rk] | |
| print "\t", http.headers | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
http://zerocomment.com/ is for sale
Ceci n'est pas un spam
dpkt dans les libs standard ?