Nailgun pcaps decoder

scapy_nailgun.py

#!/usr/bin/env python

# Usage:
#   $ scapy_nailgun.py example.pcap
# Creating the pcap with tcpdump:
#   $ tcpdump -w example.pcap -i lo tcp port 8212
# Output format is:
#   [sender:port | type | length] content
# where:
#   sender - 'C' for client, 'S' for server
#   type - Nailgun's message type
#   length - length of content

import sys
import struct
from scapy.all import *

def nailgun_decode(payload):
    if len(payload) < 5:
        return (None, None, None, payload)

    length, type = struct.unpack('!Ic', payload[0:5])

    if len(payload) < 5 + length:
        return (None, None, None, payload)

    content = payload[5:5+length]
    rest = payload[5+length:]

    return (length, type, content, rest)

def nailgun_dump_packet(packet, buffers):
    port = packet[TCP].sport
    sender = 'C'
    buffer = "%c:%5d" % (sender, port)
    buffers[buffer] = (buffers.get(buffer) or '') + packet[TCP].load
    if port == 8212:
        port = packet[TCP].dport
        sender = 'S'
    while buffers[buffer] != '':
        length, type, payload, buffers[buffer] = nailgun_decode(buffers[buffer])
        if payload == None:
            break
        else:
            print("[%c:%5d | %c | %4d] %s" % (sender, port, type, length, payload))

def nailgun_dump(packets):
    buffers = {}
    for packet in packets:
        if packet.haslayer(Raw):
            nailgun_dump_packet(packet, buffers)

if __name__ == "__main__":
    path = sys.argv[1]
    packets = scapy.utils.rdpcap(path)
    nailgun_dump(packets)