dpkt and parsing of pcap file

  • lepetal
    New Member
    • Nov 2012
    • 3

    I need to calculate the delta between the SYN and the SYN-ACK or ACK packet for each http.uri request.

    Why is my code not working for it?

    Code:
    #!/usr/bin/env python
    # Python 2 code as posted: print statement, ord() over a byte string.
    import dpkt

    def ip_decode(p):
        # Packed 4-byte address -> dotted quad
        return ".".join(["%d" % ord(x) for x in str(p)])

    def tcp_flags(flags):
        # One letter per set TCP flag, e.g. 'S', 'SA', 'PA'
        ret = ''
        if flags & dpkt.tcp.TH_FIN:
            ret = ret + 'F'
        if flags & dpkt.tcp.TH_SYN:
            ret = ret + 'S'
        if flags & dpkt.tcp.TH_RST:
            ret = ret + 'R'
        if flags & dpkt.tcp.TH_PUSH:
            ret = ret + 'P'
        if flags & dpkt.tcp.TH_ACK:
            ret = ret + 'A'
        if flags & dpkt.tcp.TH_URG:
            ret = ret + 'U'
        if flags & dpkt.tcp.TH_ECE:
            ret = ret + 'E'
        if flags & dpkt.tcp.TH_CWR:
            ret = ret + 'C'
        return ret

    # pcap files are binary; open in 'rb' mode
    f = open('mycapture.cap', 'rb')
    pcap = dpkt.pcap.Reader(f)

    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        tcp = ip.data
        timestamp = 0
        timestamp2 = 0
        timestampresult = 0

        if tcp.dport == 80 and len(tcp.data) > 0:
            try:
                http = dpkt.http.Request(tcp.data)
                http_compare = http.uri
                if tcp_flags(tcp.flags) == 'S':
                    timestamp = ts
                    # Inner loop advances the same pcap iterator as the outer loop
                    for ts, buf in pcap:
                        eth = dpkt.ethernet.Ethernet(buf)
                        ip = eth.data
                        tcp = ip.data

                        if tcp.dport == 80 and len(tcp.data) > 0:
                            try:
                                http = dpkt.http.Request(tcp.data)
                                if http_compare == http.uri and tcp_flags(tcp.flags) == 'A':
                                    timestamp2 = ts
                            except dpkt.dpkt.NeedData:
                                continue
                            except dpkt.dpkt.UnpackError:
                                continue
                        else:
                            continue

            except dpkt.dpkt.NeedData:
                continue
            except dpkt.dpkt.UnpackError:
                continue
        else:
            continue
        timestampresult = timestamp2 - timestamp
        print "http://" + "%s" % ip_decode( ip.dst ) + http.uri, timestampresult

    f.close()
  • zmbd
    Recognized Expert Moderator Expert
    • Mar 2012
    • 5501

    #2
    Why is my code not working for it?
    - Please take a few moments and provide us with the details... are you receiving any errors and if so EXACTLY what are they (number and description) and where in the code they are occurring.

    - With some example data... tell us what you expected and what you received.

    - Tell us what steps you've already taken to troubleshoot your code... I for one get a tad frustrated when a suggestion is made and OP replies... "already tried that" in so many words.


    • lepetal
      New Member
      • Nov 2012
      • 3

      #3
      @zmbd, No, I'm not receiving errors, I'm receiving zeros as the result of the timestamp subtraction. In the result I would like to have the subtraction between ACK and SYN for each HTTP request to the server.

      I made the file using tcpdump:
      Code:
      tcpdump -i eth0 -w mycapture.cap
      After that I did some HTTP requests in my Firefox, and after that I ran:

      Code:
      tcpdump -i eth0 -w mycapture.cap
      ^C
      python parsing.py
      
      http://87.250.250.203/ 0
      http://87.250.250.119/watch/723233 0
      http://217.73.200.222/V13a****yandex_ru/ru/CP1251/tmsec=yandex_ya/0 0
      http://93.158.134.143/su/ 0
      http://87.250.251.91/page/168?callback=jQuery16301684296573399927_1351376662464&_=1351376662536 0
      http://93.158.134.203/data/mail.js?yaru=y 0
      I think it's because I'm trying to compare requests by HTTP header, but in some cases I can't get HTTP, because the 'A' TCP datagrams don't have a body (tcp.data), so I can't get the http.uri.


      • zmbd
        Recognized Expert Moderator Expert
        • Mar 2012
        • 5501

        #4
        Much better :)

        Forewarning... PYTHON is not something I am very familiar with, so my advice should be taken with a grain of salt.

        Line 45: http_compare = http.uri
        Should that be:
        Line 45: http_compare = http.urL??

        Maybe not as I see you have the same construct in other parts of the code and you mention that in your second post too.

        I would try to run against the IP addressing as that is less likely to get mangled.
        Last edited by zmbd; Nov 3 '12, 06:04 PM.


        • lepetal
          New Member
          • Nov 2012
          • 3

          #5
          No, because http://www.commercialventvac.com/dpk...mozTocId957220


          • AndrewM
            New Member
            • Jan 2013
            • 1

            #6
            Nice example. You got zero because you set zeros:
            Code:
                timestamp = 0
                timestamp2 = 0
            - these counters never changed.
            The condition:
            Code:
                if tcp_flags(tcp.flags) == 'S'
            doesn't work, because a packet with an HTTP request cannot carry the "SYN" flag. The TCP session is established (SYN - SYN/ACK - ACK) before the HTTP protocol starts to send a request. You need to formulate the task more carefully. What time delta would you like to calculate?

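            Added example (not code from this thread or from the dpkt project) showing what the original post asked for and what reply #6 points out: the handshake (SYN, SYN/ACK, ACK) happens on the connection before any HTTP request is sent, so the timestamps have to be recorded per connection, keyed by the (client IP, client port, server IP, server port) tuple, and only later attributed to the first HTTP request seen on that connection. To run without dpkt installed, a small hand-written Ethernet/IPv4/TCP parser (parse) and a frame builder (build_packet) stand in for dpkt's Ethernet/IP/TCP objects; the capture in sample_capture() is constructed inline with documentation-range addresses. With dpkt, the same state machine in handshake_deltas() takes (ts, buf) pairs from dpkt.pcap.Reader and reads the tuple from ip.src, ip.dst, tcp.sport, tcp.dport, tcp.flags and tcp.data instead.

```python
#!/usr/bin/env python3
"""Per-connection TCP handshake timing, attributed to the first HTTP request.

Standard-library only: parse() stands in for dpkt.ethernet.Ethernet(buf) so the
script runs without dpkt. Sample frames are constructed, not captured.
"""
import struct

TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip      # zero MACs, EtherType IPv4


def parse(buf):
    """Return (src, dst, sport, dport, flags, payload), or None if not IPv4/TCP."""
    if len(buf) < 34 or buf[12:14] != b"\x08\x00":
        return None
    ip = buf[14:]
    if ip[9] != 6:                                # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                     # TCP header length
    return src, dst, sport, dport, tcp[13], tcp[doff:]


def request_uri(payload):
    """URI from an HTTP request line, or None if the payload is not a request."""
    if not payload.startswith(HTTP_METHODS):
        return None
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1].decode("ascii", "replace") if len(parts) >= 3 else None


def handshake_deltas(packets):
    """packets: iterable of (timestamp, frame bytes), as dpkt.pcap.Reader yields.

    Returns [(url, syn_to_synack, syn_to_ack)] for every connection whose full
    handshake was seen and that then carried an HTTP request.
    """
    conns = {}    # (client, cport, server, sport) -> handshake timestamps
    results = []
    for ts, buf in packets:
        p = parse(buf)
        if p is None:
            continue
        src, dst, sport, dport, flags, payload = p
        if flags & TH_RST:                        # aborted: drop the state
            conns.pop((src, sport, dst, dport), None)
            conns.pop((dst, dport, src, sport), None)
            continue
        sa = flags & (TH_SYN | TH_ACK)
        if sa == TH_SYN:                          # client SYN opens the state
            conns[(src, sport, dst, dport)] = {"syn": ts}
            continue
        if sa == TH_SYN | TH_ACK:                 # server reply: reversed key
            st = conns.get((dst, dport, src, sport))
            if st is not None and "synack" not in st:
                st["synack"] = ts
            continue
        st = conns.get((src, sport, dst, dport))  # client -> server traffic only
        if st is None or "synack" not in st:
            continue
        if flags & TH_ACK and "ack" not in st:    # third handshake packet
            st["ack"] = ts
        uri = request_uri(payload)
        if uri is not None and not st.get("reported"):
            st["reported"] = True
            results.append(("http://%s%s" % (dst, uri),
                            round(st["synack"] - st["syn"], 6),
                            round(st["ack"] - st["syn"], 6)))
    return results


def sample_capture():
    """Constructed capture: two client connections to one web server, one stray SYN."""
    c, s = "192.0.2.5", "203.0.113.10"
    req = b"GET %s HTTP/1.1\r\nHost: web.example\r\n\r\n"
    return [
        (1.000, build_packet(c, s, 40000, 80, TH_SYN)),
        (1.020, build_packet(s, c, 80, 40000, TH_SYN | TH_ACK)),
        (1.021, build_packet(c, s, 40000, 80, TH_ACK)),
        (1.025, build_packet(c, s, 40000, 80, TH_PUSH | TH_ACK, req % b"/index.html")),
        (2.000, build_packet(c, s, 40001, 80, TH_SYN)),
        (2.150, build_packet(s, c, 80, 40001, TH_SYN | TH_ACK)),
        (2.151, build_packet(c, s, 40001, 80, TH_ACK)),
        (2.160, build_packet(c, s, 40001, 80, TH_PUSH | TH_ACK, req % b"/api?q=1")),
        (2.200, build_packet(s, c, 80, 40001, TH_PUSH | TH_ACK, b"HTTP/1.1 200 OK\r\n\r\n")),
        (3.000, build_packet(c, s, 40002, 80, TH_SYN)),   # never answered
    ]


if __name__ == "__main__":
    for url, d1, d2 in handshake_deltas(sample_capture()):
        print("%-32s SYN->SYN/ACK %.3fs  SYN->ACK %.3fs" % (url, d1, d2))
```

            The server's response and the unanswered SYN on port 40002 produce no output, which is the behaviour a per-request report should have: a delta is only meaningful once all three handshake packets and the request have been seen on the same connection.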
