2014-01-22 60 views
-4

Reconstructing an HTTP web page from libpcap with a python script

I am trying to reconstruct a web page from a libpcap file in a python script. I have all the packets, so I suppose the goal is to take a libpcap file as input, find all the required packets in it, and somehow write the web page out as a file, complete with all the images and data from that page. Can anyone point me in the right direction to get started? I think I need dpkt and/or scapy.

Update 1: code below! This is the code I have come up with so far in Python. It assumes that it is looking at the first set of packets of a single HTTP session, which starts with the packet that has both the SYN and ACK flags set to 1 and ends with the packet that has the FIN flag set to 1.

Assuming only one website was visited during the capture, does the capture then contain all the packets needed to reconstruct the visited web page?

Assuming I have all the required packets, how do I reconstruct the web page?

from scapy.all import IP, TCP, rdpcap  # the original read "import scaPy", which is not an importable module name

pktList = list()  # create a list to store the packets we want to keep
pcap = rdpcap('myCapture.pcap')  # returns a packet list with every packet in the pcap
count = 0  # will store the index of the SYN-ACK packet in pcap
for pkt in pcap:  # loops through packet list named pcap one packet at a time
    if pkt.haslayer(TCP) and pkt[TCP].flags == 0x12 and pkt[TCP].sport == 80:  # if it is a SYN-ACK from port 80 the session is HTTP
        break  # breaks out of the for loop
    count = count + 1  # increments by 1 (after the test, so count is the SYN-ACK's index, not the index after it)
synAck = pcap[count]  # every packet of this session shares the SYN-ACK's addresses and ports
currentPkt = count + 1  # loop from here
# while the FIN bit is 0 keep looping; stop when it is 1 (or when the capture runs out)
while currentPkt < len(pcap) and not (pcap[currentPkt].haslayer(TCP) and int(pcap[currentPkt][TCP].flags) & 0x01):
    p = pcap[currentPkt]
    # index the IP and TCP layers explicitly: p.src would return the Ethernet MAC and p.flags the IP flags
    if p.haslayer(TCP) and p[TCP].sport == 80 and p[TCP].dport == synAck[TCP].dport \
            and p[IP].src == synAck[IP].src and p[IP].dst == synAck[IP].dst:
        # if the src, dst ports and IPs are the same as the SYN-ACK packet then the HTTP packets belong to this session and we want to keep them
        pktList.append(p)
    currentPkt = currentPkt + 1  # the original had this inside the if, so the loop never advanced past a non-matching packet
# once the loop exits we have hit the packet with the FIN flag set and now we need to reconstruct the page from this list.
+1

You are heading in the right direction, but the question is too broad. Start writing code, then let us know if you run into any problems. –

+0

You might want to try breaking your problem down into a small set of questions you can picture, and then post when you get stuck. – RyPeck

Answer

0

This python script will extract all unencrypted HTTP web pages from a PCAP file and write them out as HTML files. It uses scapy to handle the individual packets (another good python module is dpkt).

from scapy.all import IP, TCP, Raw, rdpcap, wrpcap
import sys


def sorting(pcap):
    """Keep only TCP packets from server port 80 and group them so that each
    HTTP session is contiguous, in sequence-number order."""
    newerList = list()
    # remove everything not HTTP (anything not TCP, or TCP that is not from port 80);
    # 0x14 is RST+ACK, which carries no page data
    for x in pcap:
        if x.haslayer(TCP) and x[TCP].sport == 80 and int(x[TCP].flags) != 0x14:
            newerList.append(x)
    # itemgetter("IP.src", "TCP.dport") does not work on scapy packets; index the layers
    # explicitly. The sequence number puts retransmitted or reordered segments in place.
    newerList = sorted(newerList, key=lambda p: (p[IP].src, p[TCP].dport, p[TCP].seq))
    wrpcap("sorted.pcap", newerList)
    return newerList


def payloadText(pkt):
    """Return the TCP payload as text; latin-1 maps every byte 1:1 so nothing is lost."""
    if pkt.haslayer(Raw):
        return bytes(pkt[Raw].load).decode("latin-1")
    return ""


def extract(pcap, num, count):
    """Write the num-th HTML document found from index count onwards to fileN.html,
    then recurse to look for the next one."""
    listCounter = count

    # Stop if we have reached the end of the list of packets
    if count >= len(pcap):
        return

    # Find the packet whose payload contains the opening HTML tag and start a new file with it
    thisFile = "file" + str(num) + ".html"
    outFile = None
    while listCounter != len(pcap):
        s = payloadText(pcap[listCounter])
        listCounter = listCounter + 1
        if s.find("<html") != -1:
            outFile = open(thisFile, "a")
            outFile.write(s)
            break

    # No further HTML document in the remaining packets
    if outFile is None:
        return

    # Continue to loop through packets and write their contents until we find the
    # closing HTML tag, and include that packet as well
    counter = listCounter
    while counter != len(pcap):
        s = payloadText(pcap[counter])
        outFile.write(s)
        counter = counter + 1
        if s.find("</html>") != -1:
            break
    outFile.close()  # the original had file.close without parentheses, which does not close anything

    # Recursively call the function, incrementing the file name by 1 and passing the
    # position in the PCAP we stopped at so we continue with the next document
    extract(pcap, num + 1, counter)


if __name__ == "__main__":
    # Read in file from user
    f = input("Please enter the name of your pcap file in this directory. Example: myFile.pcap ")
    try:
        pcapFile = rdpcap(f)
    except (IOError, OSError) as err:
        sys.exit("Could not read %s: %s" % (f, err))
    print("Filtering Pcap File of non HTTP Packets and then sorting packets")
    # Sort and Filter the PCAP
    pcapFile = sorting(pcapFile)
    print("Sorting Complete")
    print("Extracting Data")
    # Extract the Data
    extract(pcapFile, 1, 0)
    print("Extracting Complete")
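The answer's script searches each packet payload for the literal `<html`, so it goes wrong when segments arrive out of order, are retransmitted, or split a tag across two packets, and it cannot tell whether the capture actually holds the whole page (the question's second point). The following is an added, standard-library-only example (not the answer's code and not scapy's API) of the reassembly step that belongs before any HTML extraction: it takes constructed (src, sport, dst, dport, seq, payload) tuples, as one would pull from scapy's IP/TCP/Raw layers, stitches each flow by sequence number, drops retransmissions, flags gaps, and compares the body against Content-Length.

```python
from collections import defaultdict

# Constructed sample (not from the question's capture): server-to-client TCP segments as
# (src_ip, sport, dst_ip, dport, seq, payload). Flow 1 arrives out of order, repeats one
# segment and splits "<html" across two packets; flow 2 is cut short by the capture.
SEGMENTS = [
    ("10.0.0.5", 80, "192.168.1.10", 50000, 1000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("10.0.0.5", 80, "192.168.1.10", 50000, 1064, b"<ht"),
    ("10.0.0.5", 80, "192.168.1.10", 50000, 1042, b"Content-Length: 28\r\n\r\n"),
    ("10.0.0.5", 80, "192.168.1.10", 50000, 1067, b"ml><body>hi</body></html>"),
    ("10.0.0.5", 80, "192.168.1.10", 50000, 1042, b"Content-Length: 28\r\n\r\n"),  # retransmission
    ("10.0.0.5", 80, "192.168.1.11", 50001, 500, b"HTTP/1.1 200 OK\r\nContent-Length: 40\r\n\r\n<html>"),
]

def reassemble(segments):
    """Group segments by flow 4-tuple; stitch payloads by seq, drop duplicates, flag gaps."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, data in segments:
        flows[(src, sport, dst, dport)].setdefault(seq, data)  # first copy of a seq wins
    streams = {}
    for flow, segs in flows.items():
        data, expected, gap = bytearray(), None, False
        for seq in sorted(segs):
            gap = gap or (expected is not None and seq != expected)  # hole or overlap
            data += segs[seq]
            expected = seq + len(segs[seq])
        streams[flow] = (bytes(data), gap)
    return streams

def parse_response(stream):
    """Split an HTTP/1.x response into status, headers, body; check body vs Content-Length."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"status": status, "headers": headers, "body": body[:length], "complete": len(body) >= length}

def extract_pages(segments):
    """Return one parsed response per client (ip, port), with a flag for gaps in the stream."""
    pages = {}
    for (src, sport, dst, dport), (stream, gap) in reassemble(segments).items():
        resp = parse_response(stream)
        if sport == 80 and resp is not None:
            resp["gap"] = gap
            pages[(dst, dport)] = resp
    return pages
```

Real captures add chunked transfer encoding, gzip Content-Encoding and keep-alive connections carrying several responses, each of which has to be handled after this reassembly step and before the HTML is written out.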