7

To start off, I have read through other Raw answers pertaining to scapy on here; however, none have been useful. Maybe I am just doing something wrong, and that's what has brought me here today.

So, for starters, I have a pcap file which started out corrupted with some retransmissions; to my belief I have gotten it back together correctly.

It contains a Radiotap header, IEEE 802.11 (dot11), logical-link control, IPv4, UDP, and DNS.

To my understanding, the UDP packets being transmitted hold this raw data; however, due to some recent quirks, maybe the Raw is in Radiotap/Raw.

Using scapy, I'm iterating through the packets, and when a packet with the Raw layer is found, I am using the .show() function of scapy to view it.

As such, I can see that there is a raw load available:

###[ Raw ]###
 \load      \
  |###[ Raw ]###
  |  load      = '@\x00\x00\x00\xff\xff\xff\xff\xff\xff\x10h?'

So, I suppose my question is: how can I capture this payload to receive whatever this may be? To my knowledge the load is supposed to be an image file; however, I have trouble believing such, so I assume I have misstepped somewhere.

Here is the code I'm using to achieve the above result:

from scapy.all import rdpcap, Raw


pack = rdpcap('/home/username/Downloads/new.pcap')
for packet in pack:
    if packet.getlayer(Raw):
        print('[+] Found Raw' + '\n')
        l = packet.getlayer(Raw)
        # Raw(l) wraps the existing Raw layer inside a second Raw layer,
        # which is why show() prints a nested Raw; l.show() would do.
        rawr = Raw(l)
        rawr.show()

Any help, or insight for further reading, would be appreciated; I am new to scapy and no expert in packet dissection.

*Side note: previously I had tried (using separate code and a server) to replay the packets and send them to myself, to no avail. However, I feel that's due to my lack of knowledge in receiving UDP packets.

UPDATES: I have now tested my pcap file with a scapy reassembler, and I've confirmed I have no fragmented packets or anything of the sort, so I assume all should go smoothly... Upon opening my pcap in Wireshark, I can see that there are retransmissions, but I'm not sure how much that will affect my goals, since no fragmentation occurred?

Also, I have tried getlayer(Raw).load; if I use print on it I get some gibberish on the screen. I'm assuming it's the data of my would-be image; however, I now need to get it into a usable format.

Torxed
Colabambino

4 Answers

8

You can do:

data = packet[Raw].load
Yohan Obadia
0

You should be able to access the field in this way:

l = packet.getlayer(Raw).load
rebrid
  • I have previously tried this, as most places I've done research say this is the answer. However, while this doesn't throw any errors, it also does nothing. Perhaps I am missing storing this loaded data, or writing to a file? I have now tried using the stored variable of getlayer, so for example I have " print l.load ", which now does print; however, it returns me this " @������h? " – Colabambino Dec 16 '15 at 13:32
  • I was always able to access the load in that way, but usually in my case it was just a string. Indeed, Raw load is just a string. You should find a way to convert it into what you need – rebrid Dec 16 '15 at 16:27
0

Using Scapy's interactive shell, I was successful doing this:

from scapy.all import rdpcap, Raw

pcap = rdpcap('sniffed_packets.pcap')
# sessions() groups packets by flow; keys look like "TCP a.b.c.d:port > w.x.y.z:port"
s = pcap.sessions()

for key, value in s.items():
    # Looking for telnet sessions
    if ':23' in key:
        for v in value:
            try:
                payload = v.getlayer(Raw).load
            except AttributeError:
                pass   # packet has no Raw layer (e.g. a pure ACK)
insecure-IT
0

If you are trying to get the load part of the packet only, you can try:

import sys
from scapy.all import IP, TCP, Raw, sniff

def handle_pkt(pkt):
    # Only packets to TCP port 5201 that actually carry a payload
    if TCP in pkt and Raw in pkt and pkt[TCP].dport == 5201:
        #print("got a packet")
        print(pkt[IP])
        # scapy resolves .load by walking down to the Raw layer,
        # so pkt[IP].load is the same bytes as pkt[Raw].load
        load_part = pkt[IP].load
        print("Load#", load_part)
        pkt.show2()          # show2() rebuilds the packet, so checksums are filled in
        sys.stdout.flush()

# assumed usage: handle_pkt as the sniff() callback
sniff(filter="tcp port 5201", prn=handle_pkt)
Nagmat