Filter HTTP Get requests packets using scapy

Question

I am trying to filter HTTP Get request packets using scapy by using the Raw information of the packet for deciding which packet is a Get request and which isn't but I didn't find a way to decode the Raw section of the packet, something that looks like that (Not sure if that packet is a HTTP Get request):

<Raw  `load="\x17\x03\x03\x00m\xb8G\xdb\n\xff\x94s\x90y\xe3y\xfa\xa1\x81[-\x05\xf8'Jpq\xf3\x98\xa0\x04d\x08N\xf6\x08\x93\xb1\xd9\xed\xc4^;\xc15\xf2D\xa7\xb4_\x95\x8f\x14l5~[9\xb0\x9f^EI\xbb\xcd\x89\x06\x11`\xa2\xbf\xdd\x8b\x14y!\xae\xbe-D&DW\x96\xf7\xcf\x19\xb0_\xba\xe80b\x9c\xe6\xee\x9c\xf3\xbb\r\x87c\xff\xf9G\xf6K\x8fn\rS\x83?\x05" |>`

Is there a known way of doing this. i have already tried the next filter:

def http_get_filter(packet):
       return (TCP in packet and Raw in packet and 
       str(packet[Raw]).startswith('GET'))

But it didn't worked and raised the next exceptions:

WARNING: Calling str(pkt) on Python 3 makes no sense!
WARNING: Calling str(pkt) on Python 3 makes no sense!
WARNING: more Calling str(pkt) on Python 3 makes no sense!
WARNING: Calling str(pkt) on Python 3 makes no sense!
WARNING: Calling str(pkt) on Python 3 makes no sense!
WARNING: more Calling str(pkt) on Python 3 makes no sense!

I am using python 3.6 version and scapy 2.4.4rc2 version.

Thanks for the help.

unique code may cause issue depending on value of constant/variable you stored with in incoming request. — Ammad Khalid, Aug 09 '20 at 02:05
Replacing `str` by `bytes` and `'GET'` by `b'GET'` works for me with HTTP (and suppresses the warnings). But is it really HTTP and not HTTPS? — qouify, Aug 09 '20 at 09:49
why not using the HTTP layer from scapy? https://scapy.readthedocs.io/en/latest/layers/http.html — fgagnaire, Aug 10 '20 at 02:07

Eyni Kave · Answer 1 · 2021-08-04T22:45:49.547

This warn is for scapy source code(packet.py), not for python compiler:

warning("Calling str(pkt) on Python 3 makes no sense!")

Then, base on source, the bytes function return an analysable byte array with no warning fire:

...
if six.PY2:
    def __str__(self):
        # type: () -> str
        return self.build()
else:
    def __str__(self):
        # type: () -> str
        warning("Calling str(pkt) on Python 3 makes no sense!")
        return str(self.build())

def __bytes__(self):
    # type: () -> bytes
    return self.build()
...

Instead of using str(packet) its better use bytes(packet)

For convert byte array to string:

packetstr = "".join(map(chr, bytes(packet)))

score 1 · Answer 2 · edited Aug 14 '21 at 14:44

1

You can try something along the lines of:

if packet.haslayer(Raw):
   data = str(packet.getlayer(Raw))

edited Aug 14 '21 at 14:44

d1sh4

1,710
5
21

answered Aug 14 '21 at 08:08

ssi

11
2

please use code bracket `like this` for code – Willy satrio nugroho Aug 14 '21 at 11:51
`Inline code` segments with backticks \` or code block using *4 spaces*. Or using Ctrl+K. – Ivan Aug 14 '21 at 14:08

Filter HTTP Get requests packets using scapy

2 Answers2

Linked