dpkt and parsing of pcap file

I need to calculate delta between SYN and SYN-ACK or ACK packet for each http.uri request.

Why is my code not working for it?

 1. #!/usr/bin/env python
 2. 
 3. import dpkt
 4. 
 5. def ip_decode(p):
 6.     return ".".join(["%d" % ord(x) for x in str(p)])
 7. 
 8. def tcp_flags(flags):
 9.     ret = ''
10.     if flags & dpkt.tcp.TH_FIN:
11.         ret = ret + 'F'
12.     if flags & dpkt.tcp.TH_SYN:
13.         ret = ret + 'S'
14.     if flags & dpkt.tcp.TH_RST:
15.         ret = ret + 'R'
16.     if flags & dpkt.tcp.TH_PUSH:
17.         ret = ret + 'P'
18.     if flags & dpkt.tcp.TH_ACK:
19.         ret = ret + 'A'
20.     if flags & dpkt.tcp.TH_URG:
21.         ret = ret + 'U'
22.     if flags & dpkt.tcp.TH_ECE:
23.         ret = ret + 'E'
24.     if flags & dpkt.tcp.TH_CWR:
25.         ret = ret + 'C'
26. 
27.     return ret
28. 
29. f = open('mycapture.cap')
30. pcap = dpkt.pcap.Reader(f)
31. 
32. 
33. 
34. for ts, buf in pcap:
35.     eth = dpkt.ethernet.Ethernet(buf)
36.     ip = eth.data
37.     tcp = ip.data
38.     timestamp = 0
39.     timestamp2 = 0
40.     timestampresult = 0
41. 
42.     if tcp.dport == 80 and len(tcp.data) > 0:
43.         try:
44.             http = dpkt.http.Request(tcp.data)
45.             http_compare = http.uri
46.             if tcp_flags(tcp.flags) == 'S':
47.                 timestamp = ts
48.                 for ts, buf in pcap:
49.                     eth = dpkt.ethernet.Ethernet(buf)
50.                     ip = eth.data
51.                     tcp = ip.data
52. 
53.                     if tcp.dport == 80 and len(tcp.data) > 0:
54.                         try:
55.                             http = dpkt.http.Request(tcp.data)
56.                             if http_compare == http.uri and tcp_flags(tcp.flags) == 'A':
57.                                 timestamp2 = ts
58.                         except dpkt.dpkt.NeedData:
59.                             continue
60.                         except dpkt.dpkt.UnpackError:
61.                             continue
62.                     else:
63.                         continue
64. 
65.         except dpkt.dpkt.NeedData:
66.             continue
67.         except dpkt.dpkt.UnpackError:
68.             continue
69.     else:
70.         continue
71.     timestampresult = timestamp2 - timestamp
72.     print "http://" + "%s" % ip_decode( ip.dst ) + http.uri, timestampresult
73. 
74. 
75. 
76. f.close()
Nov 3 '12 #1
zmbd
Why is my code not working for it?
- Please take a few moments and provide us with the details... are you receiving any errors and if so EXACTLY what are they (number and description) and where in the code they are occurring.

- With some example data... tell us what you expected and what you received.

- Tell us what steps you've already taken to troubleshoot your code... I for one get a tad frustrated when a suggestion is made and the OP replies "already tried that" in so many words.
Nov 3 '12 #2
@zmbd, No, I'm not receiving errors, I'm receiving zeros as the result of the timestamp subtraction. As the result I would like to have the subtraction between ACK and SYN for each HTTP request to the server.

I made the file using tcpdump:

tcpdump -i eth0 -w mycapture.cap
After that I made some HTTP requests in Firefox, and then I ran:

tcpdump -i eth0 -w mycapture.cap
^C
python parsing.py

http://87.250.250.203/ 0
http://87.250.250.119/watch/723233 0
http://217.73.200.222/V13a****yandex_ru/ru/CP1251/tmsec=yandex_ya/0 0
http://93.158.134.143/su/ 0
http://87.250.251.91/page/168?callback=jQuery16301684296573399927_1351376662464&_=1351376662536 0
http://93.158.134.203/data/mail.js?yaru=y 0
I think it's because I'm trying to compare requests by HTTP header, but in some cases I can't get the HTTP request, because the TCP 'A' datagrams don't have a body (tcp.data), so I can't get the HTTP URI.
Nov 3 '12 #3
zmbd
Much better :)

Forewarning... PYTHON is not something I am very familiar with, so my advice should be taken with a grain of salt.

Line 45: http_compare = http.uri
Should that be:
Line 45: http_compare = http.urL??

Maybe not as I see you have the same construct in other parts of the code and you mention that in your second post too.

I would try to run against the IP addressing as that is less likely to get mangled.
Nov 3 '12 #4
Nice example. You are getting zero because you set zeros:

    timestamp = 0
    timestamp2 = 0

- these counters never change.
The condition:

    if tcp_flags(tcp.flags) == 'S'

does not work, because a packet carrying an HTTP request cannot have the "SYN" flag. The TCP session is established (SYN - SYN/ACK - ACK) before the HTTP protocol starts sending the request. You need to formulate the task more carefully. What time delta would you like to calculate?
Jan 10 '13 #6
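The two observations in this thread (post #3: the handshake ACK has no body, so no URI can be read from it; post #6: the SYN is sent before any HTTP bytes exist, so matching SYNs by URI can never work) point at the same fix: key the state by the TCP connection (client IP, client port, server IP, server port), record the SYN and SYN/ACK times on that key, and attach the URI when the first segment with a payload arrives on the same connection. The script below is an added example written for this page, not the original poster's code and not part of dpkt. It is Python 3 and parses Ethernet/IPv4/TCP by hand with struct so it runs offline; the capture bytes, the addresses 10.0.0.5 and 192.0.2.10, the client ports and the two GET requests are all constructed test data. It assumes a classic microsecond libpcap file, port 80 as the server side, and reports the first request on each connection only. The same loop body drops straight into a dpkt.pcap.Reader loop, using tcp.flags, ip.src/ip.dst and tcp.data in place of the hand parser.

```python
import struct

# TCP flag bits (the same values dpkt exposes as dpkt.tcp.TH_*).
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic microsecond libpcap buffer."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # magic read in file order gives the byte order
    off = 24                                       # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp_frame(frame):
    """Return (src, dst, sport, dport, flags, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                # not IPv4, or not TCP
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[doff:]


def http_request_uri(payload):
    """Return the request-target of an HTTP/1.x request line, or None if the bytes are not one."""
    parts = payload.partition(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("ascii", "replace")


def handshake_deltas(pcap_bytes, server_port=80):
    """List of (url, seconds between client SYN and server SYN/ACK), one per HTTP request.

    State is keyed by the client-side 4-tuple, so the SYN, the SYN/ACK and the later
    request payload are tied together as one connection instead of by comparing URIs.
    """
    flows, results = {}, []
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = parse_tcp_frame(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags, payload = pkt
        if dport == server_port:                       # client -> server direction
            key = (src, sport, dst, dport)
            if flags & TH_SYN and not flags & TH_ACK:  # handshake step 1 (a retransmit restarts timing)
                flows[key] = {"syn": ts}
            elif payload:                              # the bare handshake ACK has no body and is skipped
                flow = flows.get(key)
                uri = http_request_uri(payload)
                if flow and "synack" in flow and "uri" not in flow and uri is not None:
                    flow["uri"] = uri                  # first request on this connection only
                    results.append(("http://%s%s" % (dst, uri), flow["synack"] - flow["syn"]))
        elif sport == server_port:                     # server -> client direction
            key = (dst, dport, src, sport)
            if flags & TH_SYN and flags & TH_ACK and key in flows:
                flows[key]["synack"] = ts              # handshake step 2
    return results


def _frame(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame with zero checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _record(ts, frame):
    """One little-endian, microsecond libpcap record header followed by the frame."""
    sec = int(ts)
    return struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame


# Constructed two-connection capture: SYN, SYN/ACK, bare ACK, then a GET on each connection.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"             # constructed addresses (RFC 1918 / TEST-NET-1)
GET = b"GET %s HTTP/1.1\r\nHost: example\r\n\r\n"
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record(1.0000, _frame(CLIENT, SERVER, 40001, 80, TH_SYN)),
    _record(1.0420, _frame(SERVER, CLIENT, 80, 40001, TH_SYN | TH_ACK)),
    _record(1.0423, _frame(CLIENT, SERVER, 40001, 80, TH_ACK)),              # no body, nothing to parse
    _record(1.0430, _frame(CLIENT, SERVER, 40001, 80, TH_PUSH | TH_ACK, GET % b"/index.html")),
    _record(2.0000, _frame(CLIENT, SERVER, 40002, 80, TH_SYN)),
    _record(2.0150, _frame(SERVER, CLIENT, 80, 40002, TH_SYN | TH_ACK)),
    _record(2.0152, _frame(CLIENT, SERVER, 40002, 80, TH_ACK)),
    _record(2.0160, _frame(CLIENT, SERVER, 40002, 80, TH_PUSH | TH_ACK, GET % b"/watch/1")),
])

if __name__ == "__main__":
    for url, delta in handshake_deltas(SAMPLE_PCAP):
        print("%s %.6f" % (url, delta))
```

Run against the constructed capture it prints 0.042 s for /index.html and 0.015 s for /watch/1. To read a real tcpdump file instead, pass `open('mycapture.cap', 'rb').read()` to handshake_deltas; the `'rb'` matters, since the records are binary. If the delta wanted is the client-side completion of the handshake rather than the server's response time, record the timestamp of the bare ACK (flags with TH_ACK set, no SYN, empty payload) on the same key as a third step.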
