How to capture a proper pcap file?

[SaigeGithub]

The command I use on a MacOS: tcpdump -i en0 -w test.pcap This pcap file can be parsed, the IP, TCP could be extracted. but the HTTP header had an 'invalid header' error and if I add a try and catch, it would be empty. The pcap is too big to be attached here. Thank you!!!

[SaigeGithub]

pcap = dpkt.pcap.Reader(f)

for timestamp, buf in pcap:
  eth = dpkt.ethernet.Ethernet(buf)

  if eth.type != dpkt.ethernet.ETH_TYPE_IP6 and eth.type != dpkt.ethernet.ETH_TYPE_IP:
    print('Non IP Packet type not supported %s\n' % eth.data.__class__.__name__)
    continue

  if eth.type == dpkt.ethernet.ETH_TYPE_IP:

    ip = eth.data
    if ip.p == dpkt.ip.IP_PROTO_TCP:

        tcp = ip.data
        try:
          request = dpkt.http.Request(tcp.data)
        except (dpkt.dpkt.NeedData, dpkt.dpkt.UnpackError):
          continue
        print ('HTTP Message: %s\n' % repr(request))

But the output is empty, there is something wrong when dpkt tried to parser the http

[kbandla]

• Were you able to verify in Wireshark that the pcap has valid http data?
• Assuming that stands true, not all tcp data is http
  • Check for src/dst tcp port to be http and then try to parse it as http
  • Your code parses all tcp packets like http (and it should do the job if there is a http packet in the pcap, which is why I am wondering if there was http data captured in the pcap to begin with)