kbandla / dpkt

fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols

How to get payload of pcap packet? #571

Closed: montagsmodell closed this 3 years ago

montagsmodell commented 3 years ago

Dear all, I have a pcap file containing one sniffed packet which was sent via the UDP protocol. I need the content (not the source or destination port etc., as shown in the examples, but the actual payload) of said packet. I have two intermediate codes that run successfully but do not give me what I want.

Possibility 1:

import dpkt

sourcefile = "output.pcap"
f = open(sourcefile, 'rb')
pcap = dpkt.pcap.Reader(f)

# Possibility 1
for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    print(eth.data)        # eth.data is the dpkt.ip.IP object: IP header + UDP header + payload
    print(len(eth.data))   # total length of the IP packet
    for i in eth.data:     # iterating a dpkt packet yields its (header field, value) pairs
        print(i)

That returns:

b'E\x00\x01\xbc8\xd1@\x00@\x11\xeb`\n\x00\x00\x01\n\x00\x00\xff\'\x0f\'\x0f\x01\xa8\xd8\xb6\xee\xdc\xfb\xb5\xbb\x1c\x03\xc8\xbf\xd3\xba\xd8\x84\x87X\x83,~|\xae\xe6\xf2\xadtwU<i\xaaN\xed_5\xb8\xef\xd9\x8a[\xa3\xd7\xbd5\x9d\xbe\x97N\x13\xa4\xb3\xd8*\xe2\x05as\x90\xdf78d\xab\xec\xfc\xa0z:l\xfbX\x17\x01\x98\x9b#\xeb!Y\x99\xc7\xb6\xe0\xf7\xabS~*\xf7\xa3\xca\x04\xb5\x7f\x0c\xf2\xba\x1a\x8f\xf9\x15\xe27v47\xbd\xe1!\xaa1C\xfa\xb9\xca\x8e}\x90/\xbf\xd0\xe2\x1d\x87 \x1cK8\xc2q\xb8l\xc6\x8e/\xf9\xd9\xca\xc7\x8b~\x9fW*_\xfd\x92\xbf\x90\x9d\xc7\xb1Z\xcc\x17\xef4\xa02\x13k\x84\x1c\xeb\xe0\x9c\x112\xf6}\xc9+\x91\xcf+\xdf\x07#\x99\xe8\xd2\xe6C_I]\xfd\xe0\xce\xb1\xf8r\xc1\x84\x15N\xf4\x99\xd4\x03z\xc6?w\x14G\x8a\xe2\xdc\xe5A\xa3\x87\xa5}\xbaob\xc7\x06\x88\xdc\x1e4>Y\xe2\x9a\x8e{\xbe7.\xd6\xff\xc9\xd8\rs\xeb6\xfeft\x1bd\xbd\x87\xb6\xc8\x9b\x95\xa6\\\xfd\xa9\x1a\x8b\xf5\x1f}km[(\xcac\xde\xce\x8e\x11\xb3\xe1\xcd\x10\x02\xbd\xafl\xf0\x1c\x95aOu\xd1"L\xe4T\xc4\xb3\xd5\xbb\x12v\xb5\xa6Q\xd1\xc4\x12Zr\xe9-5\xf0\x95x\x03Z<\xa7\xe9/\xe6\xf4\xa7k\xc3:\x89\xef\xcf\xd4\xcf$\xd4\x99\xddG\x82\xf7\x02\r\x80\x04w:\xe0\xc1eT\xdc]\xa5\x8fh\x13\xb6\xb3\xb0\xc3\x03qB\xa8&\\\xe1O\xcb\x0el\xa4\x08dT \xda}\x9d\x155\xa7\xbe\xa3\x8c\xb2\xe7\xd2\xe3\xab\x1ed\xc4\xee\xdf\x8d\xd6Y\x81\x8e\x8d\'H\x8e\x94\x038G\xb3\xd8*\xe2\x05as\x90X\x04\xbc\x8b\x13\x1f:|'
444
('_v_hl', 69)
('tos', 0)
('len', 444)
('id', 14545)
('off', 16384)
('ttl', 64)
('p', 17)
('sum', 60256)
('src', b'\n\x00\x00\x01')
('dst', b'\n\x00\x00\xff')

Possibility 2 is:

import dpkt

sourcefile = "output.pcap"
f = open(sourcefile, 'rb')
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    ip = eth.data
    tcp = ip.data   # protocol 17 in the IP header, so this is actually a dpkt.udp.UDP object
    print(tcp)      # serialises the 8-byte UDP header followed by the payload

That returns

b'\'\x0f\'\x0f\x01\xa8\xd8\xb6\xee\xdc\xfb\xb5\xbb\x1c\x03\xc8\xbf\xd3\xba\xd8\x84\x87X\x83,~|\xae\xe6\xf2\xadtwU<i\xaaN\xed_5\xb8\xef\xd9\x8a[\xa3\xd7\xbd5\x9d\xbe\x97N\x13\xa4\xb3\xd8*\xe2\x05as\x90\xdf78d\xab\xec\xfc\xa0z:l\xfbX\x17\x01\x98\x9b#\xeb!Y\x99\xc7\xb6\xe0\xf7\xabS~*\xf7\xa3\xca\x04\xb5\x7f\x0c\xf2\xba\x1a\x8f\xf9\x15\xe27v47\xbd\xe1!\xaa1C\xfa\xb9\xca\x8e}\x90/\xbf\xd0\xe2\x1d\x87 \x1cK8\xc2q\xb8l\xc6\x8e/\xf9\xd9\xca\xc7\x8b~\x9fW*_\xfd\x92\xbf\x90\x9d\xc7\xb1Z\xcc\x17\xef4\xa02\x13k\x84\x1c\xeb\xe0\x9c\x112\xf6}\xc9+\x91\xcf+\xdf\x07#\x99\xe8\xd2\xe6C_I]\xfd\xe0\xce\xb1\xf8r\xc1\x84\x15N\xf4\x99\xd4\x03z\xc6?w\x14G\x8a\xe2\xdc\xe5A\xa3\x87\xa5}\xbaob\xc7\x06\x88\xdc\x1e4>Y\xe2\x9a\x8e{\xbe7.\xd6\xff\xc9\xd8\rs\xeb6\xfeft\x1bd\xbd\x87\xb6\xc8\x9b\x95\xa6\\\xfd\xa9\x1a\x8b\xf5\x1f}km[(\xcac\xde\xce\x8e\x11\xb3\xe1\xcd\x10\x02\xbd\xafl\xf0\x1c\x95aOu\xd1"L\xe4T\xc4\xb3\xd5\xbb\x12v\xb5\xa6Q\xd1\xc4\x12Zr\xe9-5\xf0\x95x\x03Z<\xa7\xe9/\xe6\xf4\xa7k\xc3:\x89\xef\xcf\xd4\xcf$\xd4\x99\xddG\x82\xf7\x02\r\x80\x04w:\xe0\xc1eT\xdc]\xa5\x8fh\x13\xb6\xb3\xb0\xc3\x03qB\xa8&\\\xe1O\xcb\x0el\xa4\x08dT \xda}\x9d\x155\xa7\xbe\xa3\x8c\xb2\xe7\xd2\xe3\xab\x1ed\xc4\xee\xdf\x8d\xd6Y\x81\x8e\x8d\'H\x8e\x94\x038G\xb3\xd8*\xe2\x05as\x90X\x04\xbc\x8b\x13\x1f:|'

Can somebody please help me figure out how to get only the payload of the packet, without the destination IP or source IP etc.?

Thanks! Any help is appreciated.

obormot commented 3 years ago

Possibility 2 looks pretty close, you just need to descend 1 more layer into the UDP data (Ethernet -> IP -> UDP -> payload). Something like

for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    ip = eth.data
    udp = ip.data
    print(udp.data)

or simply

print(eth.ip.udp.data)

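
To make visible what each of the three prints above strips, here is an added example (not dpkt code and not from this thread) that walks the same Ethernet -> IPv4 -> UDP layers with the standard library on a constructed frame. The addresses, ports and payload are assumed sample values chosen to mirror the header fields visible in the question's output; checksums are left at zero.

```python
import struct
from typing import Optional

ETH_TYPE_IPV4 = 0x0800
IP_PROTO_UDP = 17


def build_frame(payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at zero).

    Header values mirror the ones visible in the question's output:
    10.0.0.1 -> 10.0.0.255, id 14545, DF set, ttl 64, UDP 9999 -> 9999.
    """
    eth = struct.pack("!6s6sH", b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", ETH_TYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 14545, 0x4000,
                     64, IP_PROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 255]))
    udp = struct.pack("!HHHH", 9999, 9999, 8 + len(payload), 0)
    return eth + ip + udp + payload


def udp_payload(frame: bytes) -> Optional[bytes]:
    """Return the UDP payload of an IPv4/UDP frame, or None if it is not one.

    This is the walk dpkt performs for eth.ip.udp.data, spelled out by offset:
    frame[14:]         is what Possibility 1 printed (IP header first, 'E\\x00...'),
    frame[14+ihl:]     is what Possibility 2 printed (8-byte UDP header first),
    frame[14+ihl+8:]   bounded by the UDP length field, is the payload.
    """
    if len(frame) < 14 + 20 + 8:
        return None
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_IPV4:            # ARP, IPv6, VLAN-tagged: not handled here
        return None
    ip = frame[14:]
    if (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes, 20 without options
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != IP_PROTO_UDP or ihl < 20 or total_len < ihl + 8 or total_len > len(ip):
        return None
    udp = ip[ihl:total_len]                  # also drops Ethernet padding after the datagram
    (ulen,) = struct.unpack("!H", udp[4:6])
    if ulen < 8 or ulen > len(udp):          # inconsistent length field: refuse, do not guess
        return None
    return udp[8:ulen]


# Constructed sample, not the capture from the issue.
SAMPLE_PAYLOAD = b"hello from 10.0.0.1"
SAMPLE_FRAME = build_frame(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(udp_payload(SAMPLE_FRAME))
```
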
montagsmodell commented 3 years ago

Hey, thanks for the fast answer @obormot! This might actually work, but I am not sure; maybe you can clarify for me: does this command only print out the content of the packet without the header, IP address etc.? I can't check for myself because the traffic I'm capturing is additionally encrypted right now.

obormot commented 3 years ago

@montagsmodell I've shown how you could print the UDP payload with dpkt. This is not an issue with dpkt - closing the ticket.