kbandla / dpkt

fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols

dpkt.http.Response always fails #621

Closed id88 closed 2 years ago

id88 commented 2 years ago

dpkt.http.Response always fails when the body is divided into several parts which are transported in different TCP packets.

Code

import dpkt

def process_pcap(pcap):
    for timestamp, buf in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
        except Exception:
            continue

        ip = eth.data

        if isinstance(ip.data, dpkt.tcp.TCP):
            tcp = ip.data
            if tcp.data[:4] == str.encode('HTTP'):
                respx = dpkt.http.Response(tcp.data)

if __name__ == "__main__":
    with open("test.pcap", 'rb') as fp:
        try:
            capture = dpkt.pcap.Reader(fp)
        except ValueError as e:
            raise Exception("File doesn't appear to be a PCAP: %s" % e)
        process_pcap(capture)

Result:

Traceback (most recent call last):
  File "C:\Users\admin\Desktop\dpktTest\demo.py", line 28, in <module>
    process_pcap(capture)
  File "C:\Users\admin\Desktop\dpktTest\demo.py", line 19, in process_pcap
    respx = dpkt.http.Response(tcp.data)
  File "D:\Anaconda\lib\site-packages\dpkt\http.py", line 100, in __init__
    self.unpack(args[0])
  File "D:\Anaconda\lib\site-packages\dpkt\http.py", line 232, in unpack
    Message.unpack(self, f.read(), is_body_allowed)
  File "D:\Anaconda\lib\site-packages\dpkt\http.py", line 117, in unpack
    self.body = parse_body(f, self.headers)
  File "D:\Anaconda\lib\site-packages\dpkt\http.py", line 74, in parse_body
    raise dpkt.NeedData('short body (missing %d bytes)' % (n - len(body)))
dpkt.dpkt.NeedData: short body (missing 262727 bytes)
[Finished in 0.1s]

It will always raise an exception because the body is divided into several parts which are transported in different TCP packets. I am not sure whether it is a bug or not, but I actually don't know how to deal with it. Thanks

brifordwylie commented 2 years ago

@id88 Dpkt is just handling simple packet parsing. The package does not provide support for reconstructing ‘flows’ (TCP Reassembly https://www.wireshark.org/docs/wsug_html_chunked/ChAdvReassemblySection.html). An HTTP request (and response if you tried to parse it) will only parse correctly if it fits within a single packet. Requests can often fit in a single packet but Responses almost never will.
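
The reassembly step that the reply above says dpkt leaves to the caller, as an added example that is not code from this thread or from the dpkt project. The names `reassemble` and `http_responses` and the sample segments are constructed for illustration; the sketch assumes an Ethernet/IPv4 capture and parses only the first response in each flow.

```python
def reassemble(segments):
    """Join (seq, payload) pairs from ONE direction of a TCP flow into bytes."""
    segments = [(seq, data) for seq, data in segments if data]
    if not segments:
        return b""
    base = segments[0][0]
    # Signed distance from the first captured segment, so out-of-order
    # arrival and 32-bit sequence wraparound both sort correctly.
    ordered = sorted((((seq - base + 2**31) % 2**32) - 2**31, data)
                     for seq, data in segments)
    stream, nxt = b"", ordered[0][0]
    for off, data in ordered:
        if off > nxt:
            break                  # hole: a segment is missing from the capture
        skip = nxt - off           # bytes already delivered (retransmit/overlap)
        if skip < len(data):
            stream += data[skip:]
            nxt = off + len(data)
    return stream

def http_responses(pcap):
    """Yield (flow, dpkt.http.Response) for the first response of each flow."""
    import dpkt  # local import: reassemble() stays usable without dpkt
    flows = {}
    for _ts, buf in pcap:
        ip = dpkt.ethernet.Ethernet(buf).data
        if isinstance(ip, dpkt.ip.IP) and isinstance(ip.data, dpkt.tcp.TCP):
            tcp = ip.data
            flow = (ip.src, tcp.sport, ip.dst, tcp.dport)
            flows.setdefault(flow, []).append((tcp.seq, tcp.data))
    for flow, segments in flows.items():
        stream = reassemble(segments)
        if not stream.startswith(b"HTTP/"):
            continue
        try:
            resp = dpkt.http.Response(stream)
        except (dpkt.dpkt.NeedData, dpkt.dpkt.UnpackError):
            continue               # capture ended before the body was complete
        yield flow, resp

# Constructed sample: one response split over three segments, captured out of
# order, with one retransmission, and sequence numbers wrapping past 2**32.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n0123456789"
START = 2**32 - 20
SAMPLE = [((START + 30) % 2**32, RESPONSE[30:]), (START, RESPONSE[:15]),
          (START, RESPONSE[:15]), ((START + 15) % 2**32, RESPONSE[15:30])]
```

With a capture opened as in the original script, `for flow, resp in http_responses(dpkt.pcap.Reader(fp))` replaces the per-packet `dpkt.http.Response(tcp.data)` call.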

obormot commented 2 years ago

Expected behavior - closing