sridhar19091986 / pcapsctpspliter

Automatically exported from code.google.com/p/pcapsctpspliter

split pcap problem #1

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago

When the packets in a pcap file are split and reassembled by the byte lengths mapped from the protocol, a problem appears: [Malformed Packet: SCTP]?

Original issue reported on code.google.com by cn.wei.hp@gmail.com on 12 Nov 2010 at 3:01

GoogleCodeExporter commented 9 years ago
Reassembling Sniffed Firmware or a Binary With Scapy

https://www.openrce.org/blog/vie ... a_Binary_With_Scapy

Author: apridgen    Views: 315

So, I got bored one night (or morning depending on your perspective), and I 
decided to sniff the firmware upgrade process for my network printer, Fun!   I 
used Wireshark (yeah my tcpdump foo is bar) to isolate the TCP stream between 
the VM upgrading the firmware and the printer and saved the pcap.

I have been meaning to play with Scapy for quite some time, so I fired up 
ipython and in about 20 minutes I had a quick script to extract the data I 
needed.  The script is pretty basic and may not work in all cases, but I 
figured I'd document it somewhere just in case I or someone else might need it 
in the future.

# rdpcap and NoPayload come from scapy (imports were missing)
from scapy.all import rdpcap
from scapy.packet import NoPayload

# IP Address of the VM sending the upgrade
src = "192.168.44.128"
f = "captured_firmware_upgrade.pcap"
pcap = rdpcap(f)

data = b""
for packet in pcap:
    il = packet.getlayer("IP")
    # skip packets that carry no IP layer or come from another host
    if il is None or il.src != src:
        continue
    tl = packet.getlayer("TCP")
    # check for data in the payload, if not skip the packet
    if tl is None or isinstance(tl.payload, NoPayload):
        continue
    # note: segments are appended in capture order; out-of-order or
    # retransmitted segments are not handled here
    data += bytes(tl.payload)
# write our raw data file (binary mode: firmware is not text)
with open("raw_data.dat", "wb") as out:
    out.write(data)

Hope it helps someone in the future 

Original comment by cn.wei.hp@gmail.com on 12 Nov 2010 at 5:40
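The quoted script admits it "may not work in all cases"; the cases that bite when carving a file out of a capture are retransmitted, overlapping and missing TCP segments. The following is an added example (not part of the openrce post or of pcapsctpspliter) that orders segments by sequence number, drops bytes already seen, and reports the ranges that were never captured so the caller knows the result is incomplete rather than silently corrupt. It is pure Python; the `(seq, payload)` pairs would come from `tl.seq` and `bytes(tl.payload)` in the scapy loop above, and the sample segments below are constructed. 32-bit sequence wraparound is not handled.

```python
def reassemble_stream(segments):
    """Reassemble one direction of a TCP stream.

    segments: iterable of (seq, payload) pairs for a single direction.
    Returns (data, gaps): payload bytes in sequence order, with
    retransmitted or overlapping bytes dropped, and a list of
    (start_seq, end_seq) ranges that were never captured. Gaps are
    zero-filled so byte offsets in the output stay correct.
    Assumes no 32-bit sequence-number wraparound within the stream.
    """
    data = bytearray()
    gaps = []
    expected = None  # next sequence number we want to append
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if not payload:
            continue  # pure ACKs and FIN/SYN-only segments carry no data
        if expected is None:
            expected = seq
        if seq < expected:
            # retransmission or partial overlap: keep only the new tail
            skip = expected - seq
            if skip >= len(payload):
                continue  # entirely a duplicate
            payload = payload[skip:]
            seq = expected
        elif seq > expected:
            # hole in the capture: record it and keep offsets aligned
            gaps.append((expected, seq))
            data.extend(b"\x00" * (seq - expected))
        data.extend(payload)
        expected = seq + len(payload)
    return bytes(data), gaps


# Constructed sample: out-of-order delivery, a duplicate, a partial overlap
# and an empty ACK.
SAMPLE_SEGMENTS = [
    (1000, b"AAAA"),
    (1008, b"CC"),
    (1004, b"BBBB"),
    (1004, b"BBBB"),   # retransmission
    (1002, b"AABB"),   # overlaps the previous two segments
    (1010, b""),       # ACK with no payload
]

if __name__ == "__main__":
    stream, holes = reassemble_stream(SAMPLE_SEGMENTS)
    print(stream, holes)
```

If `gaps` is non-empty the carved file is missing bytes; for a firmware image that usually means the capture, not the splitter, is the problem.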

GoogleCodeExporter commented 9 years ago
Control Protocol dissection
The user can control how protocols are dissected.
Each protocol has its own dissector, so dissecting a complete packet will 
typically involve several dissectors. As Wireshark tries to find the right 
dissector for each packet (using static "routes" and heuristics "guessing"), it 
might choose the wrong dissector in your specific case. For example, Wireshark 
won't know if you use a common protocol on an uncommon TCP port, e.g. using 
HTTP on TCP port 800 instead of the standard port 80.

There are two ways to control the relations between protocol dissectors: 
disable a protocol dissector completely or temporarily divert the way Wireshark 
calls the dissectors. 

Original comment by cn.wei.hp@gmail.com on 12 Nov 2010 at 6:31

GoogleCodeExporter commented 9 years ago
# 14-byte Ethernet header, then the 20-byte IPv4 header (no options)
C.newip = ethhdr[14:34]
# 12-byte SCTP common header: src port, dst port, verification tag, checksum
C.sctphdr = C.sctp[:(12+0)]
# tail of the SCTP data, starting 12 bytes before the offset recorded
# in C.sctps[C.sctpNum]
C.lastsctp = C.sctp[C.sctps[C.sctpNum]-12:]
# append editcaptag until the rebuilt packet is at least totallen bytes;
# if len(editcaptag) does not divide the remaining length this overshoots,
# and the chunk lengths then no longer match the byte count of the packet
while len(C.dumpnewsctp) < C.totallen:
    C.dumpnewsctp += editcaptag

Original comment by cn.wei.hp@gmail.com on 14 Nov 2010 at 2:50
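The issue's "[Malformed Packet: SCTP]" and the 12-byte header slicing in the last comment both come down to SCTP's chunk layout: after the common header, every chunk carries its own length, is padded to a 4-byte boundary, and the packet checksum is a CRC32c over the whole packet, stored little-endian on the wire (RFC 4960, Appendix B). Cutting a packet at a byte count that does not line up with a chunk boundary, or leaving the old checksum in place, is exactly what a dissector reports as malformed. The following added example (pure Python, not code from pcapsctpspliter) walks the chunk list with the same boundary checks a dissector applies, splits a multi-chunk packet into one valid packet per chunk with the checksum recomputed, and shows the byte-length cut failing. The sample packet, its ports and verification tag are constructed.

```python
import struct

SCTP_COMMON_HDR = 12  # src port(2) dst port(2) verification tag(4) checksum(4)
CHUNK_HDR = 4         # type(1) flags(1) length(2); length excludes padding


def _make_crc32c_table():
    poly = 0x82F63B78  # reflected Castagnoli polynomial
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


_CRC32C_TABLE = _make_crc32c_table()


def crc32c(data):
    """Standard CRC-32C (check value for b'123456789' is 0xE3069283)."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = (crc >> 8) ^ _CRC32C_TABLE[(crc ^ b) & 0xFF]
    return crc ^ 0xFFFFFFFF


def sctp_checksum_field(packet):
    """Checksum bytes for an SCTP packet: CRC32c over the packet with the
    checksum field zeroed, written little-endian as RFC 4960 specifies."""
    zeroed = packet[:8] + b"\x00\x00\x00\x00" + packet[12:]
    return struct.pack("<I", crc32c(zeroed))


def verify_checksum(packet):
    return packet[8:12] == sctp_checksum_field(packet)


def parse_chunks(packet):
    """Walk the chunk list. Raises ValueError on the boundary errors a
    dissector flags as malformed. Returns [(type, flags, chunk_bytes)]."""
    if len(packet) < SCTP_COMMON_HDR:
        raise ValueError("truncated common header")
    chunks = []
    off = SCTP_COMMON_HDR
    while off < len(packet):
        if len(packet) - off < CHUNK_HDR:
            raise ValueError(f"truncated chunk header at offset {off}")
        ctype, flags, length = struct.unpack_from("!BBH", packet, off)
        if length < CHUNK_HDR:
            raise ValueError(f"chunk length {length} below header size at {off}")
        if off + length > len(packet):
            raise ValueError(f"chunk length {length} overruns packet at {off}")
        chunks.append((ctype, flags, packet[off:off + length]))
        off += (length + 3) & ~3  # skip the chunk plus its padding
    return chunks


def split_by_chunk(packet):
    """One complete SCTP packet per chunk: same common header, padding
    restored, checksum recomputed, so each piece dissects cleanly."""
    common = packet[:8] + b"\x00\x00\x00\x00"
    out = []
    for _, _, chunk in parse_chunks(packet):
        padded = chunk + b"\x00" * (-len(chunk) % 4)
        pkt = common + padded
        out.append(pkt[:8] + sctp_checksum_field(pkt) + pkt[12:])
    return out


def build_sample_packet():
    """Constructed sample: DATA chunk with a 3-byte payload (needs one pad
    byte) followed by a SACK chunk; ports and tag are arbitrary."""
    data_chunk = struct.pack("!BBHIHHI", 0, 0x03, 16 + 3, 1000, 0, 0, 0) + b"abc"
    data_chunk += b"\x00"  # pad 19 -> 20 bytes
    sack_chunk = struct.pack("!BBHIIHH", 3, 0, 16, 999, 65535, 0, 0)
    body = (struct.pack("!HHI", 5000, 5001, 0x11223344) + b"\x00" * 4
            + data_chunk + sack_chunk)
    return body[:8] + sctp_checksum_field(body) + body[12:]


if __name__ == "__main__":
    pkt = build_sample_packet()
    for piece in split_by_chunk(pkt):
        print(len(piece), verify_checksum(piece), parse_chunks(piece)[0][0])
    try:
        parse_chunks(pkt[:-3])  # a byte-length cut through the SACK chunk
    except ValueError as e:
        print("malformed:", e)
```

Running `parse_chunks` over each split packet before writing it out is the cheap check: if it raises, the splitter has cut through a chunk and Wireshark will say so too.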