erikodiony/pcap-parser
Parse pcap file and display http traffics with python

This branch is 127 commits ahead of, 91 commits behind hsiafan/httpdump:master.
Latest commit 499824c by Dong Liu, Dec 20, 2014

Parse and show HTTP traffic. Python 2.7.* is required.

This module parses pcap/pcapng files, extracts the HTTP data they contain and shows it as text. Pcap files can be obtained with tcpdump, Wireshark or other network traffic capture tools.

Features:

  • HTTP requests/responses are grouped by TCP connection, so the requests sent over one keep-alive connection are displayed together.
  • Chunked and compressed HTTP requests/responses are handled.
  • Character encodings are handled.
  • JSON content is pretty-printed.

Install

This module can be installed via pip:

pip install pcap-parser

Parse Pcap File

Use tcpdump to capture packets (plaintext HTTP only: the parser cannot look inside TLS, so capturing port 443 yields nothing it can decode):

tcpdump -wtest.pcap tcp port 80

Then:

# only output the requested URL and response status
parse_pcap test.pcap
# also output http req/resp headers
parse_pcap -v test.pcap
# also output headers and the bodies of text types
parse_pcap -vv test.pcap
# output headers and all bodies
parse_pcap -vvv test.pcap
# -b: additionally URL-decode and pretty-print JSON output
parse_pcap -vvb test.pcap

Or use pipe:

sudo tcpdump -w- tcp port 80 | parse_pcap 

Group

Use -g to group HTTP requests/responses by TCP connection:

parse_pcap -g test.pcap

The result looks like:

********** [10.66.133.90:56240] -- -- --> [220.181.90.13:80] **********
GET http://s1.rr.itc.cn/w/u/0/20120611181946_24.jpg
HTTP/1.1 200 OK
GET http://s1.rr.itc.cn/p/images/imgloading.jpg
HTTP/1.1 200 OK
GET http://s1.rr.itc.cn/w/u/0/20130201103132_66.png
HTTP/1.1 200 OK
GET http://s1.rr.itc.cn/w/u/0/20120719174136_77.png
HTTP/1.1 200 OK
GET http://s1.rr.itc.cn/p/images/pic_prev_open.png
HTTP/1.1 200 OK

********** [10.66.133.90:47526] -- -- --> [220.181.90.13:80] **********
GET http://s1.rr.itc.cn/w/u/0/20130227132442_43.png
HTTP/1.1 200 OK
GET http://s1.rr.itc.cn/p/images/pic_next.png
HTTP/1.1 200 OK
GET http://s1.rr.itc.cn/p/images/pic_prev.png
HTTP/1.1 200 OK
GET http://s1.rr.itc.cn/p/images/pic_next_open.png
HTTP/1.1 200 OK

Filter

Use -p/-i to filter by the port/IP address of the source or destination; only HTTP data matching the filter is displayed:

parse_pcap -p55419 -vv test.pcap
parse_pcap -i192.168.109.91 -vv test.pcap

Use -d to specify an HTTP domain; only requests/responses for that domain are displayed:

parse_pcap -dwww.baidu.com -vv test.pcap

Use -u to specify a URI pattern; only requests/responses whose URL contains the pattern are displayed:

parse_pcap -u/api/update -vv test.pcap
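What the parse, group and filter steps above amount to, as an added example written for this page (not the project's own code, and Python 3 rather than the Python 2.7 the tool requires): a minimal classic-pcap reader that walks Ethernet/IPv4/TCP, pairs request lines with status lines per TCP connection in the `-g` banner style, and applies `-i`/`-p`/`-d`/`-u` style filters. It handles only the Ethernet link type and plaintext HTTP whose request or status line starts a segment, and does no TCP stream reassembly, so a request split across segments would be missed. The capture it reads is constructed inline with hypothetical addresses.

```python
import socket
import struct
from collections import OrderedDict

METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

def iter_frames(data):
    """Yield link-layer frames from a classic pcap byte string (pcapng is not handled here)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]   # ts_sec, ts_usec, incl_len, orig_len
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None                                      # not IPv4, or IP protocol != 6 (TCP)
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    doff = (frame[t + 12] >> 4) * 4
    return src, sport, dst, dport, frame[t + doff:14 + total_len]   # slice excludes Ethernet padding

def summarize(data, ip=None, port=None, domain=None, uri=None):
    """Group request/status lines by TCP connection (client -> server) with -i/-p/-d/-u style filters."""
    conns, wanted = OrderedDict(), {}   # wanted: connection -> did its latest request pass -d/-u?
    for frame in iter_frames(data):
        seg = tcp_segment(frame)
        if seg is None or not seg[4]:                    # non-TCP, or a segment with no payload
            continue
        src, sport, dst, dport, payload = seg
        if (ip and ip not in (src, dst)) or (port and port not in (sport, dport)):
            continue
        if payload.startswith(METHODS):
            key = (src, sport, dst, dport)
            lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
            method, target, _ = lines[0].split(" ", 2)
            host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), "")
            wanted[key] = (not domain or host == domain) and (not uri or uri in target)
            if wanted[key]:
                conns.setdefault(key, []).append("%s http://%s%s" % (method, host, target))
        elif payload.startswith(b"HTTP/"):
            key = (dst, dport, src, sport)               # flipped so the key is always client -> server
            if wanted.get(key):
                conns.setdefault(key, []).append(payload.split(b"\r\n", 1)[0].decode("latin-1"))
        # Body continuation segments fall through: there is no TCP stream reassembly in this example.
    return conns

def render(conns):
    """Format the groups in the banner style of `parse_pcap -g`."""
    out = []
    for (src, sport, dst, dport), lines in conns.items():
        out.append("********** [%s:%d] -- -- --> [%s:%d] **********" % (src, sport, dst, dport))
        out.extend(lines)
        out.append("")
    return "\n".join(out)

def frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (pcap readers do not verify them)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def sample_pcap():
    """Constructed capture (hypothetical hosts): two keep-alive connections from 10.0.0.5 to 93.184.216.34:80."""
    srv, cli = "93.184.216.34", "10.0.0.5"
    frames = [
        frame(cli, 56240, srv, 80, b"GET /a.jpg HTTP/1.1\r\nHost: img.example.com\r\n\r\n"),
        frame(srv, 80, cli, 56240, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        frame(cli, 56240, srv, 80, b"GET /api/update HTTP/1.1\r\nHost: img.example.com\r\n\r\n"),
        frame(srv, 80, cli, 56240, b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
        frame(cli, 47526, srv, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        frame(srv, 80, cli, 47526, b"HTTP/1.1 301 Moved Permanently\r\nContent-Length: 0\r\n\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # magic, v2.4, tz, sigfigs, snaplen, LINKTYPE_ETHERNET
    records = b"".join(struct.pack("<IIII", 1419033600 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records

if __name__ == "__main__":
    print(render(summarize(sample_pcap())))
    print(render(summarize(sample_pcap(), uri="/api/update")))
```

The response key is flipped to the client-to-server tuple so a keep-alive connection's requests and their status lines land in one group, which is what the banner output above shows. A status line is only kept when the most recent request on that connection passed the `-d`/`-u` filters, so a filtered-out request does not leave an orphan response in the listing.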

Encoding

Use -e to force the character encoding used to decode HTTP bodies, overriding the charset declared in the headers:

parse_pcap -i192.168.109.91 -p80 -vv -eutf-8 test.pcap
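What "chunked and compressed bodies are handled", the charset handling and the `-e` override come down to, as an added example written for this page (not the project's code; Python 3): dechunk the body, undo gzip/deflate Content-Encoding, then decode with the Content-Type charset unless an encoding is forced, plus the JSON re-indentation that `-b` performs. The response is constructed inline. The part worth knowing before reaching for `-e` is the failure mode: a forced encoding that does not match the bytes silently produces replacement characters rather than an error, so a wrong `-e` can hide the very text you are looking for.

```python
import gzip
import json
import zlib

def parse_message(raw):
    """Split a raw HTTP message into (start line, headers with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def dechunk(body):
    """Decode a Transfer-Encoding: chunked body; ValueError on truncated or malformed input."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)   # drop any chunk extension
        pos = end + 2
        if size == 0:
            return bytes(out)                          # last-chunk; trailers, if any, are ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2

def decompress(body, content_encoding):
    """Undo Content-Encoding: gzip or deflate (zlib-wrapped and raw deflate are both accepted)."""
    enc = content_encoding.strip().lower()
    if enc in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)               # RFC 1950 zlib-wrapped, as the spec says
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate, which some servers emit
    if enc in ("", "identity"):
        return body
    raise ValueError("unsupported Content-Encoding: %s" % content_encoding)

def charset_of(content_type, default="utf-8"):
    """Pull the charset parameter out of a Content-Type value, falling back to default."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"')
    return default

def body_text(raw, force_encoding=None):
    """Dechunk, decompress and decode the body; force_encoding plays the role of parse_pcap -e."""
    _, headers, body = parse_message(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    body = decompress(body, headers.get("content-encoding", ""))
    encoding = force_encoding or charset_of(headers.get("content-type", ""))
    return body.decode(encoding, errors="replace")     # a wrong encoding yields U+FFFD, not an exception

def pretty_json(text):
    """Re-indent a JSON body (what -b does); anything that is not JSON is returned unchanged."""
    try:
        return json.dumps(json.loads(text), indent=2, ensure_ascii=False)
    except ValueError:
        return text

def sample_response():
    """Constructed response: gzip-compressed JSON in ISO-8859-1, sent as two chunks."""
    payload = gzip.compress('{"status":"ok","user":"Jörg"}'.encode("iso-8859-1"))
    chunked = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (payload[:10], payload[10:]))
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/json; charset=iso-8859-1\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunked + b"0\r\n\r\n")

if __name__ == "__main__":
    print(pretty_json(body_text(sample_response())))
    print(body_text(sample_response(), force_encoding="utf-8"))   # mismatched charset: the ö becomes U+FFFD
```

The order matters and mirrors how the headers are applied on the wire: Transfer-Encoding is stripped first, Content-Encoding second, and only then is the result text in some charset. Applying the charset before decompression would be decoding compressed bytes.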
