Python Scapy - Loading HTTP from a file


I'm using this extension for Scapy to detect and analyze HTTP packets. It works great, but when I save the HTTP packets to a pcap file with wrpcap and then load them with rdpcap, it doesn't give me the same packets; it only detects that they are HTTP packets, but not HTTP requests. It also occurs when I do this:

from scapy.all import *
from scapy_http.http import *

packets = sniff(count=10, lfilter=lambda p: HTTPRequest in p)
wrpcap('file.pcap', packets)
restored = rdpcap('file.pcap')
print(len([x for x in restored if HTTPRequest in x]))  # prints 0

Why is this happening? How can I recover the packets?


There is 1 answer

Noob123

I am very new to Python in general, and Scapy in particular, but is this what you are looking for?

from scapy.all import *
from scapy_http.http import *  # registers the HTTPRequest/HTTPResponse layers (as in the question)

def http_request(pkt):
    # Use 'HTTPResponse' for response packets
    if pkt.haslayer('HTTPRequest'):
        pkt.show()
        exit(0)  # Omit to show more than the first packet

pkts = rdpcap('/root/Desktop/example_network_traffic.pcap')
for p in pkts:
    http_request(p)

# For sniffing packets:
# sniff(prn=http_request)

I think the problem may be the way Scapy exports packets. When I run your code and inspect the packet in Wireshark, the protocol is listed as TCP. When I use Wireshark to capture the same type of packet, it lists the protocol as HTTP. If I export the packet from Wireshark and read it using rdpcap, you get the results you are looking for, i.e. the HTTPRequest/HTTPResponse layers. I don't know this for a fact, but I checked the Berkeley Packet Filter syntax, and they don't list HTTP as a protocol. If Scapy is based on the BPF syntax, and they don't use the HTTP protocol, maybe it exports the packet with a protocol of TCP and Scapy-Http just parses the Raw load during sniff(). Just a guess.
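
Added example (not part of the question or the answer, and not Scapy or scapy-http code): a pcap file stores only a link-layer type and the raw frame bytes, so whether a packet is shown as HTTP is decided by the dissector of whatever tool reads the file. This standard-library sketch recovers request lines directly from the TCP payloads; the sample frame, addresses and function names are constructed for illustration.

```python
import re
import struct

# Constructed HTTP request used as the TCP payload of the sample frame.
PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQUEST_LINE = re.compile(rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

def build_sample_pcap(payload=PAYLOAD):
    """Build a one-packet pcap in memory (constructed data, checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    frame = eth + ip + tcp + payload
    # Global header: magic, version 2.4, zone, sigfigs, snaplen, linktype 1 (Ethernet).
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # Record header: ts_sec, ts_usec, captured length, original length.
    return file_hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def http_requests_in_pcap(data):
    """Return (linktype, request lines) recovered from TCP payloads in pcap bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (microsecond) pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    found, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Keep only untagged IPv4/TCP frames long enough for both headers.
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp_off = 14 + (frame[14] & 0x0F) * 4               # IP header length
        if len(frame) < tcp_off + 20:
            continue
        data_off = (frame[tcp_off + 12] >> 4) * 4           # TCP header length
        ip_end = 14 + struct.unpack("!H", frame[16:18])[0]  # drops Ethernet padding
        match = REQUEST_LINE.match(frame[tcp_off + data_off:ip_end])
        if match:
            found.append(match.group(0).rstrip().decode("ascii", "replace"))
    return linktype, found

if __name__ == "__main__":
    print(http_requests_in_pcap(build_sample_pcap()))
```

It only inspects the first bytes of each TCP segment, so a request split across segments would need stream reassembly first.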