False negative using packet.haslayer() #33

Open
guidoiaquinti opened this issue Feb 28, 2018 · 1 comment

guidoiaquinti commented Feb 28, 2018

The HTTP layer detection doesn't seem to work properly. I have a sample pcap file with a single packet that is correctly parsed by Wireshark but not by this script:

```python
from scapy.all import *
from scapy_http.http import HTTPRequest

packets = rdpcap('scapy_repro.pcap')

for packet in packets:
    print
    print packet.show()
    print
    print "HTTP" if packet.haslayer(HTTPRequest) else "NOT HTTP"
```
```
(.virtualenv) ➜  workspace/scapy git:(master) ✗ python scapy_repro.py

###[ Ethernet ]###
  dst       = 00:00:00:00:00:00
  src       = 00:00:00:00:00:00
  type      = 0x800
###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0x0
     len       = 284
     id        = 37297
     flags     = DF
     frag      = 0L
     ttl       = 64
     proto     = tcp
     chksum    = 0xaa28
     src       = 127.0.0.1
     dst       = 127.0.0.1
     \options   \
###[ TCP ]###
        sport     = 38364
        dport     = fmtp
        seq       = 4275972702
        ack       = 1395008342
        dataofs   = 8L
        reserved  = 0L
        flags     = PA
        window    = 14338
        chksum    = 0xff10
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (137714020, 137714020))]
###[ Raw ]###
           load      = 'GET /v1/kv/vitess/deploy/restart/us_east_1/vtctld/vtctld-0d28e6af524075ec1 HTTP/1.1\r\nHost: 127.0.0.1:8500\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.18.4\r\n\r\n'

None

NOT HTTP
```

Probably linked with #31?

```
(.virtualenv) ➜  workspace/scapy git:(master) ✗ pip freeze
cffi==1.11.5
dnet==1.12
libpcap==1.0.0b9
pcapy==0.11.1
pycparser==2.18
scapy==2.3.3
scapy-http==1.8
```

I might be wrong but I think this evaluation is not correct as the type is not a string?


rufengsuixing commented Mar 1, 2018

It is not from port 80.
Only 80 will have the HTTP layer and be judged.
Code in scapy-http/scapy_http/http.py 260-265:

```python
bind_layers(TCP, HTTP, dport=80)
bind_layers(TCP, HTTP, sport=80)

# For Proxy
bind_layers(TCP, HTTP, sport=8080)
bind_layers(TCP, HTTP, dport=8080)
```
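
An added example, not part of the issue thread or of scapy-http's code: a port-independent check that recognises an HTTP/1.x request from the TCP payload bytes, set beside the port-only decision that the `bind_layers` lines above imply. The names `BOUND_PORTS`, `port_says_http` and `parse_http_request` are assumptions for illustration, and the destination port is taken as 8500 to match the `Host` header in the dump.

```python
import re

# Ports scapy-http binds to its HTTP layer, per the bind_layers() lines quoted above.
BOUND_PORTS = {80, 8080}

METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
           b"CONNECT", b"OPTIONS", b"TRACE", b"PATCH"}
# Request line: method SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/(\d\.\d)\r\n")


def port_says_http(sport, dport):
    """Port-only decision, equivalent to relying on the bindings above."""
    return sport in BOUND_PORTS or dport in BOUND_PORTS


def parse_http_request(payload):
    """Return method/target/version/headers if payload starts with an
    HTTP/1.x request line, else None. Works on a single TCP segment, so a
    header block cut off by segmentation is parsed as far as it goes."""
    m = REQUEST_LINE.match(payload)
    if m is None or m.group(1) not in METHODS:
        return None
    head = payload[m.end():].split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip():
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": m.group(1).decode("ascii"),
        "target": m.group(2).decode("latin-1"),
        "version": m.group(3).decode("ascii"),
        "headers": headers,
    }


# Payload of the Raw layer from the packet dump in this issue (sport 38364, dport taken as 8500).
SAMPLE = (b"GET /v1/kv/vitess/deploy/restart/us_east_1/vtctld/vtctld-0d28e6af524075ec1 HTTP/1.1\r\n"
          b"Host: 127.0.0.1:8500\r\nConnection: keep-alive\r\n"
          b"Accept-Encoding: gzip, deflate\r\nAccept: */*\r\n"
          b"User-Agent: python-requests/2.18.4\r\n\r\n")

if __name__ == "__main__":
    print("port-based :", port_says_http(38364, 8500))
    print("content    :", parse_http_request(SAMPLE))
```

The input to `parse_http_request` is the `load` field of the Raw layer shown in the dump; any tooling that filters on `haslayer(HTTPRequest)` alone will miss HTTP traffic on ports outside the bound set.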
