scapy를 이용한 http network 패킷 분석 프로그램

 

scapy를 이용한 network 패킷 분석에 이어서 scapy를 이용한 http network 패킷 분석 프로그램을 만들어 보았다.

우선은 sniffing 하지 않고 그냥 pcap 파일을 읽어서 하는 방식으로 작업했다.
(PacketInside.com 의 Examples 을 입맛에 맞게 수정했다.)

pcap 파일에서 200개의 패킷을 읽어서 http request와 response의 특정 header 정보를 출력한다.

]$ cat ./http.py
#!/usr/bin/python
import sys
from scapy.all import *

# Upper bound on packets read from the capture (passed to rdpcap as count=).
CNT = 200
# Summaries of every packet that carried an HTTP request/response line,
# appended by run() in capture order. Entries may hold Cookie/Referer
# values, so treat the list (and anything printed from it) as sensitive.
p_list = []

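def run(target):
    """Read up to CNT packets from the pcap file *target* and print HTTP summaries.

    For every packet whose Raw payload parses as an HTTP request or
    response (see processHTTP), a dict with the IP endpoints, the TCP
    ports/seq/ack/flags and the extracted HTTP fields is appended to the
    module-level p_list and printed.

    On MemoryError while loading the capture a message is printed and the
    process exits; other rdpcap errors propagate to the caller.

    Note: the printed dicts include Cookie, Referer and User-Agent values
    verbatim, so stdout of this script is as sensitive as the capture.
    """
    try:
        pkt = rdpcap(target, count=CNT)
    except MemoryError:
        print("Sorry - Memory Error")
        sys.exit()
    numPkt = len(pkt)

    print("Analyzing : " + target)
    print("Total Packets: %d\n" % numPkt)

    for packet in pkt:
        p_dict = _summarize_packet(packet)
        # Record the packet once, after all layers were walked. The original
        # ran this check inside the layer loop, which would emit the same
        # packet several times if any layer followed Raw (e.g. Padding).
        if "http" in p_dict:
            p_list.append(p_dict)
            print(p_dict)


def _summarize_packet(packet):
    """Walk the layers below the link layer and collect IP/TCP/HTTP fields into a dict."""
    p_dict = dict()
    layer = packet.payload
    while layer:
        layerName = layer.name
        if layerName in ("IP", "IPv6"):
            p_dict["srcip"] = layer.src
            p_dict["dstip"] = layer.dst
        elif layerName == "TCP":
            p_dict["sport"] = layer.sport
            p_dict["dport"] = layer.dport
            p_dict["seq"] = layer.seq
            p_dict["ack"] = layer.ack
            # The original mapped only five literal flag values and left
            # `flags` unbound (NameError) for anything else, e.g. RST or
            # FIN,PSH,ACK. Decode the bits instead.
            p_dict["flags"] = _tcp_flag_names(int(layer.flags))
        elif layerName == "Raw":
            # Application data: HTTP fields if the payload looks like HTTP,
            # otherwise an empty dict.
            p_dict.update(processHTTP(layer.load))
        layer = layer.payload
    return p_dict


# TCP flag bits, lowest first, so the joined names reproduce the original
# table: 2 -> "SYN", 16 -> "ACK", 17 -> "FIN,ACK", 18 -> "SYN,ACK", 24 -> "PSH,ACK".
_TCP_FLAG_BITS = (
    (0x01, "FIN"),
    (0x02, "SYN"),
    (0x04, "RST"),
    (0x08, "PSH"),
    (0x10, "ACK"),
    (0x20, "URG"),
    (0x40, "ECE"),
    (0x80, "CWR"),
)


def _tcp_flag_names(value):
    """Return the TCP flags set in the integer *value* as a comma-joined string ("" if none)."""
    return ",".join(name for bit, name in _TCP_FLAG_BITS if value & bit)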

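# (lower-cased header prefix, output key). Header names are matched
# case-insensitively; the colon is part of the prefix so split(":", 1)[1]
# below can never fail.
_HTTP_HEADER_KEYS = (
    ("host:", "host"),
    ("user-agent:", "user-agent"),
    ("referer:", "referer"),
    ("cookie:", "cookies"),
)


def processHTTP(data):
    """Extract selected HTTP fields from one TCP payload.

    Args:
        data: the Raw layer load, str or bytes.

    Returns:
        A dict that is empty when no line looks like HTTP. For a GET/POST
        request line it holds "http": "request", "method" and (if present)
        "uri"; for a status line starting with "HTTP" it holds
        "http": "response" and (if present) "status". Host, User-Agent,
        Referer and Cookie headers are stored under "host", "user-agent",
        "referer" and "cookies" as the text after the first ':' (leading
        space kept, as in the original output). Cookie values are session
        credentials; callers that print or store the result expose them.
    """
    info = dict()
    # scapy's Raw.load is bytes on Python 3; the original str() call produced
    # a repr ("b'...'") there and no line ever matched. latin-1 maps every
    # byte, so binary bodies cannot raise. On Python 2 bytes is str and this
    # branch is skipped.
    if isinstance(data, bytes) and not isinstance(data, str):
        text = data.decode("latin-1")
    else:
        text = str(data)

    for header in text.splitlines():
        parts = header.split()
        if parts and parts[0] in ("GET", "POST"):
            info["http"] = "request"
            info["method"] = parts[0]
            # Guard the index: the original raised IndexError on a bare "GET".
            if len(parts) > 1:
                info["uri"] = parts[1]
        elif header.startswith("HTTP"):
            info["http"] = "response"
            if len(parts) > 1:
                info["status"] = parts[1]

        # Header names are case-insensitive (RFC 7230); the original compared
        # against "HOST" and therefore never captured the usual "Host:" line.
        lowered = header.lower()
        for prefix, key in _HTTP_HEADER_KEYS:
            if lowered.startswith(prefix):
                info[key] = header.split(":", 1)[1]

    return info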

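if __name__ == "__main__":
    # Only analyze when executed as a script, not on import. The capture
    # path may be given as the first argument; the original hard-coded name
    # remains the default so the existing invocation is unchanged.
    run(sys.argv[1] if len(sys.argv) > 1 else "test11.pcap")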

결과는 아래와 같이 나온다.

]$ sudo ./http.py
WARNING: No route found for IPv6 destination :: (no default route?)
Analyzing : test11.pcap
Total Packets: 200


{'cookies': ' NNB=2KYKWJCN7IRVC; NB=GE4TKMJXGEYTOMRY; npic=yJlHW+olU5oYh40SmhtyJhoT23h+BF06nbGA+rwVWwXxx96MBYWsAgwUfWvmyHUvCA==; nid_inf=-1714996177; NID_AUT=Wzd/5wWYo/OJZqTVX2Udv9AIE2eknJRIM2v+stdCUCDCOg5CWxJKM0pIxn80bf6zSTMbVkf6jh+CWSAmrL22PdN+LRrKMJ6JV2tjl9RFqRcWfA/HRfL5j6u57huHJQO7; pop_1359091437=Y; NID_SES=AAABUkyR9gUxxea1Gfn8Bh2N8atxE8w69JYpxc6PCdbrbFx43LDJkGk/ICX25WD58+H59c1PLuXojIEevpTjiOQh2O5s6MuD3jTRPCMyYzVLFYnU1L2NaRAf3OrIlxtsvMNqpbcJTxLrjuJmyw7z1iuSVSxfQ2b4wMqQhS/YX3lsZI8lsPHihfYGDmVLliQxXHvi8QzIZBuudI/VGqXfcYE74np8FBovl371yMSWGV+lXFYi3NfsOGcyJF8hUlAdquRh8PQ4USJ80X5mteax9m41/DqWFeNw0bD0XmaNtbv6ouCRI+6cmcKO0OGD7l6xhS8bcZn40pm/QlKcsoto8hkrV4Ub2zGXKhqsI9jq09BJrgpez2Pfq7N9r9F9yXgTHNuo6Js6Y9Il9U5EbLBu3OC4QCY8HSukgwr/FD9AK2WI76MxTFCxOCrCU5OlPIT7rBZ7ELDybxGQ2M01ASG0HKNYpyA=; page_uid=Rfd0IF5Y7uNsstnSKWdsssssstw-264956; _naver_usersession_=USQ04nJvL', 'dstip': 'xxx.xxx.xxx.10', 'http': 'request', 'seq': 863658826, 'ack': 120913057, 'uri': 'http://cr.naver.com/rd?m=0&px=290&py=354&sx=290&sy=354&p=Rfd0IF5Y7uNsstnSKWdsssssstw-264956&q=tshark&ssc=tab.nx.all&f=nexearch&w=nexearch&s=USQ04nJvLCoAACRVczk&time=1361327412508&t=2&a=blg_1st*x.tit&r=3&i=a00000fa_9090bfaa4d6feb6d8b3a3ed2&u=http%3A//www.xxxxxxxx.com/wp/%3Fp%3D1082&cr=1', 'user-agent': ' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17', 'dport': 8080, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.242', 'referer': ' http://search.xxxxxx.com/search?..............', 'sport': 52211, 'method': 'GET'}
{'dstip': 'xxx.xxx.xxx.10', 'http': 'request', 'seq': 823727297, 'ack': 3321226627, 'uri': 'http://www.xxxxxxxx.com/wp/?p=1082', 'user-agent': ' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17', 'dport': 8080, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.242', 'referer': ' http://search.xxxx.com/search?...........', 'sport': 52217, 'method': 'GET'}
{'status': '204', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 120913057, 'ack': 863660437, 'dport': 52211, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'status': '200', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 3321226627, 'ack': 823727842, 'dport': 52217, 'flags': 'ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'dstip': 'xxx.xxx.xxx.10', 'http': 'request', 'seq': 551180696, 'ack': 834479893, 'uri': 'http://connect.xxxxxx.net/en_US/all.js', 'user-agent': ' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17', 'dport': 8080, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.242', 'referer': ' http://www.xxxxxxxx.com/wp/?p=1082', 'sport': 52218, 'method': 'GET'}
{'status': '304', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 834479893, 'ack': 551181181, 'dport': 52218, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'status': '200', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 3935123174, 'ack': 2420200966, 'dport': 52219, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'status': '200', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 590452402, 'ack': 1882676730, 'dport': 52224, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'status': '200', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 356404777, 'ack': 3908736851, 'dport': 52223, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'status': '200', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 3725610989, 'ack': 3843291703, 'dport': 52220, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'status': '200', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 1730383986, 'ack': 3715684314, 'dport': 52222, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}
{'status': '200', 'dstip': 'xxx.xxx.xxx.242', 'http': 'response', 'seq': 1561795117, 'ack': 3516294071, 'dport': 52221, 'flags': 'PSH,ACK', 'srcip': 'xxx.xxx.xxx.10', 'sport': 8080}

참고
http://www.packetinside.com/2010/10/scapy-%EC%9D%98-%EB%8B%A4%EC%96%91%ED%95%9C-%EA%B8%B0%EB%8A%A5%EC%9D%84-%EC%9D%B5%ED%98%80%EB%B3%B4%EC%9E%90-%EB%91%90%EB%B2%88%EC%A7%B8.html

 
