scapy.sessions

Sessions: decode flow of packets when sniffing

class scapy.sessions.DefaultSession(prn: Optional[Callable[[scapy.packet.Packet], Any]] = None, store: bool = False, supersession: Optional[scapy.sessions.DefaultSession] = None, *args: Any, **karg: Any)

Bases: object

Default session: no stream decoding

property count

on_packet_received(pkt: Optional[scapy.packet.Packet]) → None

DEV: entry point. Will be called by sniff() for each received packet (that passes the filters).

property prn

property store

toPacketList() → scapy.plist.PacketList

class scapy.sessions.IPSession(*args: Any, **kwargs: Any)

Bases: scapy.sessions.DefaultSession

Defragment IP packets on the fly.

Usage:

>>> sniff(session=IPSession)

on_packet_received(pkt: Optional[scapy.packet.Packet]) → None

class scapy.sessions.StringBuffer

Bases: object

StringBuffer is an object used to re-order data received during a TCP transmission.

Each TCP fragment contains a sequence number, which marks (relative to the first sequence number) the index of the data contained in the fragment.

If a TCP fragment is missed, this class will fill the missing space with zeros.

append(data: bytes, seq: int) → None

clear() → None

full() → bool

class scapy.sessions.TCPSession(app: bool = False, *args: Any, **kwargs: Any)

Bases: scapy.sessions.IPSession

A Session that matches seq/ack packets together to dissect special protocols, such as HTTP.

DEV: implement a class method tcp_reassemble in your Packet class:

@classmethod
def tcp_reassemble(cls, data, metadata):
    # data = the reassembled data from the same request/flow
    # metadata = empty dictionary, that can be used to store data
    [...]
    # If the packet is available, return it. Otherwise don't.
    # Whenever you return a packet, the buffer will be discarded.
    return pkt
    # Otherwise, maybe store stuff in metadata, and return None,
    # as you need additional data.
    return None

For more details and a real example, see: https://scapy.readthedocs.io/en/latest/usage.html#how-to-use-tcpsession-to-defragment-tcp-packets

Parameters

app – Whether the socket is at the application layer, i.e. has no TCP layer. This is used, for instance, if you are using a native TCP socket. Defaults to False.

fmt = 'TCP {IP:%IP.src%}{IPv6:%IPv6.src%}:%r,TCP.sport% > {IP:%IP.dst%}{IPv6:%IPv6.dst%}:%r,TCP.dport%'

on_packet_received(pkt: Optional[scapy.packet.Packet]) → None

Hook to the Sessions API: entry point of the dissection. This will defragment IP if necessary, then proceed to TCP reassembly.
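
The tcp_reassemble contract and the zero-filling described for StringBuffer, shown together as an added example that is not Scapy's own code: a standalone model that does not import Scapy. GapBuffer, Record, feed, MAX_RECORD and the length-prefixed record format are hypothetical and constructed for illustration, and sequence offsets are assumed to be 0-based.

```python
import struct

MAX_RECORD = 4096  # assumed cap so a bogus length field cannot force unbounded buffering

class GapBuffer:
    """Hypothetical model of the StringBuffer behaviour described above."""

    def __init__(self):
        self.data = bytearray()
        self.seen = bytearray()  # 1 = byte really received, 0 = zero-filled gap

    def append(self, chunk, seq):
        # seq: offset of chunk relative to the first sequence number (0-based here)
        end = seq + len(chunk)
        if end > len(self.data):
            pad = end - len(self.data)
            self.data.extend(bytes(pad))  # missing space is filled with zeros
            self.seen.extend(bytes(pad))
        self.data[seq:end] = chunk
        self.seen[seq:end] = b"\x01" * len(chunk)

    def has_gap(self):
        return 0 in self.seen

class Record:
    """Constructed protocol: 2-byte big-endian length, then that many payload bytes."""

    @classmethod
    def tcp_reassemble(cls, data, metadata):
        if len(data) < 2:
            return None                    # length prefix not complete yet
        (length,) = struct.unpack("!H", data[:2])
        if length > MAX_RECORD:
            raise ValueError("length field exceeds MAX_RECORD")
        metadata["need"] = 2 + length      # remember how much the record requires
        if len(data) < metadata["need"]:
            return None                    # need additional data
        return bytes(data[2:2 + length])   # complete: the caller discards the buffer

def feed(segments):
    """Feed (seq, bytes) segments in arrival order; return (record, had_gap)."""
    buf, meta = GapBuffer(), {}
    for seq, chunk in segments:
        buf.append(chunk, seq)
        rec = Record.tcp_reassemble(bytes(buf.data), meta)
        if rec is not None:
            return rec, buf.has_gap()
    return None, buf.has_gap()
```

When a middle segment is lost, the callback still returns a complete-looking record whose missing bytes are zeros, so a consumer should check the gap flag before trusting the payload.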