scapy.sessions¶
Sessions: decode flow of packets when sniffing
-
class
scapy.sessions.DefaultSession(prn=None, store=False, supersession=None, *args, **karg)¶ Bases:
objectDefault session: no stream decoding
-
property
count¶
-
on_packet_received(pkt)¶ DEV: entry point. Will be called by sniff() for each received packet (that passes the filters).
-
property
prn¶
-
property
store¶
-
toPacketList()¶
-
property
-
class
scapy.sessions.IPSession(*args, **kwargs)¶ Bases:
scapy.sessions.DefaultSessionDefragment IP packets ‘on-the-flow’.
Usage: >>> sniff(session=IPSession)
-
on_packet_received(pkt)¶
-
-
class
scapy.sessions.StringBuffer¶ Bases:
objectStringBuffer is an object used to re-order data received during a TCP transmission.
Each TCP fragment contains a sequence number, which marks (relatively to the first sequence number) the index of the data contained in the fragment.
If a TCP fragment is missed, this class will fill the missing space with zeros.
-
append(data, seq)¶
-
clear()¶
-
full()¶
-
-
class
scapy.sessions.TCPSession(app=False, *args, **kwargs)¶ Bases:
scapy.sessions.IPSessionA Session that matches seq/ack packets together to dissect special protocols, such as HTTP.
DEV: implement a class-function tcp_reassemble in your Packet class:
@classmethod def tcp_reassemble(cls, data, metadata): # data = the reassembled data from the same request/flow # metadata = empty dictionary, that can be used to store data [...] # If the packet is available, return it. Otherwise don't. # Whenever you return a packet, the buffer will be discarded. return pkt # Otherwise, maybe store stuff in metadata, and return None, # as you need additional data. return None
A (hard to understand) example can be found in scapy/layers/http.py
- Parameters
app – Whether the socket is on application layer = has no TCP layer. Default to False
-
fmt= 'TCP {IP:%IP.src%}{IPv6:%IPv6.src%}:%r,TCP.sport% > {IP:%IP.dst%}{IPv6:%IPv6.dst%}:%r,TCP.dport%'¶
-
on_packet_received(pkt)¶ Hook to the Sessions API: entry point of the dissection. This will defragment IP if necessary, then process to TCP reassembly.