Sessions: decode flow of packets when sniffing
- class scapy.sessions.DefaultSession(prn: Callable[[Packet], Any] | None = None, store: bool = False, supersession: DefaultSession | None = None, *args: Any, **karg: Any)¶
Default session: no stream decoding
- property count¶
- on_packet_received(pkt: Packet | None) None ¶
DEV: entry point. Will be called by sniff() for each received packet (that passes the filters).
- property prn¶
- property store¶
- class scapy.sessions.IPSession(*args: Any, **kwargs: Any)¶
Defragment IP packets ‘on-the-flow’.
Usage: >>> sniff(session=IPSession)
- class scapy.sessions.StringBuffer¶
StringBuffer is an object used to re-order data received during a TCP transmission.
Each TCP fragment contains a sequence number, which marks (relatively to the first sequence number) the index of the data contained in the fragment.
If a TCP fragment is missed, this class will fill the missing space with zeros.
- append(data: bytes, seq: int) None ¶
- clear() None ¶
- full() bool ¶
- class scapy.sessions.TCPSession(app: bool = False, *args: Any, **kwargs: Any)¶
A Session that matches seq/ack packets together to dissect special protocols, such as HTTP.
DEV: implement a class-function tcp_reassemble in your Packet class:
@classmethod def tcp_reassemble(cls, data, metadata, session): # data = the reassembled data from the same request/flow # metadata = empty dictionary, that can be used to store data # during TCP reassembly # session = a dictionary proper to the bidirectional TCP session, # that can be used to store anything [...] # If the packet is available, return it. Otherwise don't. # Whenever you return a packet, the buffer will be discarded. return pkt # Otherwise, maybe store stuff in metadata, and return None, # as you need additional data. return None
For more details and a real example, see: https://scapy.readthedocs.io/en/latest/usage.html#how-to-use-tcpsession-to-defragment-tcp-packets
app – Whether the socket is on application layer = has no TCP layer. This is used for instance if you are using a native TCP socket. Default to False