pcap

I'd like to be able to intercept/ modify data in tcp flow, on the side of tcp client. Examples for pcap show how to parse tcp packet header/ payload. But suppose, i want to modify packet payload before tcp client reads it, or drop the packet entirely. How can i do that with pcap capure? As above, you can't do interception/modification with pcap. For this you need one of the following OS-dependent techniques: Linux : libnetfilter_queue + iptables MacOS , FreeBSD : divert sockets + ipfw Windows : WinPkFilter (commercial), WinDivert (LGPL), or write your own NDIS IM or WFP call-out driver. (usual

I have a pcap_loop function in another function, that captures packets until the user stops it, i.e. void functionA() { signal(SIGINT, terminate_process); pcap_loop(handle, -1, callback, NULL); ... } void terminate_process(int signum) { pcap_breakloop(handle); pcap_close(handle); } Is it possible to set a duration for when packets would be captured? Something like: if (time(NULL) - start_time > 100) pcap_breakloop(handle); But I don't know where to put this, because so far all the examples I've seen used pcap_breakloop in a signal handler, which requires user intervention. How will the time

I'm trying to install pypcap from: https://github.com/dugsong/pypcap/blob/master/INSTALL#L75 I'm trying to install it on Windows 10 - 64 bit and python 2.7.11 64 bit. I downloaded the source and moved it to c:\pypcap . downloaded pyrex and installed it as well. It put the wpdpack files in c:\wpdpack like the install page says. Created the config file and changed the makefile. I also installed the mingw from their website with the basic package and the g++ package. I try to do: C:\pypcap> set PATH=%PATH%;c:\MinGW\bin;c:\Python27 C:\pypcap> mingw32-make and here it fails, it gets the following

I'm trying to parse a previously-captured trace for HTTP headers using the dpkt module: import dpkt import sys f=file(sys.argv[1],"rb") pcap=dpkt.pcap.Reader(f) for ts, buf in pcap: eth=dpkt.ethernet.Ethernet(buf) ip=eth.data tcp=ip.data if tcp.dport==80 and len(tcp.data)>0: try: http=dpkt.http.Request(tcp.data) print http.uri except: print 'issue' continue f.close() While it seems to effectively parse most of the packets, I'm receiving a NeedData("premature end of headers") exception on some. They appear to be valid packets within WireShark, so I'm a bit confused as to why the exceptions are

I need to save UDP packets to a file and would like to use the pcap format to reuse the various tools available (wireshark, tcpdump, ...). There are some information in this thread but I can't find how to write the global file header 'struct pcap_file_header'. pcap_t* pd = pcap_open_dead(DLT_RAW, 65535); pcap_dumper_t* pdumper = pcap_dump_open(pd, filename); struct pcap_file_header file_hdr; file_hdr.magic_number = 0xa1b2c3d4; file_hdr.version_major = 2; file_hdr.version_minor = 4; file_hdr.thiszone = 0; file_hdr.sigfigs = 0; file_hdr.snaplen = 65535; file_hdr.linktype = 1; // How do I write

I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file. There is a tool called openDPI , and it's perfect for what I need, but there is no wrapper for python language. Does anyone knows any python modules that can do what I need? Thanks Edit 1: HTTP filtering was just an example, there is a lot of protocols that I want to filter. Edit 2: I tried Scapy, but I don't figure how to filter correctly. The filter only accepts Berkeley Packet Filter expression, i.e., I can't apply a msn, or HTTP, or