python-3.xscapyhuman-readable

Decode raw Scapy data to human readable

I'm trying to switch to using Scapy instead of Wireshark, but am having trouble decoding the data I'm getting. In Wireshark I can easily see the last layer for filtered packets labeled as "Distributed Interactive Simulation", but in Scapy the last layer is "Raw". I'm trying to get the data from this layer in the same human readable format. So far I've gotten:

# Capture with Scapy
from scapy.all import sniff
capture = sniff(filter="dst 10.6.255.255 and port 3000", count=5)
packet = capture[0]
raw = pkt.lastlayer()
print(raw)

<Raw  load='\x068\x14\x05L\x88nK\x00x\x00\x00\x00\x94\x08\x88\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x9f\x00\x00\x02 \x00\x01sj\x9b\xf4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04p\x00\x08\x00\x00\x00\x00\x00\x00d\xe9Y<\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x8c\x00\x00\x113\x00\x00\x00\x01\x00\x02\x0c\x00\x00\x00\x01\x02\x00\x00\x00\x041187\x00\x00\x00\x00\x00' |>

Could someone show me how to make this human readable?

Solution

  • First, you have an error in your script. raw = pkt.lastlayer() should be raw = packet.lastlayer().

    Try adding print(packet.show()) to your script for a more readable format which will give you something similar to this:

    ###[ Ethernet ]###
  dst       = 94:c6:91:1c:68:c3
  src       = 94:c6:91:1c:68:1d
  type      = 0x800
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 84
     id        = 49689
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = icmp
     chksum    = 0x1938
     src       = 192.168.111.4
     dst       = 192.168.111.2
     \options   \
###[ ICMP ]###
        type      = echo-request
        code      = 0
        chksum    = 0xb468
        id        = 0x6d3
        seq       = 0xab
###[ Raw ]###
           load      = '\x0e\x85\x96[\x00\x00\x00\x00\xd2e\x06\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'

None

    You can also use hexdump command to show the raw load in a more readable format.

    from scapy.utils import hexdump
raw = packet.lastlayer()
hexdump(raw)

    Which will output something like this:

    0000  D091965B0000000080FD0E0000000000 ...[............
0010  101112131415161718191A1B1C1D1E1F ................
0020  202122232425262728292A2B2C2D2E2F  !"#$%&'()*+,-./
0030  3031323334353637                 01234567
0000  063814054CC2886E4B0078000000C294 .8..L..nK.x.....
0010  08C2880000C3BFC3BFC3BFC3BF000000 ................
0020  00000000000000000000000000000100 ................
0030  0000C29F000002200001736AC29BC3B4 ....... ..sj....
0040  00000000000000000000000470000800 ............p...
0050  000000000064C3A9593C000000000000 .....d..Y<......
0060  0000000004C28C000011330000000100 ..........3.....
0070  020C0000000102000000043131383700 ...........1187.
0080  00000000                         ....