Issue 1: split pcap problem
Status:  Accepted
Owner:
Project Member Reported by cn.wei.hp@gmail.com, Nov 12, 2010

When a pcap file is split and reassembled into packets according to the byte lengths mapped from the protocol, a problem appears: [Malformed Packet: SCTP]?


Nov 12, 2010
Project Member #1 cn.wei.hp@gmail.com
Reassembling Sniffed Firmware or a Binary With Scapy

https://www.openrce.org/blog/vie ... a_Binary_With_Scapy

Author: apridgen

So, I got bored one night (or morning depending on your perspective), and I decided to sniff the firmware upgrade process for my network printer, Fun!   I used Wireshark (yeah my tcpdump foo is bar) to isolate the TCP stream between the VM upgrading the firmware and the printer and saved the pcap.

I have been meaning to play with Scapy for quite some time, so I fired up ipython and in about 20 minutes I had a quick script to extract the data I needed.  The script is pretty basic and may not work in all cases, but I figured I'd document it somewhere just in case I or someone else might need it in the future.



from scapy.all import rdpcap, NoPayload

# IP Address of the VM sending the upgrade
src = "192.168.44.128"
f = "captured_firmware_upgrade.pcap"
pcap = rdpcap(f)

data = b""
for packet in pcap:
  il = packet.getlayer("IP")
  # skip frames without an IP layer and packets not sent by the VM
  if il is None or il.src != src:
    continue
  tl = packet.getlayer("TCP")
  # check for data in the payload, if not skip the packet
  if tl is None or isinstance(tl.payload, NoPayload):
    continue
  data += bytes(tl.payload)
# write our raw data file (binary mode, so no newline translation)
with open("raw_data.dat", "wb") as out:
  out.write(data)



Hope it helps someone in the future 
Nov 12, 2010
Project Member #2 cn.wei.hp@gmail.com
Control Protocol dissection
The user can control how protocols are dissected.
Each protocol has its own dissector, so dissecting a complete packet will typically involve several dissectors. As Wireshark tries to find the right dissector for each packet (using static "routes" and heuristic "guessing"), it might choose the wrong dissector in your specific case. For example, Wireshark won't know if you use a common protocol on an uncommon TCP port, e.g. using HTTP on TCP port 800 instead of the standard port 80.

There are two ways to control the relations between protocol dissectors: disable a protocol dissector completely or temporarily divert the way Wireshark calls the dissectors. 


Nov 14, 2010
Project Member #3 cn.wei.hp@gmail.com
# fragment of the reporter's split tool; ethhdr, editcaptag, C.sctps,
# C.sctpNum and C.totallen are defined elsewhere and are not shown here
C.newip = ethhdr[14:34]        # after the 14-byte Ethernet header: the 20-byte IPv4 header
C.sctphdr = C.sctp[:(12 + 0)]  # the 12-byte SCTP common header (ports, verification tag, checksum)
C.lastsctp = C.sctp[C.sctps[C.sctpNum] - 12:]  # SCTP bytes from 12 bytes before the recorded offset
while len(C.dumpnewsctp) < C.totallen:
    C.dumpnewsctp += editcaptag
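The [Malformed Packet: SCTP] in this issue is what Wireshark reports when a split lands inside an SCTP chunk. As an added example that is not part of this issue or the quoted blog post, the following pure-Python code walks the 12-byte common header and the chunk length fields (with their 4-byte padding), raises where Wireshark would flag the packet, and re-splits a packet into one packet per chunk; the sample packet is constructed here.

```python
import struct

COMMON_HDR = 12   # source port, destination port, verification tag, checksum
CHUNK_HDR = 4     # chunk type, chunk flags, chunk length

class MalformedSCTP(ValueError):
    """Raised where Wireshark would show [Malformed Packet: SCTP]."""
def parse_sctp(payload):
    """Return (common header dict, [(type, flags, value), ...]) or raise."""
    if len(payload) < COMMON_HDR:
        raise MalformedSCTP("truncated common header (%d bytes)" % len(payload))
    sport, dport, vtag, csum = struct.unpack("!HHII", payload[:COMMON_HDR])
    chunks, off = [], COMMON_HDR
    while off < len(payload):
        if len(payload) - off < CHUNK_HDR:
            raise MalformedSCTP("truncated chunk header at offset %d" % off)
        ctype, cflags, clen = struct.unpack("!BBH", payload[off:off + CHUNK_HDR])
        # the length field covers the 4-byte chunk header and the value, not the padding
        if clen < CHUNK_HDR or off + clen > len(payload):
            raise MalformedSCTP("chunk at offset %d claims %d bytes, %d left"
                                % (off, clen, len(payload) - off))
        chunks.append((ctype, cflags, payload[off + CHUNK_HDR:off + clen]))
        off += (clen + 3) & ~3   # every chunk is padded to a 4-byte boundary
    return {"sport": sport, "dport": dport, "vtag": vtag, "csum": csum}, chunks

def split_per_chunk(payload):
    """One packet per chunk under the same common header. The checksum is
    copied unchanged; recompute CRC32c (RFC 4960 app. B) if it must validate."""
    hdr, out = payload[:COMMON_HDR], []
    for ctype, cflags, value in parse_sctp(payload)[1]:
        clen = CHUNK_HDR + len(value)
        out.append(hdr + struct.pack("!BBH", ctype, cflags, clen) + value
                   + b"\x00" * (-clen % 4))
    return out

# Constructed sample: common header, a DATA chunk (type 0) with 5 user bytes
# (length 21, padded to 24), then a SHUTDOWN chunk (type 7, length 8).
SAMPLE = (struct.pack("!HHII", 5000, 3000, 0xDEADBEEF, 0)
          + struct.pack("!BBH", 0, 3, 21) + struct.pack("!IHHI", 1, 0, 0, 0)
          + b"hello" + b"\x00" * 3
          + struct.pack("!BBH", 7, 0, 8) + struct.pack("!I", 1))

if __name__ == "__main__":
    print([c[0] for c in parse_sctp(SAMPLE)[1]])   # [0, 7]
    print(len(split_per_chunk(SAMPLE)))             # 2
    try:
        parse_sctp(SAMPLE[:30])   # cut inside the DATA chunk, as a bad split would
    except MalformedSCTP as err:
        print("malformed:", err)
```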