scapy not parsing GTP layers

Posted 2019-08-21 11:30

I want to use scapy to parse my GTP packets from the pcap files that I have. I am able to use scapy to parse normal UDP/TCP packets. For example, if my packet is udppacket, then

udppacket[3]

shows me the data part of the udp packet. For a GTP packet, it has more layers following the udp layers and the data is inside the last layer. So if my gtp packet is gtppacket, then

gtppacket[4]

gives me an error saying IndexError : layer 4 not found. Actually if I use

gtppacket[3]

then I can see the data along with other information from the other layers. So is there any way for me to traverse inside layer 3 of gtppacket and access only the part of it that I am interested in? The data that I need to extract from layer 3 always lies after a constant offset. The following is the output of hexdump(gtppacket[3]).

0000   30 FF 00 B6 F8 8E EA 50  45 00 00 B6 04 D2 40 00   0......PE.....@.
0010   7E 11 6D F1 C0 A8 05 02  C0 A8 03 21 22 B8 15 B3   ~.m........!"...
0020   00 A2 3C C2 00 00 00 09  00 00 00 00 00 00 00 00   ..<.............
0030   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0040   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0050   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0060   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0070   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0080   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0090   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00a0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
00b0   00 00 00 00 00 00 00 00  00 00 00 00 00 00         ..............

The data starting from 09 is what I actually want to extract. I am not interested in the other data. Another idea is to save this output in a character array and then access it using the correct offset. But I do not know if there are any better ideas to extract what I want.

Tags: parsing scapy
1 answer
可以哭但决不认输i
Reply #2 · 2019-08-21 11:54

Scapy support the gtp library. Hey you can use the scapy gtp library to do the things. You copy the hexstring in a variable like this a = '30FF00B6F88EEA50450000B604D240007E116DF1C0A80502C0A8032122B815B300A23CC200000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'

Import the Scapy GTP module:

from scapy.layers.gtp import *

Decode the GTP header by giving the raw hex:

# a holds hex digits, so convert it to raw bytes before dissecting
GTPHeader(bytes.fromhex(a))
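
A standard-library way to do what the question asks, added here as an example and not part of the original question or answer: it walks the GTPv1-U, inner IPv4 and inner UDP headers of the hexdump above by their length fields instead of relying on a fixed offset. The names gtpu_udp_payload, need and SAMPLE are made up for this example, and it assumes an unfragmented IPv4/UDP inner packet.

```python
import struct

# Bytes of the question's hexdump(gtppacket[3]); the trailing 150 zero bytes
# are written as bytes(150) instead of being typed out.
SAMPLE = bytes.fromhex(
    "30FF00B6F88EEA50"                          # GTPv1-U header
    "450000B604D240007E116DF1C0A80502C0A80321"  # inner IPv4 header
    "22B815B300A23CC2"                          # inner UDP header
    "00000009") + bytes(150)                    # inner UDP payload

def need(ok, why):
    """Raise ValueError(why) when a length or type check fails."""
    if not ok:
        raise ValueError(why)

def gtpu_udp_payload(buf):
    """Return (teid, sport, dport, payload) of an IPv4/UDP packet in a GTPv1-U G-PDU."""
    need(len(buf) >= 8, "truncated GTP header")
    flags, msg_type, length, teid = struct.unpack_from("!BBHI", buf, 0)
    need(flags >> 5 == 1 and msg_type == 0xFF, "not a GTPv1 G-PDU")
    end = 8 + length                  # length field excludes the first 8 bytes
    need(end <= len(buf), "GTP length runs past the buffer")
    off = 8
    if flags & 0x07:                  # E, S or PN set: 4 optional bytes follow
        need(off + 4 <= end, "truncated optional GTP fields")
        next_ext = buf[off + 3] if flags & 0x04 else 0
        off += 4
        while next_ext:               # extension headers, sized in 4-byte units
            need(off < end and buf[off], "bad GTP extension header")
            ext_len = buf[off] * 4
            need(off + ext_len <= end, "truncated GTP extension header")
            next_ext = buf[off + ext_len - 1]
            off += ext_len
    need(off + 20 <= end and buf[off] >> 4 == 4, "inner packet is not IPv4")
    ihl = (buf[off] & 0x0F) * 4       # IPv4 options make this more than 20
    total_len, = struct.unpack_from("!H", buf, off + 2)
    need(ihl >= 20 and buf[off + 9] == 17, "inner packet is not UDP")
    ip_end = off + total_len
    need(ihl + 8 <= total_len and ip_end <= end, "bad inner IPv4 length")
    off += ihl
    sport, dport, udp_len = struct.unpack_from("!HHH", buf, off)
    need(8 <= udp_len and off + udp_len <= ip_end, "bad inner UDP length")
    return teid, sport, dport, bytes(buf[off + 8:off + udp_len])

if __name__ == "__main__":
    teid, sport, dport, payload = gtpu_udp_payload(SAMPLE)
    print(hex(teid), sport, dport, len(payload), payload[:4].hex())
```

With a packet read by Scapy, pass bytes(gtppacket[3]) as buf; the byte 09 the question points at is then payload[3].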
