I want to use scapy to parse my GTP packets from the pcap files that I have. I am able to use scapy to parse normal UDP/TCP packets. For example, if my packet is udppacket, then
udppacket[3]
shows me the data part of the udp packet. For a GTP packet, it has more layers following the udp layers and the data is inside the last layer. So if my gtp packet is gtppacket, then
gtppacket[4]
gives me an error saying IndexError : layer 4 not found. Actually if I use
gtppacket[3]
then I can see the data along with other information from the other layers. So is there any way for me to traverse inside layer 3 of gtppacket and access only the part of it that I am interested in? The data that I need to extract from layer 3 always lies after a constant offset. The following is the output of hexdump(gtppacket[3]).
0000 30 FF 00 B6 F8 8E EA 50 45 00 00 B6 04 D2 40 00 0......PE.....@.
0010 7E 11 6D F1 C0 A8 05 02 C0 A8 03 21 22 B8 15 B3 ~.m........!"...
0020 00 A2 3C C2 00 00 00 09 00 00 00 00 00 00 00 00 ..<.............
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
The data starting from 09 is what I actually want to extract. I am not interested in the other data. Another idea is to save this output to a character array and then access it using the correct offset. But I do not know if there are any better ideas to extract what I want.
Scapy support the gtp library. Hey you can use the scapy gtp library to do the things. You copy the hexstring in a variable like this a = '30FF00B6F88EEA50450000B604D240007E116DF1C0A80502C0A8032122B815B300A23CC200000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
import the scapy module
from scapy.layers.gtp import *
decode the gtp header by giving the raw hex
GTPHeader(a) Out[8]: >>
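
The offset-based extraction the question asks about, as an added example that is not part of the original question or answer and uses only the Python standard library rather than scapy. It goes beyond a constant offset by reading the GTPv1-U flags and the inner IPv4 header length, so optional GTP fields or IP options do not shift the result; the name inner_udp_payload is hypothetical, and SAMPLE is built from the hexdump in the question.

```python
import struct

# Bytes from the hexdump in the question, GTP header onward. The 150 zero
# bytes that follow the visible payload start are written as bytes(150).
SAMPLE = bytes.fromhex(
    "30FF00B6F88EEA50"                          # GTPv1-U header
    "450000B604D240007E116DF1C0A80502C0A80321"  # inner IPv4 header
    "22B815B300A23CC2"                          # inner UDP header
    "00000009"                                  # first payload bytes
) + bytes(150)


def inner_udp_payload(gtp: bytes) -> bytes:
    """Return the payload of the UDP datagram tunnelled in a GTPv1-U G-PDU."""
    if len(gtp) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, _teid = struct.unpack_from("!BBHI", gtp)
    if flags >> 5 != 1 or msg_type != 0xFF:
        raise ValueError("not a GTPv1 G-PDU")
    pdu = gtp[8:8 + length]            # everything after the mandatory header
    if len(pdu) != length:
        raise ValueError("GTP length field exceeds captured bytes")
    off = 0
    if flags & 0x07:                   # E, S or PN set: 4 optional bytes
        if len(pdu) < 4:
            raise ValueError("truncated optional GTP fields")
        off = 4
        next_type = pdu[3] if flags & 0x04 else 0
        while next_type:               # walk the extension header chain
            ext_len = pdu[off] * 4 if off < len(pdu) else 0
            if ext_len == 0 or off + ext_len > len(pdu):
                raise ValueError("bad GTP extension header")
            next_type = pdu[off + ext_len - 1]
            off += ext_len
    ip = pdu[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        raise ValueError("inner packet is not a complete IPv4/UDP datagram")
    udp_len = struct.unpack_from("!H", ip, ihl + 4)[0]
    if udp_len < 8 or ihl + udp_len > len(ip):
        raise ValueError("bad inner UDP length")
    return ip[ihl + 8:ihl + udp_len]


if __name__ == "__main__":
    payload = inner_udp_payload(SAMPLE)
    print(len(payload), payload[:4].hex())
```

With scapy, the input would be the raw bytes of the layer shown in the hexdump, for example bytes(gtppacket[3]), assuming that layer starts at the GTP header as it does in the question.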