reassemble pcap traces to recover HTTP level data

I have tcpdump traces from which I want to recover/reassemble HTTP requests and responses. Is there a good tool to do that? Python preferred, but I am willing to write a wrapper if a Python solution is not available.


Bro performs robust TCP stream reassembly and parses a variety of application-layer protocols in a port-independent fashion. That is, if your trace contains HTTP traffic on any non-standard HTTP ports, Bro detects it.

Bro's HTTP analyzer does exactly what you need out of the box: it takes the TCP stream and deconstructs it into HTTP headers and bodies, for both requests and responses. Simply run Bro and look at the http.log:

bro -r trace.pcap
less http.log

Bro also comes with Python bindings, meaning, you can send all HTTP events to your custom Python script for individual processing.
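As an added example (not from the answer above and not Bro's own code): a standard-library Python reader for the http.log that `bro -r trace.pcap` writes, so the log can be post-processed without Bro's Python bindings. The header directives (`#separator`, `#fields`, `#types`, `#unset_field`, `#empty_field`) and the column names follow Bro's ASCII log format; the three sample records, their uids, addresses and timestamps are constructed, and `requests_on_nonstandard_ports` is a helper of my own that relies on the port-independent detection the answer mentions.

```python
"""Parse a Bro http.log (tab-separated ASCII log) with the standard library only."""

# Constructed sample http.log: header directives and field names follow Bro's
# ASCII log format, but the uids, addresses and timestamps are made up.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount
1331901000.123456\tCuid0001\t10.0.0.1\t40000\t10.0.0.2\t80\tGET\texample.test\t/index.html\t200
1331901001.000000\tCuid0002\t10.0.0.1\t40001\t10.0.0.2\t9999\tPOST\texample.test\t/upload\t-
1331901002.500000\tCuid0003\t10.0.0.3\t40002\t10.0.0.2\t80\tGET\t(empty)\t/\t404
#close\t2012-03-16-13-00-02
"""


def _convert(value, typ, unset, empty):
    """Map a raw column to a Python value according to its #types entry."""
    if value == unset:
        return None          # field was never set (e.g. no response seen)
    if value == empty:
        return ""            # field set, but empty
    if typ in ("count", "int", "port"):
        return int(value)
    if typ in ("time", "double", "interval"):
        return float(value)
    return value


def parse_bro_log(text):
    """Yield one dict per record, honouring the #separator/#fields/#types headers."""
    sep, unset, empty, fields, types = "\t", "-", "(empty)", None, None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # "#separator" is followed by a space; every other directive by the separator
            key, _, val = line[1:].partition(" " if line.startswith("#separator") else sep)
            if key == "separator":
                sep = val.encode().decode("unicode_escape")   # "\x09" -> TAB
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue
        if not fields or not types:
            raise ValueError("data line before #fields/#types header")
        raw = line.split(sep)
        if len(raw) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield {f: _convert(v, t, unset, empty) for f, v, t in zip(fields, raw, types)}


def requests_on_nonstandard_ports(records, standard=(80, 8080)):
    """Bro identifies HTTP by content, not by port: list the transactions whose
    server port is not one of the usual HTTP ports (a cheap first look at odd traffic)."""
    return [r for r in records if r["id.resp_p"] not in standard]


def summarize(records):
    """Count transactions per (method, status_code); status None = no response logged."""
    counts = {}
    for r in records:
        key = (r["method"], r["status_code"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_HTTP_LOG))
    for r in recs:
        print(r["ts"], r["id.orig_h"], r["id.resp_p"], r["method"], r["host"], r["uri"], r["status_code"])
    print(summarize(recs))
    print([r["uid"] for r in requests_on_nonstandard_ports(recs)])
```

To run it on a real log, replace `SAMPLE_HTTP_LOG` with the contents of `http.log`; the parser reads the column layout from the `#fields` line, so it keeps working when a different Bro version or a custom script adds or removes columns.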


You're probably looking for tcpreplay.

To appeal to your python sensibilities, you might also want to look at Scapy.


##this_script.bro##
@load-sigs /usr/local/bro/share/bro/policy/frameworks/signatures/detect-payload.sig

# Accumulates every payload chunk delivered by tcp_contents (all connections together)
global x: string = "";

# Ask Bro to deliver the reassembled originator-side stream for connections to port 80
redef tcp_content_delivery_ports_orig += {[80/tcp] = T};

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    # contents arrives already in sequence order; just append it
    x += contents;
    }

event signature_match(state: signature_state, msg: string, data: string)
    {
    # fired for every hit of the loaded payload signatures
    print msg;
    print data;
    }

event bro_done()
    {
    print x;    # reassembled payload, dumped once the trace/interface is exhausted
    }

This is a script that displays the reassembled TCP stream payloads on port 80. You can run it with bro -i iface_name this_script.bro. This helps you in analyzing the requests made.

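Added example, not part of either answer above and not Bro's or Scapy's code: the reassembly step those answers hand off to Bro, done by hand in pure Python so the mechanics are visible to someone who wants a Python-only path. It builds a tiny capture in memory (constructed frames, constructed addresses 10.0.0.1/10.0.0.2), reorders and de-duplicates the segments of each direction by sequence number, and splits each reassembled stream into HTTP messages using Content-Length. All function names are my own; it understands libpcap files (not pcapng) with the Ethernet link type only, and, unlike Bro, it does not detect sequence-number wraparound or gaps.

```python
"""TCP stream reassembly from a pcap with only the standard library (constructed example).
One HTTP request plus one response that is split into two out-of-order segments and
retransmitted once; each direction is reassembled and parsed into HTTP messages."""
import struct
from collections import defaultdict


def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are left zero because the parser ignores them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize frames as a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield captured frames; both byte orders and both time resolutions, Ethernet only."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not supported here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]  # (sec, usec, incl, orig)
        off += 16
        yield data[off:off + caplen]
        off += caplen


def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total_len]          # honour IP total length (drops padding)
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    return src, sport, dst, dport, seq, tcp[data_off:]


def reassemble(pcap_bytes):
    """Order each direction's segments by sequence number and stitch the payloads.
    Overlaps (retransmissions) are trimmed; gaps are silently kept and sequence
    wraparound is not handled, which is where a real reassembler like Bro's earns its keep."""
    flows = defaultdict(list)
    for frame in read_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[5]:                         # keep only segments carrying data
            flows[seg[:4]].append((seg[4], seg[5]))
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        buf, nxt = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq < nxt:                          # already-seen bytes: drop the overlap
                payload, seq = payload[nxt - seq:], nxt
            buf += payload
            nxt = seq + len(payload)
        streams[key] = bytes(buf)
    return streams


def split_http(stream):
    """Split a stream into (start_line, headers, body) using Content-Length only
    (chunked transfer-encoding is not handled)."""
    msgs = []
    while b"\r\n\r\n" in stream:
        head, _, rest = stream.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        length = int(headers.get("content-length", 0))
        msgs.append((lines[0], headers, rest[:length]))
        stream = rest[length:]
    return msgs


def demo():
    """Build the constructed capture, reassemble it, return parsed HTTP messages per flow."""
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    c, s = "10.0.0.1", "10.0.0.2"                  # constructed client/server addresses
    frames = [build_frame(c, s, 40000, 80, 1000, req),
              build_frame(s, c, 80, 40000, 2030, resp[30:]),   # second half arrives first
              build_frame(s, c, 80, 40000, 2000, resp[:30]),
              build_frame(s, c, 80, 40000, 2000, resp[:30])]   # retransmission of the first half
    return {flow: split_http(stream) for flow, stream in reassemble(write_pcap(frames)).items()}


if __name__ == "__main__":
    for flow, msgs in demo().items():
        for start, hdrs, body in msgs:
            print("%s:%d -> %s:%d  %s  %r" % (flow + (start, body)))
```

For a real trace, pass `open("trace.pcap", "rb").read()` to `reassemble()` instead of the constructed frames; the script pairs the request and response of a connection only by their shared four-tuple, whereas Bro's HTTP analyzer additionally tracks pipelining, chunked bodies and the request/response ordering for you.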