How can I filter a pcap file by specific protocol using python?
I have some pcap files and I want to filter by protocol, i.e., if I want to filter by HTTP protocol, anything but HTTP packets will remain in the pcap file.
There is a tool called openDPI, and it's perfect for what I need, but there is no wrapper for python language.
Does anyone knows any python modules that can do what I need?
Thanks
Edit 1:
HTTP filtering was just an example, there is a lot of protocols that I want to filter.
Edit 2:
I tried Scapy, but I don't figure how to filter correctly. The filter only accepts Berkeley Packet Filter expression, i.e., I can't apply a msn, or HTTP, or another specific filter from upper layer. Can anyone help me?
Answer
A quick example using Scapy, since I just wrote one:
pkts = rdpcap('packets.pcap')
ports = [80, 25]
filtered = (pkt for pkt in pkts if
TCP in pkt and
(pkt[TCP].sport in ports or pkt[TCP].dport in ports))
wrpcap('filtered.pcap', filtered)
That will filter out packets that are neither HTTP nor SMTP. If you want all the packets but HTTP and SMTP, the third line should be:
filtered = (pkt for pkt in pkts if
not (TCP in pkt and
(pkt[TCP].sport in ports or pkt[TCP].dport in ports)))
wrpcap('filtered.pcap', filtered)