Pcap Plugin¶

class chepy_pcaps.Pcap(*data)¶

This plugin allows handling of various pcap related operations.

scapy is a requirement for this plugin.

pcap_convos(bpf_filter: str = '')¶

Get layer 3 conversation states

Parameters:	bpf_filter (str, optional) – Apply a BPF filter to the packets
Returns:	The Chepy object.
Return type:	ChepyPlugin

pcap_dns_queries()¶

Get DNS queries and their frame numbers

Returns:	The Chepy object.
Return type:	ChepyPlugin

Examples

>>> Chepy("tests/files/test.pcapng").read_pcap().pcap_dns_queries().o
[
    b'fcmconnection.googleapis.com.',
    ...
    b'google.com.'
]

pcap_http_streams()¶

Get a dict of HTTP req/res

This method does full fully assemble when data exceeds a certain threshold.

Returns:	The Chepy object.
Return type:	ChepyPlugin

pcap_layer_stats(bpf_filter: str = '')¶

Get a count of all layers in the pcap

Parameters:	bpf_filter (str, optional) – Apply a BPF filter to the packets
Returns:	The Chepy object.
Return type:	ChepyPlugin

pcap_payload(layer: str, bpf_filter: str = '')¶

Get an array of payloads based on provided layer

Parameters:	layer (str) – Required. A valid Scapy layer. bpf_filter (str, optional) – Apply a BPF filter to the packets
Returns:	The Chepy object.
Return type:	ChepyPlugin

pcap_payload_offset(layer: str, start: int, end: int = None, bpf_filter: str = '')¶

Dump the raw payload by offset.

Parameters:	layer (str) – The layer to get the data from. start (int) – The starting offset of the data to be extracted. This could be a negative index number. end (int, optional) – The end index of the offset. bpf_filter (str, optional) – Apply a BPF filter to the packets
Returns:	The Chepy object.
Return type:	ChepyPlugin

Examples

In this example, we are extracting all the payloads from the last 20 bytes on on the ICMP layer.

>>> Chepy('tests/files/test.pcapng').read_pcap().pcap_payload_offset('ICMP', -20)
[b'secret', b'message']

pcap_to_dict(bpf_filter: str = '')¶

Convert a pcap to a dict

Parameters:	bpf_filter (str, optional) – Apply a BPF filter to the packets
Returns:	The Chepy object.
Return type:	ChepyPlugin

pcap_usb_keyboard(layout: str = 'qwerty')¶

Decode usb keyboard pcap

Parameters:	layout (str, optional) – Layout of the keyboard. Defaults to “qwerty”.
Raises:	`TypeError` – If layout is not qwerty or dvorak
Returns:	The Chepy object.
Return type:	ChepyPlugin

read_pcap()¶

Load a pcap. The state is set to scapy

Returns:	The Chepy object.
Return type:	ChepyPlugin

Chepy plugins