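<p>You need to use the packet's <a href="http://www.secdev.org/projects/scapy/doc/usage.html#sniffing" rel="nofollow noreferrer"><code>sprintf</code> function</a> instead of printing the packet itself. You also need to split the string returned from it and join it back together with newline characters, otherwise it spits it all out on one line:</p>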
<pre><code>#!/usr/bin/python
from scapy.all import *
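
def http_header(packet):
    http_packet = str(packet)
    # str.find() returns -1 (truthy) when the text is absent, so test membership instead
    if 'GET' in http_packet:
        return GET_print(packet)

def GET_print(packet1):
    ret = "***************************************GET PACKET****************************************************\n"
    # sprintf() yields the escaped form of the payload, so split on the literal characters \r\n
    ret += "\n".join(packet1.sprintf("{Raw:%Raw.load%}\n").split(r"\r\n"))
    ret += "*****************************************************************************************************\n"
    return ret

# prn is called for every captured packet; its return value is printed
sniff(iface='eth0', prn=http_header, filter="tcp port 80")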
</code></pre>
<p>I also added a filter for TCP port 80, but this can be removed if needed.</p>
<p>Example output:</p>
<pre><code>***************************************GET PACKET****************************************************
'GET /projects/scapy/doc/usage.html HTTP/1.1
Host: www.secdev.org
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36
Referer: https://www.google.co.uk/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6
If-None-Match: "28c84-48498d5654df67640-gzip"
If-Modified-Since: Mon, 19 Apr 2010 15:44:17 GMT
'
*****************************************************************************************************
</code></pre>
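<p><a href="https://stackoverflow.com/users/3223422/pierre">Pierre</a> points out that you can do away with the <code>http_header</code> function entirely by using the <code>lfilter</code> argument to <code>sniff()</code>. I took the liberty of making the code a little more succinct at the same time:</p>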
<pre><code>#!/usr/bin/python
from scapy.all import *
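
stars = lambda n: "*" * n

def GET_print(packet):
    # Banner, payload split on the literal \r\n that sprintf() emits, closing banner
    return "\n".join((
        stars(40) + "GET PACKET" + stars(40),
        "\n".join(packet.sprintf("{Raw:%Raw.load%}").split(r"\r\n")),
        stars(90)))

# lfilter is a Python-side filter: only packets for which it returns True reach prn
sniff(
    iface='eth0',
    prn=GET_print,
    lfilter=lambda p: "GET" in str(p),
    filter="tcp port 80")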
</code></pre>
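<p>An added example, not part of the original answer: a substring test such as <code>"GET" in str(p)</code> also matches packets that merely contain those letters, so this sketch parses the payload bytes (what scapy exposes as <code>packet[Raw].load</code>) and accepts only a real GET request line. The function names and sample payloads are constructed for illustration.</p>

```python
# Added example: operates on raw TCP payload bytes, so it runs without scapy.
# parse_get_request(), format_get() and the SAMPLE_* payloads are constructed.

def parse_get_request(payload):
    """Return (path, headers) if payload starts an HTTP GET request, else None."""
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    # Require the method at the very start and a well-formed request line,
    # so 'GET' inside a body, URL or response is ignored.
    if len(parts) != 3 or parts[0] != b"GET" or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            continue  # skip malformed header lines
        # latin-1 maps every byte to a character, so decoding never raises
        key = name.strip().decode("latin-1").lower()
        headers[key] = value.strip().decode("latin-1")
    return parts[1].decode("latin-1"), headers


def format_get(payload):
    """Render a parsed GET request in the banner style used above, or None."""
    parsed = parse_get_request(payload)
    if parsed is None:
        return None
    path, headers = parsed
    out = ["*" * 40 + "GET PACKET" + "*" * 40, "GET " + path]
    out += ["%s: %s" % (k, v) for k, v in sorted(headers.items())]
    out.append("*" * 90)
    return "\n".join(out)


SAMPLE_GET = (b"GET /projects/scapy/doc/usage.html HTTP/1.1\r\n"
              b"Host: www.secdev.org\r\n"
              b"Connection: keep-alive\r\n\r\n")
SAMPLE_POST = b"POST /form HTTP/1.1\r\nHost: example.test\r\n\r\nq=GET+me"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 9\r\n\r\nGET ready"

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_POST, SAMPLE_RESPONSE):
        print(format_get(sample))
```

<p>A request whose headers span several TCP segments is only partly visible in any one packet, so this per-packet parse sees just the first segment's headers.</p>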