Question

I have an application which captures and displays network packets. The packets are represented in two forms: in a TableView and as a TreeView. I am using scapy to capture the network packets.

I wish to display the highest protocol level of the packet (highest being the application layer for any packet). The problem that I am facing is that some packets have their final payload named as the protocol itself (for example, the DNS payload is named DNS), but some payloads are just named Raw (for example, the HTTP payload is named Raw).

So I was wondering, is there any way I could detect these protocols in Python?

This is the output for a DNS packet.


This is the output for a HTTP packet.


Here is the code that generates the Tree.

def packet2Tree(self,pkt):
    if len(pkt.fields.keys()) == 0 or pkt.name == "":
        return
    self.rootNode = Node(pkt.name , self.RootNode ) 
    field = pkt.fields_desc
    for xfield in field:
        self.childNode = Node(xfield.name , self.rootNode , str(pkt.getfieldval(xfield.name)))
    self.packet2Tree(pkt.payload)
    return self.RootNode

Any guess how to solve this problem?


Solution

I'm not sure if there is a built-in way to do this, but you could look at the port numbers and take a guess? Scapy seems to understand the port numbers for most TCP packets (i.e. when you call repr(layer)), so maybe look to the source?

EDIT: This question explains that the socket module can do this for you:

python-scapy: how to translate port numbers to service names?

>>> import socket
>>> socket.getservbyport(80)
'http'
>>> socket.getservbyport(21)
'ftp'
>>> socket.getservbyport(53, 'udp')
'domain'
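
The port-based guess suggested in the answer above, written out as an added example that is not part of the original post. It assumes the layer names have already been collected by following pkt.payload as packet2Tree does; guess_top_protocol, service_name and FALLBACK_SERVICES are hypothetical names, and the sample inputs are constructed.

```python
import socket

# Constructed fallback for hosts without a services database (for example
# minimal containers with no /etc/services); not taken from the page.
FALLBACK_SERVICES = {
    (21, "tcp"): "ftp",
    (53, "tcp"): "domain",
    (53, "udp"): "domain",
    (80, "tcp"): "http",
}


def service_name(port, proto):
    """Registered service name for port/proto, or None if unknown."""
    try:
        return socket.getservbyport(port, proto)
    except (OSError, OverflowError):  # unknown port or out of range
        return FALLBACK_SERVICES.get((port, proto))


def guess_top_protocol(layer_names, sport=None, dport=None):
    """Return (label, is_guess) for a packet.

    layer_names: layer names outermost first, e.g. collected by following
    pkt.payload as packet2Tree does. sport/dport: the TCP/UDP port fields.
    """
    top = layer_names[-1]
    if top != "Raw":
        return top, False  # scapy already dissected the payload
    transport = next(
        (n for n in reversed(layer_names) if n in ("TCP", "UDP")), None)
    if transport is None:
        return "Raw", False
    # Lower port first: the server side normally holds the well-known port,
    # the client side an ephemeral one. Only ports below 1024 are trusted.
    for port in sorted(p for p in (sport, dport) if p is not None):
        if port < 1024:
            name = service_name(port, transport.lower())
            if name:
                return name, True  # a hint from the port, not a dissection
    return "Raw", False


if __name__ == "__main__":
    # Constructed samples: an HTTP request, a DNS query, an unknown TCP flow.
    print(guess_top_protocol(["Ethernet", "IP", "TCP", "Raw"], 51234, 80))
    print(guess_top_protocol(["Ethernet", "IP", "UDP", "DNS"], 40000, 53))
    print(guess_top_protocol(["Ethernet", "IP", "TCP", "Raw"], 51234, 40000))
```

The is_guess flag lets the tree show the label as a port-based hint: a service running on a non-standard port stays Raw, and anything listening on a well-known port gets that port's name regardless of what it actually speaks.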
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow