I am trying to parse through a pcap file in python. My goal is to be able to pull out the type of TCP or UDP file it is and the time they start/end. Does anyone have any advice on which packages might be useful, where to find their documentation, or advice in general on writing it?
2 Answers
I would use python-dpkt. Here is the documentation.
This is all I know how to do though, sorry.
#!/usr/local/bin/python2.7
from __future__ import print_function
import dpkt

counter = 0      # every record in the capture
ipcounter = 0    # IPv4 packets only
tcpcounter = 0
udpcounter = 0
filename = 'sampledata.pcap'

# Open in binary mode: text mode breaks on non-UTF-8 bytes (and on Python 3).
with open(filename, 'rb') as f:
    for ts, pkt in dpkt.pcap.Reader(f):
        counter += 1
        eth = dpkt.ethernet.Ethernet(pkt)
        if eth.type != dpkt.ethernet.ETH_TYPE_IP:
            continue             # skip non-IP frames such as ARP
        ip = eth.data
        ipcounter += 1
        if ip.p == dpkt.ip.IP_PROTO_TCP:
            tcpcounter += 1
        if ip.p == dpkt.ip.IP_PROTO_UDP:
            udpcounter += 1

print("Total number of packets in the pcap file: ", counter)
print("Total number of ip packets: ", ipcounter)
print("Total number of tcp packets: ", tcpcounter)
print("Total number of udp packets: ", udpcounter)
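As an added example (not part of this answer, and not dpkt's code), here is a Python 3 script that does what the question actually asks for: it reads a classic pcap file using only the standard library, groups IPv4 TCP/UDP packets into flows by 5-tuple, and records each flow's first and last timestamp. The capture it parses is constructed in-code, and the helper names (pcap_packets, parse_frame, flow_times, build_frame, build_pcap) are mine.

```python
"""Added example: standard-library pcap reader that reports per-flow start/end times."""
import struct
from collections import OrderedDict

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution pcap, host little-endian
ETH_TYPE_IP = 0x0800
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
PROTO_NAMES = {IP_PROTO_TCP: "tcp", IP_PROTO_UDP: "udp"}


def pcap_packets(data):
    """Yield (timestamp_seconds, raw_frame) for every record in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    if linktype != 1:  # DLT_EN10MB; other link types need a different frame parser
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:   # never trust incl_len from an untrusted file
            raise ValueError("truncated packet record at offset %d" % offset)
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_frame(frame):
    """Return (proto, src, sport, dst, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in PROTO_NAMES:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:  # non-first fragment: no L4 header
        return None
    l4 = ip[ihl:]
    if len(l4) < 4:   # need at least the two port fields
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return PROTO_NAMES[proto], src, sport, dst, dport


def flow_times(pcap_bytes):
    """Map each (proto, src, sport, dst, dport) flow to its (first, last) timestamp."""
    flows = OrderedDict()
    for ts, frame in pcap_packets(pcap_bytes):
        key = parse_frame(frame)
        if key is None:
            continue
        first, last = flows.get(key, (ts, ts))
        flows[key] = (min(first, ts), max(last, ts))
    return flows


def build_frame(proto, src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame (zero checksums; fine for parsing)."""
    if proto == IP_PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + l4
    return b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IP) + ip


def build_pcap(records):
    """Constructed little-endian pcap; records are (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: one HTTP-looking TCP flow, one DNS-looking UDP datagram, one ARP frame.
SAMPLE_PCAP = build_pcap([
    (1000.0,  build_frame(IP_PROTO_TCP, "10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.0\r\n")),
    (1000.25, build_frame(IP_PROTO_UDP, "10.0.0.1", 53000, "10.0.0.53", 53)),
    (1001.5,  build_frame(IP_PROTO_TCP, "10.0.0.1", 40000, "10.0.0.2", 80, b"Host: example\r\n")),
    (1002.0,  b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),   # ARP, skipped by parse_frame
])

if __name__ == "__main__":
    for (proto, src, sport, dst, dport), (first, last) in flow_times(SAMPLE_PCAP).items():
        print("%s %s:%d -> %s:%d start=%.6f end=%.6f" % (proto, src, sport, dst, dport, first, last))
```

To run it on a real file, replace SAMPLE_PCAP with open(path, 'rb').read(); pcapng files (magic 0x0A0D0D0A) are a different format and are rejected by the magic check. Every length field read from the file is bounds-checked before use, which matters when the capture comes from a source you do not control.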
3 Comments
Luc
Note that dpkt does not seem able to decode streams, e.g. from a named fifo pipe that tcpdump is writing to. It errors on being unable to seek (there is no need to seek in a pcap anyway...).
Luc
No python 3 version is available of dpkt (in the Debian repositories at least), but porting it seems easy: stackoverflow.com/a/27480361/1201863
korst1k
To prevent the exception:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd4 in position 0: invalid continuation byte
we need to use binary mode when opening the file: dpkt.pcap.Reader(open(filename,'rb'))

You might want to start with scapy.
3 Comments
Eriks Dobelis
There is also a newer version of scapy compatible with python3, with added features (github.com/phaethon/scapy).
Pawel
pypcapfile can also be used. Link: pypi.python.org/pypi/pypcapfile