Python Forum
Dpkt Help
#1
Brick 
Hi there, I have a program that needs to perform a variety of tasks on a pcap file. I am using dpkt and Python 3. What I have so far is simply opening, parsing and closing the file. My next task is to take each of the traffic types (TCP, UDP and IGMP in my example) and count the number of packets in each. This is proving to be very difficult, as the documentation surrounding dpkt is either not there or it is far more complex than I am able to understand. What I have so far has been adapted and simplified from the official dpkt documentation. I am really looking for some advice on how to proceed and to see if anyone can spot problems with my current code. I think once I know how to separate the elements of my pcap properly I should be able to work from there. The tasks after counting the totals for each traffic type are to pull out first and last timestamps and a mean packet length. Any help is appreciated.
import dpkt
import socket


def pcapparse(pcap):
    # Walk every (timestamp, raw frame) record in the capture
    for (ts, buf) in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)   # decode the Ethernet frame
            ip = eth.data                       # frame payload, expected to be IP
            src = socket.inet_ntoa(ip.src)      # packed IPv4 address -> dotted string
            dst = socket.inet_ntoa(ip.dst)
            tcp = ip.data                       # transport-layer payload
            http = dpkt.http.Request(tcp.data)  # raises if the payload is not an HTTP request
        except Exception:
            pass                                # skip frames that do not decode all the way down
    return eth, ip, src, dst, tcp, http


def main():
    pcapFile = 'evidence-packet-analysis.pcap'
    with open(pcapFile, 'rb') as f:             # binary mode; closed automatically on exit
        pcap = dpkt.pcap.Reader(f)
        print(f'[*] Analysing {pcapFile}')
        result = pcapparse(pcap)


if __name__ == '__main__':
    main()
Reply
#2
The examples provided look very well written. Have you seen:
https://jon.oberheide.org/blog/2008/10/1...pcap-file/
Reply
#3
(Dec-01-2020, 05:18 PM)Larz60+ Wrote: The examples provided look very well written. Have you seen:
https://jon.oberheide.org/blog/2008/10/1...pcap-file/
I have seen these examples yes, as they are one of the very few which do explain the basics clearly for beginners to dpkt. What these examples don't really explain is how I can use or store this data in any way other than printing single packet elements to the screen. I am not asking for anyone to write code for me but it would be handy if someone could outline what my next steps would be for my task which is to separate the traffic types into a table and count the number of packets in each type. If there is documentation I have missed which could be helpful for this task a link would be appreciated. Thanks for the response.
Reply
#4
(Dec-01-2020, 05:48 PM)Kenny_B Wrote: What these examples don't really explain is how I can use or store this data in any way other than printing single packet elements to the screen.

As you're looping through the packets, collect the data you want in another data structure.
Quote: if someone could outline what my next steps would be for my task which is to separate the traffic types into a table and count the number of packets in each type.

What your code is doing right now seems to be looping over every packet in the buffer, then writing a variable. But since it's the same variable, each one overwrites the previous. Then when you reach the end, you return the information from only the final packet.

Maybe create a counter, then use it to track the packets of the various types. I haven't used this package to know how to distinguish types, but I suspect asking for the type of eth.data might be useful.

See what type(eth.data) returns for one of the packets. If that tells you IP vs ICMP, you could just feed that directly into a Counter and then print the results of the counter at the end.

Similar to:
    from collections import Counter

    c = Counter()
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        mytype = type(eth.data)   # e.g. dpkt.ip.IP, dpkt.arp.ARP
        c.update([mytype])        # one more packet of this payload type
Then examine the counter at the end of the loop and see what you've got.

You could also keep a variable for first and last timestamp that you've seen. Update it if you see one outside the current range and then report on them when you're done with the loop.
Reply
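The approach the reply above outlines (a Counter keyed by packet type, first/last timestamp tracked as a range, a running total for the mean length), worked through as an added example that is not code from this thread. To stay runnable without dpkt installed it reads the pcap records and the IPv4 protocol byte with struct instead; with dpkt the same Counter would be fed from type(eth.data) or ip.p. The sample capture is constructed in code, not real traffic.

```python
import struct
from collections import Counter

# IANA IPv4 protocol numbers for the traffic types mentioned in the thread
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
ETH_HDR_LEN = 14  # dst MAC + src MAC + ethertype


def summarise_pcap(data):
    """Walk a classic libpcap capture (bytes) and return per-protocol
    counts, first/last timestamps and the mean captured frame length."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"  # pcap magic fixes the byte order
    offset = 24  # the global header is 24 bytes
    counts, first, last, total_len, n = Counter(), None, None, 0, 0
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        ts = ts_sec + ts_usec / 1e6
        first = ts if first is None else min(first, ts)  # keep the range, not the last value
        last = ts if last is None else max(last, ts)
        total_len += len(frame)
        n += 1
        if len(frame) >= ETH_HDR_LEN + 20 and frame[12:14] == b"\x08\x00":  # IPv4 ethertype
            proto = frame[ETH_HDR_LEN + 9]  # IPv4 'protocol' byte (dpkt: ip.p)
            counts[PROTO_NAMES.get(proto, f"IP proto {proto}")] += 1
        else:
            counts["non-IPv4"] += 1
    mean_len = total_len / n if n else 0.0
    return {"counts": counts, "first_ts": first, "last_ts": last, "mean_len": mean_len}


def _frame(proto, payload_len):
    """Constructed Ethernet/IPv4 frame: zeroed MACs/IPs, given protocol, dummy payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, bytes(4), bytes(4))
    return bytes(12) + b"\x08\x00" + ip_hdr + bytes(payload_len)


def build_sample_pcap():
    """Constructed sample capture (not real traffic): 3 TCP, 2 UDP, 1 IGMP frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = []
    for proto, plen, sec in [(6, 40, 100), (17, 20, 101), (6, 60, 102), (2, 8, 103), (17, 20, 104), (6, 40, 105)]:
        frame = _frame(proto, plen)
        records.append(struct.pack("<IIII", sec, 500000, len(frame), len(frame)) + frame)
    return header + b"".join(records)
```

Running summarise_pcap(build_sample_pcap()) gives TCP 3, UDP 2, IGMP 1, timestamps 100.5 to 105.5 and a mean frame length of 392/6 bytes.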
#5
Thanks for the response! I'll try it out in the morning and post how it goes. Much appreciated.
Reply