Dec-01-2020, 04:08 PM
Hi there, I have a program that needs to perform a variety of tasks on a pcap file. I am using dpkt and Python 3. What I have so far is simply opening, parsing and closing the file. My next task is to take each of the traffic types (TCP, UDP & IGMP in my example) and count the number of packets in each. This is proving to be very difficult, as the documentation surrounding dpkt is either not there or it is far more complex than I am able to understand. What I have so far has been adapted and simplified from the official dpkt documentation. I am really looking for some advice on how to proceed and to see if anyone can spot problems with my current code. I think once I know how to separate the elements of my pcap properly I should be able to work from there. The tasks after counting the totals for each traffic type are to pull out first and last timestamps and a mean packet length. Any help is appreciated.
import socket

import dpkt


def pcapparse(pcap):
    """Yield (ts, eth, ip, src, dst, tcp, http) for every IPv4 packet.

    The original returned only the values left over from the last loop
    iteration (and raised UnboundLocalError if every packet failed to parse),
    and the bare except swallowed all errors. Yielding keeps every packet.
    """
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        if not isinstance(eth.data, dpkt.ip.IP):
            continue  # ARP, IPv6 etc. have no IPv4 src/dst to inet_ntoa
        ip = eth.data
        src = socket.inet_ntoa(ip.src)
        dst = socket.inet_ntoa(ip.dst)
        tcp = ip.data if isinstance(ip.data, dpkt.tcp.TCP) else None
        http = None
        if tcp is not None and tcp.data:
            try:
                http = dpkt.http.Request(tcp.data)
            except dpkt.UnpackError:
                pass  # TCP payload that is not an HTTP request
        yield ts, eth, ip, src, dst, tcp, http


def main():
    pcapFile = 'evidence-packet-analysis.pcap'
    print(f'[*] Analysing {pcapFile}')
    with open(pcapFile, 'rb') as f:  # the original never closed the file
        pcap = dpkt.pcap.Reader(f)
        results = list(pcapparse(pcap))  # consume before the file closes
    print(f'[*] Parsed {len(results)} IPv4 packets')


if __name__ == '__main__':
    main()
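The counting, first/last timestamp and mean length tasks all come down to one dispatch per packet: look at the Ethernet type (0x0800 for IPv4), then at the IPv4 protocol field (6 = TCP, 17 = UDP, 2 = IGMP). The following is an added example, not code from the post above or from dpkt; it reads the classic pcap format with only the standard library so it runs with no dependency, and builds a small constructed capture inline. With dpkt the same dispatch is `eth.type == dpkt.ethernet.ETH_TYPE_IP` followed by comparing `ip.p` against `dpkt.ip.IP_PROTO_TCP`, `IP_PROTO_UDP` and `IP_PROTO_IGMP`. The function and constant names here are the example's own.

```python
import struct
from collections import Counter

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # classic pcap, nanosecond timestamps (pcap-ng is a different format)
LINKTYPE_ETHERNET = 1
ETH_TYPE_IP = 0x0800
ETH_TYPE_8021Q = 0x8100
IP_PROTO_NAMES = {1: 'ICMP', 2: 'IGMP', 6: 'TCP', 17: 'UDP'}


def iter_pcap(data):
    """Yield (timestamp_seconds, frame_bytes, wire_length) for each pcap record."""
    magic, = struct.unpack('<I', data[:4])
    endian = '<'
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        magic, = struct.unpack('>I', data[:4])
        endian = '>'
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError('not a classic pcap file')
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    _, _, _, _, _snaplen, linktype = struct.unpack(endian + 'HHiIII', data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f'unsupported link type {linktype}')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError('truncated pcap record')
        off += incl_len
        yield ts_sec + ts_frac / frac_div, frame, orig_len


def ip_protocol(frame):
    """Return the IPv4 protocol number of an Ethernet frame, or None if it is not IPv4."""
    if len(frame) < 14:
        return None
    eth_type, = struct.unpack('!H', frame[12:14])
    ip_off = 14
    if eth_type == ETH_TYPE_8021Q:  # VLAN tag: the real ethertype sits 4 bytes later
        if len(frame) < 18:
            return None
        eth_type, = struct.unpack('!H', frame[16:18])
        ip_off = 18
    if eth_type != ETH_TYPE_IP or len(frame) < ip_off + 20 or frame[ip_off] >> 4 != 4:
        return None
    return frame[ip_off + 9]  # protocol field of the IPv4 header


def summarise(data):
    """Per-protocol counts, first/last timestamp and mean on-the-wire length."""
    counts, first, last, total_len, n = Counter(), None, None, 0, 0
    for ts, frame, orig_len in iter_pcap(data):
        n += 1
        total_len += orig_len  # orig_len, not len(frame): snaplen may have truncated the capture
        first = ts if first is None else first
        last = ts
        proto = ip_protocol(frame)
        counts['NON-IP' if proto is None else IP_PROTO_NAMES.get(proto, 'OTHER')] += 1
    return {'counts': dict(counts), 'first_ts': first, 'last_ts': last,
            'packets': n, 'mean_len': total_len / n if n else 0.0}


def _frame(proto, payload_len):
    """Constructed Ethernet+IPv4 frame with the given protocol number (checksum left zero)."""
    eth = bytes(range(6)) + bytes(range(6, 12)) + struct.pack('!H', ETH_TYPE_IP)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b'\x00' * payload_len


def build_sample_pcap():
    """Constructed 5-packet capture: 2 TCP, 1 UDP, 1 IGMP and 1 ARP frame."""
    records = [(1606838400.0, _frame(6, 20)), (1606838400.5, _frame(17, 8)),
               (1606838401.0, _frame(2, 8)), (1606838401.5, _frame(6, 100)),
               (1606838402.0, b'\x00' * 12 + struct.pack('!H', 0x0806) + b'\x00' * 28)]
    out = struct.pack('<IHHiIII', PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack('<IIII', sec, int(round((ts - sec) * 1e6)), len(frame), len(frame))
        out += frame
    return out


if __name__ == '__main__':
    print(summarise(build_sample_pcap()))
```

Two caveats worth carrying over to the dpkt version: a file written by recent tcpdump or Wireshark may be pcap-ng rather than classic pcap (dpkt has a separate `dpkt.pcapng.Reader` for that), and VLAN-tagged frames hide the IP header behind a 4-byte 802.1Q tag, so a naive `eth.data` check silently miscounts them.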