
I am trying to parse through a pcap file in Python. My goal is to be able to pull out the type of TCP or UDP file it is and the time they start/end. Does anyone have any advice on any particular packages that might be useful, and the documentation for them, or advice in general on writing it?

2 Answers


I would use python-dpkt. Here is the documentation.

This is all I know how to do though, sorry.

#!/usr/bin/env python
from __future__ import print_function   # same code runs on Python 2.7 and 3

import dpkt

counter = 0
ipcounter = 0
tcpcounter = 0
udpcounter = 0

filename = 'sampledata.pcap'

# The capture must be opened in binary mode ('rb'): text mode raises
# UnicodeDecodeError on Python 3 and mangles the bytes on Windows.
with open(filename, 'rb') as f:
    for ts, pkt in dpkt.pcap.Reader(f):
        counter += 1
        eth = dpkt.ethernet.Ethernet(pkt)
        if eth.type != dpkt.ethernet.ETH_TYPE_IP:   # skip ARP, IPv6, etc.
            continue

        ip = eth.data
        ipcounter += 1

        if ip.p == dpkt.ip.IP_PROTO_TCP:
            tcpcounter += 1

        if ip.p == dpkt.ip.IP_PROTO_UDP:
            udpcounter += 1

print("Total number of packets in the pcap file:", counter)
print("Total number of ip packets:", ipcounter)
print("Total number of tcp packets:", tcpcounter)
print("Total number of udp packets:", udpcounter)

Project on GitHub, documentation here

Neuron
Matt Roberts
  • Note that dpkt does not seem able to decode streams, e.g. from a named fifo pipe that tcpdump is writing to. It errors on being unable to seek (there is no need to seek in a pcap anyway...). – Luc Jan 08 '16 at 18:14
  • No python 3 version is available of dpkt (in the Debian repositories at least), but porting it seems easy: http://stackoverflow.com/a/27480361/1201863 – Luc Nov 30 '16 at 13:19
  • 7
    To prevent exception: `UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd4 in position 0: invalid continuation byte` we need to use binary mode for open file: `dpkt.pcap.Reader(open(filename,'rb'))` – korst1k Apr 03 '17 at 10:25
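The question asks for the TCP/UDP flows and the time each one starts and ends, which the dpkt snippet above only counts. The following is an added example, not part of the original answer and not dpkt code: it parses the libpcap file format, the Ethernet header, the IPv4 header and the TCP/UDP port fields directly with the Python 3 standard library (`struct`), so it has no dependency and can be run against any Ethernet pcap. The helper names (`read_pcap_records`, `parse_flow_key`, `summarize_flows`, `build_frame`, `build_pcap`, `summarize_file`) and the sample packets are my own constructions, not taken from a real capture.

```python
"""List TCP/UDP flows in a pcap with first/last timestamps, stdlib only (added example)."""
import io
import struct
import sys
from collections import OrderedDict

# pcap magic as read little-endian -> (record byte order, timestamp fraction divisor)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),
               0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}
ETH_TYPE_IP = 0x0800
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
PROTO_NAMES = {IP_PROTO_TCP: "TCP", IP_PROTO_UDP: "UDP"}

def read_pcap_records(fobj):
    """Yield (timestamp_seconds, frame_bytes); uses read() only, so a pipe works too."""
    gh = fobj.read(24)
    if len(gh) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", gh[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file (magic 0x%08x); pcapng is not handled" % magic)
    endian, ts_div = PCAP_MAGICS[magic]
    if struct.unpack(endian + "I", gh[20:24])[0] != 1:        # linktype 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    while True:
        rh = fobj.read(16)
        if len(rh) < 16:
            return
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rh)
        frame = fobj.read(incl_len)
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        yield sec + frac / ts_div, frame

def parse_flow_key(frame):
    """(proto, endpoint_a, endpoint_b) for an IPv4 TCP/UDP frame, else None; endpoints sorted."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IP:
        return None                                          # ARP, IPv6, ... are skipped
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:             # later fragment: no L4 header
        return None
    proto = ip[9]
    if proto not in PROTO_NAMES or len(ip) < ihl + 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    a, b = (src, sport), (dst, dport)
    return (PROTO_NAMES[proto], min(a, b), max(a, b))       # both directions share one key

def summarize_flows(fobj):
    """Return {flow_key: {"packets", "start", "end"}} in first-seen order."""
    flows = OrderedDict()
    for ts, frame in read_pcap_records(fobj):
        key = parse_flow_key(frame)
        if key is None:
            continue
        rec = flows.setdefault(key, {"packets": 0, "start": ts, "end": ts})
        rec["packets"] += 1
        rec["start"] = min(rec["start"], ts)   # captures are not guaranteed time-ordered
        rec["end"] = max(rec["end"], ts)
    return flows

def build_frame(proto, src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP test frame (checksums left zero)."""
    if proto == IP_PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + l4
    return b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETH_TYPE_IP) + ip

def build_pcap(records):
    """Serialize [(ts_seconds, frame)] as a little-endian microsecond pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out

# Constructed sample capture (not a real trace): one TCP connection, one DNS query, one ARP frame.
SAMPLE_RECORDS = [
    (1000.000000, build_frame(IP_PROTO_TCP, "10.0.0.1", 40000, "10.0.0.2", 443)),
    (1000.000500, build_frame(IP_PROTO_TCP, "10.0.0.2", 443, "10.0.0.1", 40000)),
    (1000.001000, build_frame(IP_PROTO_UDP, "10.0.0.1", 5353, "10.0.0.3", 53, b"\x00" * 12)),
    (1002.250000, build_frame(IP_PROTO_TCP, "10.0.0.1", 40000, "10.0.0.2", 443)),
    (1002.300000, b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", 0x0806) + b"\x00" * 28),
]

def summarize_file(path=None):
    """Summarize a pcap on disk (opened 'rb'), or the constructed sample when path is None."""
    if path is None:
        return summarize_flows(io.BytesIO(build_pcap(SAMPLE_RECORDS)))
    with open(path, "rb") as f:      # 'rb' matters: text mode mangles the binary records
        return summarize_flows(f)

if __name__ == "__main__":
    for (proto, a, b), rec in summarize_file(sys.argv[1] if len(sys.argv) > 1 else None).items():
        print("%s %s:%d <-> %s:%d packets=%d start=%.6f end=%.6f"
              % (proto, a[0], a[1], b[0], b[1], rec["packets"], rec["start"], rec["end"]))
```

Run it as `python3 flows.py capture.pcap`, or with no argument to parse the constructed sample. The reader only ever calls `read()`, so unlike the seek problem mentioned in the comments it also works on a pipe such as `tcpdump -w -`. Frames that are not IPv4 TCP/UDP (ARP, IPv6, non-first IP fragments) are skipped, both directions of a connection are folded into one flow entry, and the start/end are taken as the earliest and latest timestamps seen rather than assuming the file is time-ordered. The pcapng format is not handled and is rejected by the magic check.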

You might want to start with scapy.

  • 1
    There is, also, newer version of scapy compatible with python3 with added features (http://github.com/phaethon/scapy). – Eriks Dobelis Nov 13 '15 at 10:46
  • pycapfile can also be used. Link: https://pypi.python.org/pypi/pypcapfile – Pawel Feb 16 '16 at 14:36
  • pypcapfile or pycapfile - didn't work on my tcpdump file: ethernet from 55:32:fd:21:4d:7c to 00:00:02:00:00:00 type unknown ethernet from 9d:a9:41:cd:bb:ca to 00:04:02:00:00:00 type unknown – Oct 02 '16 at 16:19