Using dpkt to parse through pcap files

Question

I'm doing an assignment where I have to parse through a pcap file and I am using dpkt to do so. I'm new to networking so I'm having a really hard time debugging the code / getting started.

First set of code:

import dpkt

filename='test.pcap'
f = open(filename)
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    ip = eth.data
    tcp = ip.data

f.close()

Error is AttributeError: 'str' object has no attribute 'data'

So from a previous Stackoverflow I found out that maybe I'm supposed to "skip the dpkt ethernet decode and jump straight to an IP decode" so I altered the code and go to:

import dpkt

filename='test.pcap'

f = open(filename)
pcap = dpkt.pcap.Reader(f)

for ts,buf in pcap:
    ip = dpkt.ip.IP(buf)
    tcp = ip.data

f.close()

The error it is giving me now is "UnpackError: invalid header length"

Don't really understand how to move forward with this, any help would be greatly appreciated

can you share the pcap file? – Kiran Bandla Jun 17 '16 at 12:04 — Kiran Bandla, Jun 17 '16 at 12:04

Jeff S. · Answer 1 · 2017-04-29T13:53:05.500

I had this same problem for traces I took on my phone.

This was due to ethernet being replaced by Linux Cooked Capture. If your traces are encapsulated similarly, you'll have to use dpkt.sll.SLL(buff) rather than dpkt.ethernet.Ethernet(buf). Here's an example:

import dpkt

filename='a_linux_cooked_capture.pcap'
f = open(filename, 'rb')
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    eth = dpkt.sll.SLL(buf)
    ip = eth.data
    tcp = ip.data
f.close()

score 3 · Answer 2 · answered Jun 20 '16 at 19:10

3

This typically happens on Windows. On windows, you should open the pcap file in binary mode:

f = open('test.pcap','rb')

answered Jun 20 '16 at 19:10

Kiran Bandla

686
4
10

Using dpkt to parse through pcap files

2 Answers2