I have some .CAP files (not PCAP files) from capturing packets with tcpdump.

When I try to open one with Wireshark, the machine gets very slow, as I imagine that it tries to load everything into RAM.

I do not need to read the whole file at once. Imagine that I want to read the .CAP file only from 9:15 p.m. to 11:12 p.m. instead of loading all of it into memory.

How can I do it in Python?

This is a CAP file:

[screenshot: CAP file]

Ed S
  • The simplest way I can think of is to filter the packets *before* they get to Python. `tshark` is a tool that can help with this. I haven't tried this, but I think the `-r` option can be used to read the file and then a filter can be used to filter it. – Ben Mar 01 '17 at 20:17
  • CAP and PCAP are the same? – Ed S Mar 02 '17 at 15:12
  • I'm referring to the files that can be viewed in Wireshark. That .cap file looks like a wireshark screenshot, so yeah, we're probably talking about the same filetype here. – Ben Mar 02 '17 at 19:42

1 Answer

Installing scapy: pip install scapy

from scapy.all import *    # scapy's convenience namespace; rdpcap() lives here

pkts = rdpcap("file.cap")  # parses every record of the file into a list held in memory

Ed S
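rdpcap() in the answer above parses the whole capture into a list, which is exactly the memory problem the question describes. As an added example that is not part of the answer or of scapy, the pure-Python reader below walks a libpcap-format file (the format tcpdump writes, so an ordinary .cap from tcpdump qualifies; pcapng is not handled) one record at a time and yields only the records whose time-of-day falls inside a window, handling both byte orders and the nanosecond variant of the format and rejecting truncated or corrupt records instead of trusting their length fields. All function names are my own, the sample capture is constructed inline, and times are compared in UTC (pass tz=None to packets_between to use local time, as Wireshark displays it).

```python
import io, struct
from datetime import datetime, time, timezone

# magic (read as little-endian uint32) -> (struct byte order, timestamp ticks per second)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),   # microsecond files
               0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}   # nanosecond files
def iter_packets(fh):
    """Yield (timestamp_seconds, raw_bytes) one record at a time; the file is never read whole."""
    hdr = fh.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x}); pcapng is not handled here")
    order, ticks = PCAP_MAGICS[magic]
    snaplen = struct.unpack(order + "I", hdr[16:20])[0]
    while rec := fh.read(16):
        if len(rec) < 16:
            raise ValueError("truncated record header")
        sec, frac, incl_len, orig_len = struct.unpack(order + "IIII", rec)
        if incl_len > snaplen or incl_len > orig_len:  # never trust lengths read from the file
            raise ValueError("record length exceeds snaplen or original length")
        data = fh.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        yield sec + frac / ticks, data

def packets_between(fh, start, end, tz=timezone.utc):
    """Stream only records whose time-of-day in tz lies in [start, end]; tz=None means local time."""
    for ts, data in iter_packets(fh):
        if start <= datetime.fromtimestamp(ts, tz).time() <= end:
            yield ts, data
def payloads_between(pcap_bytes, start, end):
    """Helper for in-memory data: payloads in the window; start/end are (hour, minute) tuples."""
    return [d for _, d in packets_between(io.BytesIO(pcap_bytes), time(*start), time(*end))]

def build_pcap(records, order="<", nsec=False):
    """Constructed test data only: write a minimal pcap 2.4 file (linktype 1, snaplen 65535)."""
    ticks, magic = (10**9, 0xA1B23C4D) if nsec else (10**6, 0xA1B2C3D4)
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for ts, data in records:
        sec = int(ts)
        out += struct.pack(order + "IIII", sec, round((ts - sec) * ticks), len(data), len(data)) + data
    return out
def _at(h, m, s=0, us=0):  # constructed capture date: 2017-03-01 UTC
    return datetime(2017, 3, 1, h, m, s, us, tzinfo=timezone.utc).timestamp()

SAMPLE_RECORDS = [(_at(20, 59, 59), b"before"), (_at(21, 15), b"first"), (_at(22, 30, 30, 500000), b"middle"),
                  (_at(23, 12), b"last"), (_at(23, 12, 1), b"after")]  # constructed; 3 fall in 21:15-23:12
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)
```

On a real file, `with open("file.cap", "rb") as fh: for ts, raw in packets_between(fh, time(21, 15), time(23, 12), tz=None): ...` keeps only one record in memory at a time, and `raw` can be handed to scapy's `Ether(raw)` if you still want its dissectors.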