Reputation: 209
I have captured some packets using the pcap library in C. Now I am using a Python program to read that saved packet file, but I have a problem here. I have a file which first has pkthdr (provided by the library) and then the actual packet. The format of pkthdr is:
struct pcap_pkthdr {
    struct timeval ts;   /* time stamp 32bit */
    bpf_u_int32 caplen;  /* length of portion present */
    bpf_u_int32 len;     /* length this packet (off wire) */
};
Now I want to read the len field, so I have skipped timeval and caplen and printed the len field in binary form using Python. The binary I got is: 01001010 00000000 00000000 00000000. Now how do I read it as a u_int32? I don't think it is the correct value (too large); the actual len field value should be 74 bytes (checked in Wireshark). So please tell me what I am doing wrong. Thanks in advance.
Upvotes: 1
Views: 3117
Reputation:
Or have a look at the pylibpcap module, the pypcap module, or the pcapy module, which let you just call pcap APIs with relative ease. That way you don't have to care about the details of pcap files, and your code will, with libpcap 1.1 or later, also be able to read at least some of the pcap-ng files that Wireshark can produce and that it will produce by default in the 1.8 release.
Writing your own code to read pcap files, rather than relying on libpcap/WinPcap to do so, is rarely worth doing. (Wireshark does so, as part of its library that reads a number of capture file formats and supports pcap-ng format in ways that the current pcap API can't, but the library in question also supports pcap-ng....)
Upvotes: 1
Reputation: 2469
Have a look at the struct module, which lets you unpack such binary data with relative ease, for example:
struct.unpack('LLL', yourbuffer)
This will give you a tuple of the three (L = unsigned long) values. If the len value doesn't seem right, the byte order of the file is different from your native one. In that case prefix the format string with either > (big-endian) or < (little-endian):
struct.unpack('>LLL', yourbuffer)
Upvotes: 0
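An added example, not code from the question or either answer, that applies the struct approach above to the on-disk pcap layout. In the file (as opposed to the in-memory struct pcap_pkthdr) each record header is four 32-bit fields: ts_sec, ts_usec, caplen and len, so the code uses the standard-size format `IIII` with an explicit `<` or `>` prefix rather than native `L`, which is 8 bytes on many 64-bit platforms. The byte order is taken from the file's magic number instead of being guessed. The sample capture is constructed inline (a 74-byte zero-filled packet) so the block runs offline; `iter_records`, `decode_len_field` and the sample builder are names chosen for this example.

```python
import struct

# Magic numbers that open a classic pcap file (microsecond and nanosecond
# timestamp variants).  Which byte pattern we see tells us the writer's
# endianness, which is what the question's "too large" value comes down to.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D

GLOBAL_HEADER_LEN = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_usec, caplen (incl_len), len (orig_len)


def decode_len_field(raw4, prefix):
    """Decode four raw bytes of a len/caplen field as u_int32 with the given order.

    prefix is '<' (little-endian) or '>' (big-endian).  The question's bytes
    01001010 00000000 00000000 00000000 give 74 with '<' and a huge value with '>'.
    """
    if len(raw4) != 4:
        raise ValueError('len field must be exactly 4 bytes, got %d' % len(raw4))
    return struct.unpack(prefix + 'I', raw4)[0]


def detect_byte_order(magic_bytes):
    """Return the struct prefix ('<' or '>') that makes the magic number valid."""
    for prefix in ('<', '>'):
        if struct.unpack(prefix + 'I', magic_bytes)[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return prefix
    raise ValueError('not a classic pcap file, magic bytes %r' % (magic_bytes,))


def iter_records(data):
    """Yield (ts_sec, ts_usec, caplen, wirelen, packet_bytes) for every record.

    Bounds are checked before every slice so a truncated file raises instead of
    silently yielding a short packet as if it were complete.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError('truncated global header')
    prefix = detect_byte_order(data[:4])
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(
            prefix + 'IIII', data[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        packet = data[offset:offset + caplen]
        if len(packet) < caplen:
            raise ValueError('truncated packet data at offset %d' % offset)
        offset += caplen
        yield ts_sec, ts_usec, caplen, wirelen, packet
    if offset != len(data):
        raise ValueError('trailing bytes after last record')


def wire_lengths(data):
    """Convenience: the len (off-wire) field of every record in the capture."""
    return [rec[3] for rec in iter_records(data)]


def build_sample_capture(prefix, packet_len=74):
    """Constructed sample: one Ethernet-linktype record of packet_len zero bytes."""
    global_header = struct.pack(prefix + 'IHHiIII',
                                PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    record_header = struct.pack(prefix + 'IIII', 1, 2, packet_len, packet_len)
    return global_header + record_header + bytes(packet_len)


if __name__ == '__main__':
    # The question's bytes: 0x4A 0x00 0x00 0x00.
    raw = bytes([0b01001010, 0, 0, 0])
    print('little-endian:', decode_len_field(raw, '<'))  # 74
    print('big-endian:   ', decode_len_field(raw, '>'))  # 1241513984
    for order in ('<', '>'):
        cap = build_sample_capture(order)
        print('file written with', repr(order), '-> len fields', wire_lengths(cap))
```

Reading the magic number first means the same code handles captures written on a machine of either byte order; a file that fails the magic check is rejected rather than misparsed, which also catches the pcap-ng files the first answer mentions (different magic) instead of producing garbage lengths.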