isaac9A

Reputation: 903

Parsing ip address with dpkt

I am using dpkt to parse a pcap file; however, I am confused about how to extract the destination IP address. I am parsing the packets using eth = dpkt.ethernet.Ethernet(buf), which returns an Ethernet object that looks like the following:

Ethernet(src='\x00\x1a\xa0kUf', dst='\x00\x13I\xae\x84,', data=IP(src='\xc0\xa8\n\n',
off=16384, dst='C\x17\x030', sum=25129, len=52, p=6, id=51105, data=TCP(seq=9632694,
off_x2=128, ack=3382015884, win=54, sum=65372, flags=17, dport=80, sport=56145)))

I am confused about 2 things.

  1. Should I be grabbing the dst field in Ethernet, or the one in IP (Ethernet.data)?
  2. How can I turn these weird strings into IP addresses of the form x.x.x.x where x is an integer from 0-255?

I tried a solution like Convert "little endian" hex string to IP address in Python, but both dst fields seem to sometimes contain data which seemingly cannot be parsed to an IP address, such as _daQ (how is _daQ parsed to an address?), RT\x00\x125\x02 (what is RT?) or 33\x00\x01\x00\x03 (what is the 33 at the beginning, and why does this look like 5 bytes, not 4?).

Upvotes: 4

Views: 13071

Answers (1)

m01

Reputation: 9395

  1. The eth.dst field will contain the destination MAC address (e.g. 01:23:45:67:89:ab), not the destination IP address. You need the ip.dst field.
  2. The strings are byte strings, rather than ASCII (or otherwise) encoded readable character strings.

Try this:

ip_hdr = eth.data
ip_hdr.dst  # will contain your destination IP address in BINARY

# adapted from http://www.commercialventvac.com/dpkt.html#mozTocId303989
import socket
dst_ip_addr_str = socket.inet_ntoa(ip_hdr.dst)

Upvotes: 10
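Added example (not part of the question or the answer above): a standard-library sketch that decodes the same address fields by length, so 6-byte values are formatted as MAC addresses and 4- or 16-byte values as IP addresses. It uses struct instead of dpkt so it runs without a capture file; the function names are hypothetical, the sample frame is constructed from the field values printed in the question, and its TTL of 64 is an assumption because the printed object does not show one.

```python
import socket
import struct

def mac_to_str(raw: bytes) -> str:
    """Format a 6-byte link-layer address (what eth.src / eth.dst hold)."""
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes, got %d" % len(raw))
    return ":".join("%02x" % b for b in raw)

def ip_to_str(raw: bytes) -> str:
    """Format a 4-byte IPv4 or 16-byte IPv6 address (what ip.src / ip.dst hold)."""
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw)
    if len(raw) == 16:
        return socket.inet_ntop(socket.AF_INET6, raw)
    raise ValueError("not an IP address: %d bytes" % len(raw))

def describe_frame(buf: bytes) -> dict:
    """Decode the addresses of one Ethernet frame; IP fields stay None for non-IPv4."""
    if len(buf) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", buf[:14])
    out = {"src_mac": mac_to_str(src_mac), "dst_mac": mac_to_str(dst_mac),
           "src_ip": None, "dst_ip": None}
    if ethertype == 0x0800 and len(buf) >= 34:   # IPv4 with a full 20-byte header
        out["src_ip"] = ip_to_str(buf[26:30])    # source address, IP header offset 12
        out["dst_ip"] = ip_to_str(buf[30:34])    # destination address, IP header offset 16
    return out

# Constructed sample frame: Ethernet header + IPv4 header using the question's values.
SAMPLE = (b"\x00\x13I\xae\x84," + b"\x00\x1a\xa0kUf" + b"\x08\x00"
          + struct.pack("!BBHHHBBH", 0x45, 0, 52, 51105, 16384, 64, 6, 25129)
          + b"\xc0\xa8\n\n" + b"C\x17\x030")

if __name__ == "__main__":
    print(describe_frame(SAMPLE))
    # The three puzzling values from the question, decoded by their length.
    for raw in (b"_daQ", b"RT\x00\x125\x02", b"33\x00\x01\x00\x03"):
        print(raw, "->", ip_to_str(raw) if len(raw) == 4 else mac_to_str(raw))
```

With dpkt under Python 3, the same two formatters can be applied directly to eth.dst and eth.data.dst, which are bytes objects.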
