Reputation: 9
I am trying to read a PCAP file in Python 2.7.10. The code is:
```python
import dpkt
f = open('testbed-11jun.pcap')
pcap = dpkt.pcap.Reader(f)
for ts, buf in pcap:
    print ts, len(buf)
```
But I got this error:
```
1276225266.46 60
1276225266.72 60
1276225266.84 110
1276225266.84 110
1276225266.84 134
277171502.827 132
Traceback (most recent call last):
  File "D:/UC subjects/MS Thesis/code/python/readpcap_dpkt.py", line 5, in <module>
    for ts, buf in pcap:
  File "C:\Python27\lib\site-packages\dpkt\pcap.py", line 159, in __iter__
    buf = self.__f.read(hdr.caplen)
MemoryError
```
So basically, after reading 6 traces from the "testbed-11jun.pcap" file it showed a memory error. The size of "testbed-11jun.pcap" is 2 GB. It has hundreds of traces. So only 6 traces will be a few MB max. Still I got the error. (My laptop RAM is 6 GB.)
Can anybody tell me how to read all hundred traces without any memory error?
Upvotes: 0
Views: 969
Reputation: 788
I realize that this question was asked a long time back, but I thought I should still provide a couple of possible resolutions to the issue as it may help others.
There could be a couple of reasons for this error:
1: The pcap file was opened for parsing as an ASCII file instead of a binary file. Try opening the file explicitly with the "b" parameter, i.e.
```python
f = open('testbed-11jun.pcap','rb')
```
Note that not specifying a flag defaults the mode character to 'r', which is meant for reading text files, as per the Python documentation.
2: The format of the PCAP file cannot be fully parsed by dpkt. Note that there are multiple versions of PCAP, e.g. libpcap and pcap-ng, both of which have the same extension. Ensure that you have captured the Wireshark dump correctly. For example, if using Dumpcap then the following command line will capture the pcap for dpkt parsing in
```
dumpcap.exe -P -i "Wireless Network Connection" -w input.pcap -a duration:10
```
The -P flag ensures that the capture is performed using libpcap.
Upvotes: 2
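An added example, not part of either post and not dpkt code: a stand-alone Python 3 check for both causes named in the answer above. It identifies the capture format from the magic number and walks libpcap records with a bound on each length, so a stream shifted by Windows text-mode CR LF translation raises ValueError instead of attempting a huge read. MAX_CAPLEN, the function names and the sample bytes are assumptions constructed for illustration.

```python
import io
import struct

# First four bytes of the file -> (byte order, timestamp fraction divisor)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
    b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcap-ng Section Header Block type
MAX_CAPLEN = 262144  # assumed sanity bound on one packet's captured length


def detect_format(stream):
    """Classify a binary stream by its magic number, whatever its extension."""
    magic = stream.read(4)
    stream.seek(0)
    if magic == PCAPNG_MAGIC:
        return "pcapng"
    return "pcap" if magic in PCAP_MAGICS else "unknown"


def iter_pcap_records(stream):
    """Yield (timestamp, data) per record; refuse implausible lengths."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a libpcap file")
    endian, frac = PCAP_MAGICS[header[:4]]
    offset = 24
    while True:
        rec = stream.read(16)
        if not rec:
            return
        if len(rec) < 16:
            raise ValueError("truncated record header at offset %d" % offset)
        sec, sub, caplen, _origlen = struct.unpack(endian + "IIII", rec)
        if caplen > MAX_CAPLEN:  # misaligned or corrupt: do not allocate it
            raise ValueError("caplen %d at offset %d" % (caplen, offset))
        data = stream.read(caplen)
        if len(data) < caplen:
            raise ValueError("truncated packet at offset %d" % offset)
        yield sec + sub / frac, data
        offset += 16 + caplen


# Constructed sample: two packets, the first containing CR LF.
GOOD = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
        + struct.pack("<IIII", 1276225266, 460000, 6, 6) + b"GET\r\n\x00"
        + struct.pack("<IIII", 1276225266, 720000, 4, 4) + b"abcd")
# What a Windows text-mode read hands the parser: CR LF collapsed to LF.
DAMAGED = GOOD.replace(b"\r\n", b"\n")
```

In the damaged stream the second record header is read one byte late, so its length field decodes as 67108864 and the parser stops there.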