Parampara

Reputation: 43

Using dpkt to parse through pcap files

I'm doing an assignment where I have to parse through a pcap file and I am using dpkt to do so. I'm new to networking so I'm having a really hard time debugging the code / getting started.

First set of code:

import dpkt

filename='test.pcap'
f = open(filename)
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    ip = eth.data
    tcp = ip.data

f.close()

Error is AttributeError: 'str' object has no attribute 'data'

So from a previous Stack Overflow post I found out that maybe I'm supposed to "skip the dpkt ethernet decode and jump straight to an IP decode", so I altered the code to:

import dpkt

filename='test.pcap'

f = open(filename)
pcap = dpkt.pcap.Reader(f)

for ts,buf in pcap:
    ip = dpkt.ip.IP(buf)
    tcp = ip.data

f.close()

The error it is giving me now is "UnpackError: invalid header length"

I don't really understand how to move forward with this; any help would be greatly appreciated.

Upvotes: 3

Views: 11264

Answers (2)

Jeff S.

Reputation: 461

I had this same problem for traces I took on my phone.

This was due to Ethernet being replaced by Linux Cooked Capture. If your traces are encapsulated similarly, you'll have to use dpkt.sll.SLL(buf) rather than dpkt.ethernet.Ethernet(buf). Here's an example:

import dpkt

filename='a_linux_cooked_capture.pcap'
f = open(filename, 'rb')          # binary mode: dpkt expects bytes
pcap = dpkt.pcap.Reader(f)

for ts, buf in pcap:
    eth = dpkt.sll.SLL(buf)       # Linux cooked capture header, not Ethernet
    ip = eth.data
    tcp = ip.data
f.close()

Upvotes: 7

Kiran Bandla

Reputation: 686

This typically happens on Windows. On Windows, you should open the pcap file in binary mode:

f = open('test.pcap','rb')

Upvotes: 3
