Ed S

Reputation: 385

How to get protocol numbers in PCAP file?

Some protocol numbers are:

6 TCP Transmission Control [RFC793] ... 17 UDP User Datagram [RFC768]

by IANA.

import pyshark

pkts = pyshark.FileCapture('testes.pcap')

I just want to print all protocol numbers in the PCAP file and save them in a file. How can I get them using pyshark?

Upvotes: 0

Views: 1609

Answers (1)

larsks

Reputation: 311407

Have you looked at the documentation for pyshark? The README shows you how to read data from individual packets. Given your example, we can get the first packet like this:

>>> pkt = next(pkts)
>>> pkt
<UDP/DNS Packet>

We can introspect pkt to see what fields are available:

>>> dir(pkt)
['__class__', '__contains__', '__delattr__', '__dict__', '__dir__', 
[...]
'get_multiple_layers', 'highest_layer', 'interface_captured', 'ip',
[...]

Since you're looking for protocol information, ip seems as if it might be useful (assuming you're asking about ip protocol numbers). Let's see what that contains:

>>> dir(pkt.ip)
['DATA_LAYER', '__class__', '__delattr__', '__dict__', '__dir__', 
[...]
'addr', 'checksum', 'checksum_status', 'dsfield', 'dsfield_dscp', 
'dsfield_ecn', 'dst', 'dst_host', 'field_names', 'flags', 'flags_df',
'flags_mf', 'flags_rb', 'frag_offset', 'get_field', 
'get_field_by_showname', 'get_field_value', 'hdr_len', 'host', 'id', 
'layer_name', 'len', 'pretty_print', 'proto', 'raw_mode', 'src', 
'src_host', 'ttl', 'version']

I'm going to guess proto is what we want.

>>> pkt.ip.proto
17

And indeed, 17 is the ip protocol number for UDP. So if you just wanted a list of protocol numbers, you could ask for (this output is from a local packet trace):

>>> [pkt.ip.proto for pkt in pkts if hasattr(pkt, 'ip')]
['17', '17', '17', '17', '6', '6', '6', '6', '6', '6', '6', '6', '6', '17', '17', '6', '6', '17', '17', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '6', '1', '1', '1', '1', '1', '1', '1', '1']

(We're using that hasattr check because non-IP packets don't have an ip attribute.)

Upvotes: 2
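As an added example (not larsks's code, and not pyshark's): the same extraction done with only the Python standard library, plus a per-protocol count written to a file as the question asks. It assumes a classic pcap (not pcapng) with Ethernet framing, microsecond timestamps and IPv4 packets; the sample capture at the bottom is constructed in code, not a real trace.

```python
import struct
from collections import Counter

# IANA numbers quoted in the question, used only to label the report.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PCAP_MAGIC = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}   # big/little endian

def protocol_numbers(pcap_bytes):
    """Yield the IPv4 protocol byte of every IPv4-over-Ethernet packet in a classic pcap."""
    endian = PCAP_MAGIC.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (non-pcapng, microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet link type is handled here")
    offset = 24                                                   # end of global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])[2]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Skip ARP/IPv6/short frames: the same role as hasattr(pkt, 'ip') in the answer.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        yield frame[14 + 9]   # protocol field is byte 9 of the IPv4 header

def protocol_report(pcap_bytes):
    """One 'number<TAB>name<TAB>count' line per protocol seen, sorted by number."""
    counts = Counter(protocol_numbers(pcap_bytes))
    return [f"{p}\t{PROTO_NAMES.get(p, 'other')}\t{n}" for p, n in sorted(counts.items())]

def write_protocol_report(pcap_path, out_path):
    with open(pcap_path, "rb") as f:
        lines = protocol_report(f.read())
    with open(out_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines

# --- constructed sample capture (not a real trace): UDP, TCP, ARP, UDP frames ---
def _ipv4(proto):   # minimal 20-byte IPv4 header, checksum left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, b"\0" * 4, b"\0" * 4)

def _pcap(frames):   # little-endian global header + one record per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

ETH_IPV4, ETH_ARP = b"\0" * 12 + b"\x08\x00", b"\0" * 12 + b"\x08\x06"
SAMPLE_PCAP = _pcap([ETH_IPV4 + _ipv4(17), ETH_IPV4 + _ipv4(6),
                     ETH_ARP + b"\0" * 28, ETH_IPV4 + _ipv4(17)])
```

Note that this yields ints (17) where pyshark's pkt.ip.proto returns the string '17', so compare accordingly if you mix the two.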
