Scapy and rdpcap function

I am using the rdpcap Scapy function to read a PCAP file. I also use the module described in the HTTP support link in Scapy, which is necessary in my case, since I need to receive all HTTP requests and responses and the related packets.

I noticed that when parsing a large PCAP file, the rdpcap function takes too long to read it.

Is there a way to read the pcap file faster?

+5
2 answers

So far, I agree that the load time is longer than might be expected, probably because the file is parsed to create an array of high-level objects. What I needed to do was use editcap to split the packet capture into pieces that are easier to read. For instance:

$ editcap -B "2013-05-28 10:05:55" -i 5 -F libpcap inputcapture.pcap outputcapture.pcap

Please note: a complete description of the switches for this command is available here.

Also, the -F libpcap part seemed necessary (at least for me) to get the Scapy pcap function capable of parsing the file. (This is supposed to be the default pcap file output format, but for some reason it wasn't. You can check the file type of your input and output files with capinfos (for example, just type capinfos your_capture.pcap).)

Both capinfos and editcap are part of Wireshark.

+4

Use Scapy's sniff function on the pcap file:

from scapy.all import sniff

def method_filter_HTTP(pkt):
    # Your processing of each packet goes here
    pass

# offline= reads from the file instead of an interface; prn is called per packet;
# store=0 keeps sniff from holding every packet in memory
sniff(offline="your_file.pcap", prn=method_filter_HTTP, store=0)

rdpcap reads the whole pcap into memory, which is what makes it slow and memory-hungry on large files. sniff calls prn on each packet as it is read, and store=0 stops it from keeping the packets in memory.

+2
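Added example, not code from either answer: a stdlib-only streaming reader for the classic libpcap format (the format -F libpcap in the first answer produces) that shows the rdpcap-versus-sniff difference the second answer describes, yielding one record at a time and handing each HTTP request to a prn-style callback without keeping packets in memory. The frame builders and the sample capture are constructed test data (checksums left zero); only Ethernet/IPv4/TCP frames are inspected.

```python
import struct
from typing import Callable, Iterator, Optional
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, what `editcap -F libpcap` writes (not pcapng)

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame around payload (checksums left zero: test data only)."""
    eth = b"\x02" * 12 + b"\x08\x00"                                   # dst, src, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, b"\n\0\0\1", b"\n\0\0\2")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1369735555 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out

def iter_pcap(data: bytes) -> Iterator[bytes]:
    """Yield one frame at a time; nothing is accumulated, unlike rdpcap's list of Packet objects."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a libpcap file; convert it with editcap -F libpcap")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16))
        yield data[off:off + incl]
        off += incl

def tcp_payload(frame: bytes) -> Optional[bytes]:  # payload of an Ethernet/IPv4/TCP frame, else None
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]

def count_http_requests(data: bytes, prn: Optional[Callable[[bytes], None]] = None) -> int:
    """Streaming counterpart of sniff(offline=..., prn=..., store=0): prn sees each request line."""
    hits = 0
    for frame in iter_pcap(data):
        payload = tcp_payload(frame)
        if payload and payload.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")):
            hits += 1
            if prn: prn(payload.split(b"\r\n", 1)[0])
    return hits

SAMPLE_PCAP = build_pcap([build_frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
                          build_frame(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
                          build_frame(b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n")])
```

Running `count_http_requests(SAMPLE_PCAP, print)` prints the two request lines and returns 2; the response frame is skipped.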
