Code for pcap file analysis

I am trying to parse a file containing packets captured using tcpdump. First I want to classify packets into threads using a 5-tuple. Then I need to get the size and time between arrivals of each packet in each thread. I tried the conversation list in Wireshark, but it gives only the number of packets in the stream, and not information about each packet in the stream. Any suggestions for code (C++ or shell script) that can do the job? Thank you

+3
3 answers

UmNyobe,

Scapy … pcap … Scapy.

#!/usr/bin/python -tt

from scapy.all import *
import sys
from datetime import datetime

'''Parse PCAP files into easy to read NETFLOW like output\n
   Usage:\n
   python cap2netflow.py <[ pcap filename or -l ]>\n
   -l is live capture switch\n
   ICMP packets print as source ip, type --> dest ip, code'''

# IP protocol number -> (printed name, scapy layer that carries ports / type+code)
PROTOS = {6: ('TCP', TCP), 17: ('UDP', UDP), 1: ('ICMP', ICMP)}


def parse_netflow(pkt):
    # grabs 'netflow-esque' fields from packets in a PCAP file
    ip = pkt.getlayer(IP)
    if ip is None or ip.proto not in PROTOS:
        return  # non-IP frame (e.g. ARP) or a protocol this script does not print

    name, layer = PROTOS[ip.proto]
    # float(): newer Scapy versions store pkt.time as a Decimal subclass
    snifftime = datetime.fromtimestamp(float(pkt.time)).strftime('%H:%M:%S')
    l4 = pkt.getlayer(layer)
    if l4 is None:
        return  # truncated packet without its transport header

    if name in ('TCP', 'UDP'):
        print(' '.join([snifftime, name.rjust(4, ' '),
                        str(ip.src).rjust(15, ' '), str(l4.sport).rjust(5, ' '),
                        '-->',
                        str(ip.dst).rjust(15, ' '), str(l4.dport).rjust(5, ' ')]))
    else:  # ICMP: print type and code instead of ports
        print(' '.join([snifftime, name.rjust(4, ' '),
                        str(ip.src).rjust(15, ' '), ('t: ' + str(l4.type)).rjust(5, ' '),
                        '-->',
                        str(ip.dst).rjust(15, ' '), ('c: ' + str(l4.code)).rjust(5, ' ')]))


if __name__ == '__main__':
    if '-l' in sys.argv:
        sniff(prn=parse_netflow)
    else:
        pkts = rdpcap(sys.argv[1])
        print(' '.join(['Date: ', datetime.fromtimestamp(float(pkts[0].time)).strftime('%Y-%m-%d')]))
        for pkt in pkts:
            parse_netflow(pkt)

Python Scapy … C++ …

Scapy

http://www.secdev.org/projects/scapy/

… Scapy … pcap.


+2

tcpdump … Tcpdump … pcap tcpdump.

… Libpcap File Format. …

… pcap …

+1

5-tuple? TCP UDP, IP … ; SCTP …

5-tuple "…" Wireshark, TShark -T fields -e (frame.time_epoch … UN*X …), (frame.len plus … 802.11) …, TShark script … TShark …

0
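The per-flow output the question asks for (packets grouped by 5-tuple, with each packet's size and inter-arrival time) can be produced straight from the libpcap file format mentioned above, without Wireshark or Scapy; the following is an added example and not code from any of the answers. It assumes a classic pcap file (magic 0xa1b2c3d4, microsecond timestamps) with Ethernet frames, handles only IPv4 TCP/UDP (SCTP is left out, as the last answer notes it is more involved), and builds its own small sample capture so it runs offline.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Return {5-tuple: [(timestamp, length, inter-arrival gap)]} for IPv4 TCP/UDP."""
    end = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}.get(data[:4])
    if end is None:
        raise ValueError('not a classic pcap file (magic 0xa1b2c3d4)')
    if struct.unpack(end + 'I', data[20:24])[0] != 1:  # link type 1 = DLT_EN10MB
        raise ValueError('only Ethernet captures are handled')
    flows, last_seen, off = defaultdict(list), {}, 24  # 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(end + 'IIII', data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b'\x08\x00':
            continue  # not IPv4 over Ethernet
        ihl, proto = (pkt[14] & 0x0f) * 4, pkt[23]
        if proto not in (6, 17) or len(pkt) < 14 + ihl + 4:
            continue  # not TCP/UDP, or snapped before the port numbers
        src, dst = '.'.join(map(str, pkt[26:30])), '.'.join(map(str, pkt[30:34]))
        sport, dport = struct.unpack('!HH', pkt[14 + ihl:14 + ihl + 4])
        key, ts = (src, dst, sport, dport, proto), sec + usec / 1e6
        gap = ts - last_seen[key] if key in last_seen else 0.0  # first packet of a flow: 0
        last_seen[key] = ts
        flows[key].append((ts, orig_len, round(gap, 6)))  # orig_len = size on the wire
    return dict(flows)

def build_sample_pcap():
    """Constructed sample capture: three packets of one TCP flow plus one UDP packet."""
    def frame(src, dst, proto, sport, dport, payload_len):
        ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 24 + payload_len, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
        return b'\x00' * 12 + b'\x08\x00' + ip + struct.pack('!HH', sport, dport) + b'\x00' * payload_len
    records = [(1000, 0, frame('10.0.0.1', '10.0.0.2', 6, 40000, 443, 10)),
               (1000, 250000, frame('10.0.0.1', '10.0.0.2', 6, 40000, 443, 100)),
               (1000, 300000, frame('10.0.0.1', '10.0.0.2', 17, 5353, 5353, 20)),
               (1001, 0, frame('10.0.0.1', '10.0.0.2', 6, 40000, 443, 30))]
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # global header, little-endian
    for sec, usec, f in records:
        out += struct.pack('<IIII', sec, usec, len(f), len(f)) + f  # record header + frame
    return out

if __name__ == '__main__':
    for key, pkts in parse_pcap(build_sample_pcap()).items():
        print(key, [(size, gap) for _, size, gap in pkts])
```

Replace `build_sample_pcap()` with `open('capture.pcap', 'rb').read()` to run it on a real tcpdump file; pcapng captures (the Wireshark default) use a different container and are rejected by the magic check.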
