
Whole packet length Scapy

I am capturing WiFi traffic with tcpdump using the parameter -s 100 (which means I am only capturing the headers of the packets).

When I load the .pcap file and process it with Scapy I do:

from scapy.all import rdpcap

pkts = rdpcap(pcapfile)
totalbytes = 0
for pkt in pkts:
    totalbytes += len(pkt)  # len(pkt) is the captured (truncated) length

However, as I am truncating the capture, doing len(pkt) will not give me the whole packet length (frame length), it will give me the captured packet length. How can I get the real packet length?

Extra: as I have done on some occasions before, I open the pcap file in Wireshark and search for the hex values of interest. But in this case (frame.len) will show the value I am looking for, but I can't find the way Wireshark obtains this real packet length without having the whole packet captured.

The rdpcap function uses the PcapReader class for reading packets. Unfortunately this class discards the information you are looking for in the read_packet method, even though it is to be found in the pcap file. So you have to use the RawPcapReader directly.

from scapy.all import RawPcapReader

totalbytes = 0
# Modern Scapy yields PacketMetadata(sec, usec, wirelen, caplen); older releases yielded a plain (sec, usec, wirelen) tuple
for pkt, meta in RawPcapReader(pcapfile):
    totalbytes += meta.wirelen if hasattr(meta, "wirelen") else meta[2]

If for some reason you don't want to use RawPcapReader, you can use the len attribute for IPv4 packets.

real_length = pkt[IP].len
truncated_length = len(pkt)

Strangely, the IPv6 layer in Scapy doesn't have the same attribute, but it does have an attribute called plen which is the length of the payload:

payload_length = pkt[IPv6].plen
real_length = payload_length + 40  # 40 bytes: the fixed-size IPv6 header
truncated_length = len(pkt)

With modern Scapy versions, the proper answer would be to use pkt.wirelen. This only exists in packets read from a pcap.
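Both Wireshark's frame.len and Scapy's RawPcapReader metadata (and pkt.wirelen) come from the same place: every pcap record header carries incl_len (bytes saved, capped at the snaplen) next to orig_len (bytes on the wire), so the real length survives even when the body is cut at 100 bytes. The block below is an added example and not code from the question or from either answer above. It builds a constructed pcap in memory with the same truncation tcpdump -s 100 produces, parses the record headers to recover orig_len without any library, implements the IP-header fallback from the second answer and shows where it falls short (link-layer header not counted, Ethernet padding invisible), and cross-checks the sums with Scapy's RawPcapReader when Scapy is installed. It assumes Ethernet frames (link type 1) rather than the 802.11 link type of the question; the function names and sample frames are this example's own.

```python
"""Added example: recover on-wire lengths from a snaplen-truncated pcap.
Each pcap record header stores incl_len (bytes saved, capped at tcpdump's -s snaplen) and
orig_len (bytes on the wire); Scapy's len(pkt) is incl_len, Wireshark's frame.len is orig_len."""
import os
import struct
import tempfile

PCAP_MAGIC, PCAP_MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D  # usec / nsec timestamp variants
LINKTYPE_ETHERNET = 1  # assumption: Ethernet frames, not the 802.11 link type of the question
ETH_HDR = 14


def eth_ipv4_frame(payload_len):
    """Constructed sample frame: Ethernet + minimal IPv4 header + payload_len zero bytes."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + bytes(payload_len)

def build_truncated_pcap(frames, snaplen, endian="<"):
    """Write frames as tcpdump -s <snaplen> does: the body is cut at snaplen, but
    orig_len in each record header still carries the full frame length."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        out.append(struct.pack(endian + "IIII", 1_600_000_000 + i, 0, len(saved), len(frame)))
        out.append(saved)
    return b"".join(out)

def iter_records(pcap_bytes):
    """Yield (caplen, wirelen, data) per record, honouring the file's byte order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _frac, caplen, wirelen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        data = pcap_bytes[off + 16:off + 16 + caplen]
        if len(data) != caplen:
            raise ValueError("record body shorter than incl_len: the file itself is cut off")
        off += 16 + caplen
        yield caplen, wirelen, data

def total_lengths(pcap_bytes):
    """Return (captured_bytes, wire_bytes): what summing len(pkt) gives vs the real volume."""
    captured = wire = 0
    for caplen, wirelen, _ in iter_records(pcap_bytes):
        captured += caplen
        wire += wirelen
    return captured, wire

def frame_length_from_headers(data):
    """Fallback without pcap metadata: IPv4 total length / IPv6 payload length count from
    the IP header, so the Ethernet header (and the fixed 40-byte IPv6 header) is added back."""
    if len(data) < ETH_HDR + 6:
        return None
    ethertype = struct.unpack("!H", data[12:14])[0]
    if ethertype == 0x0800:
        return ETH_HDR + struct.unpack("!H", data[ETH_HDR + 2:ETH_HDR + 4])[0]
    if ethertype == 0x86DD:
        return ETH_HDR + 40 + struct.unpack("!H", data[ETH_HDR + 4:ETH_HDR + 6])[0]
    return None  # non-IP frame: nothing in the headers tells us the length

def scapy_cross_check(pcap_bytes):
    """Same sums via Scapy's RawPcapReader, or None if Scapy is not installed. Modern Scapy
    yields PacketMetadata(sec, usec, wirelen, caplen); older releases a (sec, usec, wirelen) tuple."""
    try:
        from scapy.all import RawPcapReader
    except ImportError:
        return None
    fd, path = tempfile.mkstemp(suffix=".pcap")
    with os.fdopen(fd, "wb") as f:
        f.write(pcap_bytes)
    captured = wire = 0
    try:
        with RawPcapReader(path) as reader:
            for data, meta in reader:
                captured += len(data)
                wire += meta.wirelen if hasattr(meta, "wirelen") else meta[2]
    finally:
        os.unlink(path)
    return captured, wire

# Constructed sample: a full-size frame plus a runt frame padded to the 60-byte
# Ethernet minimum (so its IP header under-reports the wire length), snaplen 100.
SNAPLEN = 100
FRAMES = [eth_ipv4_frame(1480), eth_ipv4_frame(10).ljust(60, b"\x00")]
SAMPLE_PCAP = build_truncated_pcap(FRAMES, SNAPLEN)

if __name__ == "__main__":
    print("captured / on-wire bytes:", total_lengths(SAMPLE_PCAP))
    for caplen, wirelen, data in iter_records(SAMPLE_PCAP):
        print(f"caplen={caplen} wirelen={wirelen} from IP header={frame_length_from_headers(data)}")
    print("Scapy RawPcapReader cross-check:", scapy_cross_check(SAMPLE_PCAP))
```

Run it as a script: the 1514-byte frame is stored as 100 bytes yet reports wirelen 1514, and the padded runt frame shows the limit of the IP-header fallback, which returns 44 for a frame that occupied 60 bytes on the wire. For the WiFi capture in the question the fallback is even less reliable, since the radiotap and 802.11 headers in front of the IP layer are variable in size, so the record metadata (RawPcapReader, or pkt.wirelen on modern Scapy) is the value to sum.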

Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you repost them, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.