用dpkt解析ip地址

Question

I am using dpkt to parse a pcap file, however I am confused about how to extract the destination ip address. I am parsing the packets using eth = dpkt.ethernet.Ethernet(buf) which returns an ethernet object which looks like the following:

Ethernet(src='\x00\x1a\xa0kUf', dst='\x00\x13I\xae\x84,', data=IP(src='\xc0\xa8\n\n',
off=16384, dst='C\x17\x030', sum=25129, len=52, p=6, id=51105, data=TCP(seq=9632694,
off_x2=128, ack=3382015884, win=54, sum=65372, flags=17, dport=80, sport=56145)))

I am confused about 2 things.

1. Should I be grabbing the dst field in Ethernet, or the one in IP (Ethernet.data)?
2. How can I turn these weird strings into ip addresses of the form xxxx where x is an integer from 0-255?

I tried a solution like Convert "little endian" hex string to IP address in Python , but both dst fields seem to sometimes contain data which seemingly cannot be parsed to an ip address such as _daQ (how is _daQ parsed to address?) or RT\\x00\\x125\\x02 (what is RT?) or 33\\x00\\x01\\x00\\x03 (what is the 33 at the beginning and why does this look like 5 bytes not 4?)

Answer 1

1. The eth.dst field will contain the destination MAC address (eg 01:23:45:67:89:ab ), not the destination IP address. You need the ip.dst field.
2. The strings are byte strings, rather than ASCII (or otherwise) encoded readable character strings.

Try this:

ip_hdr = eth.data
ip_hdr.dst  # will contain your destination IP address in BINARY

# adapted from http://www.commercialventvac.com/dpkt.html#mozTocId303989
import socket
dst_ip_addr_str = socket.inet_ntoa(ip_hdr.dst)