Reading PCAP file with scapy
I have about 10GB of pcap data with IPv6 traffic to analyze info stored in the IPv6 header and other extension headers. To do this I decided to use the Scapy framework. I tried the rdpcap function, but for such big files it is not recommended. It tries to load the whole file into memory and gets stuck in my case. I found on the Net that in such a situation sniff is recommended; my code looks like:
from scapy.all import sniff

def my_method(packet):
    # called once per packet as sniff() reads it from the file
    packet.show()

def main():
    # offline= reads from the pcap instead of an interface; store=0 keeps
    # sniff() from accumulating every packet in memory
    sniff(offline='traffic.pcap', prn=my_method, store=0)
In the function called my_method I receive each packet separately and I can parse them, but.... When I call the show function, which is an in-built framework method, I get something like this:
When opened in Wireshark I get a properly looking packet:
Could you tell me how to parse these packets in scapy to get proper results?
EDIT: According to the discussion in the comments I found a way to parse a PCAP file with Python. In my opinion the easiest way is to use the pyshark framework:

import pyshark

pcap_path = 'traffic.pcap'             # path to the capture file
pcap = pyshark.FileCapture(pcap_path)  # for reading a PCAP file
It is possible to easily iterate over the read file with a for loop:

for pkt in pcap:
    pass  # do what you want with pkt
For parsing the IPv6 header the following methods may be useful:

pkt['ipv6'].tclass       # Traffic class field
pkt['ipv6'].tclass_dscp  # Traffic class DSCP field
pkt['ipv6'].tclass_ecn   # Traffic class ECN field
pkt['ipv6'].flow         # Flow label field
pkt['ipv6'].plen         # Payload length field
pkt['ipv6'].nxt          # Next header field
pkt['ipv6'].hlim         # Hop limit field
Update

The latest scapy versions now support ipv6 parsing. So to parse an ipv6 ".pcap" file with scapy now it can be done like so:
from scapy.all import *

scapy_cap = rdpcap('file.pcap')  # reads the whole capture into a list
for packet in scapy_cap:
    print(packet[IPv6].src)
Now as I had commented back when this question was originally asked, for older scapy versions (that don't support ipv6 parsing):
pyshark can be used instead (pyshark is a tshark wrapper) like so:

import pyshark

shark_cap = pyshark.FileCapture('file.pcap')
for packet in shark_cap:
    print(packet.ipv6.src)
Or even, of course, tshark (kind of the terminal version of wireshark):

$ tshark -r file.pcap -q -Tfields -e ipv6.src
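The answer above reads the capture with rdpcap, which the question already found loads the whole file into memory, and it prints only the source address. For the 10GB file and the extension headers the asker wanted to inspect, here is an added example that is not code from the question, the answer, scapy or pyshark: it streams a classic libpcap file record by record using only the standard library, extracts the IPv6 fields the question lists (traffic class, DSCP, ECN, flow label, payload length, next header, hop limit), and walks the Hop-by-Hop, Routing, Fragment and Destination Options chain to the upper-layer protocol, refusing to follow a chain whose declared length runs past the packet. Everything in it is an assumption made for illustration: the helper names (build_ipv6_frame, write_pcap, iter_pcap, parse_ipv6, summarize_pcap, demo), the three constructed frames with addresses in 2001:db8::/32, and the restriction to Ethernet-framed classic pcap (pcapng is not handled).

```python
import ipaddress
import struct
import tempfile

# Classic libpcap container constants; the constructed sample below uses the same values.
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # magic read little-endian -> struct byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV6 = 0x86DD
# Chainable IPv6 extension headers (RFC 8200). Fragment is always 8 bytes; the others carry a
# length byte counted in 8-octet units that excludes the first 8 bytes.
EXT_HEADERS = {0: "HopByHop", 43: "Routing", 44: "Fragment", 60: "DestOpts"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "NoNextHeader"}

def build_ipv6_frame(src, dst, ext_chain, upper, payload, tclass=0, flow=0, hlim=64):
    """Construct an Ethernet+IPv6 frame carrying the given extension chain (test data only)."""
    next_types = [t for t, _ in ext_chain] + [upper]
    ext = b""
    for (ext_type, ext_len), nxt in zip(ext_chain, next_types[1:]):
        if ext_type == 44:  # Fragment: next, reserved, offset/flags, identification
            ext += struct.pack("!BBHI", nxt, 0, 0, 0x1234)
        else:               # option header padded with Pad1 bytes up to its declared length
            ext += struct.pack("!BB", nxt, ext_len) + b"\x00" * (8 * (ext_len + 1) - 2)
    vtf = (6 << 28) | (tclass << 20) | flow
    ipv6 = struct.pack("!IHBB", vtf, len(ext) + len(payload), next_types[0], hlim)
    ipv6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6) + ipv6 + ext + payload

def write_pcap(path, frames):
    """Write frames into a little-endian classic pcap file (sample data, not a real capture)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)

def iter_pcap(path):
    """Yield (ts_sec, frame) one record at a time, so only the current record is in memory."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        endian = PCAP_MAGIC.get(struct.unpack("<I", hdr[:4])[0]) if len(hdr) == 24 else None
        if endian is None:
            raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
        if struct.unpack(endian + "I", hdr[20:24])[0] != LINKTYPE_ETHERNET:
            raise ValueError("only the Ethernet link type is handled here")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", rec)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated pcap record")
            yield ts_sec, frame

def parse_ipv6(frame):
    """Parse the fixed IPv6 header and walk the extension chain; None for non-IPv6 frames."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", frame[14:22])
    if vtf >> 28 != 6:
        return None
    tclass = (vtf >> 20) & 0xFF
    info = {"tclass": tclass, "dscp": tclass >> 2, "ecn": tclass & 3, "flow": vtf & 0xFFFFF,
            "plen": plen, "hlim": hlim, "src": str(ipaddress.IPv6Address(frame[22:38])),
            "dst": str(ipaddress.IPv6Address(frame[38:54])), "ext_headers": [], "truncated": False}
    offset, end = 54, min(len(frame), 54 + plen)
    while nxt in EXT_HEADERS:
        # Every extension header is at least 8 bytes; a declared length that runs past the
        # packet is a malformed chain, so stop and flag it instead of trusting the length.
        hdr_len = 8 if (nxt == 44 or offset + 8 > end) else (frame[offset + 1] + 1) * 8
        if offset + hdr_len > end:
            info["truncated"] = True
            break
        info["ext_headers"].append(EXT_HEADERS[nxt])
        nxt, offset = frame[offset], offset + hdr_len
    info["upper"] = UPPER_LAYER.get(nxt, nxt)
    info["payload_offset"] = offset
    return info

def summarize_pcap(path):
    """Stream a capture and return one summary per IPv6 packet; other frames are skipped."""
    return [rec for _, frame in iter_pcap(path) if (rec := parse_ipv6(frame)) is not None]

def demo():
    """Write a constructed three-frame capture to a temp file and summarise it."""
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    write_pcap(path, [
        build_ipv6_frame("2001:db8::1", "2001:db8::2", [], 58, b"\x80" + b"\x00" * 7,
                         tclass=0xB8, flow=0xABCDE),                         # plain ICMPv6
        build_ipv6_frame("2001:db8::3", "2001:db8::4", [(0, 0), (44, 0), (60, 1)], 17,
                         b"\x00" * 8, hlim=1),                               # HBH+Frag+DstOpts, UDP
        b"\x00" * 12 + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19,  # IPv4 frame, skipped
    ])
    return summarize_pcap(path)

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

For a real capture, call summarize_pcap('traffic.pcap'), or better iterate iter_pcap directly and update counters per packet instead of building a list, so memory stays flat across a 10GB file. Headers that are not in EXT_HEADERS (AH, ESP, TCP, UDP, ICMPv6) end the walk and are reported as the upper layer; a record with "truncated" set is one whose extension chain could not be followed to the end and deserves a look in Wireshark rather than being silently counted.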